Cisco 642-637
Securing Networks with Cisco Routers and Switches
(SECURE) v1.0
Version: 6.0
QUESTION NO: 1
Refer to the exhibit. Given the partial output of the debug command, what can be determined?
A. There is no ID payload in the packet, as indicated by the message ID = 0.
B. The peer has not matched any offered profiles.
C. This is an IKE quick mode negotiation.
D. This is normal output of a successful Phase 1 IKE exchange.
Answer: B
Explanation:
QUESTION NO: 2 DRAG DROP
Answer:
Cisco 642-637 Exam
"Pass Any Exam. Any Time." - www.actualtests.com 2
Explanation:
Existing lists of LAN switches
Existing user credentials
Existing addressing scheme
Existing transport protocols used in the environment.
QUESTION NO: 3
Refer to the exhibit. Which two Cisco IOS WebVPN features are enabled with the partial configuration shown? (Choose two.)
A. The end-user Cisco AnyConnect VPN software will remain installed on the end system.
B. If the Cisco AnyConnect VPN software fails to install on the end-user PC, the end user cannot use other modes.
C. Client based full tunnel access has been enabled.
D. Traffic destined to the 10.0.0.0/8 network will not be tunneled and will be allowed access via a split tunnel.
E. Clients will be assigned IP addresses in the 10.10.0.0/16 range.
Answer: A,C
Explanation:
QUESTION NO: 4
Which two of these are benefits of implementing a zone-based policy firewall in transparent mode? (Choose two.)
A. Less firewall management is needed.
B. It can be easily introduced into an existing network.
C. IP readdressing is unnecessary.
D. It adds the ability to statefully inspect non-IP traffic.
E. It has less impact on data flows.
Answer: B,C
Explanation:
QUESTION NO: 5
When configuring a zone-based policy firewall, what will be the resulting action if you do not specify any zone pairs for a possible pair of zones?
A. All sessions will pass through the zone without being inspected.
B. All sessions will be denied between these two zones by default.
C. All sessions will have to pass through the router "self zone" for inspection before being allowed to pass to the destination zone.
D. This configuration statelessly allows packets to be delivered to the destination zone.
Answer: B
Explanation:
QUESTION NO: 6
Refer to the exhibit. What can be determined from the output of this show command?
A. The IPsec connection is in an idle state.
B. The IKE association is in the process of being set up.
C. The IKE status is authenticated.
D. The ISAKMP state is waiting for quick mode status to authenticate before IPsec parameters are passed between peers.
E. IKE Quick Mode is in the idle state, indicating a problem with IKE phase 1.
Answer: C
Explanation:
QUESTION NO: 7 DRAG DROP
Answer:
Explanation:
Delete IPsec security association -> clear crypto sa
Verify cryptographic configurations and show SA lifetimes -> show crypto map
Verify the IPsec protection policy settings -> show crypto ipsec transform-set
Verify current IPsec settings in use by the SAs -> show crypto ipsec sa
Clear active IKE connections -> clear crypto isakmp
QUESTION NO: 8
You are running Cisco IOS IPS software on your edge router. A new threat has become an issue. The Cisco IOS IPS software has a signature that can address the new threat, but you previously retired the signature. You decide to unretire that signature to regain the desired protection level. How should you act on your decision?
A. Retired signatures are not present in the router's memory. You will need to download a new signature package to regain the retired signature.
B. You should re-enable the signature and start inspecting traffic for signs of the new threat.
C. Unretiring a signature will cause the router to recompile the signature database, which can temporarily affect performance.
D. You cannot unretire a signature. To avoid a disruption in traffic flow, it's best to create a custom signature until you can download a new signature package and reload the router.
Answer: C
Explanation:
QUESTION NO: 9
Which statement best describes inside policy based NAT?
A. Policy NAT rules are those that determine which addresses need to be translated per the enterprise security policy.
B. Policy NAT consists of policy rules based on outside sources attempting to communicate with inside endpoints.
C. These rules use source addresses as the decision for translation policies.
D. These rules are sensitive to all communicating endpoints.
Answer: A
Explanation:
QUESTION NO: 10
Refer to the exhibit. What can be determined about the IPS category configuration shown?
A. All categories are disabled.
B. All categories are retired.
C. After all other categories were disabled, a custom category named "os ios" was created.
D. Only attacks on the Cisco IOS system result in preventative actions.
Answer: D
Explanation:
QUESTION NO: 11
When Cisco IOS IPS is configured to use SDEE for event notification, how are events managed?
A. They are stored in the router's event store and will allow authenticated remote systems to pull events from the event store.
B. All events are immediately sent to the remote SDEE server.
C. Events are sent via syslog over a secure SSL/TLS communications channel.
D. When the event store reaches its maximum configured number of event notifications, the stored events are sent via SDEE to a remote authenticated server and a new event store is created.
Answer: A
Explanation:
QUESTION NO: 12
Which two of these will match a regular expression with the following configuration parameters? [a-zA-Z][0-9][a-z] (Choose two.)
A. Q3h
B. B4Mn
C. aaB132AA
D. c7lm
E. BBpjnrIT
Answer: A,D
Explanation:
QUESTION NO: 13
Which of these is a configurable Cisco IOS feature that triggers notifications if an attack attempts to exhaust critical router resources and if preventative controls have been bypassed or are not working correctly?
A. Control Plane Protection
B. Management Plane Protection
C. CPU and memory thresholding
D. SNMPv3
Answer: C
Explanation:
QUESTION NO: 14
Which Cisco IOS IPS feature allows you to remove one or more actions from all active signatures based on the attacker and/or target address criteria, as well as the event risk rating criteria?
A. signature event action filters
B. signature event action overrides
C. signature attack severity rating
D. signature event risk rating
Answer: A
Explanation:
QUESTION NO: 15
You are troubleshooting reported connectivity issues from remote users who are accessing corporate headquarters via an IPsec VPN connection. What should be your first step in troubleshooting these issues?
A. issue a show crypto isakmp policy command to verify matching policies of the tunnel endpoints
B. ping the tunnel endpoint
C. run a traceroute to verify the tunnel path
D. debug the connection process and look for any error messages in tunnel establishment
Answer: B
Explanation:
QUESTION NO: 16
Which of these is correct regarding the configuration of virtual-access interfaces?
A. They cannot be saved to the startup configuration.
B. You must use static routes inside the tunnels.
C. DVTI interfaces should be assigned a unique IP address range.
D. The Virtual-Access 1 interface must be enabled in an up/up state administratively.
Answer: A
Explanation:
QUESTION NO: 17
Refer to the exhibit. The INSIDE zone has been configured and assigned to two separate router interfaces. All other zones and interfaces have been properly configured. Given the configuration example shown, what can be determined?
A. Hosts in the INSIDE zone, with addresses in the 10.10.10.0/24 network, can access any host in the 10.10.10.0/24 network using the SSH protocol.
B. If a host in the INSIDE zone attempts to communicate via SSH with another host on a different interface within the INSIDE zone, communications must pass through the router self zone using the INTRAZONE policy.
C. This is an illegal configuration. You cannot have the same source and destination zones.
D. This policy configuration is not needed; traffic within the same zone is allowed to pass by default.
Answer: D
Explanation:
QUESTION NO: 18
Which action does the command private-vlan association 100,200 take?
A. configures VLANs 100 and 200 and associates them as a community
B. associates VLANs 100 and 200 with the primary VLAN
C. creates two private VLANs with the designation of VLAN 100 and VLAN 200
D. assigns VLANs 100 and 200 as an association of private VLANs
Answer: B
Explanation:
QUESTION NO: 19
Which of these allows you to add event actions globally based on the risk rating of each event, without having to configure each signature individually?
A. event action summarization
B. event action filter
C. event action override
D. signature event action processor
Answer: C
Explanation:
QUESTION NO: 20
When using Cisco Easy VPN, what are the three options for entering an XAUTH username and password for establishing a VPN connection from the Cisco Easy VPN remote router? (Choose three.)
A. using an external AAA server
B. entering the information via the router crypto ipsec client ezvpn connect CLI command in privileged EXEC mode
C. using the router local user database
D. entering the information from the PC via a browser
E. storing the XAUTH credentials in the router configuration file
Answer: B,D,E
Explanation:
QUESTION NO: 21
Which of these is true regarding tunnel configuration when deploying a Cisco ISR as a DMVPN hub router?
A. Only one tunnel can be created per tunnel source interface.
B. Only one tunnel can be created and should be associated with a loopback interface for dynamic redundancy.
C. The GRE tunnel key is used to encrypt the traffic going through the tunnel through the hub.
D. You can run multiple parallel DMVPNs on the hub router, but each tunnel requires a unique tunnel key.
Answer: D
Explanation:
QUESTION NO: 22
Given the Cisco IOS command crypto key generate rsa label MY_KEYS modulus 2048, which additional command keyword should be added if you would like to use these keys on another router or have the ability to back them up to another device?
A. redundancy
B. exportable
C. on:USB smart-token
D. usage-keys
Answer: B
Explanation:
QUESTION NO: 23
Which two types of deployments can be implemented for a zone-based policy firewall? (Choose two.)
A. routed mode
B. interzone mode
C. fail open mode
D. transparent mode
E. inspection mode
Answer: A,D
Explanation:
QUESTION NO: 24 DRAG DROP
Answer:
Explanation: Dropping application layer protocol units that do not conform to the protocol standard.
An application-aware method of filtering that works on OSI layers 3 and 4.
Filtering inside the protocol and its related content
QUESTION NO: 25
What is the result of configuring the command dot1x system-auth-control on a Cisco Catalyst switch?
A. enables the switch to operate as the 802.1X supplicant
B. globally enables 802.1X on the switch
C. globally enables 802.1X and defines ports as 802.1X-capable
D. places the configuration sub-mode into dot1x-auth mode, in which you can identify the authentication server parameters
Answer: B
Explanation:
QUESTION NO: 26
Which information is displayed when you enter the Cisco IOS command show epm session?
A. Enforcement Policy Module sessions
B. External Proxy Mappings, per authenticated sessions
C. Encrypted Policy Management sessions
D. Enhanced Protected Mode sessions
Answer: A
Explanation:
QUESTION NO: 27
Refer to the exhibit. Based on the partial configuration shown, which of these is configured in the GET VPN group member GDOI configuration?
A. key server IP address
B. local priority
C. mapping of the IPsec profile to the IPsec SA
D. mapping of the IPsec transform set to the GDOI group
Answer: A
Explanation:
QUESTION NO: 28
Refer to the exhibit. Given the partial configuration shown, which two statements are correct? (Choose two.)
A. The tunnel will use the routing protocol configured for GigabitEthernet 1/1 for all tunnel communication with the peer.
B. The IP route statement to reach the remote network behind the DMVPN peer is incorrect; it should be ip route 192.168.2.0 255.255.255.0 tunnel 0.
C. This is an example of a static point-to-point VTI tunnel.
D. The tunnel will use esp-sha-hmac encryption in ESP tunnel mode.
E. The tunnel will use 128-bit AES encryption in ESP tunnel mode.
Answer: C,E
Explanation:
QUESTION NO: 29
You are troubleshooting a Cisco Easy VPN installation that is experiencing session establishment problems. You have verified that matching IKE and IPsec policies exist on both peers. The remote client has also successfully entered authentication credentials. What is the next step to take in troubleshooting this problem?
A. verify that the router is not denying traffic from the tunnel
B. verify that the router is able to assign an IP address to the client
C. examine routing tables
D. issue a ping from the client to the router to verify reachability
Answer: B
Explanation:
QUESTION NO: 30
Which of these is a result of using the same routing protocol process for routing outside and inside the VPN tunnel?
A. This will provide for routing-protocol-based failover redundancy.
B. Spoke routers will be able to dynamically learn routes to peer networks.
C. This will allow VPN-encapsulated packets to be routed out the correct physical interface used to reach the remote peer.
D. The tunnel will constantly flap.
Answer: D
Explanation:
QUESTION NO: 31 DRAG DROP
Answer:
Explanation: VLAN Assignment
Time-based access
Endpoint posture assessment
QUESTION NO: 32
Refer to the exhibit. What can be determined from the output of this show command?
A. The switch port interface is enabled and operating as a community port.
B. The interface is acting as an isolated switch port operating in VLAN 1.
C. The interface is configured for Private VLAN Edge.
D. The switch port interface is not a trusted port.
Answer: C
Explanation:
QUESTION NO: 33
You are troubleshooting a problem related to IPsec connectivity issues. You see that there is no ISAKMP security association established between peers. You debug the connection process and see an error message of 1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0. What does this message indicate?
A. This indicates a policy mismatch.
B. This indicates that the offered attributes did not contain a payload.
C. IKE has failed initial attempts and will resend policy offerings to the peer router.
D. The time stamp of the message shows that it is one day old. This could indicate a possible mismatch of system clocks and invalidate the connection attempt.
Answer: A
Explanation:
QUESTION NO: 34
Refer to the exhibit. Given the output shown, what can be determined?
A. An attacker has sent a spoofed DHCP address.
B. An attacker has sent a spoofed ARP response that violates a static mapping.
C. The MAC address has matched a deny rule within the ACL.
D. This is an invalid proxy ARP packet, as indicated by the 0000.0000.0000 MAC address on the destination.
Answer: B
Explanation:
QUESTION NO: 35
Which command will enable a SCEP interface when you are configuring a Cisco router to be a certificate server?
A. scep enable (under interface configuration mode)
B. crypto pki scep enable
C. grant auto
D. ip http server
Answer: D
Explanation:
QUESTION NO: 36
When 802.1X is implemented, how do the client (supplicant) and authenticator communicate?
A. RADIUS
B. TACACS+
C. MAB
D. EAPOL
Answer: D
Explanation:
QUESTION NO: 37
Refer to the exhibit. Assuming that all other supporting configurations are correct, what can be determined from the partial IP admission configuration shown?
A. The router will forward authentication requests to a AAA server for authentication and authorization.
B. The local user password is thl3F4ftvA.
C. The router will intercept incoming HTTP sessions on interface G0/0 for authentication.
D. The SUPERUSER's privilege level is being restricted.
E. The attribute type supplicant-group "SUPERUSER" configuration can be used to match criteria in the "inspect" class-map type using the match access-group option.
Answer: C
Explanation:
QUESTION NO: 38
Which of these is an implementation guideline when deploying the IP Source Guard feature in an environment with multiple switches?
A. Do not configure IP Source Guard on interswitch links.
B. Configure PACLs for DHCP-addressed end devices.
C. IP Source Guard must be configured in the trunk subconfiguration mode to work on interswitch links.
D. Configure static IP Source Guard mapping for all access ports.
Answer: A
Explanation:
QUESTION NO: 39 DRAG DROP
Answer:
Explanation: Dynamic Inside NAT
Dynamic Inside PAT
Static Inside NAT
Static Inside PAT
QUESTION NO: 40
What does the command errdisable recovery cause arp-inspection interval 300 provide for?
A. It will disable a port when the ARP rate limit of 300 packets per second is received and wait a configured interval time before placing the port back in normal operation.
B. It will inspect for ARP-disabled ports every 300 seconds.
C. It will recover a disabled port and limit ARP traffic to 300 packets per second to avoid potential ARP attacks from reoccurring.
D. It will recover a disabled port due to an ARP inspection condition in 5 minutes.
Answer: D
Explanation:
QUESTION NO: 41
You have configured Management Plane Protection on an interface on a Cisco router. What is the resulting action on implementing MPP?
A. Inspection of protected management interfaces is automatically configured to ensure that management protocols comply with standards.
B. The router gives preference to the configured management interface. If that interface becomes unavailable, management protocols will be allowed on alternate interfaces.
C. Along with normal user data traffic, management traffic is also allowed only on the protected interface.
D. Only management protocols are allowed on the protected interface.
Answer: D
Explanation:
QUESTION NO: 42 DRAG DROP
Answer:
Explanation: Use static access ports
Disable DTP
Avoid trunk native VLAN on access ports
QUESTION NO: 43
Refer to the exhibit. What can be determined from the configuration shown?
A. The community SNMP string is SNMP-MGMT-VIEW.
B. All interfaces will be included in the SNMP GETs.
C. This SNMP group will only allow read access to interface MIBs.
D. The SNMP server group is using 128-bit SHA authentication.
Answer: C
Explanation:
QUESTION NO: 44
When enabling the Cisco IOS IPS feature, which step should you perform to prevent rogue signature updates from being installed on the router?
A. configure authentication and authorization for maintaining signature updates
B. install a known RSA public key that correlates to a private key used by Cisco
C. manually import signature updates from Cisco to a secure server, and then transfer files from the secure server to the router
D. use the SDEE protocol for all signature updates from a known secure management station
Answer: B
Explanation:
QUESTION NO: 45
A user has requested a connection to an external website. After initiating the connection, a message appears in the user's browser stating that access to the requested website has been denied by the company usage policy. What is the most likely reason for this message to appear?
A. An antivirus software program has blocked the session request due to potential malicious content.
B. The network has been configured with a URL filtering service.
C. The network has been configured for 802.1X authentication and the user has failed to authenticate.
D. The user's configured policy access level does not contain proper permissions.
Answer: B
Explanation:
QUESTION NO: 46
Refer to the exhibit. Given the partial configuration shown, what can be determined?
A. This is an example of a dynamic policy PAT rule.
B. This is an example of a static policy NAT rule.
C. Addresses in the 10.10.30.0 network will be exempt from translation when destined for the 10.100.100.0 network.
D. The extended access list provides for one-to-one translation mapping of the 10.10.30.0 network to the 10.100.100.0 network.
Answer: A
Explanation:
QUESTION NO: 47
When is it most appropriate to choose IPS functionality based on Cisco IOS software?
A. when traffic rates are low and a complete signature is not required
B. when accelerated, integrated performance is required using hardware ASIC-based IPS inspections
C. when integrated policy virtualization is required
D. when promiscuous inspection meets security requirements
Answer: A
Explanation:
QUESTION NO: 48
When performing NAT, which of these is a limitation you need to account for?
A. exhaustion of port number translations
B. embedded IP addresses
C. security payload identifiers
D. inability to provide mutual connectivity to networks with overlapping address spaces
Answer: B
Explanation:
QUESTION NO: 49 DRAG DROP
Answer:
Explanation: Routing Protocol Filtering
BPDU Guard
VTP Authentication
Routing Protocol Authentication
QUESTION NO: 50
You have enabled Cisco IOS IPS on a router in your network. However, you are not seeing expected events on your monitoring system (such as Cisco IME). On the router, you see events being captured. What is the next step in troubleshooting the problem?
A. verify that syslog is configured to send events to the correct server
B. verify SDEE communications
C. verify event action rules
D. verify that the IPS license is valid
Answer: B
Explanation:
QUESTION NO: 51
Which two of these are features of control plane security on a Cisco ISR? (Choose two.)
A. CoPP
B. RBAC
C. AAA
D. CPPr
E. uRPF
F. FPM
Answer: A,D
Explanation:
QUESTION NO: 52
Which two of these are potential results of an attacker performing a DHCP server spoofing attack? (Choose two.)
A. DHCP snooping
B. DoS
C. confidentiality breach
D. spoofed MAC addresses
E. switch ports being converted to an untrusted state
Answer: B,C
Explanation:
QUESTION NO: 53
When Cisco IOS IPS signatures are being tuned, how is the Target Value Rating assigned?
A. It is calculated from the Event Risk Rating.
B. It is calculated from a combination of the Attack Severity Rating and Signature Fidelity Rating.
C. It is manually set by the administrator.
D. It is set based upon SEAP functions.
Answer: C
Explanation:
QUESTION NO: 54
Which of these should you do before configuring IP Source Guard on a Cisco Catalyst switch?
A. Enable NTP for event correlation
B. Enable IP routing authentication
C. Configure an access list with exempt DHCP-initiated IP address ranges
D. Turn DHCP snooping on at least 24 hours in advance
Answer: D
Explanation:
QUESTION NO: 55
What action will the parameter-map type ooo global command enable?
A. globally initiates tuning of the router's TCP normalizer parameters for out-of-order packets
B. globally classifies type ooo packets within the parameter map and subsequent policy map
C. enables a parameter map named ooo
D. configures a global parameter map for traffic destined to the router itself
Answer: A
Explanation:
QUESTION NO: 56 DRAG DROP
Answer:
Explanation: Port ACLs
Port Security
VLAN ACLs
Private VLANs
QUESTION NO: 57
Scenario:
To access the router console ports, refer to the exhibit and click router R1 or R2 for access. The ISP router will not need to be accessed. You will be placed directly into Cisco IOS enable mode. Using CLI show commands, answer the questions presented regarding GET VPN configurations. For this exercise, you will not be able to use show running-config or show start-config CLI commands. You may use other specific show run and global show commands to determine the correct answers. Not all Cisco IOS CLI features are enabled for this simulation.
What is the registration status of the group member router and what is the IP address of the key server? (Choose two.)
A. group registration has not yet been attempted
B. the member router is registered with the
C. 192.168.2.2
D. 192.168.12
Answer: B,D
Explanation:
QUESTION NO: 58
Scenario: To access the router console ports, refer to the exhibit and click router R1 or R2 for access. The ISP router will not need to be accessed. You will be placed directly into Cisco IOS enable mode. Using CLI show commands, answer the questions presented regarding GET VPN configurations. For this exercise, you will not be able to use show running-config or show start-config CLI commands. You may use other specific show run and global show commands to determine the correct answers. Not all Cisco IOS CLI features are enabled for this simulation.
On the key server router, what is the name of the transform set applied to the IPsec profile and which protection services is the transform set providing? (Choose two.)
A. the name is ESP-3DES-SHA
B. the name is GETSET
C. the transform set is offering esp-aes esp-sha-hmac
D. the transform set is offering esp-3des esp-sha-hmac
Answer: B,C
Explanation:
QUESTION NO: 59
Scenario: To access the router console ports, refer to the exhibit and click router R1 or R2 for access. The ISP router will not need to be accessed. You will be placed directly into Cisco IOS enable mode. Using CLI show commands, answer the questions presented regarding GET VPN configurations. For this exercise, you will not be able to use show running-config or show start-config CLI commands. You may use other specific show run and global show commands to determine the correct answers. Not all Cisco IOS CLI features are enabled for this simulation.
Which router is acting as the key server and which is acting as a group member? (Choose two.)
A. Router 1 is the key server
B. Router 2 is the key server
C. Router 1 is the group member
D. Router 2 is the group member
E. The ISP router is the key server
F. The ISP router is the group member
G. Router 1 and Router 2 are both key servers
H. Router 1 and Router 2 are both group members
Answer: B,F
Explanation:
QUESTION NO: 60
Scenario: To access the router console ports, refer to the exhibit and click router R1 or R2 for access. The ISP router will not need to be accessed. You will be placed directly into Cisco IOS enable mode. Using CLI show commands, answer the questions presented regarding GET VPN configurations. For this exercise, you will not be able to use show running-config or show start-config CLI commands. You may use other specific show run and global show commands to determine the correct answers. Not all Cisco IOS CLI features are enabled for this simulation.
What is the identity used to distinguish the GETVPNGROUP GDOI group?
A. the IP address of the peer
B. identity number 67890
C. group 14
D. GETVPNKEY
Answer: A,D
Explanation:
QUESTION NO: 61
Scenario: To access the router console ports, refer to the exhibit and click router R1 or R2 for access. The ISP router will not need to be accessed. You will be placed directly into Cisco IOS enable mode. Using CLI show commands, answer the questions presented regarding GET VPN configurations. For this exercise, you will not be able to use show running-config or show start-config CLI commands. You may use other specific show run and global show commands to determine the correct answers. Not all Cisco IOS CLI features are enabled for this simulation.
On the group member router, where is the crypto map applied and what is the ISAKMP shared key? (Choose two.)
A. the crypto map is applied to the FastEthernet0/1 interface
B. the crypto map name is applied globally on the router and is active on all enabled interfaces
C. the shared key is GETVPNKEY
D. the shared key is 67890
Answer: A,B
Explanation:
QUESTION NO: 62
Which protocol is EAP encapsulated in for communications between the authenticator and the authentication server?
A. EAP-MD5
B. IPsec
C. EAPOL
D. RADIUS
Answer: D
Explanation:
QUESTION NO: 63
You are loading a basic IPS signature package onto a Cisco router. After a period of time, you see this message: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 275013 ms. What do you expect happened during downloading and compilation of the files?
A. The files were successfully copied with an elapsed time of 275013 ms. The router will continue with extraction and compilation of the signature database.
B. The signature engines were compiled, but there is no indication that the actual signatures were compiled.
C. The compilation failed for some of the signature engines. There are 16 engines, but only 6 were completed according to the %IPS-6 message.
D. The files were compiled without error.
Answer: D
Explanation:
QUESTION NO: 64
Refer to the exhibit. Given the configuration shown, which of these statements is correct?
A. An external service is providing URL filtering via a subscription service.
B. All HTTP traffic to websites with the name "Gambling" included in the URL will be reset.
C. A service policy on the zone pair needs to be configured in the opposite direction or all return HTTP traffic will be blocked by policy.
D. The URL filter policy has been configured in a fail-closed scenario.
Answer: A
Explanation:
QUESTION NO: 65 DRAG DROP
Answer:
Explanation: Spoke-to-hub GRE and IPSec tunnels are created
NHRP mappings are created.
All spoke traffic is forwarded to the hub.
QUESTION NO: 66
Refer to the exhibit. Which two of these are most likely to have caused the issue with NHRP, given this output of the show command? (Choose two.)
A. There was a network ID mismatch.
B. The spoke router has not yet sent a request via Tunnel0.
C. The spoke router received a malformed NHRP packet.
D. There was an authentication key mismatch.
E. The registration request was expecting a return request ID of 1201, but received an ID of 120.
Answer: A,D
Explanation:
QUESTION NO: 67 DRAG DROP
Answer:
Explanation: Event action filter
Event action override
Target value rating
QUESTION NO: 68
You have configured a guest VLAN using 802.1X on a Cisco Catalyst switch. A client incapable of using 802.1X has accessed the port and has been assigned to the guest VLAN. What happens when a client capable of using 802.1X joins the network on the same port?
A. The client capable of using 802.1X is allowed access and proper security policies are applied to the client.
B. EAPOL packets will not be allowed on the guest VLAN and the access attempt will fail.
C. The port is put into the unauthorized state in the user-configured access VLAN, and authentication is restarted.
D. This is considered a security breach by the authentication server and all users on the access port will be placed into the restricted VLAN.
Answer: C
Explanation:
QUESTION NO: 69 Refer to the exhibit. What can be determined from the information shown?
A. The user has been restricted to privilege level 1.
B. The standard access list should be reconfigured as an extended access list to allow desired user permissions.
C. RBAC has been configured with restricted views.
D. IP access list DMZ_ACL has not yet been configured with proper permissions.
Answer: C
Explanation:
QUESTION NO: 70 Refer to the exhibit. Assuming that all other supporting configurations are correct, what can be determined from the partial IP admission configuration shown?
A. The router will forward authentication requests to a AAA server for authentication and authorization.
B. The user maint3nanc3 will have complete CLI command access once authenticated.
C. After a period of 20 minutes, the user will again be required to provide authentication credentials.
D. The authentication proxy will fail, because the router's HTTP server has not been enabled.
E. All traffic entering interface G0/1 will be intercepted for authentication, but only Telnet traffic will be authorized.
Answer: C
Explanation:
QUESTION NO: 71 What will the authentication event fail retry 0 action authorize vlan 300 command accomplish?
A. assigns clients that fail 802.1X authentication into the restricted VLAN 300
B. assigns clients to VLAN 300 and attempts reauthorization
C. assigns a client to the guest VLAN 300 if it does not receive a response from the client to its EAPOL request/identity frame
D. locks out a user who fails an 802.1X authentication and does not allow the user to try to gain network access again for 300 seconds
Answer: A
Explanation:
QUESTION NO: 72 DRAG DROP
Answer:
Explanation:
Protocol verification
Payload minimization
Protocol minimization
Application layer inspections
QUESTION NO: 73 When you are configuring a hub-and-spoke DMVPN network, which tunnel mode should you use for the spoke router configuration?
A. GRE multipoint
B. classic point-to-point GRE
C. IPsec multipoint
D. nonbroadcast multiaccess
Answer: B
Explanation:
QUESTION NO: 74 Which Cisco IOS feature provides secure, on-demand, meshed connectivity?
A. DMVPN
B. Easy VPN
C. IPsec VPN
D. mGRE
Answer: A
Explanation:
QUESTION NO: 75 You have configured a Cisco router to act as a PKI certificate server. However, you are experiencing problems starting the server. You have verified that all CA parameters have been correctly configured. What is the next step you should take in troubleshooting this problem?
A. Disable and restart the router's HTTP server function
B. Enable the SCEP interface
C. Verify the RSA key pair and generate new keys
D. Verify that the correct time is being used and time sources are reachable
Answer: D
Explanation:
QUESTION NO: 76 Which three of these are features of data plane security on a Cisco ISR? (Choose three.)
A. uRPF
B. NetFlow export
C. FPM
D. CPPr
E. RBAC
F. routing protocol filtering
Answer: A,B,C
Explanation:
QUESTION NO: 77 What will the authentication event fail retry 0 action authorize vlan 300 command accomplish?
A. assigns clients that fail 802.1X authentication into the restricted VLAN 300
B. assigns clients to VLAN 300 and attempts reauthorization
C. assigns a client to the guest VLAN 300 if it does not receive a response from the client to its EAPOL request/identity frame
D. locks out a user who fails an 802.1X authentication and does not allow the user to try to gain network access again for 300 seconds
Answer: A
Explanation:
QUESTION NO: 78 When configuring DHCP snooping, how should you classify access ports?
A. untrusted
B. trusted
C. promiscuous
D. private
Answer: A
Explanation:
QUESTION NO: 79 When configuring URL filtering with the Trend Micro filtering service, which of these steps must you take to prepare for configuration?
A. define blacklists and whitelists
B. categorize traffic types
C. install the appropriate root CA certificate on the router
D. synchronize clocks via NTP to ensure accuracy of URL filter updates from the service
Answer: D
Explanation:
QUESTION NO: 80 Which of these is correct regarding the functionality of DVTI tunnels?
A. DVTI tunnels are created dynamically from a preconfigured template as tunnels are established to the hub.
B. The hub router needs a static DVTI tunnel to each spoke router in order to establish remote communications from spoke to spoke.
C. Spoke routers require a virtual template to clone the configuration on which the DVTI tunnel is established.
D. DVTI tunnels appear on the hub as tunnel interfaces.
Answer: C
Explanation:
QUESTION NO: 81 When implementing GET VPN, which of these is a characteristic of GDOI IKE?
A. GDOI IKE sessions are established between all peers in the network.
B. Security associations do not need to linger between members once a group member has authenticated to the key server and obtained the group policy.
C. Each pair of peers has a private set of IPsec security associations that is only shared between the two peers.
D. GDOI IKE uses UDP port 500.
Answer: B
Explanation:
QUESTION NO: 82 DRAG DROP
Answer:
Explanation:
User Traffic Encapsulation
Tunneling VPN
Non-tunneling VPN
Configuration Scalability
Automated peer discovery
Manual provisioning of paths
Authentication Scalability
Manual provisioning of peer identity
PKI provisioning
QUESTION NO: 83 DRAG DROP
Answer:
Explanation:
Step 1 – The VPN Client initiates IKE Phase 1.
Step 2 – The VPN Client establishes an ISAKMP SA.
Step 3 – The Easy VPN Server accepts the SA proposal.
Step 4 – The Easy VPN Server initiates a username and password challenge.
Step 5 – The mode configuration process is initiated.
Step 6 – The RRI process is initiated.
Step 7 – IPSec quick mode completes the connection process.
QUESTION NO: 84 Which of these are the two types of keys used when implementing GET VPN? (Choose two.)
A. key encryption
B. group encryption
C. pre-shared key
D. public key
E. private key
F. traffic encryption key
Answer: A,F
Explanation:
QUESTION NO: 85 CORRECT TEXT
Scenario: You have been given the task of performing initial zone-based policy firewall configurations. You will need to create zones, assign the zones to specific interfaces, and create zone pairs to allow for traffic flow between interfaces. You will also need to define a zone-based policy firewall and assign the policy to the zone pair. To access the router console ports, refer to the exhibit, click the router for access, and perform the following tasks.
Note that when performing the configuration, you should use the exact names highlighted in bold below:
• Globally create zones and label them with the following names: OUTSIDE and INSIDE
• Assign interfaces to zones as indicated in the exhibit
• Create a zone pair for traffic flowing from the inside to outside zones named IN-TO-OUT
• Define a zone-based firewall policy named IN-TO-OUT-POLICY
• Use the "match protocol" classification option to statefully inspect HTTP traffic and drop all other traffic
• Use a class-map named HTTP_POLICY
• Apply zone-based firewall policy IN-TO-OUT-POLICY to the zone pair
Answer: First we divide the network into two zones, INSIDE and OUTSIDE, then assign each interface to its zone.
Router(config)#zone security INSIDE
Router(config)#zone security OUTSIDE
Router(config)#interface fa0/0/1
Router(config-if)#no shutdown
Router(config-if)#zone-member security INSIDE
Router(config-if)#exit
Router(config)#interface fa0/0/0
Router(config-if)#no shutdown
Router(config-if)#zone-member security OUTSIDE
Router(config-if)#exit
! The class map identifies HTTP; everything else falls into class-default, which drops by default.
Router(config)#class-map type inspect match-any HTTP_POLICY
Router(config-cmap)#match protocol http
Router(config-cmap)#exit
Router(config)#policy-map type inspect IN-TO-OUT-POLICY
Router(config-pmap)#class type inspect HTTP_POLICY
Router(config-pmap-c)#inspect
Router(config-pmap-c)#exit
Router(config-pmap)#exit
! The zone pair is named IN-TO-OUT, as the task requires; the inspect policy is applied to it.
Router(config)#zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
Router(config-sec-zone-pair)#service-policy type inspect IN-TO-OUT-POLICY
QUESTION NO: 86 Refer to the exhibit.
What can be determined from the partial configuration shown?
A. The zone-based policy firewall is providing for bridging of non-IP protocols.
B. Since the interfaces are in the same bridge group, access policies are not required.
C. Traffic flow will be allowed to pass between the interfaces without being inspected.
D. The zone-based policy firewall is operating in transparent mode.
Answer: D
Explanation:
QUESTION NO: 87 When is it feasible for a port to be both a guest VLAN and a restricted VLAN?
A. this configuration scenario is never implemented
B. when you have configured the port for promiscuous mode
C. when private VLANs have been configured to place each end device into different subnets
D. when you want to allow both types of users the same services
Answer: D
Explanation:
QUESTION NO: 88 Refer to the exhibit.
What can be determined from the information provided in the system image output?
A. The router supports LDAP.
B. A Key Version of "A" indicates that this is an advanced IP security image of the Cisco IOS system.
C. The router is in ROM monitor mode.
D. This is a digitally-signed Cisco IOS image.
Answer: D
Explanation:
QUESTION NO: 89 Which three of these are sources used when the router is configured for URL filtering? (Choose three.)
A. Websense URL filter
B. AAA server downloadable ACLs
C. ASA URL filter feature set
D. Trend Micro cloud-based URL filter service
E. locally configured filter rules on the router
F. Cisco SenderBase URL filtering service
Answer: A,D,E
Explanation:
QUESTION NO: 90 In an 802.1X environment, which feature allows for non-802.1X-supported devices such as printers and fax machines to authenticate?
A. multiauth
B. WebAuth
C. MAB
D. 802.1X guest VLAN
Answer: C
Explanation:
QUESTION NO: 91 The advantages of virtual tunnel interfaces (VTIs) over GRE VPN solutions are which three of the following? (Choose three.)
A. VTI can support QoS.
B. VTI provides a routable interface.
C. VTI supports nonencrypted tunnels.
D. VTI is more scalable than a GRE-based VPN solution.
E. IPsec VTIs need fewer established SAs to cover different types of traffic, both unicast and multicast, thus enabling improved scaling.
F. IPsec VTIs require a loopback interface for configuration.
Answer: A,B,E
Explanation:
QUESTION NO: 92 In Cisco IOS 15.0.1M code for the router platform, which new feature has been added to the zone-based policy firewall?
A. removal of support for port-to-application matching
B. ability to configure policies for traffic that is traveling between interfaces in the same security zone
C. intrazone traffic is not freely permitted by default now
D. NBAR is not compatible with transparent firewall
Answer: B
Explanation:
QUESTION NO: 93 When configuring NAT, which three protocols that are shown may have limitations or complications when using NAT? (Choose three.)
A. Kerberos
B. HTTPS
C. NTP
D. SIP
E. FTP
F. SQL
Answer: A,D,E
Explanation:
QUESTION NO: 94 Which two answers are potential results of an attacker that is performing a DHCP server spoofing attack? (Choose two.)
A. ability to selectively change DHCP options fields of the current DHCP server, such as the giaddr field.
B. DoS
C. excessive number of DHCP discovery requests
D. ARP cache poisoning on the router
E. client unable to access network resources
Answer: B,E
Explanation:
QUESTION NO: 95 Cisco IOS Software displays the following message: DHCP_SNOOPING_5-DHCP_SNOOPING_MATCH_MAC_FAIL. What does this message indicate?
A. The message indicates that an attacker is pretending to be a DHCP server on an untrusted port.
B. The source MAC address in the Ethernet header does not match the address in the "chaddr" field of the DHCP request message.
C. The message indicates that the DHCP snooping has dropped a DHCP message that claimed an existing, legitimate host is present on an unexpected interface.
D. A Layer 2 port security MAC address violation has occurred on an interface that is set up for untrusted DHCP snooping.
Answer: B
Explanation:
QUESTION NO: 96 Refer to the exhibit.
Based on the partial configuration that is provided, if a non-802.1X client connects to a port on this switch, which VLAN will it be assigned to, and how long will it take for the port to time out and transition to the guest VLAN? (Choose all that apply.)
A. The switch is configured for the default 802.1X timeout period of 90 seconds.
B. The 802.1X authentication process will time out in 10 seconds and immediately change the port to the guest VLAN.
C. The 802.1X authentication process will time out, and the switch will roll over the port to the guest VLAN in 15 seconds.
D. The non-802.1X client and phones will all be assigned to VLAN 30.
E. The non-802.1X client will be assigned to VLAN 40.
F. The non-802.1X client will be assigned to VLAN 10.
Answer: C,E
Explanation:
QUESTION NO: 97 When 802.1X is implemented, how do the authenticator and authentication server communicate?
A. RADIUS
B. TACACS+
C. MAB
D. EAPOL
Answer: A
Explanation:
QUESTION NO: 98 Refer to the exhibit.
What can be determined about IPS updates from the configuration shown?
A. Updates will be stored on the ida-client server.
B. Updates will be stored in the directory labeled "cisco."
C. Updates will be retrieved from an external source every day of the week.
D. Updates will occur once per week on Sundays between midnight and 6 a.m. (0000 and 0600).
Answer: C
Explanation:
QUESTION NO: 99 Refer to the exhibit.
Which of these is correct based on the partial configuration shown?
A. The policy is configured to use an authentication key of "rsa-sig."
B. The policy is configured to use hashing group sha-1.
C. The policy is configured to use triple DES IPsec encryption.
D. The policy is configured to use digital certificates.
E. The policy is configured to use access list 101 to identify the IKE-protected traffic.
Answer: D
Explanation:
QUESTION NO: 100 When uploading an IPS signature package to a Cisco router, what is required for the upload to self-extract the files?
A. the idconf on the end of the copy command
B. a public key on the Cisco router
C. IPS must be disabled on the upload interface
D. HTTP Secured server must be enabled
Answer: A
Explanation:
QUESTION NO: 101 To prevent a spanning-tree attack, which command should be configured on a distribution switch port that is connected to an access switch?
A. spanning-tree portfast bpduguard default
B. spanning-tree backbone fast
C. spanning-tree bpduguard enable
D. spanning-tree guard root
Answer: D
Explanation:
QUESTION NO: 102 In a GETVPN solution, which two ways can the key server distribute the new keys to the group members during the rekey process? (Choose two.)
A. multicast UDP transmission
B. multicast TCP transmission
C. unicast UDP transmission
D. unicast TCP transmission
Answer: A,C
Explanation:
QUESTION NO: 103 You are a network administrator and are moving a web server from inside the company network to a DMZ segment that is located on a Cisco router. The web server was located at IP address 172.16.10.50 on the inside and changed to the IP address 172.20.10.5 on the DMZ. Additionally, you are moving the web port to 8080 but do not want your inside users to be affected. Which NAT statement should you configure on your router to support the change?
A. hostname(config)# ip nat inside source static 172.16.10.50 172.20.10.5
B. hostname(config)# ip nat inside source static tcp 172.16.10.50 80 172.20.10.5 8080
C. hostname(config)# ip nat outside source static tcp 172.16.10.50 80 172.20.10.5 8080
D. hostname(config)# ip nat static outside source tcp 172.20.10.5 80 172.16.10.50 8080
E. hostname(config)# ip nat static inside source udp 172.20.10.50 172.20.10.5
Answer: B
Explanation:
QUESTION NO: 104 When configuring NAT, and your solution requires the ability to see the inside local and outside global address entries and any TCP or UDP port in the show ip nat command output, how should NAT be configured on the router?
A. use the overload option on the end of your static NAT statement
B. include both static and dynamic NAT configuration on the router
C. tie the ip nat inside command to a dynamic NAT pool
D. attach a route-map to the ip nat inside command
E. configure the ip nat inside command to an extended ACL
Answer: D
Explanation:
QUESTION NO: 105 Refer to the exhibit.
You are working for a corporation that has connected its network to a partner network. Based on this partial configuration that is supplied in the exhibit, which two things happen to traffic that is inbound from the partner network (outside is 10.10.30.0/24) and the return traffic from the inside as it travels through this router? (Choose two.)
A. The source address of the IP packets that are traveling from the 10.10.30.0/24 network to 10.10.19.0/24 are translated to 172.19.1.0/24.
B. The destination address of IP packets that are traveling from 10.10.19.0/24 to any IP network is translated to 172.19.1.0/24.
C. IP traffic that is flowing from 10.10.19.0/24 to 10.10.30.0/24 has the source address translated to 172.19.1.0/24.
D. The destination address of IP packets that are traveling from 10.10.19.0/24 to 10.10.30.0/24 are translated to 172.19.1.0/24.
E. The destination address of IP packets that are traveling from 10.10.30.0/24 to 10.10.19.0/24 are translated to 172.19.1.0/24.
Answer: A,D
Explanation:
QUESTION NO: 106 You are a network administrator that is deploying a Cisco router that needs to support both PAT and site-to-site VPN on one public IP address. In order to make both work simultaneously, how should the NAT configuration be set up?
A. The VPN configuration should be set up with a static NAT configuration.
B. Because PAT does support AH, the VPN tunnel must not be configured with Encapsulating Security Payload (ESP).
C. An ACL should be attached to the nat command to permit the NAT traffic and deny the VPN traffic.
D. The nat configuration command needs to include a range of IP addresses with the overload word on the end.
E. A route-map should be used with the nat command to support the use of AH and ESP.
F. The ip nat inside command needs to exclude the VPN source address in the NAT pool.
Answer: C
Explanation:
QUESTION NO: 107 Refer to the exhibit.
Based on the configuration that is shown in the exhibit, select the three answers that apply. (Choose three.)
A. The configuration supports multidomain authentication, which allows one MAC address on the voice VLAN and one on the data VLAN.
B. Traffic will not flow for either the phone or the host computer until one device completes the 802.1X authentication process.
C. Registration and DHCP traffic will flow on either the data or voice VLAN before authentication.
D. The port will only require the 802.1X supplicant to authenticate one time.
E. MAC Authentication Bypass will be attempted only after 802.1X authentication times out.
F. Non-802.1X devices are supported on this port by setting up the host for MAC address authentication in the endpoint database.
Answer: A,C,F
Explanation:
QUESTION NO: 108 You are finding that the 802.1X-configured ports are going into the error-disable state. Which command will show you the reason why the port is in the error-disable state, and which command will automatically be re-enabled after a specific amount of time? (Choose two.)
A. show error-disable status
B. show error-disable recovery
C. show error-disable flap-status
D. error-disable recovery cause security-violation
E. error-disable recovery cause dot1x
F. error-disable recovery cause l2ptguard
Answer: B,D
Explanation:
QUESTION NO: 109 Your company has a requirement that if security is compromised on phase 1 of a Diffie-Hellman key exchange, a secondary option will strengthen the security on the IPsec tunnel. What should you implement to ensure a higher degree of key material security?
A. Diffie-Hellman Phase II ESP
B. PFS Group 5
C. Transform-set SHA-256
D. XAUTH with AAA authentication
E. Diffie-Hellman Group 5 Phase I
Answer: B
Explanation:
QUESTION NO: 110 Which solution on a Cisco router requires the loading of a protocol header definition file (PHDF)?
A. reflexive access control lists
B. NetFlow
C. Flexible Packet Matching
D. Control Plane Policing
Answer: C
Explanation:
QUESTION NO: 111 You are troubleshooting a problem for which end users are reporting connectivity issues. Your network has been configured with Layer 2 protection controls. You have determined that the DHCP snooping database is correct and that proper static addressing maps have been configured. Which of these should be your next step in troubleshooting this problem?
A. Generate a proxy ARP request and verify that the DHCP database has been updated as expected.
B. Temporarily disable DHCP snooping and test connectivity again.
C. Clear the ARP tables and have end users release and renew their DHCP-learned addressing.
D. Use a protocol analyzer to determine if there are malformed DHCP or ARP packets.
Answer: D
Explanation:
QUESTION NO: 112 You are troubleshooting a reported connectivity issue from a remote office whose users are accessing corporate headquarters via an IPsec VPN connection. You issued a show crypto isakmp sa command on the headend router, and the state has MM_NO_STATE. Which debug command should you enter next, and which part of the VPN tunnel establishment process is failing? (Choose two.)
A. ISAKMP Phase II
B. ISAKMP Phase I
C. debug crypto isakmp sa
D. debug crypto isakmp
E. debug crypto ipsec
Answer: B,D
Explanation:
QUESTION NO: 113 You are installing a brand-new, site-to-site VPN tunnel and notice that it is not working correctly. When connecting to the corporate router and issuing a show crypto ipsec sa command, you notice that for this particular SA packets are being encrypted but not decrypted. What are two potential reasons for this problem? (Choose two.)
A. XAUTH needs to be enabled.
B. Inbound and outbound IP 50 packets are being filtered at the remote site.
C. The transform-set needs to be set to transport mode.
D. The access-list attached to the crypto map at the remote site is incorrect.
E. The remote site is failing Diffie-Hellman Phase I negotiation.
F. The NAT exception on the corporate side is filtering the return packets.
Answer: B,D
Explanation:
QUESTION NO: 114 Which two of these are features of control plane security on a Cisco ISR? (Choose two.)
A. CoPP
B. RBAC
C. AAA
D. CPPr
E. uRPF
F. FPM
Answer: A,D
Explanation:
QUESTION NO: 115 Which additional configuration steps are required for a zone-based policy firewall to operate in a VRF scenario?
A. You must assign zone-based policy firewall bridge groups to work in the virtual environment.
B. Separate zone-based policy firewall policies must be defined for each VRF environment.
C. Separate zones must be defined for each virtual zone-based policy firewall instance.
D. No special zone-based policy firewall configurations are needed.
Answer: D
Explanation:
QUESTION NO: 116 You are troubleshooting an IPsec VPN problem. During debugging of IPsec operations, you see the message "attributes not acceptable" on the IKE responder after issuing the debug crypto isakmp command. Which step should you take next?
A. verify matching ISAKMP policies on each peer
B. verify that an IKE security association has been established between peers
C. verify that IPsec transform sets match on each peer
D. verify if default IPsec attributes are in place on each peer
Answer: C
Explanation:
QUESTION NO: 117 Which state is a Cisco IOS IPS signature in if it does not take an appropriate associated action even if it has been successfully compiled?
A. retired
B. disabled
C. unsupported
D. inactive
Answer: B
Explanation:
QUESTION NO: 118 Which CLI command would you use to verify installed SSL VPN licensing on a Cisco 1900, 2900, or 3900 Series ISR?
A. show crypto ssl license
B. show crypto webvpn details
C. show webvpn license
D. show webvpn ssl license count all
E. show webvpn gateway
Answer: C
Explanation:
QUESTION NO: 119 Which statement is correct regarding GRE tunnel endpoints when you are configuring GRE over IPsec?
A. The tunnel interfaces of both endpoints must be in the same IP subnet.
B. A mirror image of the IPsec crypto ACL needs to be configured to permit the interesting end-user traffic between the GRE endpoints.
C. The tunnel interfaces of both endpoints should be configured to use the outside IP address of the router as the unnumbered IP address.
D. For high availability, the GRE tunnel interface should be configured with a primary and a backup tunnel destination IP address.
Answer: A
Explanation:
QUESTION NO: 120 Refer to the exhibit.
Which of these is correct regarding the configuration parameters shown?
A. Complete certificates will be written to and stored in NVRAM.
B. The RSA key pair is valid for five hours before being revoked.
C. The router is configured as a certificate server.
D. Certificate lifetimes are mismatched and will cause intermittent connectivity errors.
E. The router has enrolled to the MY-TRUSTPOINT PKI server, which is an external CA server.
Answer: C
Explanation:
QUESTION NO: 121 Refer to the exhibit.
When you are using dynamic IPsec VTI tunnels, what can you determine about virtual-access interfaces from the output shown?
A. The Virtual-Access1 interface currently does not have an IPsec peer connection established.
B. The Virtual-Access2 interface does not yet have an IPsec peer defined.
C. The Virtual-Access1 interface is in the down/down state, because the virtual tunnel source physical interface is down.
D. The Virtual-Access1 interface, which is used internally by the Cisco IOS software, is always down.
Answer: D
Explanation:
QUESTION NO: 122 Refer to the exhibit.
Based on the partial configuration shown, which additional configuration parameter is needed under the GET VPN group member GDOI configuration?
A. key server IP address
B. local priority
C. mapping of the IPsec profile to the IPsec SA
D. mapping of the IPsec transform set to the GDOI group
Answer: A