ccnp2 03-08-2010

Upload: stephan-van-den-heuvel

Post on 09-Apr-2018

  • 8/7/2019 CCNP2 03-08-2010

    1/141

    Cisco_CertifyMe_642-825_v2010-08-03_234q_By-Jenifer

    Number: 642-825
    Passing Score: 800
    Time Limit: 120 min
    File Version: 2010-08-03

    Exam - Cisco

    Code - 642-825

    Version - 2010-08-03

    Few Questions modified...

    Best of luck

    By - Jenifer


    Exam A

    QUESTION 1
    Which two statements about common network attacks are true? (Choose two.) Select 2 response(s).

    A. Access attacks can consist of password attacks, trust exploitation, port redirection, and man-in-the-middle attacks.

    B. Access attacks can consist of password attacks, ping sweeps, port scans, and man-in-the-middle attacks.

    C. Access attacks can consist of packet sniffers, ping sweeps, port scans, and man-in-the-middle attacks.

    D. Reconnaissance attacks can consist of password attacks, trust exploitation, port redirection and Internet information queries.

    E. Reconnaissance attacks can consist of packet sniffers, port scans, ping sweeps, and Internet information queries.

    F. Reconnaissance attacks can consist of ping sweeps, port scans, man-in-the-middle attacks and Internet information queries.

    Answer: AE

    Section: (none)

    Explanation/Reference:

    QUESTION 2
    Which two statements about management protocols are true? (Choose two.) Select 2 response(s).

    A. Syslog version 2 or above should be used because it provides encryption of the syslog messages.

    B. NTP version 3 or above should be used because these versions support a cryptographic authentication mechanism between peers.

    C. SNMP version 3 is recommended since it provides authentication and encryption services for management packets.

    D. SSH, SSL and Telnet are recommended protocols to remotely manage infrastructure devices.

    E. TFTP authentication (username and password) is sent in an encrypted format, and no additional encryption is required.

    Answer: BC

    Section: (none)

    Explanation/Reference:

    QUESTION 3
    Refer to the exhibit. Which two statements about the AAA configuration are true? (Choose two.) Select 2 response(s).

    A. A good security practice is to have the none parameter configured as the final method used to ensure that no other authentication method will be used.

    B. If a TACACS+ server is not available, then a user connecting via the console port would not be able to gain access since no other authentication method has been defined.


    C. If a TACACS+ server is not available, then the user Bob could be able to enter privileged mode as long as the proper enable password is entered.

    D. The aaa new-model command forces the router to override every other authentication method previously configured for the router lines.

    E. To increase security, group radius should be used instead of group tacacs+.

    F. Two authentication options are prescribed by the displayed aaa authentication command.

    Answer: DF

    Section: (none)

    Explanation/Reference:

    QUESTION 4
    What are the two main features of Cisco IOS Firewall? (Choose two.) Select 2 response(s).

    A. TACACS+

    B. AAA

    C. Cisco Secure Access Control Server

    D. Intrusion Prevention System

    E. Authentication Proxy

    Answer: DE

    Section: (none)

    Explanation/Reference:

    QUESTION 5
    What three features does Cisco Security Device Manager (SDM) offer? (Choose three.) Select 3 response(s).

    A. smart wizards and advanced configuration support for NAC policy features

    B. single-step mitigation of Distributed Denial of Service (DDoS) attacks

    C. one-step router lockdown

    D. security auditing capability based upon CERT recommendations

    E. multi-layered defense against social engineering

    F. single-step deployment of basic and advanced policy settings

    Answer: ACF

    Section: (none)

    Explanation/Reference:

    QUESTION 6
    What are three objectives that the no ip inspect command achieves? (Choose three.) Select 3 response(s).

    A. removes the entire CBAC configuration

    B. removes all associated static ACLs

    C. turns off the automatic audit feature in SDM

    D. denies HTTP and Java applets to the inside interface but permits this traffic to the DMZ

    E. resets all global timeouts and thresholds to the defaults

    F. deletes all existing sessions


    Answer: AEF

    Section: (none)

    Explanation/Reference:

    QUESTION 7
    Which three features are benefits of using GRE tunnels in conjunction with IPsec for building site-to-site VPNs? (Choose three.) Select 3 response(s).

    A. allows dynamic routing over the tunnel

    B. supports multi-protocol (non-IP) traffic over the tunnel

    C. reduces IPsec headers overhead since tunnel mode is used

    D. simplifies the ACL used in the crypto map

    E. uses Virtual Tunnel Interface (VTI) to simplify the IPsec VPN configuration

    Answer: ABD

    Section: (none)

    Explanation/Reference:

    QUESTION 8
    Which three IPsec VPN statements are true? (Choose three.) Select 3 response(s).

    A. IKE keepalives are unidirectional and sent every ten seconds.

    B. IKE uses the Diffie-Hellman algorithm to generate symmetrical keys to be used by IPsec peers.

    C. IPsec uses the Encapsulating Security Protocol (ESP) or the Authentication Header (AH) protocol for exchanging keys.

    D. Main mode is the method used for the IKE phase two security association negotiations.

    E. Quick mode is the method used for the IKE phase one security association negotiations.

    F. To establish IKE SA, main mode utilizes six packets while aggressive mode utilizes only three packets.

    Answer: ABF

    Section: (none)

    Explanation/Reference:

    QUESTION 9
    Which three statements are true about Cisco IOS Firewall? (Choose three.) Select 3 response(s).

    A. It can be configured to block Java traffic.

    B. It can be configured to detect and prevent SYN-flooding denial-of-service (DoS) network attacks.

    C. It can only examine network layer and transport layer information.

    D. It can only examine transport layer and application layer information.

    E. The inspection rules can be used to set timeout values for specified protocols.

    F. The ip inspect cbac-name command must be configured in global configuration mode.

    Answer: ABE

    Section: (none)


    Explanation/Reference:

    QUESTION 10
    Refer to the exhibit. On the basis of the partial configuration, which two statements are true? (Choose two.)

    Select 2 response(s).

    A. A CBAC inspection rule is configured on router RTA.

    B. A named ACL called SDM_LOW is configured on router RTA.

    C. A QoS policy has been applied on interfaces Serial 0/0 and FastEthernet 0/1.

    D. Interface Fa0/0 should be the inside interface and interface Fa0/1 should be the outside interface.

    E. On interface Fa0/0, the ip inspect statement should be incoming.

    F. The interface commands ip inspect SDM_LOW in allow CBAC to monitor multiple protocols.

    Answer: AF

    Section: (none)

    Explanation/Reference:

    QUESTION 11
    Which two statements describe the functions and operations of IDS and IPS systems? (Choose two.) Select 2 response(s).


    A. A network administrator entering a wrong password would generate a true-negative alarm.

    B. A false positive alarm is generated when an IDS/IPS signature is correctly identified.

    C. An IDS is significantly more advanced over IPS because of its ability to prevent network attacks.

    D. Cisco IDS works inline and stops attacks before they enter the network.

    E. Cisco IPS taps the network traffic and responds after an attack.

    F. Profile-based intrusion detection is also known as "anomaly detection".

    Answer: BF

    Section: (none)

    Explanation/Reference:

    QUESTION 12
    Refer to the exhibit. What statement is true about the interface S1/0 on router R1? Select the best response.

    A. Labeled packets can be sent over an interface.

    B. MPLS Layer 2 negotiations have occurred.

    C. IP label switching has been disabled on this interface.

    D. None of the MPLS protocols have been configured on the interface.

    Answer: D

    Section: (none)

    Explanation/Reference:

    QUESTION 13
    Which two network attack statements are true? (Choose two.) Select 2 response(s).

    A. Access attacks can consist of password attacks, trust exploitation, port redirection, and man-in-the-middle attacks.

    B. Access attacks can consist of UDP and TCP SYN flooding, ICMP echo-request floods, and ICMP directed broadcasts.

    C. DoS attacks can be reduced through the use of access control configuration, encryption, and RFC 2827 filtering.

    D. DoS attacks can consist of IP spoofing and DDoS attacks.

    E. IP spoofing can be reduced through the use of policy-based routing.


    F. IP spoofing exploits known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information.

    Answer: AD

    Section: (none)

    Explanation/Reference:

    QUESTION 14
    What are the four steps, in their correct order, to mitigate a worm attack? Select the best response.

    A. contain, inoculate, quarantine, and treat

    B. inoculate, contain, quarantine, and treat

    C. quarantine, contain, inoculate, and treat

    D. preparation, identification, traceback, and postmortem

    E. preparation, classification, reaction, and treat

    F. identification, inoculation, postmortem, and reaction

    Answer: A

    Section: (none)

    Explanation/Reference:

    QUESTION 15
    If an edge Label Switch Router (LSR) is properly configured, which three combinations are possible? (Choose three.) Select 3 response(s).

    A. A received IP packet is forwarded based on the IP destination address and the packet is sent as an IP packet.

    B. An IP destination exists in the IP forwarding table. A received labeled packet is dropped because the label is not found in the LFIB table.

    C. There is an MPLS label-switched path toward the destination. A received IP packet is dropped because the destination is not found in the IP forwarding table.

    D. A received IP packet is forwarded based on the IP destination address and the packet is sent as a labeled packet.

    E. A received labeled IP packet is forwarded based upon both the label and the IP address.

    F. A received labeled packet is forwarded based on the label. After the label is swapped, the newly labeled packet is sent.

    Answer: ADF

    Section: (none)

    Explanation/Reference:

    QUESTION 16
    Which three techniques should be used to secure management protocols? (Choose three.) Select 3 response(s).

    A. Configure SNMP with only read-only community strings.

    B. Encrypt TFTP and syslog traffic in an IPSec tunnel.


    C. Implement RFC 3704 filtering at the perimeter router when allowing syslog access from devices on the outside of a firewall.

    D. Synchronize the NTP master clock with an Internet atomic clock.

    E. Use SNMP version 2.

    F. Use TFTP version 3 or above because these versions support a cryptographic authentication mechanism between peers.

    Answer: ABC

    Section: (none)

    Explanation/Reference:

    QUESTION 17
    Which statement describes Reverse Route Injection (RRI)? Select the best response.

    A. A static route that points towards the Cisco Easy VPN server is created on the remote client.

    B. A static route is created on the Cisco Easy VPN server for the internal IP address of each VPN client.

    C. A default route is injected into the route table of the remote client.

    D. A default route is injected into the route table of the Cisco Easy VPN server.

    Answer: B

    Section: (none)

    Explanation/Reference:

    QUESTION 18
    What are two possible actions an IOS IPS can take if a packet in a session matches a signature? (Choose two.) Select 2 response(s).

    A. reset the connection

    B. forward the packet

    C. check the packet against an ACL

    D. drop the packet

    Answer: AD

    Section: (none)

    Explanation/Reference:

    QUESTION 19
    Refer to the exhibit. Which two statements about the Network Time Protocol (NTP) are true? (Choose two.) Select 2 response(s).


    A. Router RTA will adjust for eastern daylight savings time.

    B. To enable authentication, the ntp authenticate command is required on routers RTA and RTB.

    C. To enable NTP, the ntp master command must be configured on routers RTA and RTB.

    D. Only NTP time requests are allowed from the host with IP address 10.1.1.1.

    E. The preferred time source located at 130.207.244.240 will be used for synchronization regardless of the other time sources.

    Answer: AB

    Section: (none)

    Explanation/Reference:

    QUESTION 20
    What is a reason for implementing MPLS in a network? Select the best response.

    A. MPLS eliminates the need of an IGP in the core.

    B. MPLS reduces the required number of BGP-enabled devices in the core.

    C. Reduces routing table lookup since only the MPLS core routers perform routing table lookups.

    D. MPLS eliminates the need for fully meshed connections between BGP enabled devices.

    Answer: B

    Section: (none)

    Explanation/Reference:

    QUESTION 21
    Refer to the exhibit. The show mpls interfaces detail command has been used to display information about the interfaces on router R1 that have been configured for label switching. Which statement is true about the MPLS edge router R1?


    Select the best response.

    A. Packets can be labeled and forwarded out interface Fa0/1 because of the MPLS operational status of the interface.

    B. Because LSP tunnel labeling has not been enabled on interface Fa0/1, packets cannot be labeled and forwarded out interface Fa0/1.

    C. Packets can be labeled and forwarded out interface Fa1/1 because MPLS has been enabled on this interface.

    D. Because the MTU size is increased above the size limit, packets cannot be labeled and forwarded out interface Fa1/1.

    Answer: A

    Section: (none)

    Explanation/Reference:

    QUESTION 22
    Refer to the exhibit. MPLS has been configured on all routers in the domain. In order for R2 and R3 to forward frames between them with label headers, what additional configuration will be required on devices that are attached to the LAN segment? Select the best response.


    A. Decrease the maximum MTU requirements on all router interfaces that are attached to the LAN segment.

    B. Increase the maximum MTU requirements on all router interfaces that are attached to the LAN segment.

    C. No additional configuration is required. Interface MTU size will be automatically adjusted to accommodate the larger size frames.

    D. No additional configuration is required. Frames with larger MTU size will be automatically fragmented and forwarded on all LAN segments.

    Answer: B

    Section: (none)

    Explanation/Reference:

    QUESTION 23
    Which three statements about IOS Firewall configurations are true? (Choose three.) Select 3 response(s).

    A. The IP inspection rule can be applied in the inbound direction on the secured interface.

    B. The IP inspection rule can be applied in the outbound direction on the unsecured interface.

    C. The ACL applied in the outbound direction on the unsecured interface should be an extended ACL.

    D. The ACL applied in the inbound direction on the unsecured interface should be an extended ACL.

    E. For temporary openings to be created dynamically by Cisco IOS Firewall, the access-list for the returning traffic must be a standard ACL.

    F. For temporary openings to be created dynamically by Cisco IOS Firewall, the IP inspection rule must be applied to the secured interface.

    Answer: ABD

    Section: (none)

    Explanation/Reference:

    QUESTION 24
    What are three features of the Cisco IOS Firewall feature set? (Choose three.) Select 3 response(s).

    A. network-based application recognition (NBAR)

    B. authentication proxy

    C. stateful packet filtering

    D. AAA services

    E. proxy server

    F. IPS


    Answer: BCF

    Section: (none)

    Explanation/Reference:

    QUESTION 25
    Which statement describes the Authentication Proxy feature? Select the best response.

    A. All traffic is permitted from the inbound to the outbound interface upon successful authentication of the user.

    B. A specific access profile is retrieved from a TACACS+ or RADIUS server and applied to an IOS Firewall based on user provided credentials.

    C. Prior to responding to a proxy ARP, the router will prompt the user for a login and password which are authenticated based on the configured AAA policy.

    D. The proxy server capabilities of the IOS Firewall are enabled upon successful authentication of the user.

    Answer: B

    Section: (none)

    Explanation/Reference:

    QUESTION 26
    Which two statements about an IDS are true? (Choose two.) Select 2 response(s).

    A. The IDS is in the traffic path.

    B. The IDS can send TCP resets to the source device.

    C. The IDS can send TCP resets to the destination device.

    D. The IDS listens promiscuously to all traffic on the network.

    E. Default operation is for the IDS to discard malicious traffic.

    Answer: BD

    Section: (none)

    Explanation/Reference:

    QUESTION 27

    Which statement about an IPS is true? Select the best response.

    A. The IPS is in the traffic path.

    B. Only one active interface is required.

    C. Full benefit of an IPS will not be realized unless deployed in conjunction with an IDS.

    D. When malicious traffic is detected, the IPS will only send an alert to a management station.

    Answer: A

    Section: (none)

    Explanation/Reference:


    QUESTION 28
    Which three categories of signatures can a Cisco IPS microengine identify? (Choose three.) Select 3 response(s).

    A. DDoS signatures

    B. strong signatures

    C. exploit signatures

    D. numeric signatures

    E. spoofing signatures

    F. connection signatures

    Answer: ACF

    Section: (none)

    Explanation/Reference:

    QUESTION 29
    During the Easy VPN Remote connection process, which phase involves pushing the IP address, Domain Name System (DNS), and split tunnel attributes to the client? Select the best response.

    A. mode configuration

    B. the VPN client establishment of an ISAKMP SA

    C. IPsec quick mode completion of the connection

    D. VPN client initiation of the IKE phase 1 process

    Answer: A

    Section: (none)

    Explanation/Reference:

    QUESTION 30
    When configuring the Cisco VPN Client, what action is required prior to installing Mutual Group Authentication? Select the best response.

    A. Transparent tunneling must be enabled.

    B. A valid root certificate must be installed.

    C. A group pre-shared secret must be properly configured.

    D. The option to "Allow Local LAN Access" must be selected.

    Answer: B

    Section: (none)

    Explanation/Reference:

    QUESTION 31
    When configuring the Cisco VPN Client with transparent tunneling, what is true about the IPSec over TCP option? Select the best response.

    A. The port number is negotiated automatically.

    B. Clients will have access to the secured tunnel and local resources.


    C. The port number must match the configuration on the secure gateway.

    D. Packets are encapsulated using Protocol 50 (Encapsulating Security Payload, or ESP).

    Answer: C

    Section: (none)

    Explanation/Reference:

    QUESTION 32
    Which two statements are true about signatures in a Cisco IOS IPS? (Choose two.) Select 2 response(s).

    A. The action of a signature can be enabled on a per-TCP-session basis.

    B. Common signatures are hard-coded into the IOS image.

    C. IOS IPS signatures are propagated with the SDEE protocol.

    D. IOS IPS signatures are stored in the startup config of the router.

    E. Selection of an SDF file should be based on the amount of RAM memory available on the router.

    Answer: BE

    Section: (none)

    Explanation/Reference:

    QUESTION 33
    Which two active response capabilities can be configured on an intrusion detection system (IDS) in response to malicious traffic detection? (Choose two.) Select 2 response(s).

    A. the initiation of dynamic access lists on the IDS to prevent further malicious traffic

    B. the configuration of network devices to prevent malicious traffic from passing through

    C. the shutdown of ports on intermediary devices

    D. the transmission of a TCP reset to the offending end host

    E. the invoking of SNMP-sourced controls

    Answer: BD

    Section: (none)

    Explanation/Reference:

    QUESTION 34
    What two proactive preventive actions are taken by an intrusion prevention system (IPS) when malicious traffic is detected? (Choose two.) Select 2 response(s).

    A. The IPS shuts down intermediary ports.

    B. The IPS invokes SNMP-enabled controls.

    C. The IPS sends an alert to the management station.

    D. The IPS enables a dynamic access list.

    E. The IPS denies malicious traffic.

    Answer: CE

    Section: (none)


    Explanation/Reference:

    QUESTION 35
    Refer to the exhibit. What is the VPN IPv4 label for the network 172.16.13.0/24?

    Select the best response.

    A. 17

    B. 17, 12308

    C. 12308

    D. 11

    Answer: C

    Section: (none)

    Explanation/Reference:

    QUESTION 36
    Refer to the exhibit. What does the "26" in the first two hop outputs indicate?

    Select the best response.

    A. the outer label used to determine the next hop

    B. the IPv4 label for the destination network

    C. the IPv4 label for the forwarding router

    D. the IPv4 label for the destination router

    Answer: B

    Section: (none)

    Explanation/Reference:


    QUESTION 37
    How can virus and Trojan horse attacks be mitigated? Select the best response.

    A. Disable port scan.

    B. Deny echo replies on all edge routes.

    C. Implement RFC 2827 filtering.

    D. Use antivirus software.

    E. Enable trust levels.

    Answer: D

    Section: (none)

    Explanation/Reference:

    QUESTION 38
    What are two ways to reduce the risk of an application-layer attack? (Choose two.) Select 2 response(s).

    A. Disable port scans.

    B. Deny echo replies on all edge routers.

    C. Implement RFC 2827 filtering.

    D. Use intrusion detection systems (IDS).

    E. Read operating system and network log files.

    Answer: DE

    Section: (none)

    Explanation/Reference:

    QUESTION 39
    What three classifications reflect the different approaches used to identify malicious traffic? (Choose three.) Select 3 response(s).

    A. platform based

    B. signature based

    C. policy based

    D. regular-expression based

    E. symbol based

    F. anomaly based

    Answer: BCF

    Section: (none)

    Explanation/Reference:

    QUESTION 40
    Which Security Device Manager (SDM) feature expedites the deployment of the default intrusion prevention system (IPS) settings and provides configuration steps for interface and traffic flow selection, SDF location, and signature deployment? Select the best response.

    A. IPS Edit menu


    B. IPS Command wizard

    C. IPS Policies wizard

    D. IPS Signature Definition File (SDF) menu

    Answer: C

    Section: (none)

    Explanation/Reference:

    QUESTION 41
    What are three options for viewing Security Device Event Exchange (SDEE) messages in Security Device Manager (SDM)? (Choose three.) Select 3 response(s).

    A. to view SDEE status messages

    B. to view SDEE keepalive messages

    C. to view all SDEE messages

    D. to view SDEE statistics

    E. to view SDEE alerts

    F. to view SDEE actions

    Answer: ACE

    Section: (none)

    Explanation/Reference:

    QUESTION 42
    What are three configurable parameters when editing signatures in Security Device Manager (SDM)? (Choose three.) Select 3 response(s).

    A. AlarmSeverity

    B. AlarmKeepalive

    C. AlarmTraits

    D. EventMedia

    E. EventAlarm

    F. EventAction

    Answer: ACF

    Section: (none)

    Explanation/Reference:

    QUESTION 43
    Refer to the exhibit. Which order correctly identifies the steps to provision a cable modem to connect to a headend as defined by the DOCSIS standard? Select the best response.


    A. A, D, C, G, E, F, B

    B. A, D, E, G, C, F, B

    C. C, D, F, G, E, A, B

    D. C, D, F, G, A, E, B

    E. F, D, C, G, A, E, B

    F. F, D, C, G, E, A, B

    Answer: E

    Section: (none)

    Explanation/Reference:

    QUESTION 44
    Refer to the exhibit. Which statement about the authentication process is true? Select the best response.

    A. The LIST1 list will disable authentication on the console port.


    B. Because no method list is specified, the LIST1 list will not authenticate anyone on the console port.

    C. All login requests will be authenticated using the group tacacs+ method.

    D. All login requests will be authenticated using the local database method.

    E. The default login authentication will automatically be applied to all login connections.

    Answer: A

    Section: (none)

    Explanation/Reference:

    QUESTION 45
    Refer to the exhibit. A network administrator wishes to mitigate network threats. Given that purpose, which two statements about the IOS firewall configuration that is revealed by the output are true? (Choose two.)

    Select 2 response(s).

    A. The command ip inspect FIREWALL_ACL out must be applied on interface FastEthernet 0/0.

    B. The command ip inspect FIREWALL_ACL out must be applied on interface FastEthernet 0/1.

    C. The command ip access-group FIREWALL_ACL in must be applied on interface FastEthernet 0/0.

    D. The command ip access-group FIREWALL_ACL in must be applied on interface FastEthernet 0/1.

    E. The configuration excerpt is an example of a CBAC list.

    F. The configuration excerpt is an example of a reflexive ACL.

    Answer: BE

    Section: (none)

    Explanation/Reference:

    QUESTION 46
    Which two statements about the Security Device Manager (SDM) Intrusion Prevention System (IPS) Rule wizard are true? (Choose two.)


    Select 2 response(s).

    A. By default, the Use Built-In Signatures (as backup) checkbox is not selected.

    B. Changes to the IPS rules can be made using the Configure IPS tab.

    C. Changes to the IPS rules can be made using the Edit Firewall Policy/ACL tab.

    D. Once all interfaces have rules applied to them, you can re-initiate the IPS Rule wizard to make changes.

    E. Once all interfaces have rules applied to them, you cannot re-initiate the IPS Rule wizard to make changes.

    F. When using the wizard for the first time, you will be prompted to enable the Security Device Event Exchange (SDEE).

    Answer: DF

    Section: (none)

    Explanation/Reference:

    QUESTION 47
    Refer to the exhibit. Which two statements about the SDF Locations window of the IPS Rule wizard are true? (Choose two.) Select 2 response(s).

    A. An HTTP SDF file location can be specified by clicking the Add button.

    B. If all specified SDF locations fail to load, the signature file that is named default.sdf will be loaded.

    C. The Autosave feature automatically saves the SDF alarms if the router crashes.

    D. The Autosave feature is automatically enabled for the default built-in signature file.

    E. The name of the built-in signature file is default.sdf.


    F. The Use Built-In Signatures (as backup) check box is selected by default.

    Answer: AF

    Section: (none)

    Explanation/Reference:

    QUESTION 48
    Refer to the exhibit. On the basis of the information in the exhibit, which two statements are true? (Choose two.) Select 2 response(s).

    A. Any traffic matching signature 1107 will generate an alarm, reset the connection, and be dropped.

    B. Signature 1102 has been modified, but the changes have not been applied to the router.

    C. Signature 1102 has been triggered because of matching traffic.

    D. The Edit IPS window is currently displaying the Global Settings information.

    E. The Edit IPS window is currently displaying the signatures in Details view.

    F. The Edit IPS window is currently displaying the signatures in Summary view.

    Answer: BE

    Section: (none)

    Explanation/Reference:


    QUESTION 49
    Refer to the exhibit. On the basis of the information that is provided, which two statements are true? (Choose two.)

    Select 2 response(s).

    A. An IPS policy can be edited by choosing the Edit button.

    B. Right-clicking on an interface will display a shortcut menu with options to edit an action or to set severity levels.

    C. The Edit IPS window is currently in Global Settings view.

    D. The Edit IPS window is currently in IPS Policies view.

    E. The Edit IPS window is currently in Signatures view.

    F. To enable an IPS policy on an interface, click on the interface and deselect Disable.

    Answer: AD

    Section: (none)

    Explanation/Reference:

    QUESTION 50
    Refer to the exhibit. Based on the configuration, what will happen to the IPSec VPN between the Remote router and the Head-End router with IP address 172.31.1.100 if no dead-peer detection hello messages are received for 20 seconds?


    Select the best response.

    A. The IPSec VPN will transition with no down-time to a peering relationship with the Head-End router at 172.31.1.200.

    B. The IPSec VPN will transition to a peering relationship with the Head-End router at 172.31.1.200, with a down-time determined by the time required to tear-down and build the peerings.

    C. The IPSec VPN will not be affected.

    D. The IPSec VPN will terminate but will rebuild with the same peer because 3 hello messages have not yet been missed.

    Answer: C

    Section: (none)

    Explanation/Reference:

    QUESTION 51
    Which four outbound ICMP message types would normally be permitted? (Choose four.) Select 4 response(s).

    A. echo reply

    B. time exceeded

    C. echo

    D. parameter problem

    E. packet too big

    F. source quench

    Answer: CDEF

    Section: (none)

    Explanation/Reference:


    QUESTION 52
    Refer to the exhibit. What information can be derived from the SDM firewall configuration that is shown? Select the best response.

    A. Access-list 100 was configured for the trusted interface, and access-list 101 was configured for the untrusted interface.

    B. Access-list 101 was configured for the trusted interface, and access-list 100 was configured for the untrusted interface.

    C. Access-list 100 was configured for the inbound direction, and access-list 101 was configured for the outbound direction on the trusted interface.

    D. Access-list 100 was configured for the inbound direction, and access-list 101 was configured for the outbound direction on the untrusted interface.

    Answer: A

    Section: (none)

    Explanation/Reference:

    QUESTION 53

    Which three statements about hybrid fiber-coaxial (HFC) networks are true? (Choose three.) Select 3 response(s).

    A. A tap produces a significantly larger output signal.

    B. An amplifier divides the input RF signal power to provide subscriber drop connections.

    C. Baseband sends multiple pieces of data simultaneously to increase the effective rate of transmission.

    D. Downstream is the direction of an RF signal transmission (TV channels and data) from the source (headend) to the destination (subscribers).


    E. The term CATV refers to residential cable systems.

    F. Upstream is the direction from subscribers to the headend.

    Answer: DEF

    Section: (none)

    Explanation/Reference:

    QUESTION 54

    Which two statements about the transmission of signals over a cable network are true? (Choose two.) Select 2 response(s).

    A. Downstream signals travel from the cable operator to the subscriber and use frequencies in the range of 5 to 42 MHz.

    B. Downstream signals travel from the cable operator to the subscriber and use frequencies in the range of 50 to 860 MHz.

    C. Downstream and upstream signals operate in the same frequency ranges.

    D. Upstream signals travel from the subscriber to the cable operator and use frequencies in the range of 5 to 42 MHz.

    E. Upstream signals travel from the subscriber to the cable operator and use frequencies in the range of 50 to 860 MHz.

    Answer: BD

    Section: (none)

    Explanation/Reference:

    QUESTION 55

    What are the four steps that occur with an IPsec VPN setup? Select the best response.

    A. Step 1: Interesting traffic initiates the IPsec process.
    Step 2: AH authenticates IPsec peers and negotiates IKE SAs.
    Step 3: AH negotiates IPsec SA settings and sets up matching IPsec SAs in the peers.
    Step 4: Data is securely transferred between IPsec peers.

    B. Step 1: Interesting traffic initiates the IPsec process.
    Step 2: ESP authenticates IPsec peers and negotiates IKE SAs.
    Step 3: ESP negotiates IPsec SA settings and sets up matching IPsec SAs in the peers.
    Step 4: Data is securely transferred between IPsec peers.

    C. Step 1: Interesting traffic initiates the IPsec process.
    Step 2: IKE authenticates IPsec peers and negotiates IKE SAs.
    Step 3: IKE negotiates IPsec SA settings and sets up matching IPsec SAs in the peers.
    Step 4: Data is securely transferred between IPsec peers.

    D. Step 1: Interesting traffic initiates the IPsec process.
    Step 2: IKE negotiates IPsec SA settings and sets up matching IPsec SAs in the peers.
    Step 3: IKE authenticates IPsec peers and negotiates IKE SAs.
    Step 4: Data is securely transferred between IPsec peers.

    Answer: C

    Section: (none)

    Explanation/Reference:

    QUESTION 56


    Which IOS command will display IPS default values that may not be displayed using the show running-config command? Select the best response.

    A. show ip ips session

    B. show ip ips interface

    C. show ip ips statistics

    D. show ip ips configuration

    E. show ip ips running-config

    Answer: D

    Section: (none)

    Explanation/Reference:

    QUESTION 57

    Refer to the exhibit. Which of the configuration tasks would allow you to quickly deploy default signatures?

    Select the best response.

    A. firewall and ACLs

    B. security audit


    C. routing

    D. NAT

    E. intrusion prevention

    F. NAC

    Answer: E

    Section: (none)

    Explanation/Reference:

    QUESTION 58

    What are two possible actions Cisco IOS IPS can take if a packet in a session matches a signature? (Choose two.) Select 2 response(s).

    A. drop the packet

    B. forward the packet

    C. quartile the packet

    D. reset the connection

    E. check the packet against an ACL

    Answer: AD

    Section: (none)

    Explanation/Reference:

    QUESTION 59

    A router interface is configured with an inbound access control list and an inspection rule. How will an inbound packet on this interface be processed? Select the best response.

    A. It will be processed by the inbound ACL. If the packet is dropped by the ACL, then it will be processed by the inspection rule.

    B. It will be processed by the inbound ACL. If the packet is not dropped by the ACL, then it will be processed by the inspection rule.

    C. It will be processed by the inspection rule. If the packet matches the inspection rule, the inbound ACL will be invoked.

    D. It will be processed by the inspection rule. If the packet does not match the inspection rule, the inbound ACL will be invoked.

    Answer: B

    Section: (none)

    Explanation/Reference:

    QUESTION 60

    Which two features can be implemented using the Cisco SDM Advanced Firewall wizard? (Choose two.) Select 2 response(s).

    A. DMZ support

    B. custom rules

    C. firewall signatures

    D. application security


    E. IP unicast reverse path forwarding

    Answer: AB

    Section: (none)

    Explanation/Reference:

    QUESTION 61

    Which two statements are true about the Cisco Classic (CBAC) IOS Firewall set? (Choose two.) Select 2 response(s).

    A. It can be used to block bulk encryption attacks.

    B. It can be used to protect against denial of service attacks.

    C. Traffic originating from the router is considered trusted, so it is not inspected.

    D. Based upon the custom firewall rules, an ACL entry is statically created and added to the existing ACL permanently.

    E. Temporary ACL entries that allow selected traffic to pass are created and persist for the duration of the communication session.

    Answer: BE

    Section: (none)

    Explanation/Reference:

    QUESTION 62

    Refer to the exhibit. Which Cisco SDM feature is illustrated? Select the best response.

    A. ACL Editor

    B. Easy VPN Wizard

    C. Security Audit

    D. Site-to-Site VPN

    E. Inspection Rules


    F. Reset to Factory Defaults

    Answer: C

    Section: (none)

    Explanation/Reference:

    QUESTION 63

    Which two statements about management protocols are true? (Choose two.) Select 2 response(s).

    A. IGMP should be enabled on edge interfaces to allow remote testing.

    B. NTP version 3 or later should be used because these versions support the use of a cryptographic authentication mechanism between peers.

    C. SNMP version 3 is recommended since it provides authentication and encryption services for management packets.

    D. NTP version 3 or later should be used because these versions support the use of a RADIUS-based authentication mechanism between peers.

    E. SNMP version 3 is recommended since it provides a RADIUS-based authentication mechanism between peers.

    Answer: BC

    Section: (none)

    Explanation/Reference:

    QUESTION 64

    Which two of these are required in order to implement SSH on a router? (Choose two.) Select 2 response(s).

    A. the Cisco IPS Feature Set is installed on the router

    B. the router is configured to perform authentication

    C. the router is using the correct domain name for the network

    D. the Cisco IOS Firewall Feature Set is installed on the router

    E. an ACL is configured on the VTY lines to block Telnet access

    Answer: BC

    Section: (none)

    Explanation/Reference:

    QUESTION 65

    Refer to the exhibit. Routers RTB and RTC have established LDP neighbor sessions. During troubleshooting, you discovered that labels are being distributed between the two routers but no label swapping information is in the LFIB. What is the most likely cause of this problem? Select the best response.


    A. The IGP is summarizing the address space.

    B. IP Cisco Express Forwarding has not been enabled on both RTB and RTC.

    C. BGP neighbor sessions have not been configured on both routers.

    D. LDP has been enabled on one router and TDP has been enabled on the other.

    Answer: B

    Section: (none)

    Explanation/Reference:

    QUESTION 66

    Refer to the exhibit. The show mpls interfaces detail command has been used to display information about the interfaces on MPLS edge router R1 that have been configured for label switching. Which statement about R1 is true?


    Select the best response.

    A. MPLS is not operating on Fa1/0, because the MTU size has exceeded the 1500 limit of Ethernet.

    B. The router has established a TDP session with its neighbor on Fa0/1. Packets can be labeled and forwarded out that interface.

    C. LSP tunnel labeling has not been enabled on either interface Fa0/0 or Fa1/1, therefore MPLS is not operating on Fa0/1.

    D. The router has established an LDP session with its neighbor on Fa1/1. However, packets cannot be forwarded out that interface because MPLS is not operational.

    Answer: B

    Section: (none)

    Explanation/Reference:

    QUESTION 67

    Refer to the exhibit. Which statement about this Cisco IOS Firewall configuration is true?


    Select the best response.

    A. Outbound TCP sessions are blocked, preventing inside users from browsing the Internet.

    B. INSIDEACL permits outbound HTTP sessions; INSIDEACL is applied to the outside interface in the inbound direction.

    C. OUTSIDEACL permits inbound SMTP and HTTP; OUTSIDEACL is applied to the inside interface in the outbound direction.

    D. ICMP unreachable "packet-too-big" messages are rejected on all interfaces to prevent DDoS attacks.

    E. The TCP inspection will automatically allow return traffic for the outbound HTTP sessions and inbound SMTP and HTTP sessions.

    Answer: E

    Section: (none)

    Explanation/Reference:

    QUESTION 68

    What is an MPLS forwarding equivalence class? Select the best response.

    A. a set of destination networks forwarded from the same ingress router

    B. a set of destination networks forwarded to the same egress router

    C. a set of source networks forwarded from the same ingress router

    D. a set of source networks forwarded to the same egress router

    Answer: B

    Section: (none)

    Explanation/Reference:


    QUESTION 69

    Which approach for identifying malicious traffic involves looking for a fixed sequence of bytes in a single packet or in predefined content? Select the best response.

    A. policy-based

    B. anomaly-based

    C. honeypot-based

    D. signature-based

    E. regular-expression-based

    Answer: D

    Section: (none)

    Explanation/Reference:

    QUESTION 70

    Which Cisco SDM feature expedites the deployment of the default IPS settings and provides configuration steps for interface and traffic flow selection, SDF location, and signature deployment? Select the best response.

    A. IPS Edit menu

    B. IPS Command wizard

    C. IPS Policies wizard

    D. IPS Signature wizard

    Answer: C

    Section: (none)

    Explanation/Reference:

    QUESTION 71

    In an MPLS VPN implementation, how are overlapping customer prefixes propagated? Select the best response.

    A. A unique route target is attached to each customer routing update.

    B. Separate BGP sessions are established between each pair of customer edge LSRs.

    C. Each customer is given a unique set of edge LSPs.

    D. A route distinguisher is attached to each customer prefix.

    E. Each customer is given a unique IGP instance.

    Answer: D

    Section: (none)

    Explanation/Reference:

    QUESTION 72

    In an MPLS VPN implementation, how are overlapping customer prefixes propagated? Select the best response.

    A. A separate instance of the core IGP is used for each customer.


    B. Separate BGP sessions are established between each customer edge LSR.

    C. Because customers have their own unique LSPs, address space is kept separate.

    D. A route distinguisher is attached to each customer prefix.

    E. Because customers have their own interfaces, distributed CEFs keep the forwarding tables separate.

    Answer: D

    Section: (none)

    Explanation/Reference:

    QUESTION 73

    Which two statements are true about the Data-over-Cable Service Interface Specifications? (Choose two.) Select 2 response(s).

    A. DOCSIS is an international standard developed by CableLabs.

    B. DOCSIS defines cable operations at Layer 1, Layer 2, and Layer 3 of the OSI model.

    C. Cable operators employ DOCSIS to provide cable access over their existing IP infrastructures.

    D. DOCSIS defines a set of frequency allocation bands that are common to both U.S. and European cable systems.

    E. Compliance with DOCSIS has been mandated by the major governmental regulatory agencies in both the U.S. and Europe.

    F. Euro-DOCSIS requires the European cable channels to conform to PAL-based standards, whereas DOCSIS requires the North American cable channels to conform to the NTSC standard.

    Answer: AF

    Section: (none)

    Explanation/Reference:

    QUESTION 74

    Refer to the exhibit. What information can be derived from this show ip cef command output?

    Select the best response.

    A. This router will use a label of "21" to reach the destination network of 150.1.12.16.

    B. This router will use a PHP label to reach the destination network of 150.1.12.16.

    C. This router will advertise a label of "19" for the destination network of 150.1.12.16.

    D. This router will advertise a label of "21" for the destination network of 150.1.12.16.

    Answer: D

    Section: (none)


    Explanation/Reference:

    QUESTION 75

    Refer to the exhibit. Why does the third hop only have one label?

    Select the best response.

    A. MPLS is not enabled on that link, so only the VPN label is needed.

    B. MPLS is not enabled on that link, so only the LSP label is needed.

    C. That link is directly connected to the customer, so only the VPN label is needed.

    D. That link is directly connected to the customer, so only the LSP label is needed.

    E. The PHP process on that link has removed the LSP label, leaving only the VPN label.

    F. The PHP process on that link has removed the VPN label, leaving only the LSP label.

    Answer: E

    Section: (none)

    Explanation/Reference:

    QUESTION 76

    If you disable Cisco Express Forwarding on a P router in an MPLS network, what will the router do? Select the best response.

    A. stop forwarding all traffic

    B. stop advertising MPLS labels

    C. start forwarding MPLS packets using process switching

    D. start advertising all destination networks with an implicit null label value

    E. start stripping the MPLS labels off of packets and forwarding them using the destination IP addresses

    Answer: B

    Section: (none)

    Explanation/Reference:

    QUESTION 77

    Refer to the exhibit. What type of high-availability option is being implemented? Select the best response.


    A. IPsec stateful failover

    B. IPsec dead peer detection

    C. Hot Standby Router Protocol

    D. GRE's Keepalive Mechanism

    E. backing up a WAN connection with an IPsec VPN

    Answer: B

    Section: (none)

    Explanation/Reference:

    QUESTION 78

    Refer to the exhibit. What type of high-availability option is being implemented?

    Select the best response.


    A. IPsec stateful failover

    B. IPSec dead peer detection

    C. Hot Standby Router Protocol

    D. GRE's Keepalive Mechanism

    E. backing up a WAN connection with an IPsec VPN

    Answer: C

    Section: (none)

    Explanation/Reference:

    QUESTION 79

    Which two of these would be classified as reconnaissance attacks? (Choose two.) Select 2 response(s).

    A. port scans

    B. ping sweeps

    C. port redirection

    D. trust exploitation

    E. denial of service attacks

    F. man-in-the-middle attacks

    Answer: AB

    Section: (none)

    Explanation/Reference:

    QUESTION 80

    Which three of these would be classified as access attacks? (Choose three.) Select 3 response(s).

    A. port scans

    B. ping sweeps

    C. port redirection

    D. trust exploitation

    E. denial of service attacks

    F. man-in-the-middle attacks

    Answer: CDF

    Section: (none)

    Explanation/Reference:

    QUESTION 81

    Refer to the exhibit. Which three statements about user access are true? (Choose three.)


    Select 3 response(s).

    A. The user was attempting to access this device via a VTY.

    B. The user was attempting to access this device via the console port.

    C. The user was validated against the local AAA database.

    D. The user was validated against a remote AAA server database.

    E. The user was denied user-level access to this device.

    F. The user was granted user-level access to this device.

    Answer: ACF

    Section: (none)

    Explanation/Reference:

    QUESTION 82

    Refer to the exhibit. The ACL in this configuration is used to mitigate which of these?

    Select the best response.

    A. DOS smurf attacks

    B. ICMP message attacks


    C. TCP SYN DOS attacks

    D. IP address spoofing attacks

    E. traceroute message attacks

    Answer: D

    Section: (none)

    Explanation/Reference:

    QUESTION 83

    Refer to the exhibit. Which type of attack does the ACL prevent the internal user from successfully launching?

    Select the best response.

    A. DOS smurf attack

    B. ICMP message attack

    C. TCP SYN DOS attacks

    D. IP address spoofing attack

    E. traceroute message attacks

    Answer: D

    Section: (none)

    Explanation/Reference:

    QUESTION 84

    Which three of these are required before you can configure your routers for SSH server operations? (Choose three.) Select 3 response(s).

    A. each of the target routers has a unique hostname

    B. each of the target routers is configured to enable secret passwords

    C. a user is defined in either the local database or on a remote AAA server

    D. each of the target routers has a password configured on the VTY interface

    E. each of the target routers is using the correct domain name of your network

    Answer: ACE


    Section: (none)

    Explanation/Reference:

    QUESTION 85

    Which two actions can a Cisco IOS Firewall take when the threshold for the number of half-opened TCP sessions is exceeded? (Choose two.) Select 2 response(s).

    A. It can send a reset message to the endpoints of the oldest half-opened session.

    B. It can send a reset message to the endpoints of the newest half-opened session.

    C. It can send a reset message to the endpoints of a random half-opened session.

    D. It can block all EST packets temporarily for the duration configured by the threshold value.

    E. It can block all SYN packets temporarily for the duration configured by the threshold value.

    F. It can block all reset packets temporarily for the duration configured by the threshold value.

    Answer: AE

    Section: (none)

    Explanation/Reference:

    QUESTION 86

    Refer to the exhibit. In this firewall implementation, inside users should be permitted to browse the Internet. However, users have indicated that all attempts fail. As a result of troubleshooting, you have determined that the issue is related to the firewall implementation. What corrective action should you take?

    Select the best response.

    A. Add the global command line ip inspect name INSIDE www.

    B. Add the global command line ip inspect name OUTSIDE www.

    C. Add the ACL command line permit tcp any any eq 80 to INSIDEACL.


    D. Add the ACL command line permit tcp any any eq 80 to OUTSIDEACL.

    E. Change the access group on Fa0/0 from the inbound direction to the outbound direction.

    F. Change the access group on Fa0/1 from the inbound direction to the outbound direction.

    Answer: C

    Section: (none)

    Explanation/Reference:

    QUESTION 87

    Refer to the exhibit. In this firewall implementation, outside clients should be allowed to communicate with the SMTP server (200.1.2.1) located in the enterprise DMZ. However, users have indicated that all attempts fail. As a result of troubleshooting, you have determined that the issue is related to the firewall implementation.

    What corrective action should you take?

    Select the best response.

    A. Add the global command line ip inspect name INSIDE smtp.

    B. Add the global command line ip inspect name OUTSIDE smtp.

    C. Add the ACL command line permit tcp any host 200.1.2.1 eq 25 to DMZACL.

    D. Add the ACL command line permit tcp any host 200.1.2.1 eq 25 to OUTSIDEACL.

    E. Change the access group on Fa0/0 from the inbound direction to the outbound direction.

    F. Change the access group on Fa0/2 from the inbound direction to the outbound direction.

    Answer: D

    Section: (none)

    Explanation/Reference:


    QUESTION 88

    Refer to the exhibit. FastEthernet0/0 has been assigned a network address of 200.0.1.2/24 and no ACL has been applied to that interface. Serial0/0/0 has been assigned a network address of 200.0.0.1/30. Assuming that there are no network-related problems, which ping will be successful? Select the best response.

    A. from 200.0.0.1 to 200.0.0.2

    B. from 200.0.0.2 to 200.0.0.1

    C. from 200.0.0.2 to 200.0.1.1

    D. from 200.0.0.2 to 200.0.1.2

    E. from 200.0.1.1 to 200.0.0.2

    F. from 200.0.1.2 to 200.0.0.2

    Answer: A

    Section: (none)

    Explanation/Reference:

    QUESTION 89

    Refer to the exhibit. Which three statements about this DMZ configuration are true? (Choose three.) Select 3 response(s).


    A. The device being enabled is a web server.

    B. The device being enabled is an FTP server.

    C. The device being enabled is located in the DMZ.

    D. The device being enabled has been assigned an IP address of 192.168.0.2.

    E. FTP-based packets with a destination of 192.168.0.2 will be allowed through the DMZ to the web server located on the untrusted network.

    F. Web-based packets with a destination of 192.168.0.2 will be allowed through the DMZ to the web server located on the trusted network.

    Answer: ACD

    Section: (none)

    Explanation/Reference:

    QUESTION 90

    What is a possible way to prevent a worm attack on a host PC?

    A. Enable SSH.

    B. Enable encryption.

    C. Implement TACACS+.

    D. Keep the operating system current with the latest patches.

    Answer: D

    Section: (none)

    Explanation/Reference:

    QUESTION 91

    Refer to the exhibit.


    What is the result of the ACL configuration that is displayed?

    A. Inbound packets to request a TCP session with the 10.10.10.0/24 network are allowed.

    B. TCP responses from the outside network for TCP connections that originated on the inside network are allowed.

    C. TCP responses from the inside network for TCP connections that originated on the outside network are denied.

    D. Any inbound packet with the SYN flag set to be routed is permitted.

    Answer: B

    Section: (none)

    Explanation/Reference:

    QUESTION 92

    Which two statements are true about the Cisco IOS Firewall set? (Choose two.)

    A. protects against denial of service (DoS) attacks

    B. An ACL entry is statically created and added to the existing, permanent ACL.

    C. Traffic originating within the router is not inspected.

    D. Temporary ACL entries are created and persist for the duration of the communication session.

    Answer: AD

    Section: (none)

    Explanation/Reference:

    QUESTION 93

    Which statement is true about the SDM Basic Firewall wizard?

    A. The wizard applies predefined rules to protect the private and DMZ networks.

    B. The wizard can configure multiple DMZ interfaces for outside users.

    C. The wizard permits the creation of a custom application security policy.

    D. The wizard configures one outside interface and one or more inside interfaces.


    Answer: D

    Section: (none)

    Explanation/Reference:

    QUESTION 94

    Which three statements about frame-mode MPLS are true? (Choose three.)

    A. MPLS has three distinct components consisting of the data plane, the forwarding plane, and the control plane.

    B. The control plane is a simple label-based forwarding engine that is independent of the type of routing protocol or label exchange protocol.

    C. The CEF FIB table contains information about outgoing interfaces and their corresponding Layer 2 header.

    D. The MPLS data plane takes care of forwarding based on either destination addresses or labels.

    E. To exchange labels, the control plane requires protocols such as Tag Distribution Protocol (TDP) or MPLS Label Distribution Protocol (LDP).

    F. Whenever a router receives a packet that should be CEF-switched, but the destination is not in the FIB, the packet is dropped.

    Answer: DEF

    Section: (none)

    Explanation/Reference:

    QUESTION 95

    Which three statements about the Cisco Easy VPN feature are true? (Choose three.)

    A. If the VPN server is configured for Xauth, the VPN client waits for a username / password challenge.

    B. The Cisco Easy VPN feature only supports transform sets that provide authentication and encryption.

    C. The VPN client initiates aggressive mode (AAA) if a pre-shared key is used for authentication during the IKE phase 1 process.

    D. The VPN client verifies a server username/password challenge by using a AAA authentication server that supports TACACS+ or RADIUS.

    E. The VPN server can only be enabled on Cisco PIX Firewalls and Cisco VPN 3000 series concentrators.

    F. When connecting with a VPN client, the VPN server must be configured for ISAKMP group 1, 2 or 5.

    Answer: ABC

    Section: (none)

    Explanation/Reference:

    QUESTION 96

    Which two statements are true about the use of SDM to configure the Cisco Easy VPN feature on a router? (Choose two.)

    A. An Easy VPN connection is a connection that is configured between two Easy VPN clients.

    B. The Easy VPN server address must be configured when configuring the SDM Easy VPN Server wizard.

    C. The SDM Easy VPN Server wizard displays a summary of the configuration before applying the VPN configuration.


    D. The SDM Easy VPN Server wizard can be used to configure a GRE over IPSec site-to-site VPN or a dynamic multipoint VPN (DMVPN).

    E. The SDM Easy VPN Server wizard can be used to configure user XAuth authentication locally on the router or externally with a RADIUS server.

    F. The SDM Easy VPN Server wizard recommends using the Quick setup feature when configuring a dynamic multipoint VPN.

    Answer: CE

    Section: (none)

    Explanation/Reference:

    QUESTION 97

    Which three statements are true when configuring Cisco IOS Firewall features using the SDM? (Choose three.)

    A. A custom application security policy can be configured in the Advanced Firewall Security Configuration dialog box.

    B. An optional DMZ interface can be specified in the Advanced Firewall Interface Configuration dialog box.

    C. Custom application policies for e-mail, instant messaging, HTTP, and peer-to-peer services can be created using the Intermediate Firewall wizard.

    D. Only the outside (untrusted) interface is specified in the Basic Firewall Interface Configuration dialog box.

    E. The outside interface that SDM can be launched from is configured in the Configuring Firewall for Remote Access dialog box.

    F. The SDM provides a basic, intermediate, and advanced firewall wizard.

    Answer: ABE

    Section: (none)

    Explanation/Reference:

    QUESTION 98

    Which device is responsible for attaching a VPN label to a packet traversing an MPLS network?

    A. the provider (P) router

    B. the provider edge (PE) router

    C. the customer edge (CE) router

    D. the customer (C) router

    Answer: B

    Section: (none)

    Explanation/Reference:

    QUESTION 99

    Refer to the exhibit.


    Given the partial tunnel configuration that is shown, which tunneling encapsulation is set?

    A. GRE

    B. GRE multipoint

    C. cayman

    D. DVMRP

    Answer: A

    Section: (none)

    Explanation/Reference:

    QUESTION 100

    Which statement is correct about Security Device Event Exchange (SDEE) messages?

    A. SDEE messages can be viewed in real time using SDM.

    B. SDEE messages displayed at the SDM window cannot be filtered.

    C. SDEE messages are the SDM version of syslog messages.

    D. SDEE specifies the IPS/IDS message exchange format between an IPS/IDS device and the IPS management/monitoring station.

    E. For SDEE messages to be viewed, the show ip ips all or show logging commands must be given first.

    Answer: D

    Section: (none)

    Explanation/Reference:

    QUESTION 101

    Refer to the exhibit.


    What are the ramifications of Fail Closed being enabled under Engine Options?

    A. The router will drop all packets that arrive on the affected interface.

    B. If the IPS engine is unable to scan data, the router will drop all packets.

    C. If the IPS detects any malicious traffic, it will cause the affected interface to close any open TCP connections.

    D. The IPS engine is enabled to scan data and drop packets depending upon the signature of the flow.

    Answer: B

    Section: (none)

    Explanation/Reference:

    QUESTION 102

    Refer to the exhibit.

    Assume that a signature can identify an IP address as the source of an attack. Which action would automatically create an ACL that denies all traffic from an attacking IP address?

    A. Alarm

    B. Drop

    C. Reset


    D. Deny Flow Inline

    E. denyAttackerInline

    F. Deny-connection-inline

    Answer: E

    Section: (none)

    Explanation/Reference:

    QUESTION 103

    A site requires support for skinny and H.323 voice protocols. How is this configured on an IOS firewall using the SDM?

    A. The Basic Firewall wizard is executed and the High Security Application policy is selected.

    B. The Advanced Firewall wizard is executed and a custom Application Security policy is selected in place of the default Application Security policies.

    C. The Application Security tab is used to create a policy with voice support before the Firewall wizard is run.

    D. The Application Security tab is used to modify the SDM_High policy to add voice support prior to the Firewall wizard being run.

    Answer: B

    Section: (none)

    Explanation/Reference:

    QUESTION 104

    Refer to the exhibit.

    The Basic Firewall wizard has been used to configure a router. What is the purpose of the highlighted access list statement?

    A. To prevent spoofing by blocking traffic entering interface Fa0/0 with a source address in the same subnet as interface VLAN10


    B. To prevent spoofing by blocking traffic entering Fa0/0 with a source address in the RFC 1916 private address space

    C. To establish a DMZ by preventing traffic from interface VLAN10 being sent out interface Fa0/0

    D. To establish a DMZ by preventing traffic from interface Fa0/0 being sent out interface VLAN10

    Answer: A

    Section: (none)

    Explanation/Reference:

    QUESTION 105

    When establishing a VPN connection from the Cisco software VPN client to an Easy VPN server router using pre-shared key authentication, what is entered in the configuration GUI of the Cisco software VPN client to identify the group profile that is associated with this VPN client?

    A. Group name

    B. Client name

    C. Distinguished name

    D. Organizational unit

    Answer: A

    Section: (none)

    Explanation/Reference:

    QUESTION 106

    Refer to the exhibit.

    An IOS firewall has been configured to support skinny and H.323. Voice traffic is not passing through the firewall as expected. What needs to be corrected in this configuration?

    A. Access list 100 needs to permit skinny and H.323.

    B. Access list 101 needs to permit skinny and H.323.

    C. The ip inspect Voice in command on interface FastEthernet 0/1 should be applied in the outbound direction.

    D. The ip inspect Voice out command should be applied to interface FastEthernet 0/0.

    Answer: C

    Section: (none)

    Explanation/Reference:

    QUESTION 107

    During the Easy VPN Remote connection process, which phase involves pushing the IP address, Domain Name System (DNS), and split tunnel attributes to the client?

    A. mode configuration

    B. the VPN client establishment of an ISAKMP SA

    C. IPsec quick mode completion of the connection

    D. VPN client initiation of the IKE phase 1 process

    Answer: A

    Section: (none)

    Explanation/Reference:

    QUESTION 108

    When entering the Group Authentication information while configuring the Cisco VPN Client on a PC, what information is entered in the "Name" field?

    A. login name of the user (such as "jsmith")

    B. client name of the device (such as "jsmith-laptop")

    C. IPsec group information (such as "Engineering")

    D. the group pre-shared secret (such as "CiNl1iNFTW")

    E. host name of the remote VPN device (such as "vpna.cisco.com")

    Answer: C

    Section: (none)

    Explanation/Reference:

    QUESTION 109

    What phrase best describes a Handler in a distributed denial of service (DDoS) attack?

    A. Person who launches the attack

    B. Host that generates a stream of packets that is directed toward the intended victim

    C. Host running the attacker program

    D. Host being attacked

    Answer: C

    Section: (none)

    Explanation/Reference:

    QUESTION 110

    Which PPPoA configuration statement is true?

    A. The dsl operating-mode auto command is required if the default mode has been changed.

    B. The encapsulation ppp command is required.

    C. The ip mtu 1492 command must be applied on the dialer interface.

    D. The ip mtu 1496 command must be applied on the dialer interface.

    E. The ip mtu 1492 command must be applied on the Ethernet interface.

    F. The ip mtu 1496 command must be applied on the Ethernet interface.

    Answer: A

    Section: (none)

    Explanation/Reference:

    QUESTION 111

    What is a recommended practice for secure configuration management?

    A. Disable port scan.

    B. Use SSH or SSL.

    C. Deny echo replies on all edge routers.

    D. Enable trust levels.

    E. Use secure Telnet.

    Answer: B

    Section: (none)

    Explanation/Reference:

    QUESTION 112

    Which IPsec VPN backup technology statement is true?

    A. Each Hot Standby Routing Protocol (HSRP) standby group has two well-known MAC addresses and a virtual IP address.

    B. Reverse Route Injection (RRI) is configured at the remote site to inject the central site networks.

    C. The crypto isakmp keepalive command is used to configure the Stateful Switchover (SSO) protocol.

    D. The crypto isakmp keepalive command is used to configure stateless failover.

    E. The reverse-route command should be applied directly to the outside interface.

    Answer: D

    Section: (none)

    Explanation/Reference:

    QUESTION 113

    Which three DSL technologies support an analog POTS channel and utilize the entire bandwidth of the copper to carry data? (Choose three.)

    A. ADSL

    B. IDSL

    C. SDSL

    D. RADSL

    E. VDSL

    Answer: ADE

    Section: (none)

    Explanation/Reference:

    QUESTION 114

    What actions can be performed by the Cisco IOS IPS when suspicious activity is detected? (Choose four.)

    A. Send an alarm to a syslog server or a centralized management interface

    B. Initiate antivirus software to clean the packet

    C. Drop the packet

    D. Reset the connection

    E. Request packet to be resent

    F. Deny traffic from the source IP address associated with the connection

    Answer: ACDF

    Section: (none)

    Explanation/Reference:

    QUESTION 115

    Internet Protocol Security (IPsec) is a suite of protocols for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream. Which command can be used to show the configurations used by the current IPsec security associations?

    A. show crypto isakmp key

    B. debug crypto isakmp sa

    C. show crypto isakmp sa

    D. show crypto ipsec sa

    Answer: D

    Section: (none)

    Explanation/Reference:

    QUESTION 116

    Which two statements are true about the troubleshooting of VPN connectivity on a Cisco router? (Choose two.)

    A. SDM can be used to provide statistical output that is related to IPsec SAs.

    B. The debug crypto isakmp command output displays detailed IKE phase 1 and phase 2 negotiation processes.

    C. SDM can be used to perform advanced troubleshooting.

    D. Knowledge of Cisco IOS CLI commands is required.

    E. The Monitor Tunnel Operation page in SDM is the primary tool for troubleshooting VPN connectivity.

    Answer: BD

    Section: (none)

    Explanation/Reference:

    QUESTION 117

    Which statement about the aaa authentication enable default group radius enable command is true?

    A. If the radius server returns an error, the enable password will be used.

    B. If the radius server returns a 'failed' message, the enable password will be used.

    C. The command login authentication group will associate the AAA authentication to a specified interface.

    D. If the group database is unavailable, the radius server will be used.

    Answer: A

    Section: (none)

    Explanation/Reference:

    QUESTION 118

    DSL (Digital Subscriber Line) is a technology for bringing high-bandwidth information to homes and small businesses over ordinary copper telephone lines. Which form of DSL technology is typically used to replace T1 lines?

    A. VDSL

    B. HDSL

    C. ADSL

    D. SDSL

    Answer: B

    Section: (none)

    Explanation/Reference:

    QUESTION 119

    According to the following presented information, which two items are correct regarding user access? (Choose two.)

    A. Telnet access to this device is not possible because login access has not been configured.

    B. Access to the console port of this device may be gained by use of the "con2access" password.

    C. A username and password are needed to log in to a Telnet session to this device.

    D. A username and password are needed to log in to the console port of this device.

    Answer: CD

    Section: (none)

    Explanation/Reference:

    QUESTION 120

    What are two principles to follow when configuring ACLs with IOS Firewall? (Choose two.)

    A. Prevent traffic that will be inspected by IOS Firewall from leaving the network through the firewall.

    B. Configure extended ACLs to prevent IOS Firewall return traffic from entering the network through the firewall.

    C. Configure an ACL to deny traffic from the protected networks to the unprotected networks.

    D. Permit broadcast messages with a source address of 255.255.255.255.

    E. Allow traffic that will be inspected by IOS Firewall to leave the network through the firewall.

    Answer: BE

    Section: (none)

    Explanation/Reference:

    QUESTION 121

    With MPLS, what is the function of the protocol ID (PID) in a Layer 2 header?

    A. It specifies that the bottom-of-stack bit immediately follows.

    B. It specifies that the payload starts with a label and is followed by an IP header.

    C. It specifies that the receiving router use the top label only.

    D. It specifies how many labels immediately follow.

    Answer: B

    Section: (none)

    Explanation/Reference:

    QUESTION 122

    Which statement identifies a limitation in the way Cisco IOS Firewall tracks UDP connections versus TCP connections?

    A. It cannot track the source IP.

    B. It cannot track the source port.

    C. It cannot track the destination IP.

    D. It cannot track the destination port.

    E. It cannot track sequence numbers and flags.

    F. It cannot track multicast or broadcast packets.

    Answer: E

    Section: (none)

    Explanation/Reference:

    QUESTION 123

    What are three methods of network reconnaissance? (Choose three.)

    A. IP spoofing

    B. One-time password

    C. Dictionary attack

    D. Packet sniffer

    E. Ping sweep

    F. Port scan

    Answer: DEF

    Section: (none)

    Explanation/Reference:

    QUESTION 124

    PPPoE, Point-to-Point Protocol over Ethernet, is a network protocol for encapsulating Point-to-Point Protocol (PPP) frames inside Ethernet frames. What is the possible cause for the failure of the establishment of the PPPoE client session?

    A. The PPP LCP phase has failed because the correct DSL operating mode (DSL modulation) is not configured on the PG-CPE router.

    B. The PPP authentication phase has failed at the PG-CPE.

    C. The PPP LCP phase has failed because of excessive link noise.

    D. The PPP NCP phase has failed because the local router cannot successfully initialize the DSLAM.

    Answer: B

    Section: (none)

    Explanation/Reference:

    QUESTION 125

    According to the following graphic, can you tell me which VPN IPv4 label is for the network 172.16.13.0/24?

    A. 11

    B. 17

    C. 12308

    D. 17, 12308

    Answer: C

    Section: (none)

    Explanation/Reference:

    QUESTION 126

    What are two ways to mitigate IP spoofing attacks? (Choose two.)

    A. Disable ICMP echo.

    B. Use RFC 3704 filtering (formerly known as RFC 2827).

    C. Use encryption.

    D. Configure trust levels.

    E. Use NBAR.

    F. Use MPLS.

    Answer: BC

    Section: (none)

    Explanation/Reference:

    QUESTION 127

    What technology must be enabled as a prerequisite to running MPLS on a Cisco router?

    A. Process switching

    B. Routing-table driven switching

    C. Cache driven switching

    D. CEF switching

    E. Fast switching

    Answer: D

    Section: (none)

    Explanation/Reference:

    QUESTION 128

    Which two of the following belong to reconnaissance attacks? (Choose two.)

    A. Port scans

    B. Ping sweeps

    C. Denial of service attacks

    D. Man-in-the-middle attacks

    Answer: AB

    Section: (none)

    Explanation/Reference:

    QUESTION 129

    Refer to the exhibit. Which of these statements about the configured IPsec transform set is correct?

    Select the best response.

    A. Only the data field of the packet will be hashed using SHA.

    B. Only the address fields of the packet will be hashed using SHA.

    C. Only the data field of the packet will be encrypted by the AES algorithm using a 256-bit key.

    D. Only the address fields of the packet will be encrypted by the AES algorithm using a 256-bit key.

    E. The data field of the packet will be encrypted by the AES algorithm using a 256-bit key, while the address fields of the packet will be hashed using SHA.

    F. The address fields of the packet will be encrypted by the AES algorithm using a 256-bit key, while the data field of the packet will be hashed using SHA.

    Answer: E

    Section: (none)

    Explanation/Reference:

    QUESTION 130

    Which two statements about the AutoSecure feature are true? (Choose two.)

    A. AutoSecure automatically disables the CDP feature.

    B. If you enable AutoSecure, the minimum length of the login and enable passwords is set to 6 characters.

    C. The auto secure full command automatically configures the management and forwarding planes without any user interaction.

    D. To enable AutoSecure, the auto secure global configuration command must be used.

    E. Once AutoSecure has been configured, the user can launch the SDM Web interface to perform a security audit.

    Answer: AB

    Section: (none)

    Explanation/Reference:

    QUESTION 131

    Refer to the exhibit. Host 1 cannot ping Server 1. In the course of troubleshooting, you have eliminated all network issues. Based upon the partial configuration shown, what is the issue?

    Select the best response.

    A. No routing protocol is running on R 1 and R 2.

    B. An encryption algorithm has been configured on R 1 and R 2.

    C. The tunnel destinations on R 1 and R 2 are not on the same subnet.

    D. R 1 has the wrong tunnel source configured under the tunnel interface.

    E. R 2 has the wrong tunnel source configured under the tunnel interface.

    F. The tunnel numbers (interface tunnel 0 and interface tunnel 1) on R 1 and R 2 do not match.

    Answer: D

    Section: (none)

    Explanation/Reference:

    QUESTION 132

    When configuring backup IPsec VPNs with Cisco IOS Release 12.2(8)T or later, what are the default parameters?

    A. Cisco IOS keepalives are sent every 10 seconds if there is no traffic to send.

    B. Dead peer detection (DPD) hello messages are sent every 10 seconds if there is no traffic to send.

    C. Cisco IOS keepalives are sent every 10 seconds if the router has traffic to send.

    D. DPD hello messages are sent every 10 seconds if the router has traffic to send.

    Answer: D

    Section: (none)

    Explanation/Reference:

    QUESTION 133

    Observe the following exhibit carefully. The output is produced by which Cisco security feature?

    A. CBAC

    B. IPS

    C. SSH

    D. AutoSecure

    Answer: D

    Section: (none)

    Explanation/Reference:

    QUESTION 134

    CBAC provides advanced traffic filtering functionality and can be used as an integral part of your network firewall. Which two descriptions are correct about the Cisco Classic (CBAC) IOS Firewall set? (Choose two.)

    A. It can block bulk encryption attacks.

    B. It can protect against denial of service attacks.

    C. Temporary ACL entries that allow selected traffic to pass are created and persist for the duration of thecommunication session.

    D. Traffic originating from the router is considered trusted, so it is not inspected.

    Answer: BD

    Section: (none)

    Explanation/Reference:

    QUESTION 135

    Look at the following exhibit carefully. LDP neighbor sessions have been built between PG-RTB and PG-RTC. In the process of troubleshooting, it is found that labels are being distributed between the two routers; however, the LFIB has no label swapping information. Why?

    A. BGP neighbor sessions have not been established on both routers.

    B. IP Cisco Express Forwarding has not been enabled on both PG-RTB and PG-RTC.

    C. LDP has been enabled on one router and TDP has been enabled on the other.

    D. The IGP is summarizing the address space.

    Answer: B

    Section: (none)

    Explanation/Reference:

    QUESTION 136

    What is the reason for the ping between the PG-HQ router and the 192.168.1.193 interface on the PG-Branch2 router failing?

    A. The default route is missing from the PG-Branch2 router.

    B. When running EIGRP over GRE tunnels, you must manually configure the neighbor address using the eigrp neighbor ipaddress command.

    C. The tunnel numbers for the tunnel between the PG-HQ router and the PG-Branch2 router do not match.

    D. The tunnel source is incorrect on the PG-Branch2 router. It should be serial 2/0.

    E. The AS number for the EIGRP process on PG-Branch2 should be 1 and not 11.

    Answer: E

    Section: (none)

    Explanation/Reference:

    QUESTION 137

    What are two steps that must be taken when mitigating a worm attack? (Choose two.)

    A. Inoculate systems by applying update patches.

    B. Limit traffic rate.

    C. Apply authentication.

    D. Quarantine infected machines.

    E. Enable anti-spoof measures.

    Answer: AD

    Section: (none)

    Explanation/Reference:

    QUESTION 138

    To implement Easy VPN Remote capabilities, which requirement must be met?

    A. The destination peer must be a Cisco Easy VPN Server or VPN Concentrator supporting Cisco Easy VPN Server.

    B. The source peer must be a Cisco Easy VPN Server or VPN Concentrator supporting Cisco Easy VPN Server.

    C. The destination peer must be a Cisco Easy VPN Remote device.

    D. The destination peer must support all available encryption and authentication types.

    Answer: A

    Section: (none)

    Explanation/Reference:

    QUESTION 139

    At what size should the MTU on LAN interfaces be set in the implementation of MPLS VPNs with traffic engineering?

    A. 1512 bytes

    B. 1516 bytes

    C. 1520 bytes

    D. 1524 bytes

    E. 1528 bytes

    F. 1532 bytes

    Answer: A

    Section: (none)

    Explanation/Reference:

    QUESTION 140

    Which two devices serve as the main endpoint components in a DSL data service network? (Choose two.)

    A. SOHO workstation

    B. ATU-R

    C. ATU-C

    D. POTS splitter

    E. CO switch

    Answer: B

    Section: (none)

    Explanation/Reference:

    I don't know the other choice.

    QUESTION 141

    Which three protocols are available for local redundancy in a backup VPN scenario? (Choose three.)

    A. VRRP

    B. A routing protocol

    C. RSVP

    D. HSRP

    E. Proxy ARP

    F. GLBP

    Answer: ADF

    Section: (none)

    Explanation/Reference:

    QUESTION 142

    Which PPPoE configuration statement is true?

    A. A PVC must be created before the pppoe enable command on the Ethernet interface is entered.

    B. The dsl operating-mode auto command is required.

    C. The encapsulation ppp command must be applied on the Ethernet interface.

    D. The ip mtu 1492 command must be applied on the dialer interface.

    E. The ip mtu 1496 command must be applied on the Ethernet interface.

    F. When the pppoe enable command is applied on the Ethernet interface, a PVC will be created.

    Answer: D

    Section: (none)

    Explanation/Reference:

    QUESTION 143

    The Cisco SOHO 77 ADSL router provides an affordable, secure, multiuser digital subscriber line (DSL) access solution to small office/home office customers while reducing deployment and operational costs for service providers. Refer to the exhibit, which shows a PPPoA diagram and partial SOHO77 configuration. Which command needs to be applied to the SOHO77 to complete the configuration?

    A. Encapsulation aal5mux ppp dialer applied to the PVC

    B. Encapsulation aal5ciscoppp applied to the PVC

    C. Encapsulation aal5mux ppp dialer applied to the ATM0 interface

    D. Encapsulation aal5ciscoppp applied to the ATM0 interface

    Answer: A

    Section: (none)

    Explanation/Reference:

    QUESTION 144

    Which three are methods of network reconnaissance? (Choose three.)

    A. Packet sniffer

    B. Ping Sweep

    C. Dictionary attack

    D. Port scan

    Answer: ABD

    Section: (none)

    Explanation/Reference:

    QUESTION 145

    Refer to the exhibit below. Router PassGuide-R is unable to establish an ADSL connection with its provider. What action should be taken to correct this problem?

    A. On the Dialer0 interface, add the pppoe enable command.

    B. On the Ethernet 0/1 interface, add the dialer pool-member 0 command.

    C. On the Ethernet 0/1 interface, add the dialer pool-member 1 command.

    D. On the Dialer0 interface, change the MTU value to 1500 using the ip mtu 1500 command.

    E. On the Ethernet 0/1 interface, add the pppoe-client dial-pool-number 0 command.

    F. On the Ethernet 0/1 interface, add the pppoe-client dial-pool-number 1 command.

    Answer: F

    Section: (none)

    Explanation/Reference:

    QUESTION 146

    You work as a network technician at PassGuide.com. Study the exhibit carefully. What type of security solution will be provided for the inside network?

    A. The router will intercept the traceroute messages. It will validate the connection requests before forwarding the packets to the inside network.

    B. The router will reply to the TCP connection requests. If the three-way handshake completes successfully, the router will establish a TCP connection between itself and the server.

    C. The TCP traffic that matches the ACL will be allowed to pass through the router and create a TCP connection with the server.

    D. The TCP connection that matches the defined ACL will be reset by the router if the connection does not complete the three-way handshake within the defined time period.

    Answer: B

    Section: (none)

    Explanation/Reference:

    QUESTION 147

    Which three descriptions are correct about frame-mode MPLS? (Choose three.)

    A. MPLS has three distinct components consisting of the data plane, the forwarding plane, and the control plane.

    B. The MPLS data plane takes care of forwarding based on either destination addresses or labels.

    C. To exchange labels, the control plane requires protocols such as Tag Distribution Protocol (TDP) or MPLS Label Distribution Protocol (LDP).

    D. Whenever a router receives a packet that should be CEF-switched, but the destination is not in the FIB, the packet is dropped.

    Answer: BCD

    Section: (none)

    Explanation/Reference:

    QUESTION 148

    Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. On the basis of the exhibit, which two statements correctly describe the authentication method used to authenticate users who want privileged access into PG-R1? (Choose two.)

    A. All users will be authenticated using the RADIUS server. If the RADIUS server is unavailable, the authentication process stops and no other authentication method is attempted.

    B. All users will be authenticated using the RADIUS server. If the RADIUS server is unavailable, the router will attempt to authenticate the user using its local database.

    C. All users will be authenticated using the RADIUS server. If the user authentication fails, the router will attempt to authenticate the user using its local database.

    D. All users will be authenticated using the RADIUS server. If the user authentication fails, the authentication process stops and no other authentication method is attempted.

    Answer: BD

    Section: (none)

    Explanation/Reference:

    QUESTION 149

    You work as a network technician. Refer to the exhibit. Which description is correct about the partial MPLS configuration that is shown?

    A. The route-target both 100:2 command sets import and export route-targets for vrf2.

    B. The route-target both 100:2 command change