
Cisco 642-825

Implementing Secure Converged Wide Area Networks


Q&A Version 2010-02-16
It will provide you questions and answers carefully compiled and written by our experts. Try to understand the concepts behind the questions instead of cramming the questions.
Go through the entire document at least twice so that you make sure that you are not missing anything.
Exam A
QUESTION 1
Which two statements about common network attacks are true? (Choose two.)
A. Access attacks can consist of password attacks, trust exploitation, port redirection, and man-in-the-middle attacks.
B. Access attacks can consist of password attacks, ping sweeps, port scans, and man-in-the-middle attacks.
C. Access attacks can consist of packet sniffers, ping sweeps, port scans, and man-in-the-middle attacks.
D. Reconnaissance attacks can consist of password attacks, trust exploitation, port redirection and Internet information queries.
E. Reconnaissance attacks can consist of packet sniffers, port scans, ping sweeps, and Internet information queries.
F. Reconnaissance attacks can consist of ping sweeps, port scans, man-in-middle attacks and Internet information queries.
Answer: AE
Section: (none)
Explanation/Reference:
QUESTION 2
Which two statements about the Cisco AutoSecure feature are true? (Choose two.)
A. All passwords entered during the AutoSecure configuration must be a minimum of 8 characters in length.
B. Cisco123 would be a valid password for both the enable password and the enable secret commands.
C. The auto secure command can be used to secure the router login as well as the NTP and SSH protocols.
D. For an interactive full session of AutoSecure, the auto secure login command should be used.
E. If the SSH server was configured, the 1024 bit RSA keys are generated after the auto secure command is enabled.
Answer: CE
Section: (none)
Explanation/Reference:
QUESTION 3
Which three statements are correct about MPLS-based VPNs? (Choose three.)
A. Route Targets (RTs) are attributes attached to a VPNv4 BGP route to indicate its VPN membership.
B. Scalability becomes challenging for a very large, fully meshed deployment.
C. Authentication is done using a digital certificate or pre-shared key.
D. A VPN client is required for client-initiated deployments.
E. A VPN client is not required for users to interact with the network.
F. An MPLS-based VPN is highly scalable because no site-to-site peering is required.
Answer: AEF
Section: (none)
Explanation/Reference:
QUESTION 4
Which two statements are true about broadband cable (HFC) systems? (Choose two.)
PassGuide.com - Make You Succeed To Pass IT Exams
PassGuide 642-825
A. Cable modems only operate at Layer 1 of the OSI model.
B. Cable modems operate at Layers 1 and 2 of the OSI model.
C. Cable modems operate at Layers 1, 2, and 3 of the OSI model.
D. A function of the cable modem termination system (CMTS) is to convert the modulated signal from the cable modem into a digital signal.
E. A function of the cable modem termination system is to convert the digital data stream from the end user host into a modulated RF signal for transmission onto the cable system.
Answer: BD
Section: (none)
Explanation/Reference:
QUESTION 5
Which form of DSL technology is typically used as a replacement for T1 lines?
A. VDSL
B. HDSL
C. ADSL
D. SDSL
E. G.SHDSL
F. IDSL
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 6
Refer to the exhibit. Which two statements about the AAA configuration are true? (Choose two.)
A. A good security practice is to have the none parameter configured as the final method used to ensure that no other authentication method will be used.
B. If a TACACS+ server is not available, then a user connecting via the console port would not be able to gain access since no other authentication method has been defined.
C. If a TACACS+ server is not available, then the user Bob could be able to enter privileged mode as long as the proper enable password is entered.
D. The aaa new-model command forces the router to override every other authentication method previously configured for the router lines.
E. To increase security, group radius should be used instead of group tacacs+.
F. Two authentication options are prescribed by the displayed aaa authentication command.
Answer: DF
Section: (none)
Explanation/Reference:
QUESTION 7
Which two Network Time Protocol (NTP) statements are true? (Choose two.)
A. A stratum 0 time server is required for NTP operation.
B. NTP is enabled on all interfaces by default, and all interfaces receive NTP packets.
C. NTP operates on IP networks using User Datagram Protocol (UDP) port 123.
D. The ntp server global configuration is used to configure the NTP master clock to which other peers synchronize themselves.
E. The show ntp status command displays detailed association information of all NTP peers.
F. Whenever possible, configure NTP version 5 because it automatically provides authentication and encryption services.
Answer: BC
Section: (none)
Explanation/Reference:
QUESTION 8
What are the two main features of Cisco IOS Firewall? (Choose two.)
A. TACACS+
B. AAA
C. Cisco Secure Access Control Server
D. Intrusion Prevention System
E. Authentication Proxy
Answer: DE
Section: (none)
Explanation/Reference:
QUESTION 9
Refer to the exhibit. On the basis of the partial configuration, which two statements are true? (Choose two.)
A. A CBAC inspection rule is configured on router RTA.
B. A named ACL called SDM_LOW is configured on router RTA.
C. A QoS policy has been applied on interfaces Serial 0/0 and FastEthernet 0/1.
D. Interface Fa0/0 should be the inside interface and interface Fa0/1 should be the outside interface.
E. On interface Fa0/0, the ip inspect statement should be incoming.
F. The interface commands ip inspect SDM_LOW in allow CBAC to monitor multiple protocols.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 10
Which two statements describe the functions and operations of IDS and IPS systems? (Choose two.)
A. A network administrator entering a wrong password would generate a true-negative alarm.
B. A false positive alarm is generated when an IDS/IPS signature is correctly identified.
C. An IDS is significantly more advanced over IPS because of its ability to prevent network attacks.
D. Cisco IDS works inline and stops attacks before they enter the network.
E. Cisco IPS taps the network traffic and responds after an attack.
F. Profile-based intrusion detection is also known as "anomaly detection".
Answer: BF
Section: (none)
Explanation/Reference:
QUESTION 11
Which IOS command would display IPS default values that may not be displayed using the show running-config command?
A. show ip ips configuration
B. show ip ips interface
C. show ip ips statistics
D. show ip ips session
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 12
Refer to the exhibit. What statement is true about the interface S1/0 on router R1?
A. Labeled packets can be sent over an interface.
B. MPLS Layer 2 negotiations have occurred.
C. IP label switching has been disabled on this interface.
D. None of the MPLS protocols have been configured on the interface.
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 13
Which two statements about packet sniffers or packet sniffing are true? (Choose two.)
A. To reduce the risk of packet sniffing, traffic rate limiting and RFC 2827 filtering should be used.
B. Packet sniffers can only work in a switched Ethernet environment.
C. To reduce the risk of packet sniffing, cryptographic protocols such as Secure Shell Protocol (SSH) and Secure Sockets Layer (SSL) should be used.
D. To reduce the risk of packet sniffing, strong authentication, such as one time passwords, should be used.
Answer: CD
Section: (none)
Explanation/Reference:
QUESTION 14
Which two network attack statements are true? (Choose two.)
A. Access attacks can consist of password attacks, trust exploitation, port redirection, and man-in-the-middle attacks.
B. Access attacks can consist of UDP and TCP SYN flooding, ICMP echo-request floods, and ICMP directed broadcasts.
C. DoS attacks can be reduced through the use of access control configuration, encryption, and RFC 2827 filtering.
D. DoS attacks can consist of IP spoofing and DDoS attacks.
E. IP spoofing can be reduced through the use of policy-based routing.
F. IP spoofing exploits known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information.
Answer: AD
Section: (none)
Explanation/Reference:
QUESTION 15
Which three techniques should be used to secure management protocols? (Choose three.)
A. Configure SNMP with only read-only community strings.
B. Encrypt TFTP and syslog traffic in an IPSec tunnel.
C. Implement RFC 3704 filtering at the perimeter router when allowing syslog access from devices on the outside of a firewall.
D. Synchronize the NTP master clock with an Internet atomic clock.
E. Use SNMP version 2.
F. Use TFTP version 3 or above because these versions support a cryptographic authentication mechanism between peers.
Answer: ABC
Section: (none)
Explanation/Reference:
QUESTION 16
Refer to the exhibit. Which three tasks can be configured using the IPS Policies wizard via the Cisco Security Device Manager (SDM)? (Choose three.)
A. the configuration of an IP address and the enabling of the interface
B. the selection of the encapsulation on the WAN interfaces
C. the selection of the interface to apply the IPS rule
D. the selection of the traffic flow direction that should be inspected by the IPS rules
E. the creation of the signature definition file (SDF) to be used by the router
F. the location of the signature definition file (SDF) to be used by the router
Answer: CD
Section: (none)
Explanation/Reference:
QUESTION 17
Which two statements about the AutoSecure feature are true? (Choose two.)
A. AutoSecure automatically disables the CDP feature.
B. If you enable AutoSecure, the minimum length of the login and enable passwords is set to 6 characters.
C. The auto secure full command automatically configures the management and forwarding planes without any user interaction.
D. To enable AutoSecure, the auto secure global configuration command must be used.
E. Once AutoSecure has been configured, the user can launch the SDM Web interface to perform a security audit.
Answer: AB
Section: (none)
Explanation/Reference:
QUESTION 18
Refer to the exhibit. Which two statements about the Network Time Protocol (NTP) are true? (Choose two.)
A. Router RTA will adjust for eastern daylight savings time.
B. To enable authentication, the ntp authenticate command is required on routers RTA and RTB.
C. To enable NTP, the ntp master command must be configured on routers RTA and RTB.
D. Only NTP time requests are allowed from the host with IP address 10.1.1.1.
E. The preferred time source located at 130.207.244.240 will be used for synchronization regardless of the other time sources.
Answer: AB
Section: (none)
Explanation/Reference:
QUESTION 19
Refer to the exhibit. All routers participate in the MPLS domain. An IGP propagates the routing information for network 10.10.10.0/24 from R5 to R1. However, router R3 summarizes the routing information to 10.10.0.0/16. How will the routes be propagated through the MPLS domain?
A. R3, using LDP, will advertise labels for both networks, and the information will be propagated throughout the MPLS domain.
B. R3 will label the summary route using a pop label. The route will then be propagated through the rest of the MPLS domain. R3 will label the 10.10.10.0/24 network and forward to R2 where the network will be dropped.
C. R3 will label the 10.10.10.0/24 network using a pop label which will be propagated through the rest of the MPLS domain. R3 will label the summary route and forward to R2 where the network will be dropped.
D. None of the networks will be labeled and propagated through the MPLS domain because aggregation breaks the MPLS domain.
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 20
Refer to the exhibit, which shows a PPPoA diagram and partial SOHO77 configuration. Which command needs to be applied to the SOHO77 to complete the configuration?
A. encapsulation aal5snap applied to the PVC
B. encapsulation aal5ciscoppp applied to the PVC
C. encapsulation aal5ciscoppp applied to the ATM0 interface
D. encapsulation aal5mux ppp dialer applied to the ATM0 interface
E. encapsulation aal5mux ppp dialer applied to the PVC
Answer: E
Section: (none)
Explanation/Reference:
QUESTION 21
Which three statements about frame-mode MPLS are true? (Choose three.)
A. MPLS has three distinct components consisting of the data plane, the forwarding plane, and the control plane.
B. The control plane is a simple label-based forwarding engine that is independent of the type of routing protocol or label exchange protocol.
C. The CEF FIB table contains information about outgoing interfaces and their corresponding Layer 2 header.
D. The MPLS data plane takes care of forwarding based on either destination addresses or labels.
E. To exchange labels, the control plane requires protocols such as Tag Distribution Protocol (TDP) or MPLS Label Distribution Protocol (LDP).
F. Whenever a router receives a packet that should be CEF-switched, but the destination is not in the FIB, the packet is dropped.
Answer: DEF
Section: (none)
Explanation/Reference:
QUESTION 22
Which three statements about IOS Firewall configurations are true? (Choose three.)
A. The IP inspection rule can be applied in the inbound direction on the secured interface.
B. The IP inspection rule can be applied in the outbound direction on the unsecured interface.
C. The ACL applied in the outbound direction on the unsecured interface should be an extended ACL.
D. The ACL applied in the inbound direction on the unsecured interface should be an extended ACL.
E. For temporary openings to be created dynamically by Cisco IOS Firewall, the access-list for the returning traffic must be a standard ACL.
F. For temporary openings to be created dynamically by Cisco IOS Firewall, the IP inspection rule must be applied to the secured interface.
Answer: ABD
Section: (none)
Explanation/Reference:
QUESTION 23
What are three features of the Cisco IOS Firewall feature set? (Choose three.)
A. network-based application recognition (NBAR)
B. authentication proxy
C. stateful packet filtering
D. AAA services
E. proxy server
F. IPS
Answer: BCF
Section: (none)
Explanation/Reference:
QUESTION 24
Which statement describes the Authentication Proxy feature?
A. All traffic is permitted from the inbound to the outbound interface upon successful authentication of the user.
B. A specific access profile is retrieved from a TACACS+ or RADIUS server and applied to an IOS Firewall based on user provided credentials.
C. Prior to responding to a proxy ARP, the router will prompt the user for a login and password which are authenticated based on the configured AAA policy.
D. The proxy server capabilities of the IOS Firewall are enabled upon successful authentication of the user.
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 25
Which two statements about an IDS are true? (Choose two.)
A. The IDS is in the traffic path.
B. The IDS can send TCP resets to the source device.
C. The IDS can send TCP resets to the destination device.
D. The IDS listens promiscuously to all traffic on the network.
E. Default operation is for the IDS to discard malicious traffic.
Answer: BD
Section: (none)
Explanation/Reference:
QUESTION 26
Which statement about an IPS is true?
A. The IPS is in the traffic path.
B. Only one active interface is required.
C. Full benefit of an IPS will not be realized unless deployed in conjunction with an IDS.
D. When malicious traffic is detected, the IPS will only send an alert to a management station.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 27
Which three categories of signatures can a Cisco IPS microengine identify? (Choose three.)
A. DDoS signatures
B. strong signatures
C. exploit signatures
D. numeric signatures
E. spoofing signatures
F. connection signatures
Answer: ACF
Section: (none)
Explanation/Reference:
QUESTION 28
Which two statements are true about signatures in a Cisco IOS IPS? (Choose two.)
A. The action of a signature can be enabled on a per-TCP-session basis.
B. Common signatures are hard-coded into the IOS image.
C. IOS IPS signatures are propagated with the SDEE protocol.
D. IOS IPS signatures are stored in the startup config of the router.
E. Selection of an SDF file should be based on the amount of RAM memory available on the router.
Answer: BE
Section: (none)
Explanation/Reference:
QUESTION 29
Which two active response capabilities can be configured on an intrusion detection system (IDS) in response to malicious traffic detection? (Choose two.)
A. the initiation of dynamic access lists on the IDS to prevent further malicious traffic
B. the configuration of network devices to prevent malicious traffic from passing through
C. the shutdown of ports on intermediary devices
D. the transmission of a TCP reset to the offending end host
E. the invoking of SNMP-sourced controls
Answer: BD
Section: (none)
Explanation/Reference:
QUESTION 30
What two proactive preventive actions are taken by an intrusion prevention system (IPS) when malicious traffic is detected? (Choose two.)
A. The IPS shuts down intermediary ports.
B. The IPS invokes SNMP-enabled controls.
C. The IPS sends an alert to the management station.
D. The IPS enables a dynamic access list.
E. The IPS denies malicious traffic.
Answer: CE
Section: (none)
Explanation/Reference:
QUESTION 31
Refer to the exhibit. What is the VPN IPv4 label for the network 172.16.13.0/24?
A. 17
B. 17, 12308
C. 12308
D. 11
Answer: C
Section: (none)
Explanation/Reference:
QUESTION 32
Refer to the exhibit. What does the "26" in the first two hop outputs indicate?
A. the outer label used to determine the next hop
B. the IPv4 label for the destination network
C. the IPv4 label for the forwarding router
D. the IPv4 label for the destination router
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 33
Refer to the exhibit. Which statement is true about the partial MPLS configuration that is shown?
A. The route-target both 100:2 command sets import and export route-targets for vrf2.
B. The route-target both 100:2 command changes a VPNv4 route to a IPv4 route.
C. The route-target import 100:1 command sets import route-targets routes specified by the route map.
D. The route-target import 100:1 command sets import route-targets for vrf2 that override the other route-target configuration.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 34
What are three configurable parameters when editing signatures in Security Device Manager (SDM)? (Choose three.)
A. AlarmSeverity
B. AlarmKeepalive
C. AlarmTraits
D. EventMedia
E. EventAlarm
F. EventAction
Answer: ACF
Section: (none)
Explanation/Reference:
QUESTION 35
Refer to the exhibit. Which two statements are true about the authentication method used to authenticate users who want privileged access into Router1? (Choose two.)
A. All users will be authenticated using the RADIUS server. If the RADIUS server is unavailable, the router will attempt to authenticate the user using its local database.
B. All users will be authenticated using the RADIUS server. If the RADIUS server is unavailable, the authentication process stops and no other authentication method is attempted.
C. All users will be authenticated using the RADIUS server. If the user authentication fails, the router will attempt to authenticate the user using its local database.
D. All users will be authenticated using the RADIUS server. If the user authentication fails, the authentication process stops and no other authentication method is attempted.
E. The default login authentication method is applied automatically to all lines including console, auxiliary, TTY, and VTY lines.
Answer: AD
Section: (none)
Explanation/Reference:
QUESTION 36
Refer to the exhibit. Which statement about the authentication process is true?
A. The LIST1 list will disable authentication on the console port.
B. Because no method list is specified, the LIST1 list will not authenticate anyone on the console port.
C. All login requests will be authenticated using the group tacacs+ method.
D. All login requests will be authenticated using the local database method.
E. The default login authentication will automatically be applied to all login connections.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 37
Refer to the exhibit. Which statement is true?
A. A PPPoE session is established.
B. A PPPoE session is rejected because of the per-MAC session limit.
C. The MAC address of the remote router is 0001.c9f0.0c1c.
D. The CPE router is configured as a PPPoE client over an Ethernet interface.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 38
Refer to the exhibit. On the basis of the information that is provided, which two statements are true? (Choose two.)
A. An IPS policy can be edited by choosing the Edit button.
B. Right-clicking on an interface will display a shortcut menu with options to edit an action or to set severity levels.
C. The Edit IPS window is currently in Global Settings view.
D. The Edit IPS window is currently in IPS Policies view.
E. The Edit IPS window is currently in Signatures view.
F. To enable an IPS policy on an interface, click on the interface and deselect Disable.
Answer: AD
Section: (none)
Explanation/Reference:
QUESTION 39
Refer to the exhibit. The SDM IPS Policies wizard is displaying the Select Interfaces window. Which procedure is best for applying IPS rules to interfaces?
A. Apply the IPS rules in the outbound direction on interfaces where outgoing malicious traffic is likely.
B. Apply the IPS rules in the outbound direction on interfaces where incoming malicious traffic is likely.
C. Apply the IPS rules in the inbound direction on interfaces where incoming malicious traffic is likely.
D. Apply the rules in the inbound direction on interfaces where outgoing malicious traffic is likely.
E. Apply the IPS rules both in the inbound and outbound direction on all interfaces.
Answer: C
Section: (none)
Explanation/Reference:
QUESTION 40
Refer to the exhibit. Which statement describes the results of clicking the OK button in the Security Device Manager (SDM) Add a Signature Location window?
A. SDM will respond with a message asking for the URL that points to the 256MB.sdf file.
B. Cisco IOS IPS will choose to load the 256MB.sdf only if the Built-in Signatures (as backup) check box is unchecked.
C. If Cisco IOS IPS fails to load the 256MB.sdf, it will load the built-in signatures provided the Built-in Signatures (as backup) check box is checked.
D. Cisco IOS IPS will choose to load the 256MB.sdf and then also add the Cisco IOS built-in signatures.
E. SDM will respond with an error that indicates that no such file exists.
Answer: C
Section: (none)
Explanation/Reference:
QUESTION 41
Refer to the exhibit. Which statement best describes Security Device Event Exchange (SDEE)?
A. It is an application level communications protocol that is used to exchange IPS messages between IPS clients and servers.
B. It is a process for ensuring IPS communication between the SDM-enabled devices.
C. It is a suite of protocols for ensuring IPS communication between the SDM-enabled devices.
D. It is an OSI level-7 protocol, and it is used to exchange IPS messages between IPS agents.
E. The primary purpose of SDEE is for SDM users to send messages to IPS agents.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 42
Refer to the exhibit. When editing the Invalid DHCP Packet signature using security device manager (SDM), which additional severity levels can be chosen? (Choose three.)
A. low
B. urgent
C. high
D. debug
E. informational
F. warning
Answer: ACE
Section: (none)
Explanation/Reference:
QUESTION 43
Which three statements about hybrid fiber-coaxial (HFC) networks are true? (Choose three.)
A. A tap produces a significantly larger output signal.
B. An amplifier divides the input RF signal power to provide subscriber drop connections.
C. Baseband sends multiple pieces of data simultaneously to increase the effective rate of transmission.
D. Downstream is the direction of an RF signal transmission (TV channels and data) from the source (headend) to the destination (subscribers).
E. The term CATV refers to residential cable systems.
F. Upstream is the direction from subscribers to the headend.
Answer: DEF
Section: (none)
Explanation/Reference:
QUESTION 44
Which two statements about the transmission of signals over a cable network are true? (Choose two.)
A. Downstream signals travel from the cable operator to the subscriber and use frequencies in the range of 5 to 42 MHz.
B. Downstream signals travel from the cable operator to the subscriber and use frequencies in the range of 50 to 860 MHz.
C. Downstream and upstream signals operate in the same frequency ranges.
D. Upstream signals travel from the subscriber to the cable operator and use frequencies in the range of 5 to 42 MHz.
E. Upstream signals travel from the subscriber to the cable operator and use frequencies in the range of 50 to 860 MHz.
Answer: BD
Section: (none)
Explanation/Reference:
QUESTION 45
Refer to the exhibit. On the basis of the partial output that is displayed in the exhibit, which two statements are true? (Choose two.)
A. The ISP router initiated the connection to the CPE router.
B. The output is the result of the debug pppoe events command.
C. The output is the result of the debug ppp authentication command.
D. The output is the result of the debug ppp negotiation command.
E. This is the CPE router.
F. This is the ISP router.
Answer: CE
Section: (none)
Explanation/Reference:
QUESTION 46
Refer to the exhibit. On the basis of the presented information, which configuration was completed on the router CPE?
A. CPE(config)# ip nat inside source list 101 interface Dialer0 CPE(config)# access-list 101 permit ip 10.0.0.0 0.255.255.255 any
B. CPE(config)# ip nat inside source list 101 interface Dialer0 overload CPE(config)# access-list 101 permit ip 10.0.0.0 0.255.255.255 any
C. CPE(config)# ip nat inside source list 101 interface Ethernet 0/0 CPE(config)# access-list 101 permit ip 10.0.0.0 0.255.255.255 any
D. CPE(config)# ip nat inside source list 101 interface Ethernet 0/0 overload CPE(config)# access-list 101 permit ip 10.0.0.0 0.255.255.255 any
E. CPE(config)# ip nat inside source list 101 interface Ethernet 0/1 CPE(config)# access-list 101 permit ip 10.0.0.0 0.255.255.255 any
F. CPE(config)# ip nat inside source list 101 interface Ethernet 0/1 overload CPE(config)# access-list 101 permit ip 10.0.0.0 0.255.255.255 any
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 47
An administrator is troubleshooting an ADSL connection. For which OSI layer is the ping atm interface command useful for probing problems?
A. Layer 1
B. Layer 2
C. Layer 3
D. Layer 4
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 48
Which two devices serve as the main endpoint components in a DSL data service network? (Choose two.)
A. SOHO workstation
B. ATU-R
C. ATU-C
D. POTS splitter
E. CO switch
Answer: BC
Section: (none)
Explanation/Reference:
QUESTION 49
Which IOS command will display IPS default values that may not be displayed using the show running-config command?
A. show ip ips session
B. show ip ips interface
C. show ip ips statistics
D. show ip ips configuration
E. show ip ips running-config
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 50
Refer to the exhibit. Which of the configuration tasks would allow you to quickly deploy default signatures?
A. firewall and ACLs
B. security audit
C. routing
D. NAT
E. intrusion prevention
F. NAC
Answer: E
Section: (none)
Explanation/Reference:
QUESTION 51
What are two possible actions Cisco IOS IPS can take if a packet in a session matches a signature? (Choose two.)
A. drop the packet
B. forward the packet
C. quartile the packet
D. reset the connection
E. check the packet against an ACL
Answer: AD
Section: (none)
Explanation/Reference:
QUESTION 52
A router interface is configured with an inbound access control list and an inspection rule. How will an inbound packet on this interface be processed?
A. It will be processed by the inbound ACL. If the packet is dropped by the ACL, then it will be processed by the inspection rule.
B. It will be processed by the inbound ACL. If the packet is not dropped by the ACL, then it will be processed by the inspection rule.
C. It will be processed by the inspection rule. If the packet matches the inspection rule, the inbound ACL will be invoked.
D. It will be processed by the inspection rule. If the packet does not match the inspection rule, the inbound ACL will be invoked.
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 53
Which two statements are true about the Cisco Classic (CBAC) IOS Firewall set? (Choose two.)
A. It can be used to block bulk encryption attacks.
B. It can be used to protect against denial of service attacks.
C. Traffic originating from the router is considered trusted, so it is not inspected.
D. Based upon the custom firewall rules, an ACL entry is statically created and added to the existing ACL permanently.
E. Temporary ACL entries that allow selected traffic to pass are created and persist for the duration of the communication session.
Answer: BE
Section: (none)
Explanation/Reference:
QUESTION 54
Which command displays the settings used by the current IPsec security associations?
A. debug crypto isakmp sa
B. show crypto isakmp sa
C. show crypto isakmp key
D. show crypto ipsec sa
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 55
Which two statements about management protocols are true? (Choose two.)
A. IGMP should be enabled on edge interfaces to allow remote testing.
B. NTP version 3 or later should be used because these versions support the use of a cryptographic authentication mechanism between peers.
C. SNMP version 3 is recommended since it provides authentication and encryption services for management packets.
D. NTP version 3 or later should be used because these versions support the use of a RADIUS-based authentication mechanism between peers.
E. SNMP version 3 is recommended since it provides a RADIUS-based authentication mechanism between peers.
Answer: BC
Section: (none)
Explanation/Reference:
QUESTION 56
Which two statements about packet sniffers or packet sniffing are true? (Choose two.)
A. Packet sniffers can only work in a switched Ethernet environment.
B. To reduce the risk of packet sniffing, traffic rate limitation and RFC 2827 filtering should be used.
C. To reduce the risk of packet sniffing, cryptographic protocols such as SSH and SSL should be used.
D. To reduce the risk of packet sniffing, strong authentication, such as one-time passwords, should be used.
Answer: CD
Section: (none)
Explanation/Reference:
QUESTION 57
Refer to the exhibit. Based on this partial configuration, which two statements are true? (Choose two.)
A. You can log into the console using either the "cisco" or "sanfran" password.
B. The local parameter is missing at the end of each aaa authentication LOCAL-AUTH command.
C. The aaa authentication default command should be issued for each line instead of the login authentication LOCAL_AUTH command.
D. This is an example of a self-contained AAA configuration using the local database.
E. To make the configuration more secure, the none parameter should be added to the end of the aaa authentication login LOCAL_AUTH local command.
F. To successfully establish a Telnet session with RTA, a user can enter the username Bob and password cisco.
Answer: DF
Section: (none)
Explanation/Reference:
QUESTION 58
Refer to the exhibit. Routers RTB and RTC have established LDP neighbor sessions. During troubleshooting, you discovered that labels are being distributed between the two routers but no label swapping information is in the LFIB. What is the most likely cause of this problem?
A. The IGP is summarizing the address space.
B. IP Cisco Express Forwarding has not been enabled on both RTB and RTC.
C. BGP neighbor sessions have not been configured on both routers.
D. LDP has been enabled on one router and TDP has been enabled on the other.
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 59
Refer to the exhibit. A PPPoA DSL diagram and partial configuration are shown. You would like to allow the router to automatically receive its IP address from the service provider's DSLAM. Which configuration statement or statements do you need to add to SOHO77, and to which interface or interfaces?
A. ip nat outside applied to the ATM0 interface
B. ip address negotiated applied to the dialer0 interface
C. ip address negotiated applied to the ATM0/0 interface
D. ip address 0.0.0.0 255.255.255.255 applied to the dialer0 interface and ip nat outside applied to the ATM0/0 interface
E. ip address 0.0.0.0 255.255.255.255 applied to the ATM0/0 interface and ip nat outside applied to the dialer0 interface
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 60
Refer to the exhibit. The DSL router with this partial configuration is connected to a service provider using a PPPoE session over an ATM interface. FTP traffic, generated from inside the network 10.92.1.0/24, fails to reach the PPPoE server. What should be configured on the DSL Router to fix the problem?
A. The ip mtu command with a bytes argument set greater than 1492 needs to be configured for the Dialer1 interface.
B. The ip mtu command with a bytes argument set lower than 1492 needs to be configured for the Dialer1 interface.
C. The ip mtu command with a bytes argument set greater than 1492 needs to be configured for the ATM0 interface.
D. The ip mtu command with a bytes argument set lower than 1492 needs to be configured for the ATM0 interface.
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 61
Refer to the exhibit. The show mpls interfaces detail command has been used to display information about the interfaces on MPLS edge router R1 that have been configured for label switching. Which statement about R1 is true?
A. MPLS is not operating on Fa1/0, because the MTU size has exceeded the 1500 limit of Ethernet.
B. The router has established a TDP session with its neighbor on Fa0/1. Packets can be labeled and forwarded out that interface.
C. LSP tunnel labeling has not been enabled on either interface Fa0/0 or Fa1/1, therefore MPLS is not operating on Fa0/1.
D. The router has established an LDP session with its neighbor on Fa1/1. However, packets cannot be forwarded out that interface because MPLS is not operational.
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 62
Refer to the exhibit. Which statement about this Cisco IOS Firewall configuration is true?
A. Outbound TCP sessions are blocked, preventing inside users from browsing the Internet.
B. INSIDEACL permits outbound HTTP sessions; INSIDEACL is applied to the outside interface in the inbound direction.
C. OUTSIDEACL permits inbound SMTP and HTTP; OUTSIDEACL is applied to the inside interface in the outbound direction.
D. ICMP unreachable "packet-too-big" messages are rejected on all interfaces to prevent DDoS attacks.
E. The TCP inspection will automatically allow return traffic for the outbound HTTP sessions and inbound SMTP and HTTP sessions.
Answer: E
Section: (none)
Explanation/Reference:
QUESTION 63
What is an MPLS forwarding equivalence class?
A. a set of destination networks forwarded from the same ingress router
B. a set of destination networks forwarded to the same egress router
C. a set of source networks forwarded from the same ingress router
D. a set of source networks forwarded to the same egress router
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 64
Which approach for identifying malicious traffic involves looking for a fixed sequence of bytes in a single packet or in predefined content?
A. policy-based
B. anomaly-based
C. honeypot-based
D. signature-based
E. regular-expression-based
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 65
Which Cisco SDM feature expedites the deployment of the default IPS settings and provides configuration steps for interface and traffic flow selection, SDF location, and signature deployment?
A. IPS Edit menu
B. IPS Command wizard
C. IPS Policies wizard
D. IPS Signature wizard
Answer: C
Section: (none)
Explanation/Reference:
QUESTION 66
For what purpose does Cisco SDM use Security Device Event Exchange?
A. to extract relevant SNMP information
B. to pull event logs from the router
C. to perform application-level accounting
D. to provide a keepalive mechanism
E. to allow SNMP to generate traps
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 67
In an MPLS VPN implementation, how are overlapping customer prefixes propagated?
A. A unique route target is attached to each customer routing update.
B. Separate BGP sessions are established between each pair of customer edge LSRs.
C. Each customer is given a unique set of edge LSPs.
D. A route distinguisher is attached to each customer prefix.
E. Each customer is given a unique IGP instance.
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 68
Which two techniques should be used to secure management protocols? (Choose two.)
A. Use SNMP version 2.
B. Encrypt TFTP and syslog traffic in an IPsec tunnel.
C. Configure SNMP exclusively with read-only community strings.
D. Synchronize the NTP master clock with an Internet atomic clock.
E. Use TFTP version 3 or later, because these versions support the use of a cryptographic authentication mechanism between peers.
Answer: BC
Section: (none)
Explanation/Reference:
QUESTION 69
Refer to the exhibit. A network administrator wishes to mitigate network threats. Given this purpose, which two statements about the Cisco IOS Firewall configuration that is revealed by the output are true? (Choose two.)
A. The ip inspect FIREWALL_ACL out command must be applied on Fa0/0 interface.
B. The ip inspect FIREWALL_ACL out command must be applied on Fa0/1 interface.
C. The ip access-group FIREWALL_ACL in command must be applied on Fa0/0 interface.
D. The ip access-group FIREWALL_ACL in command must be applied on Fa0/1 interface.
E. The configuration excerpt is an example of a CBAC list.
F. The configuration excerpt is an example of a reflexive ACL.
Answer: BE
Section: (none)
Explanation/Reference:
QUESTION 70
In an MPLS VPN implementation, how are overlapping customer prefixes propagated?
A. A separate instance of the core IGP is used for each customer.
B. Separate BGP sessions are established between each customer edge LSR.
C. Because customers have their own unique LSPs, address space is kept separate.
D. A route distinguisher is attached to each customer prefix.
E. Because customers have their own interfaces, distributed CEFs keep the forwarding tables separate.
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 71
Which two statements are true about the Data-over-Cable Service Interface Specifications? (Choose two.)
A. DOCSIS is an international standard developed by CableLabs.
B. DOCSIS defines cable operations at Layer 1, Layer 2, and Layer 3 of the OSI model.
C. Cable operators employ DOCSIS to provide cable access over their existing IP infrastructures.
D. DOCSIS defines a set of frequency allocation bands that are common to both U.S. and European cable systems.
E. Compliance with DOCSIS has been mandated by the major governmental regulatory agencies in both the U.S. and Europe.
F. Euro-DOCSIS requires the European cable channels to conform to PAL-based standards, whereas DOCSIS requires the North American cable channels to conform to the NTSC standard.
Answer: AF
Section: (none)
Explanation/Reference:
QUESTION 72
Refer to the exhibit. Which of these statements is true?
A. The router failed to train or successfully initialize because of a Layer 1 issue.
B. The router cannot activate the line because of a Layer 2 authentication issue.
C. The router failed to train or successfully initialize because of a PPP negotiation issue.
D. The router cannot activate the line because the ISP has not provided the requested IP address.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 73
Refer to the exhibit. Which of these statements correctly identifies why the PPPoE client session has not been established successfully?
A. The PPP LCP phase has failed because of excessive link noise.
B. The PPP authentication phase has failed at the CPE.
C. The PPP NCP phase has failed because the local router cannot successfully initialize the DSLAM.
D. The PPP LCP phase has failed because the correct DSL operating mode (DSL modulation) is not configured on the CPE router.
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 74
Refer to the exhibit. What information can be derived from this show ip cef command output?
A. This router will use a label of "21" to reach the destination network of 150.1.12.16.
B. This router will use a PHP label to reach the destination network of 150.1.12.16.
C. This router will advertise a label of "19" for the destination network of 150.1.12.16.
D. This router will advertise a label of "21" for the destination network of 150.1.12.16.
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 75
Refer to the exhibit. Why does the third hop only have one label?
A. MPLS is not enabled on that link, so only the VPN label is needed.
B. MPLS is not enabled on that link, so only the LSP label is needed.
C. That link is directly connected to the customer, so only the VPN label is needed.
D. That link is directly connected to the customer, so only the LSP label is needed.
E. The PHP process on that link has removed the LSP label, leaving only the VPN label.
F. The PHP process on that link has removed the VPN label, leaving only the LSP label.
Answer: E
Section: (none)
Explanation/Reference:
QUESTION 76
If you disable Cisco Express Forwarding on a P router in an MPLS network, what will the router do?
A. stop forwarding all traffic
B. stop advertising MPLS labels
C. start forwarding MPLS packets using process switching
D. start advertising all destination networks with an implicit null label value
E. start stripping the MPLS labels off of packets and forwarding them using the destination IP addresses
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 77
Refer to the exhibit. Host 1 cannot ping Server 1. In the course of troubleshooting, you have eliminated all network issues. Based upon the partial configuration shown, what is the issue?
A. No routing protocol is running on R 1 and R 2.
B. An encryption algorithm has been configured on R 1 and R 2.
C. The tunnel destinations on R 1 and R 2 are not on the same subnet.
D. R 1 has the wrong tunnel source configured under the tunnel interface.
E. R 2 has the wrong tunnel source configured under the tunnel interface.
F. The tunnel numbers (interface tunnel 0 and interface tunnel 1) on R 1 and R 2 do not match.
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 78
Refer to the exhibit. Host 1 cannot ping Server 1. In the course of troubleshooting, you have eliminated all network issues. Based upon the partial configuration shown, what is the issue?
A. No routing protocol is running on R 1 and R 2.
B. An encryption algorithm has been configured on R 1 and R 2.
C. The tunnel destinations on R 1 and R 2 are not on the same subnet.
D. R 1 has the wrong tunnel source configured under the tunnel interface.
E. R 2 has the wrong tunnel source configured under the tunnel interface.
F. The tunnel numbers (interface tunnel 0 and interface tunnel 1) on R 1 and R 2 do not match.
Answer: E
Section: (none)
Explanation/Reference:
QUESTION 79
Refer to the exhibit. What type of high-availability option is being implemented?
A. IPsec stateful failover
B. IPsec dead peer detection
C. Hot Standby Router Protocol
D. GRE's Keepalive Mechanism
E. backing up a WAN connection with an IPsec VPN
Answer: E
Section: (none)
Explanation/Reference:
QUESTION 80
Which two of these would be classified as reconnaissance attacks? (Choose two.)
A. port scans
B. ping sweeps
C. port redirection
D. trust exploitation
E. denial of service attacks
F. man-in-the-middle attacks
Answer: AB
Section: (none)
Explanation/Reference:
QUESTION 81
Which three of these would be classified as access attacks? (Choose three.)
A. port scans
B. ping sweeps
C. port redirection
D. trust exploitation
E. denial of service attacks
F. man-in-the-middle attacks
Answer: CDF
Section: (none)
Explanation/Reference:
QUESTION 82
Refer to the exhibit. The ACL in this configuration is used to mitigate which of these?
A. DOS smurf attacks
B. ICMP message attacks
C. TCP SYN DOS attacks
D. IP address spoofing attacks
E. traceroute message attacks
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 83
Refer to the exhibit. Which type of attack does the ACL prevent the internal user from successfully launching?
A. DOS smurf attack
B. ICMP message attack
C. TCP SYN DOS attacks
D. IP address spoofing attack
E. traceroute message attacks
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 84
If you want to authenticate the NTP associations with other systems for security purposes, which key type algorithm or algorithms are supported?
A. MD5 only
B. MD7 only
C. plain text only
D. MD5 and MD7
E. plain text and MD5
F. plain text and MD7
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 85
Which three of these are required before you can configure your routers for SSH server operations? (Choose three.)
A. each of the target routers has a unique hostname
B. each of the target routers is configured to enable secret passwords
C. a user is defined in either the local database or on a remote AAA server
D. each of the target routers has a password configured on the VTY interface
E. each of the target routers is using the correct domain name of your network
Answer: ACE
Section: (none)
Explanation/Reference:
QUESTION 86
Which two actions can a Cisco IOS Firewall take when the threshold for the number of half-opened TCP sessions is exceeded? (Choose two.)
A. It can send a reset message to the endpoints of the oldest half-opened session.
B. It can send a reset message to the endpoints of the newest half-opened session.
C. It can send a reset message to the endpoints of a random half-opened session.
D. It can block all EST packets temporarily for the duration configured by the threshold value.
E. It can block all SYN packets temporarily for the duration configured by the threshold value.
F. It can block all reset packets temporarily for the duration configured by the threshold value.
Answer: AE
Section: (none)
Explanation/Reference:
QUESTION 87
Refer to the exhibit. In this firewall implementation, inside users should be permitted to browse the Internet. However, users have indicated that all attempts fail. As a result of troubleshooting, you have determined that the issue is related to the firewall implementation.
What corrective action should you take?
A. Add the global command line ip inspect name INSIDE www.
B. Add the global command line ip inspect name OUTSIDE www.
C. Add the ACL command line permit tcp any any eq 80 to INSIDEACL.
D. Add the ACL command line permit tcp any any eq 80 to OUTSIDEACL.
E. Change the access group on Fa0/0 from the inbound direction to the outbound direction.
F. Change the access group on Fa0/1 from the inbound direction to the outbound direction.
Answer: C
Section: (none)
Explanation/Reference:
QUESTION 88
Refer to the exhibit. In this firewall implementation, outside clients should be allowed to communicate with the SMTP server (200.1.2.1) located in the enterprise DMZ. However, users have indicated that all attempts fail. As a result of troubleshooting, you have determined that the issue is related to the firewall implementation.
What corrective action should you take?
A. Add the global command line ip inspect name INSIDE smtp.
B. Add the global command line ip inspect name OUTSIDE smtp.
C. Add the ACL command line permit tcp any host 200.1.2.1 eq 25 to DMZACL.
D. Add the ACL command line permit tcp any host 200.1.2.1 eq 25 to OUTSIDEACL.
E. Change the access group on Fa0/0 from the inbound direction to the outbound direction.
F. Change the access group on Fa0/2 from the inbound direction to the outbound direction.
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 89
Refer to the exhibit. FastEthernet0/0 has been assigned a network address of 200.0.1.2/24 and no ACL has been applied to that interface. Serial0/0/0 has been assigned a network address of 200.0.0.1/30. Assuming that there are no network-related problems, which ping will be successful?
A. from 200.0.0.1 to 200.0.0.2
B. from 200.0.0.2 to 200.0.0.1
C. from 200.0.0.2 to 200.0.1.1
D. from 200.0.0.2 to 200.0.1.2
E. from 200.0.1.1 to 200.0.0.2
F. from 200.0.1.2 to 200.0.0.2
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 90
Refer to the exhibit. FastEthernet0/0 has been assigned a network address of 200.0.1.2/24 and no ACL has been applied to the interface. Serial0/0/0 has been assigned a network address of 200.0.0.1/30. An inspection rule of ip inspect name OUTBOUND tcp has been applied to Serial 0/0/0.
Assuming that there are no network-related issues, which of the following traffic will be successful? (Choose two.)
A. a ping from 200.0.1.1 to 200.0.0.2
B. a ping from 200.0.0.2 to 200.0.1.1
C. a ping from 200.0.0.1 to 200.0.0.2
D. a ping from 200.0.1.2 to 200.0.0.1
E. a Telnet from 200.0.1.1 to 200.0.0.2
F. a Telnet from 200.0.0.2 to 200.0.1.1
Answer: CE
Section: (none)
Explanation/Reference:
QUESTION 91
Refer to the exhibit. Which three statements about this DMZ configuration are true? (Choose three.)
A. The device being enabled is a web server.
B. The device being enabled is an FTP server.
C. The device being enabled is located in the DMZ.
D. The device being enabled has been assigned an IP address of 192.168.0.2.
E. FTP-based packets with a destination of 192.168.0.2 will be allowed through the DMZ to the web server located on the untrusted network.
F. Web-based packets with a destination of 192.168.0.2 will be allowed through the DMZ to the web server located on the trusted network.
Answer: ACD
Section: (none)
Explanation/Reference:
QUESTION 92
Which Security Device Manager (SDM) action is used to customize the intrusion prevention services (IPS) signature options? (Choose one.)
A. Click the Security Audit task.
B. Click the Launch IPS Rule Wizard button.
C. Click the Edit IPS tab.
D. Click the Firewall and ACL task.
Answer: C
Section: (none)
Explanation/Reference:
QUESTION 93
Access-list 101 permit tcp any eq 20 10.2.1.0 0.0.0.255 gt 1023
What is the effect of the access list?
A. to permit FTP commands originating from hosts on the 10.2.1.0/24 network.
B. to permit FTP commands that are destined for the 10.2.1.0/24 network.
C. to permit initial packets from the FTP data sessions so that FTP clients in the 10.2.1.0/24 network can use FTP.
D. to permit initial packets from the FTP data sessions so that FTP clients can access servers in the 10.2.1.0/24 network.
Answer: C
Section: (none)
Explanation/Reference:
QUESTION 94
Which two features can be implemented using the Cisco SDM Advanced Firewall wizard? (Choose two.)
A. DMZ support
B. custom rules
C. firewall signatures
D. application security
E. IP unicast reverse path forwarding
Answer: AB
Section: (none)
Explanation/Reference:
QUESTION 95
What three classifications reflect the different approaches used to identify malicious traffic? (Choose three.)
A. platform based
B. signature based
C. policy based
D. regular-expression based
E. symbol based
F. anomaly based
Answer: BC
Section: (none)
Explanation/Reference:
QUESTION 96
Which action can be taken by Cisco IOS IPS when a packet matches a signature pat
tern?
A. drop the packet
B. reset the UDP connection
C. block all traffic from the destination address for a specified amount of time
D. perform a reverse path verification to determine if the source of the malicious packet was spoofed
E. forward the malicious packet to a centralized NMS where further analysis can be taken
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 97
Which statement is true about an IPsec/GRE tunnel?
A. The GRE tunnel source and destination addresses are specified within the IPsec transform set.
B. An IPsec/GRE tunnel must use IPsec tunnel mode.
C. GRE encapsulation occurs before the IPsec encryption process.
D. Crypto map ACL is not needed to match which traffic will be protected.
Answer: C
Section: (none)
Explanation/Reference:
QUESTION 98
During the Easy VPN Remote connection process, which phase involves pushing the IP address, DNS, and split tunnel attributes to the client?
A. mode configuration
B. the VPN client establishment of an ISAKMP SA
C. IPsec quick mode completion of the connection
D. VPN client initiation of the IKE phase 1 process
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 99
What should a security administrator who uses SDM consider when configuring the firewall on an interface that is used in a VPN connection?
A. The firewall must permit traffic going out of the local interface only.
B. The firewall must permit traffic to a VPN concentrator only.
C. The firewall must permit encrypted traffic between the local and remote VPN peers.
D. The firewall cannot be configured in conjunction with a VPN.
Answer: C
Section: (none)
Explanation/Reference:
QUESTION 100
Refer to the exhibit.
An IOS firewall has been configured to support skinny and H.323. Voice traffic is not passing through the firewall as expected. What needs to be corrected in this configuration?
A. Access list 100 needs to permit skinny and H.323.
B. Access list 101 needs to permit skinny and H.323.
C. The ip inspect Voice in command on interface FastEthernet 0/1 should be applied in the outbound direction.
D. The ip inspect Voice out command should be applied to interface FastEthernet 0/0.
Answer: C
Section: (none)
Explanation/Reference:
QUESTION 101
Refer to the exhibit.
Which Cisco SDM feature is illustrated?
A. ACL Editor
B. Easy VPN Wizard
C. Security Audit
D. Site-to-Site VPN
E. Inspection Rules
F. Reset to Factory Defaults
Answer: C
Section: (none)
Explanation/Reference:
QUESTION 102
Which defined peer IP address and local subnet belong to Crete? (Choose two.)
A. peer address 192.168.55.159
B. peer address 192.168.77.120
C. peer address 192.168.167.85
D. subnet 10.5.15.0/24
E. subnet 10.8.28.0/24
F. subnet 10.5.33.0/24
Answer: AD
Section: (none)
Explanation/Reference:
QUESTION 103
Which IPSec rule is used for the Olympia branch and what does it define? (Choose two.)
A. 102
B. 116
C. 127
D. IP traffic sourced from 10.10.10.0/24 destined to 10.5.15.0/24 will use the VPN.
E. IP traffic sourced from 10.10.10.0/24 destined to 10.8.28.0/24 will use the VPN.
F. IP traffic sourced from 10.10.10.0/24 destined to 10.5.33.0/24 will use the VPN.
Answer: BE
Section: (none)
Explanation/Reference:
QUESTION 104
Which algorithm as defined by the transform set is used for providing data confidentiality when connected to Tyre?
A. ESP-3DES-SHA
B. ESP-3DES-SHA1
C. ESP-3DES-SHA2
D. ESP-3DES
E. ESP-SHA-HMAC
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 105
Which peer authentication method and which IPSec mode are used to connect to the branch locations? (Choose two.)
A. Digital Certificate
B. Pre-shared Key
C. Transport Mode
D. Tunnel Mode
E. GRE/IPSEC Transport Mode
F. GRE/IPSEC Tunnel Mode
Answer: BD
Section: (none)
Explanation/Reference:
QUESTION 106
Drag and drop the Cisco IOS commands that would be used to configure the physical interface portion of a PPPoE client configuration. Drag and Drop question, drag each item to its proper location.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 107
Drag the correct statements about MPLS-based VPN on the left to the boxes on the right. (Not all statements will be used)
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 108
Drag the IPsec protocol description from the above to the correct protocol type on the below. (Not all descriptions will be used) Drag and Drop question, drag each item to its proper location.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 109
Drag and drop each management protocol on the above to the correct category on the below.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 110
Drag and drop each function on the above to the hybrid fiber-coaxial architecture component that it describes on the below.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 111
Drag the DSL technologies on the left to their maximum (down/up) data rate values on the below.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 112
Drag the DSL local loop topic on the left to the correct descriptions on the right.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 113
Drag the IOS commands from the left that would be used to implement a GRE tunnel using the 10.1.1.0.30 network on interface serial 0/0 to the correct target area on the right.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 114
Identify the recommended steps for worm attack mitigation by dragging and dropping them into the target area in the correct order.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 115
Drag and drop the xDSL type on the above to the appropriate xDSL description on the below.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 116
Match the xDSL type on the above to the most appropriate implementation on the below.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 117
Drag each element of the Cisco IOS Firewall Feature Set from the above and drop onto its description on the below.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 118
Drag the protocols that are used to distribute MPLS labels from the above to the target area on the below. (Not all options will be used)
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 119
Drag and drop question. The upper gives the MPLS functions, the bottom describes the planes. Drag the above items to the proper location at the below.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 120
Drag and drop question. The left gives some blank boxes for IPsec VPN, the right gives some IPsec VPN descriptions. Drag the correct descriptions on the right to the left boxes.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 121
Drag and drop question. The left gives some blank boxes for ADSL POTS splitter, the right gives some ADSL POTS splitter descriptions. Drag the correct descriptions on the right to the left boxes.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 122
Drag and drop question. Drag the ordered steps below to the correct DSL ATM interface configuration sequence above.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 123
Drag and drop question. Drag the Cisco IOS commands above to the proper location below to implement a two-interface IOS firewall.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 124
Drag each description to the correct IPsec security feature.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 125
Drag each type of attack on the left to the description on the right.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 126
Drag the worm attack mitigation step on the left to the description on the right.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 127
Drag and drop the Cisco IOS commands that would be used to configure the dialer interface portion of a PPPoE client implementation where the client is facing the Internet and private IP addressing is used on the internal network.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 128
certways is a small export company.
This firm has an existing enterprise network that is made up exclusively of routers that are using EIGRP as the IGP.
Its network is up and operating normally. As part of its network expansion, certways has decided to connect to the internet by a broadband cable ISP.
Your task is to enable this connection by use of the information below.
Connection Encapsulation: PPP
Connection Type: PPPoE client
Connection Authentication: None
Connection MTU: 1492 bytes
Address: Dynamically assigned by the ISP
Outbound Interface: E0/0
You will know that the connection has been successfully enabled when you can ping the simulated Internet address of 172.16.1.1.
Note: Routing to the ISP: Manually configured default route
PassGuide-R# show ip route
....
Gateway of last resort is not set
192.168.1.0/27 is subnetted, 7 subnets
C 192.168.1.0 is directly connected, Ethernet0/1
D 192.168.1.32 [90/307200] via 192.168.1.2, 00:02:16, Ethernet0/1
D 192.168.1.64 [90/307200] via 192.168.1.2, 00:02:17, Ethernet0/1
D 192.168.1.96 [90/307200] via 192.168.1.2, 00:02:17, Ethernet0/1
D 192.168.1.128 [90/307200] via 192.168.1.3, 00:02:17, Ethernet0/1
D 192.168.1.192 [90/307200] via 192.168.1.3, 00:02:17, Ethernet0/1
D 192.168.1.224 [90/307200] via 192.168.1.3, 00:02:17, Ethernet0/1
PassGuide-R# show run
....
no service password-encryption
!
hostname PassGuide-R
!
boot-start-marker
boot-end-marker
!
no aaa new-model
resource policy
clock timezone PST 0
ip subnet-zero
no ip dhcp use vrf connected
!
interface Ethernet0/0
 description link to cable modem
 no ip address
 shutdown
!
interface Ethernet0/1
 description link to corporate nework
 ip address 192.168.1.1 255.255.255.224
!
interface Ethernet0/2
 no ip address
!
interface Ethernet0/3
 no ip address
 shutdown
!
router eigrp 1
 network 192.168.1.0
 auto-summary
!
line con 0
line vty 0 15
end
Configuration sequence:
A. PassGuide-R(config)#int e0/0
PassGuide-R(config-if)#pppoe enable
PassGuide-R(config-if)#pppoe-client dial-pool-number 1
PassGuide-R(config-if)#no sh
PassGuide-R(config-if)#exit
PassGuide-R(config)#vpdn enable
PassGuide-R(config)#vpdn-group 1
PassGuide-R(config-vpdn)#request-dialin
PassGuide-R(config-vpdn-req-in)#protocol pppoe
PassGuide-R(config-vpdn-req-in)#exit
PassGuide-R(config-vpdn)#exit
PassGuide-R(config)#dialer-list 1 protocol ip permit
PassGuide-R(config)#int dialer 1
PassGuide-R(config-if)#encapsulation ppp
PassGuide-R(config-if)#ip address negotiated
PassGuide-R(config-if)#dialer pool 1
PassGuide-R(config-if)#dialer-group 1
PassGuide-R(config-if)#ip mtu 1492
PassGuide-R(config-if)#exit
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 129
A. PassGuide-R1> enable
PassGuide-R1# conf t
PassGuide-R1(config)#aaa new-model
PassGuide-R1(config)#username BDnet1 password Wer#1
PassGuide-R1(config)#tacacs-server host 10.6.6.254 key training
PassGuide-R1(config)#aaa authentication login default local
PassGuide-R1(config)#aaa authentication login vty group tacacs+
PassGuide-R1(config)#aaa authorization exec vty group tacacs+
PassGuide-R1(config)#line vty 0 4
PassGuide-R1(config-line)#authorization exec vty
PassGuide-R1(config-line)#login authentication vty
PassGuide-R1(config-line)#end
PassGuide-R1#copy run start
Test:
PassGuide-R2#ssh 10.2.1.1 -l cisco
Enter password: Cisco123
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 130
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 131
Which statement is true about a worm attack?
A. Human interaction is required to facilitate the spread.
B. The worm executes arbitrary code and installs copies of itself in the memory of the infected computer.
C. Extremely large volumes of requests are sent over a network or over the Internet.
D. Data or commands are injected into an existing stream of data. That stream is passed between a client and server application.
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 132
What are two steps that must be taken when mitigating a worm attack? (Choose two.)
A. Inoculate systems by applying update patches.
B. Limit traffic rate.
C. Apply authentication.
D. Quarantine infected machines.
E. Enable anti-spoof measures.
Answer: AD
Section: (none)
Explanation/Reference:
QUESTION 133
What is a recommended practice for secure configuration management?
A. Disable port scan.
B. Use SSH or SSL.
C. Deny echo replies on all edge routers.
D. Enable trust levels.
E. Use secure Telnet.
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 134
Which statement is true about the management protocols?
A. TFTP data is sent encrypted.
B. Syslog data is sent encrypted between the server and device.
C. SNMP v1/v2 can be compromised because the community string information for authentication is sent in clear text.
D. NTP v.3 does not support a cryptographic authentication mechanism between peers.
Answer: C
Section: (none)
Explanation/Reference:
QUESTION 135
At what size should the MTU on LAN interfaces be set in the implementation of MPLS VPNs with traffic engineering?
A. 1512 bytes
B. 1516 bytes
C. 1520 bytes
D. 1524 bytes
E. 1528 bytes
F. 1532 bytes
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 136
With MPLS, what is the function of the protocol ID (PID) in a Layer 2 header?
A. It specifies that the bottom-of-stack bit immediately follows.
B. It specifies that the payload starts with a label and is followed by an IP header.
C. It specifies that the receiving router use the top label only.
D. It specifies how many labels immediately follow.
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 137
What phrase best describes a Handler in a distributed denial of service (DDoS) attack?
A. person who launches the attack
B. host that generates a stream of packets that is directed toward the intended victim
C. host running the attacker program
D. host being attacked
Answer: C
Section: (none)
Explanation/Reference:
QUESTION 138
Which PPPoA configuration statement is true?
A. The dsl operating-mode auto command is required if the default mode has been changed.
B. The encapsulation ppp command is required.
C. The ip mtu 1492 command must be applied on the dialer interface.
D. The ip mtu 1496 command must be applied on the dialer interface.
E. The ip mtu 1492 command must be applied on the Ethernet interface.
F. The ip mtu 1496 command must be applied on the Ethernet interface.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 139
Which PPPoE configuration statement is true?
A. A PVC must be created before the pppoe enable command on the Ethernet interface is entered.
B. The dsl operating-mode auto command is required.
C. The encapsulation ppp command must be applied on the Ethernet interface.
D. The ip mtu 1492 command must be applied on the dialer interface.
E. The ip mtu 1496 command must be applied on the Ethernet interface.
F. When the pppoe enable command is applied on the Ethernet interface, a PVC will be created.
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 140
What are three methods of network reconnaissance? (Choose three.)
A. IP spoofing
B. one-time password
C. dictionary attack
D. packet sniffer
E. ping sweep
F. port scan
Answer: DEF
Section: (none)
Explanation/Reference:
QUESTION 141
Which statement about a worm attack is true?
A. Human interaction is required to facilitate the spread.
B. The worm executes arbitrary code and installs copies of itself in the memory of the infected computer.
C. Extremely large volumes of requests are sent over a network or over the Internet.
D. Data or commands are injected into an existing stream of data. That stream is passed between a client and server application.
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 142
How can Trojan horse attacks be mitigated?
A. Use antivirus software.
B. Implement RFC 2827 filtering.
C. Use a firewall to block port scans.
D. Enable trust levels on edge routers.
E. Disable echo replies on all edge routers.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 143
You work as a network engineer. Study the exhibit carefully. Which Cisco feature generated the configuration?
A. TACACS+
B. IOS Firewall
C. AutoSecure
D. IOS IPS
Answer: C
Section: (none)
Explanation/Reference:
QUESTION 144
On the basis of the information provided in the exhibit, which configuration option would correctly configure router certways-R to mitigate a range of threats?
A. Company-R(config)# interface Fa0/0
Company-R(config-if)# ip access-group 150 in
B. Company-R(config)# interface Fa0/0
Company-R(config-if)# ip access-group 150 out
C. Company-R(config)# interface Fa0/1
Company-R(config-if)# ip access-group 150 in
D. Company-R(config)# interface Fa0/1
Company-R(config-if)# ip access-group 150 out
Answer: C
Section: (none)
Explanation/Reference:
QUESTION 145
Refer to the exhibit.
Configure Router Company-R ACL 150 to mitigate against a range of common threats. Based on the information shown in the exhibit, which statement is correct?
A. The ip access-group 150 command should have been applied to interface FastEthernet 0/0 in an outbound direction.
B. Interface Fa0/0 and interface Fa0/1 should have been configured with the IP addresses 10.1.1.1 and 10.2.1.1, respectively.
C. The ip access-group 150 command should have been applied to interface FastEthernet 0/0 in an inbound direction.
D. ACL 150 will mitigate common threats.
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 146
Study the exhibit carefully.
On the basis of the configuration, what will happen to the IPSec VPN between the Remote router and the Head-End router with IP address 172.31.1.100 if receiving no dead-peer detection hello messages for 20 seconds?
A. The IPSec VPN will transition to a peering relationship with the Head-End router at 172.31.1.200, with a down-time determined by the time required to tear-down and build the peerings.
B. The IPSec VPN will terminate but will rebuild with the same peer because 3 hello messages have not yet been missed.
C. The IPSec VPN will not be affected.
D. The IPSec VPN will transition with no down-time to a peering relationship with the Head-End router at 172.31.1.200.
Answer: C
Section: (none)
Explanation/Reference:
QUESTION 147
Which command sequence is an example of a correctly configured AAA configuration that uses the local database?
A. RTA(config)# username Bob password cisco
RTA(config)# aaa new-model
RTA(config)# aaa authentication login LOCAL_AUTH local
RTA(config)# line con 0
RTA(config-line)# login authentication LOCAL_AUTH
B. RTA(config)# username Bob password cisco
RTA(config)# aaa new-model
RTA(config)# aaa authentication login LOCAL_AUTH local
RTA(config)# line con 0
RTA(config-line)# login authentication default
C. RTA(config)# aaa new-model
RTA(config)# tacacs-server host 10.1.1.10
RTA(config)# tacacs-server key cisco 123
RTA(config)# aaa authentication login LOCAL_AUTH group tacacs+
RTA(config)# line con 0
RTA(config-line)# login authentication default
D. RTA(config)# aaa new-model
RTA(config)# tacacs-server host 10.1.1.10
RTA(config)# tacacs-server key cisco 123
RTA(config)# aaa authentication login LOCAL_AUTH group tacacs+
RTA(config)# line con 0
RTA(config-line)# login authentication LOCAL AUTH
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 148
Refer to the exhibit.
What two types of attacks does the IOS firewall configuration prevent? (Choose two.)
A. Java applets
B. SYN flood
C. Trojan horse
D. DDOS
E. packet sniffers
Answer: BD
Section: (none)
Explanation/Reference:
QUESTION 149
What are three options for viewing Security Device Event Exchange (SDEE) messages in Security Device Manager (SDM)? (Choose three.)
A. To view SDEE status messages
B. To view SDEE keepalive messages
C. To view all SDEE messages
D. To view SDEE statistics
E. To view SDEE alerts
F. To view SDEE actions
Answer: ACE
Section: (none)
Explanation/Reference:
QUESTION 150
What are the four steps that occur with an IPsec VPN setup?
A. Step 1: Interesting traffic initiates the IPsec process.
Step 2: AH authenticates IPsec peers and negotiates IKE SAs.
Step 3: AH negotiates IPsec SA settings and sets up matching IPsec SAs in the peers.
Step 4: Data is securely transferred between IPsec peers.
B. Step 1: Interesting traffic initiates the IPsec process.
Step 2: ESP authenticates IPsec peers and negotiates IKE SAs.
Step 3: ESP negotiates IPsec SA settings and sets up matching IPsec SAs in the peers.
Step 4: Data is securely transferred between IPsec peers.
C. Step 1: Interesting traffic initiates the IPsec process.
Step 2: IKE authenticates IPsec peers and negotiates IKE SAs.
Step 3: IKE negotiates IPsec SA settings and sets up matching IPsec SAs in the peers.
Step 4: Data is securely transferred between IPsec peers.
D. Step 1: Interesting traffic initiates the IPsec process.
Step 2: IKE negotiates IPsec SA settings and sets up matching IPsec SAs in the peers.
Step 3: IKE authenticates IPsec peers and negotiates IKE SAs.
Step 4: Data is securely transferred between IPsec peers.
Answer: C
Section: (none)
Explanation/Reference:
QUESTION 151
What actions can be performed by the Cisco IOS IPS when suspicious activity is detected? (Choose four.)
A. Send an alarm to a syslog server or a centralized management interface
B. Initiate antivirus software to clean the packet
C. Drop the packet
D. Reset the connection
E. Request packet to be resent
F. Deny traffic from the source IP address associated with the connection
Answer: ACDF
Section: (none)
Explanation/Reference:
QUESTION 152
Which three statements are true about Cisco Intrusion Detection System (IDS) and Cisco Intrusion Prevention System (IPS) functions? (Choose three.)
A. Only IDS systems provide real-time monitoring that includes packet capture and analysis of network packets.
B. Both IDS and IPS systems provide real-time monitoring that involves packet capture and analysis of network packets.
C. The signatures on the IDS devices are configured manually whereas the signatures on the IPS devices are configured automatically.
D. IDS can detect misuse, abuse, and unauthorized access to networked resources but can only respond after an attack is detected.
E. IPS can detect misuse, abuse, and unauthorized access to networked resources and respond before network security can be compromised.
F. IDS can deny malicious traffic from the inside network whereas IPS can deny malicious traffic from outside the network.
Answer: BDE
Section: (none)
Explanation/Reference:
QUESTION 153
What is required when configuring IOS Firewall using the CLI?
A. IOS IPS enabled on the untrusted interface
B. NBAR enabled to perform protocol discovery and deep packet inspection
C. Route-map to define the trusted outgoing traffic
D. Route-map to define the application inspection rules
E. An inbound extended ACL applied to the untrusted interface
Answer: E
Section: (none)
Explanation/Reference:
QUESTION 154
Which statement is true when ICMP echo and echo-reply are disabled on edge devices?
A. Pings are allowed only to specific devices.
B. CDP information is not exchanged.
C. Port scans can no longer be run.
D. Some network diagnostic data is lost.
E. Wireless devices need to be physically connected to the edge device.
F. OSPF routing needs the command ip ospf network non-broadcast enabled.
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 155
Which three statements are true when configuring Cisco IOS Firewall features using the SDM? (Choose three.)
A. A custom application security policy can be configured in the Advanced Firewall Security Configuration dialog box.
B. An optional DMZ interface can be specified in the Advanced Firewall Interface Configuration dialog box.
C. Custom application policies for e-mail, instant messaging, HTTP, and peer-to-peer services can be created using the Intermediate Firewall wizard.
D. Only the outside (untrusted) interface is specified in the Basic Firewall Interface Configuration dialog box.
E. The outside interface that SDM can be launched from is configured in the Configuring Firewall for Remote Access dialog box.
F. The SDM provides a basic, intermediate, and advanced firewall wizard.
Answer: ABE
Section: (none)
Explanation/Reference:
QUESTION 156
Which two mechanisms can be used to detect IPsec GRE tunnel failures? (Choose two.)
A. Dead Peer Detection (DPD)
B. CDP
C. isakmp keepalives
D. GRE keepalive mechanism
E. The hello mechanism of the routing protocol across the IPsec tunnel
Answer: AE
Section: (none)
Explanation/Reference:
QUESTION 157
What is a reason for implementing MPLS in a network?
A. MPLS eliminates the need of an IGP in the core.
B. MPLS reduces the required number of BGP-enabled devices in the core.
C. Reduces routing table lookup since only the MPLS core routers perform routing table lookups.
D. MPLS eliminates the need for fully meshed connections between BGP enabled devices.
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 158
When establishing a VPN connection from the Cisco software VPN client to an Easy VPN server router using pre-shared key authentication, what is entered in the configuration GUI of the Cisco software VPN client to identify the group profile that is associated with this VPN client?
A. Group name
B. Client name
C. Distinguished name
D. Organizational unit
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 159
Refer to the exhibit.
Assume that a signature can identify an IP address as the source of an attack. Which action would automatically create an ACL that denies all traffic from an attacking IP address?
A. Alarm
B. Drop
C. Reset
D. Deny Flow Inline
E. denyAttackerInline
F. Deny-connection-inline
Answer: E
Section: (none)
Explanation/Reference:
QUESTION 160
Which statement is true about the SDM IPS Policies wizard?
A. In order to configure the IPS, the wizard requires that customized signature files be created.
B. The IPS Policies wizard only allows the use of default signatures which cannot be modified.
C. The IPS Policies wizard can be used to modify, delete, or disable signatures that have been deployed on the router.
D. When initially enabling the IPS Policies wizard, SDM automatically checks and downloads updates of default signatures available from CCO (cisco.com).
E. The wizard verifies whether the command is correct but does not verify available router resources before the signatures are deployed to the router.
Answer: C
Section: (none)
Explanation/Reference:
QUESTION 161
Case Study#1
Scenario:
This item involves some questions that you need to answer. You can click on the Questions button to the left to view these questions. Change questions by clicking the numbers to the left of each question. In order to finish the questions, you will need to refer to the SDM and the topology, neither of which is currently visible. In order to gain access to either the topology or the SDM, click on the button to the left side of the screen that corresponds to the section you wish to access.
When you have completed viewing the topology or the SDM, you can return to your questions by clicking on the Questions button to the left.
Cruising industries is a large worldwide diving charter. Recently, this firm has upgraded its internet connectivity. As a new network technician, you have been tasked with documenting the active Firewall configurations on the P4S-R router using the Cisco Router and Security Device Manager (SDM) utility. Using the SDM output from Firewall and ACL Tasks under the Configure tab, answer the following questions:
Topology:
A.
Case Study# 1 (Questions)
Question: 1
Which option is Correct?
A. Both FastEthernet 0/0 and Serial 0/0/0 are trusted interfaces.
B. Both FastEthernet 0/0 and Serial 0/0/0 are untrusted interfaces.
C. FastEthernet 0/0 is a trusted interface and Serial 0/0/0 is an untrusted interface.
D. FastEthernet 0/0 is an untrusted interface and Serial 0/0/0 is a trusted interface.
Answer: C
Question: 2
Which two statements best describe a permissible incoming TCP packet on an untrusted interface in this configuration? (Choose two.)
A. The packet has a source address of 172.16.29.12
B. The packet has a source address of 10.94.61.29
C. The session originated from a trusted interface.
D. The application is not specified within the inspection rule SDM_LOW.
E. The packet has a source address of 198.133.219.144
Answer: C, E
Question: 3
Which two statements would specify a permissible incoming TCP packet on a trusted interface in this configuration? (Choose two.)
A. The packet has a source address of 10.94.61.118
B. The packet has a source address of 172.16.29.12
C. The packet has a source address of 198.133.219.16
D. The destination address is not specified within the inspection rule SDM_LOW.
E. The destination address is specified within the inspection rule SDM_LOW.
Answer: A, C
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 162
Which two statements about the Cisco AutoSecure feature are true? (Choose two.)
A. All passwords entered during the AutoSecure configuration must be a minimum of 8 characters in length.
B. Cisco123 would be a valid password for both the enable password and the enable secret commands.
C. The auto secure command can be used to secure the router login as well as the NTP and SSH protocols.
D. For an interactive full session of AutoSecure, the auto secure login command should be used.
E. If the SSH server was configured, the 1024 bit RSA keys are generated after the auto secure command is enabled.
Answer: CE
Section: (none)
Explanation/Reference:
QUESTION 163
Refer to the exhibit. Which two statements about the Network Time Protocol (NTP) are true? (Choose two.)
A. Router RTA will adjust for eastern daylight savings time.
B. To enable authentication, the ntp authenticate command is required on routers RTA and RTB.
C. To enable NTP, the ntp master command must be configured on routers RTA and RTB.
D. Only NTP time requests are allowed from the host with IP address 10.1.1.1.
E. The preferred time source located at 130.207.244.240 will be used for synchronization regardless of the other time sources.
Answer: AB
Section: (none)
Explanation/Reference:
QUESTION 164
Which three categories of signatures can a Cisco IPS microengine identify? (Choose three.)
A. DDoS signatures
B. strong signatures
C. exploit signatures
D. numeric signatures
E. spoofing signatures
F. connection signatures
Answer: ACF
Section: (none)
Explanation/Reference:
QUESTION 165
Refer to the exhibit. On the basis of the information that is provided, which two statements are true? (Choose two.)
A. An IPS policy can be edited by choosing the Edit button.
B. Right-clicking on an interface will display a shortcut menu with options to edit an action or to set severity levels.
C. The Edit IPS window is currently in Global Settings view.
D. The Edit IPS window is currently in IPS Policies view.
E. The Edit IPS window is currently in Signatures view.
F. To enable an IPS policy on an interface, click on the interface and deselect Disable.
Answer: AD
Section: (none)
Explanation/Reference:
QUESTION 166
Which two devices serve as the main endpoint components in a DSL data service network? (Choose two.)
A. SOHO workstation
B. ATU-R
C. ATU-C
D. POTS splitter
E. CO switch
Answer: BC
Section: (none)
Explanation/Reference:
