Cisco 640-554 Exam Questions & Answers

Number: 640-554 Passing Score: 800 Time Limit: 120 min File Version: 24.7

Cisco 640-554 Exam Questions & Answers Exam Name: Implementing Cisco IOS Network Security (IINS v2.0) For Full Set of Questions please visit: http://www.braindumps.com/640-554.htm

Braindumps QUESTION 1 Which two features are supported by Cisco IronPort Security Gateway? (Choose two.) A. B. C. D. E. spam protection outbreak intelligence HTTP and HTTPS scanning email encryption DDoS protection

Correct Answer: AD Section: (none) Explanation Explanation/Reference: QUESTION 2 Which option is a feature of Cisco ScanSafe technology? A. B. C. D. spam protection consistent cloud-based policy DDoS protection RSA Email DLP

Correct Answer: B Section: (none) Explanation Explanation/Reference: QUESTION 3 Under which higher-level policy is a VPN security policy categorized? A. B. C. D. E. application policy DLP policy remote access policy compliance policy corporate WAN policy

Correct Answer: C Section: (none) Explanation Explanation/Reference: QUESTION 4 Refer to the exhibit. What does the option secret 5 in the username global configuration mode command indicate about the user password?

A. B. C. D. E. F.

It is hashed using SHA. It is encrypted using DH group 5. It is hashed using MD5. It is encrypted using the service password-encryption command. It is hashed using a proprietary Cisco hashing algorithm. It is encrypted using a proprietary Cisco encryption algorithm.

Correct Answer: C Section: (none) Explanation Explanation/Reference: QUESTION 5 What does level 5 in this enable secret global configuration mode command indicate? A. B. C. D. E. F. router#enable secret level 5 password The enable secret password is hashed using MD5. The enable secret password is hashed using SHA. The enable secret password is encrypted using Cisco proprietary level 5 encryption. Set the enable secret command to privilege level 5. The enable secret password is for accessing exec privilege level 5.

Correct Answer: E Section: (none) Explanation Explanation/Reference: QUESTION 6 Which Cisco management tool provides the ability to centrally provision all aspects of device configuration across the Cisco family of security products? A. B. C. D. Cisco Configuration Professional Security Device Manager Cisco Security Manager Cisco Secure Management Server

Correct Answer: C Section: (none) Explanation Explanation/Reference: QUESTION 7 Which option is the correct representation of the IPv6 address 2001:0000:150C:0000:0000:41B1:45A3:041D? A. B. C. D. 2001::150c::41b1:45a3:041d 2001:0:150c:0::41b1:45a3:04d1 2001:150c::41b1:45a3::41d 2001:0:150c::41b1:45a3:41d

Correct Answer: D Section: (none) Explanation Explanation/Reference: QUESTION 8 Which three options are common examples of AAA implementation on Cisco routers? (Choose three.) A. B. C. D. E. F. authenticating remote users who are accessing the corporate LAN through IPsec VPN connections authenticating administrator access to the router console port, auxiliary port, and vty ports implementing PKI to authenticate and authorize IPsec VPN peers using digital certificates tracking Cisco NetFlow accounting statistics securing the router by locking down all unused services performing router commands authorization using TACACS+

Correct Answer: ABF Section: (none) Explanation Explanation/Reference: QUESTION 9 Which two characteristics of the TACACS+ protocol are true? (Choose two.) A. B. C. D. E. uses UDP ports 1645 or 1812 separates AAA functions encrypts the body of every packet offers extensive accounting capabilities is an open RFC standard protocol

Correct Answer: BC Section: (none) Explanation Explanation/Reference: QUESTION 10 Refer to the exhibit. Which statement about this output is true?

A. B. C. D.

The user logged into the router with the incorrect username and password. The login failed because there was no default enable password. The login failed because the password entered was incorrect. The user logged in and was given privilege level 15.

Correct Answer: C Section: (none) Explanation Explanation/Reference: QUESTION 11 Refer to the exhibit. Which statement about this partial CLI configuration of an access control list is true?

A. B. C. D.

The access list accepts all traffic on the 10.0.0.0 subnets. All traffic from the 10.10.0.0 subnets is denied. Only traffic from 10.10.0.10 is allowed. This configuration is invalid. It should be configured as an extended ACL to permit the associated wildcard mask. E. From the 10.10.0.0 subnet, only traffic sourced from 10.10.0.10 is allowed; traffic sourced from the other 10.0.0.0 subnets also is allowed.

F. The access list permits traffic destined to the 10.10.0.10 host on FastEthernet0/0 from any source. Correct Answer: E Section: (none) Explanation Explanation/Reference: QUESTION 12 Which type of Cisco ASA access list entry can be configured to match multiple entries in a single statement? A. B. C. D. nested object-class class-map extended wildcard matching object groups

Correct Answer: D Section: (none) Explanation Explanation/Reference: QUESTION 13 Which statement about an access control list that is applied to a router interface is true? A. B. C. D. It only filters traffic that passes through the router. It filters pass-through and router-generated traffic. An empty ACL blocks all traffic. It filters traffic in the inbound and outbound directions.

Correct Answer: A Section: (none) Explanation Explanation/Reference: QUESTION 14 You have been tasked by your manager to implement syslog in your network. Which option is an important factor to consider in your implementation? A. Use SSH to access your syslog information. B. Enable the highest level of syslog function available to ensure that all possible event messages are logged. C. Log all messages to the system buffer so that they can be displayed when accessing the router. D. Synchronize clocks on the network with a protocol such as Network Time Protocol. Correct Answer: D Section: (none) Explanation Explanation/Reference: QUESTION 15 Which two considerations about secure network management are important? (Choose two.)

A. B. C. D. E. F.

log tampering encryption algorithm strength accurate time stamping off-site storage Use RADIUS for router commands authorization. Do not use a loopback interface for device management access.

Correct Answer: AC Section: (none) Explanation Explanation/Reference: QUESTION 16 Which command enables Cisco IOS image resilience? A. B. C. D. secure boot-<IOS image filename> secure boot-running-config secure boot-start secure boot-image

Correct Answer: D Section: (none) Explanation Explanation/Reference: QUESTION 17 Which router management feature provides for the ability to configure multiple administrative views? A. B. C. D. role-based CLI virtual routing and forwarding secure config privilege {level} parser view view name

Correct Answer: A Section: (none) Explanation Explanation/Reference: QUESTION 18 Which statement describes a best practice when configuring trunking on a switch port? A. B. C. D. E. Disable double tagging by enabling DTP on the trunk port. Enable encryption on the trunk port. Enable authentication and encryption on the trunk port. Limit the allowed VLAN(s) on the trunk to the native VLAN only. Configure an unused VLAN as the native VLAN.

Correct Answer: E Section: (none) Explanation Explanation/Reference:

QUESTION 19 Which type of Layer 2 attack causes a switch to flood all incoming traffic to all ports? A. B. C. D. MAC spoofing attack CAM overflow attack VLAN hopping attack STP attack

Correct Answer: B Section: (none) Explanation Explanation/Reference: QUESTION 20 What is the best way to prevent a VLAN hopping attack? A. B. C. D. Encapsulate trunk ports with IEEE 802.1Q. Physically secure data closets. Disable DTP negotiations. Enable BDPU guard.

Correct Answer: C Section: (none) Explanation Explanation/Reference: QUESTION 21 Which statement about PVLAN Edge is true? A. B. C. D. PVLAN Edge can be configured to restrict the number of MAC addresses that appear on a single port. The switch does not forward any traffic from one protected port to any other protected port. By default, when a port policy error occurs, the switchport shuts down. The switch only forwards traffic to ports within the same VLAN Edge.

Correct Answer: B Section: (none) Explanation Explanation/Reference: QUESTION 22 When Cisco IOS zone-based policy firewall is configured, which three actions can be applied to a traffic class? (Choose three.) A. B. C. D. E. F. pass police inspect drop queue shape

Correct Answer: ACD Section: (none)

Explanation Explanation/Reference: QUESTION 23 Which option is a key difference between Cisco IOS interface ACL configurations and Cisco ASA appliance interface ACL configurations? A. B. C. D. The Cisco IOS interface ACL has an implicit permit-all rule at the end of each interface ACL. Cisco IOS supports interface ACL and also global ACL. Global ACL is applied to all interfaces. The Cisco ASA appliance interface ACL configurations use netmasks instead of wildcard masks. The Cisco ASA appliance interface ACL also applies to traffic directed to the IP addresses of the Cisco ASA appliance interfaces. E. The Cisco ASA appliance does not support standard ACL. The Cisco ASA appliance only support extended ACL. Correct Answer: C Section: (none) Explanation Explanation/Reference: QUESTION 24 Refer to the exhibit. Using a stateful packet firewall and given an inside ACL entry of permit ip 192.16.1.0 0.0.0.255 any, what would be the resulting dynamically configured ACL for the return traffic on the outside ACL?

A. B. C. D.

permit tcp host 172.16.16.10 eq 80 host 192.168.1.11 eq 2300 permit ip 172.16.16.10 eq 80 192.168.1.0 0.0.0.255 eq 2300 permit tcp any eq 80 host 192.168.1.11 eq 2300 permit ip host 172.16.16.10 eq 80 host 192.168.1.0 0.0.0.255 eq 2300

Correct Answer: A Section: (none) Explanation Explanation/Reference: QUESTION 25 Which option is the resulting action in a zone-based policy firewall configuration with these conditions? Source: Zone 1 Destination: Zone 2 Zone pair exists?: Yes Policy exists?: No

A. B. C. D.

no impact to zoning or policy no policy lookup (pass) drop apply default policy

Correct Answer: C Section: (none) Explanation Explanation/Reference: . QUESTION 26 A Cisco ASA appliance has three interfaces configured. The first interface is the inside interface with a security level of 100. The second interface is the DMZ interface with a security level of 50. The third interface is the outside interface with a security level of 0. By default, without any access list configured, which five types of traffic are permitted? (Choose five.) A. B. C. D. E. F. G. H. I. J. outbound traffic initiated from the inside to the DMZ outbound traffic initiated from the DMZ to the outside outbound traffic initiated from the inside to the outside inbound traffic initiated from the outside to the DMZ inbound traffic initiated from the outside to the inside inbound traffic initiated from the DMZ to the inside HTTP return traffic originating from the inside network and returning via the outside interface HTTP return traffic originating from the inside network and returning via the DMZ interface HTTP return traffic originating from the DMZ network and returning via the inside interface HTTP return traffic originating from the outside network and returning via the inside interface

Correct Answer: Section: (none) Explanation Explanation/Reference: Answer: A,B,C,G,H QUESTION 27 Which two protocols enable Cisco Configuration Professional to pull IPS alerts from a Cisco ISR router? (Choose two.) A. B. C. D. E. F. syslog SDEE FTP TFTP SSH HTTPS

Correct Answer: BF Section: (none) Explanation Explanation/Reference: QUESTION 28 On Cisco ISR routers, for what purpose is the realm-cisco.pub public encryption key used? A. used for SSH server/client authentication and encryption

B. used to verify the digital signature of the IPS signature file C. used to generate a persistent self-signed identity certificate for the ISR so administrators can authenticate the ISR when accessing it using Cisco Configuration Professional D. used to enable asymmetric encryption on IPsec and SSL VPNs E. used during the DH exchanges on IPsec VPNs Correct Answer: B Section: (none) Explanation Explanation/Reference: QUESTION 29 Which four tasks are required when you configure Cisco IOS IPS using the Cisco Configuration Professional IPS wizard? (Choose four.) A. B. C. D. E. F. Select the interface(s) to apply the IPS rule. Select the traffic flow direction that should be applied by the IPS rule. Add or remove IPS alerts actions based on the risk rating. Specify the signature file and the Cisco public key. Select the IPS bypass mode (fail-open or fail-close). Specify the configuration location and select the category of signatures to be applied to the selected interface(s).

Correct Answer: ABDF Section: (none) Explanation Explanation/Reference: QUESTION 30 Which statement is a benefit of using Cisco IOS IPS? A. B. C. D. It uses the underlying routing infrastructure to provide an additional layer of security. It works in passive mode so as not to impact traffic flow. It supports the complete signature database as a Cisco IPS sensor appliance. The signature database is tied closely with the Cisco IOS image.

Correct Answer: A Section: (none) Explanation Explanation/Reference: QUESTION 31 Which IPS technique commonly is used to improve accuracy and context awareness, aiming to detect and respond to relevant incidents only and therefore, reduce noise? A. B. C. D. attack relevancy target asset value signature accuracy risk rating

Correct Answer: D Section: (none) Explanation

Explanation/Reference: QUESTION 32 Which option describes the purpose of Diffie-Hellman? A. B. C. D. used between the initiator and the responder to establish a basic security policy used to verify the identity of the peer used for asymmetric public key encryption used to establish a symmetric shared key via a public key exchange process

Correct Answer: D Section: (none) Explanation Explanation/Reference: QUESTION 33 Which three statements about the IPsec ESP modes of operation are true? (Choose three.) A. B. C. D. E. Tunnel mode is used between a host and a security gateway. Tunnel mode is used between two security gateways. Tunnel mode only encrypts and authenticates the data. Transport mode authenticates the IP header. Transport mode leaves the original IP header in the clear.

Correct Answer: ABE Section: (none) Explanation Explanation/Reference: QUESTION 34 For what purpose is the Cisco ASA appliance web launch SSL VPN feature used? A. B. C. D. E. to enable split tunneling when using clientless SSL VPN access to enable users to login to a web portal to download and launch the AnyConnect client to enable smart tunnel access for applications that are not web-based to optimize the SSL VPN connections using DTLS to enable single-sign-on so the SSL VPN users need only log in once

Correct Answer: B Section: (none) Explanation Explanation/Reference: QUESTION 35 Which statement describes how VPN traffic is encrypted to provide confidentiality when using asymmetric encryption? A. The sender encrypts the data using the sender's private key, and the receiver decrypts the data using the sender's public key. B. The sender encrypts the data using the sender's public key, and the receiver decrypts the data using the sender's private key.

C. The sender encrypts the data using the sender's public key, and the receiver decrypts the data using the receiver's public key. D. The sender encrypts the data using the receiver's private key, and the receiver decrypts the data using the receiver's public key. E. The sender encrypts the data using the receiver's public key, and the receiver decrypts the data using the receiver's private key. F. The sender encrypts the data using the receiver's private key, and the receiver decrypts the data using the sender's public key. Correct Answer: E Section: (none) Explanation Explanation/Reference: QUESTION 36 Which description of the Diffie-Hellman protocol is true? A. It uses symmetrical encryption to provide data confidentiality over an unsecured communications channel. B. It uses asymmetrical encryption to provide authentication over an unsecured communications channel. C. It is used within the IKE Phase 1 exchange to provide peer authentication. D. It provides a way for two peers to establish a shared-secret key, which only they will know, even though they are communicating over an unsecured channel. E. It is a data integrity algorithm that is used within the IKE exchanges to guarantee the integrity of the message of the IKE exchanges. Correct Answer: D Section: (none) Explanation Explanation/Reference: QUESTION 37 Which two options are characteristics of the Cisco Configuration Professional Security Audit wizard? (Choose two.) A. displays a screen with fix-it check boxes to let you choose which potential security-related configuration changes to implement B. has two modes of operation: interactive and non-interactive C. automatically enables Cisco IOS firewall and Cisco IOS IPS to secure the router D. uses interactive dialogs and prompts to implement role-based CLI E. requires users to first identify which router interfaces connect to the inside network and which connect to the outside network Correct Answer: AE Section: (none) Explanation Explanation/Reference: QUESTION 38 Which statement describes a result of securing the Cisco IOS image using the Cisco IOS image resilience feature? A. The show version command does not show the Cisco IOS image file location. B. The Cisco IOS image file is not visible in the output from the show flash command.

C. When the router boots up, the Cisco IOS image is loaded from a secured FTP location. D. The running Cisco IOS image is encrypted and then automatically backed up to the NVRAM. E. The running Cisco IOS image is encrypted and then automatically backed up to a TFTP server. Correct Answer: B Section: (none) Explanation Explanation/Reference: QUESTION 39 Which access list permits HTTP traffic sourced from host 10.1.129.100 port 3030 destined to host 192.168.1.10? A. access-list 101 permit tcp any eq 3030 B. access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 3030 192.168.1.0 0.0.0.15 eq www C. access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.1.10 0.0.0.0 eq www www.test-inexam. com 14 / 38 The safer , easier way to help you pass any IT exams. D. access-list 101 permit tcp host 192.168.1.10 eq 80 10.1.0.0 0.0.255.255 eq 3030 E. access-list 101 permit tcp 192.168.1.10 0.0.0.0 eq 80 10.1.0.0 0.0.255.255 F. access-list 101 permit ip host 10.1.129.100 eq 3030 host 192.168.1.100 eq 80 Correct Answer: B Section: (none) Explanation Explanation/Reference: QUESTION 40 Which option can be used to authenticate the IPsec peers during IKE Phase 1? A. B. C. D. E. F. Diffie-Hellman Nonce pre-shared key XAUTH integrity check value ACS AH

Correct Answer: B Section: (none) Explanation Explanation/Reference: QUESTION 41 Which single Cisco IOS ACL entry permits IP addresses from 172.16.80.0 to 172.16.87.255? A. B. C. D. E. F. permit 172.16.80.0 0.0.3.255 permit 172.16.80.0 0.0.7.255 permit 172.16.80.0 0.0.248.255 permit 176.16.80.0 255.255.252.0 permit 172.16.80.0 255.255.248.0 permit 172.16.80.0 255.255.240.0

Correct Answer: B Section: (none) Explanation Explanation/Reference: QUESTION 42 Which two options represent a threat to the physical installation of an enterprise network? (Choose two.) A. B. C. D. E. surveillance camera security guards electrical power computer room access change control

Correct Answer: CD Section: (none) Explanation Explanation/Reference: QUESTION 43 Which type of network masking is used when Cisco IOS access control lists are configured? A. B. C. D. extended subnet masking standard subnet masking priority masking wildcard masking

Correct Answer: D Section: (none) Explanation Explanation/Reference: QUESTION 44 Which type of management reporting is defined by separating management traffic from production traffic? A. B. C. D. IPsec encrypted in-band out-of-band SSH

Correct Answer: C Section: (none) Explanation Explanation/Reference: QUESTION 45 Which syslog level is associated with LOG_WARNING? A. 1 B. 2 C. 3

D. 4 E. 5 F. 6 Correct Answer: D Section: (none) Explanation Explanation/Reference: QUESTION 46 Which security measure must you take for native VLANs on a trunk port? A. Native VLANs for trunk ports should never be used anywhere else on the switch. B. The native VLAN for trunk ports should be VLAN 1. C. Native VLANs for trunk ports should match access VLANs to ensure that cross-VLAN traffic from multiple switches can be delivered to physically disparate switches. D. Native VLANs for trunk ports should be tagged with 802.1Q. Correct Answer: A Section: (none) Explanation Explanation/Reference: QUESTION 47 Refer to the exhibit. Which switch is designated as the root bridge in this topology?

www.test-inexam.com 17 / 38 The safer , easier way to help you pass any IT exams.

A. B. C. D.

It depends on which switch came on line first. Neither switch would assume the role of root bridge because they have the same default priority. switch X switch Y

Correct Answer: C Section: (none) Explanation Explanation/Reference: QUESTION 48 Which type of NAT is used where you translate multiple internal IP addresses to a single global, routable IP address? A. B. C. D. E. policy NAT dynamic PAT static NAT dynamic NAT policy PAT

Correct Answer: B Section: (none) Explanation Explanation/Reference: QUESTION 49 Which Cisco IPS product offers an inline, deep-packet inspection feature that is available in integrated services routers? A. B. C. D. Cisco iSDM Cisco AIM Cisco IOS IPS Cisco AIP-SSM

Correct Answer: C Section: (none) Explanation Explanation/Reference: QUESTION 50 During role-based CLI configuration, what must be enabled before any user views can be created? A. B. C. D. E. F. multiple privilege levels usernames and passwords aaa new-model command secret password for the root user HTTP and/or HTTPS server TACACS server group

Correct Answer: C Section: (none) Explanation Explanation/Reference: QUESTION 51 When port security is enabled on a Cisco Catalyst switch, what is the default action when the configured

maximum number of allowed MAC addresses value is exceeded? A. B. C. D. The port remains enabled, but bandwidth is throttled until old MAC addresses are aged out. The port is shut down. The MAC address table is cleared and the new MAC address is entered into the table. The violation mode of the port is set to restrict.

Correct Answer: B Section: (none) Explanation Explanation/Reference: QUESTION 52 Which three statements about the Cisco ASA appliance are true? (Choose three.) A. B. C. D. The DMZ interface(s) on the Cisco ASA appliance most typically use a security level between 1 and 99. The Cisco ASA appliance supports Active/Active or Active/Standby failover. The Cisco ASA appliance has no default MPF configurations. The Cisco ASA appliance uses security contexts to virtually partition the ASA into multiple virtual firewalls. E. The Cisco ASA appliance supports user-based access control using 802.1x. F. An SSM is required on the Cisco ASA appliance to support Botnet Traffic Filtering. Correct Answer: ABD Section: (none) Explanation Explanation/Reference: QUESTION 53 Refer to the exhibit. This Cisco IOS access list has been configured on the FA0/0 interface in the inbound direction. Which four TCP packets sourced from 10.1.1.1 port 1030 and routed to the FA0/0 interface are permitted? (Choose four.)

A. destination ip address: 192.168.15.37 destination port: 22

B. C. D. E. F.

destination ip address: 192.168.15.80 destination port: 23 destination ip address: 192.168.15.66 destination port: 8080 destination ip address: 192.168.15.36 destination port: 80 destination ip address: 192.168.15.63 destination port: 80 destination ip address: 192.168.15.40 destination port: 21

Correct Answer: BCDE Section: (none) Explanation Explanation/Reference: QUESTION 54 Which statement describes how the sender of the message is verified when asymmetric encryption is used? A. The sender encrypts the message using the sender's public key, and the receiver decrypts the www. test-inexam.com 20 / 38 The safer , easier way to help you pass any IT exams. message using the sender's private key. B. The sender encrypts the message using the sender's private key, and the receiver decrypts the message using the sender's public key. C. The sender encrypts the message using the receiver's public key, and the receiver decrypts the message using the receiver's private key. D. The sender encrypts the message using the receiver's private key, and the receiver decrypts the message using the receiver's public key. E. The sender encrypts the message using the receiver's public key, and the receiver decrypts the message using the sender's public key. Correct Answer: B Section: (none) Explanation Explanation/Reference: QUESTION 55 Which type of security control is defense in depth? A. B. C. D. threat mitigation risk analysis botnet mitigation overt and covert channels

Correct Answer: A Section: (none) Explanation Explanation/Reference: QUESTION 56 Which two options are two of the built-in features of IPv6? (Choose two.) A. B. C. D. VLSM native IPsec controlled broadcasts mobile IP

E. NAT Correct Answer: BD Section: (none) Explanation Explanation/Reference: QUESTION 57 Refer to the below. 14:00:09: TAC+: Opening TCP/IP connection to 192.168.60.15 using source 10.116.0.79 14:00:09: TAC+: Sending TCP/IP packet number 383258052-1 to 192.168.60.15 (AUTHEN/START) 14:00:09: TAC+: Receiving TCP/IP packet number 383258052-2 from 192.168.60.15 14:00:09: TAC+ (383258052): received authen response status = GETUSER 14:00:10: TAC+: send AUTHEN/CONT packet 14:00:10: www.test-inexam.com 22 / 38 The safer , easier way to help you pass any IT exams. TAC+: Sending TCP/IP packet number 383258052-3 to 192.168.60.15 (AUTHEN/CONT) 14:00:10: TAC+: Receiving TCP/IP packet number 383258052-4 from 192.168.60.15 14:00:10: TAC+ (383258052): received authen response status = GETPASS 14:00:14: TAC+: send AUTHEN/CONT packet 14:00:14: TAC+: Sending TCP/IP packet number 383258052-5 to 192.168.60.15 (AUTHEN/CONT) 14:00:14: TAC+: Receiving TCP/IP packet number 383258052-6 from 192.168.60.15 14:00:14: TAC+ (383258052): received authen response status = PASS 14:00:14: TAC+: Closing TCP/IP connection to 192.168.60.15 Which statement about this debug output is true? A. The requesting authentication request came from username GETUSER. B. The TACACS+ authentication request came from a valid user. C. The TACACS+ authentication request passed, but for some reason the user's connection was closed immediately. D. The initiating connection request was being spoofed by a different source address. Correct Answer: B Section: (none) Explanation Explanation/Reference: QUESTION 58 Which type of Cisco IOS access control list is identified by 100 to 199 and 2000 to 2699? A. standard B. extended

C. named D. IPv4 for 100 to 199 and IPv6 for 2000 to 2699 Correct Answer: B Section: (none) Explanation Explanation/Reference: QUESTION 59 Which step is important to take when implementing secure network management? A. B. C. D. E. Implement in-band management whenever possible. Implement telnet for encrypted device management access. Implement SNMP with read/write access for troubleshooting purposes. Synchronize clocks on hosts and devices. Implement management plane protection using routing protocol authentication.

Correct Answer: D Section: (none) Explanation Explanation/Reference: QUESTION 60 Which Layer 2 protocol provides loop resolution by managing the physical paths to given network segments? A. B. C. D. root guard port fast HSRP STP

Correct Answer: D Section: (none) Explanation Explanation/Reference: QUESTION 61 When STP mitigation features are configured, where should the root guard feature be deployed? A. B. C. D. toward ports that connect to switches that should not be the root bridge on all switch ports toward user-facing ports Root guard should be configured globally on the switch.

Correct Answer: A Section: (none) Explanation Explanation/Reference: QUESTION 62 Which option is a characteristic of a stateful firewall?

A. B. C. D.

can analyze traffic at the application layer allows modification of security rule sets in real time to allow return traffic will allow outbound communication, but return traffic must be explicitly permitted supports user authentication

Correct Answer: B Section: (none) Explanation Explanation/Reference: QUESTION 63 Which statement about disabled signatures when using Cisco IOS IPS is true? A. B. C. D. They do not take any actions, but do produce alerts. They are not scanned or processed. They still consume router resources. They are considered to be "retired" signatures.

Correct Answer: C Section: (none) Explanation Explanation/Reference: QUESTION 64 Which type of intrusion prevention technology is the primary type used by the Cisco IPS security appliances? A. B. C. D. E. profile-based rule-based protocol analysis-based signature-based NetFlow anomaly-based

Correct Answer: D Section: (none) Explanation Explanation/Reference: QUESTION 65 DRAG DROP

A. B. C. D. Correct Answer: Section: (none) Explanation Explanation/Reference:

QUESTION 66 DRAG DROP

A. B. C. D.

Correct Answer: Section: (none) Explanation Explanation/Reference:

Control plane secures traffic destined to the router itself Data plane secures transit traffic through the router Management plane secures router access QUESTION 67 DRAG DROP

A. B. C. D. Correct Answer: Section: (none) Explanation Explanation/Reference: www.test-inexam.com 26 / 38 The safer , easier way to help you pass any IT exams.

False positive an alarm is triggered by normal traffic or a benign action False negative a signature is not fired when offending traffic is detected True positive generates an alarm when offending traffic is detected True negative a signature is not fired when non-offending traffic is captured and analyzed QUESTION 68 DRAG DROP

A. B. C. D. Correct Answer:

Section: (none) Explanation Explanation/Reference:

Global Link-local 6to4 Site-local QUESTION 69 DRAG DROP

A. B. C. D. Correct Answer: Section: (none) Explanation Explanation/Reference:

Ports A and B root port(s) )Ports A, B, C and D designated port(s) )Ports E and F non-designated port(s) QUESTION 70 DRAG DROP Match the descriptions on the left with the IKE phases on the right.

A. B. C. D. Correct Answer: Section: (none) Explanation

Explanation/Reference:

QUESTION 71 DRAG DROP

A. B. C. D.

Correct Answer: Section: (none) Explanation Explanation/Reference:

Can permit or deny traffic based on IP address Can permit or deny traffic based on protocol Can permit or deny based on source and destination ports QUESTION 72 DRAG DROP

A. B. C. D. Correct Answer: Section: (none) Explanation Explanation/Reference:

TACACS+ Uses TCP Separates the authentication, authorization, and accounting functions Encrypts the entire body of the packet Supports authorization of router commands on a per-user of per-group basis RADIUS Uses UDP Combines the authentication and authorization functions Encrypts only the password QUESTION 73 CORRECT TEXT

A. B. C. D. Correct Answer: Section: (none) Explanation Explanation/Reference: Switch1>enable Switch1#config t Switch1(config)#interface fa0/12 Switch1(config-if)#switchport mode access Switch1(config-if)#switchport port-security maximum 2 Switch1(config-if)#switchport port-security violation shutdown Switch1(config-if)#no shut Switch1(config-if)#end Switch1#copy run start QUESTION 74 Scenario: You are the security admin for a small company. This morning your manager has supplied you with a list of Cisco ISR and CCP configuration questions. Using CCP, your job is to navigate the pre-configured CCP in order to find answers to your business question. Which four properties are included in the inspection Cisco Map OUT_SERVICE? (Choose four)

A. B. C. D. E. F.

FTP HTTP HTTPS SMTP P2P ICMP

Correct Answer: ABEF Section: (none) Explanation Explanation/Reference: QUESTION 75 Scenario: You are the security admin for a small company. This morning your manager has supplied you with a list of Cisco ISR and CCP configuration questions. Using CCP, your job is to navigate the pre-configured CCP in order to find answers to your business question. Which Class Map is used by the INBOUND Rule?

A. B. C. D.

SERVICE_IN Class-map-ccp-cls-2 Ccp-cts-2 Class-map SERVICE_IN

Correct Answer: B Section: (none) Explanation Explanation/Reference: QUESTION 76 Scenario: You are the security admin for a small company. This morning your manager has supplied you with a list of Cisco ISR and CCP configuration questions. Using CCP, your job is to navigate the pre-configured CCP in order to find answers to your business question. Which policy is assigned to Zone Pair sdm-zip-OUT-IN?

A. B. C. D.

Sdm-cls-http OUT_SERVICE Ccp-policy-ccp-cls-1 Ccp-policy-ccp-cls-2

Correct Answer: D Section: (none) Explanation Explanation/Reference: