Cisco 642-637 Exam - GRATIS EXAM

Number: 642-637
Passing Score: 800
Time Limit: 60 min
File Version: 22.2

http://www.gratisexam.com/

Exam Name: Securing Networks with Cisco Routers and Switches (SECURE) v1.0

For Full Set of Questions please visit: http://www.test-inside.com/642-637.htm

Sections
1. Router Security
2. Switch Security
3. VPN
4. Zone Based Firewall
5. IPS
6. Drag and Drop
7. Simlet-VPN
8. Lab-ZBFW
9. User Feedback




QUESTION 1
You have configured a guest VLAN using 802.1X on a Cisco Catalyst switch. A client incapable of using 802.1X has accessed the port and has been assigned to the guest VLAN. What happens when a client capable of using 802.1X joins the network on the same port?

A. The client capable of using 802.1X is allowed access and proper security policies are applied to the client.
B. EAPOL packets will not be allowed on the guest VLAN and the access attempt will fail.
C. The port is put into the unauthorized state in the user-configured access VLAN, and authentication is restarted.
D. This is considered a security breach by the authentication server and all users on the access port will be placed into the restricted VLAN.

Correct Answer: C
Section: Switch Security

Explanation/Reference:

QUESTION 2
Refer to the exhibit. Which two Cisco IOS WebVPN features are enabled with the partial configuration shown? (Choose two.)

A. The end-user Cisco AnyConnect VPN software will remain installed on the end system.
B. If the Cisco AnyConnect VPN software fails to install on the end-user PC, the end user cannot use other modes.
C. Client-based full tunnel access has been enabled.
D. Traffic destined to the 10.0.0.0/8 network will not be tunneled and will be allowed access via a split tunnel.
E. Clients will be assigned IP addresses in the 10.10.0.0/16 range.

Correct Answer: AC
Section: VPN

Explanation/Reference:

QUESTION 3
Which two of these are benefits of implementing a zone-based policy firewall in transparent mode? (Choose two.)

A. Less firewall management is needed.
B. It can be easily introduced into an existing network.
C. IP readdressing is unnecessary.
D. It adds the ability to statefully inspect non-IP traffic.
E. It has less impact on data flows.

Correct Answer: BC
Section: Zone Based Firewall

Explanation/Reference:

QUESTION 4
When configuring a zone-based policy firewall, what will be the resulting action if you do not specify any zone pairs for a possible pair of zones?

A. All sessions will pass through the zone without being inspected.
B. All sessions will be denied between these two zones by default.
C. All sessions will have to pass through the router "self zone" for inspection before being allowed to pass to the destination zone.
D. This configuration statelessly allows packets to be delivered to the destination zone.

Correct Answer: B
Section: Zone Based Firewall

Explanation/Reference:

QUESTION 5
Refer to the exhibit. What can be determined from the output of this show command?

A. The IPsec connection is in an idle state.
B. The IKE association is in the process of being set up.
C. The IKE status is authenticated.
D. The ISAKMP state is waiting for quick mode status to authenticate before IPsec parameters are passed between peers.
E. IKE Quick Mode is in the idle state, indicating a problem with IKE phase 1.

Correct Answer: C
Section: VPN

Explanation/Reference:

QUESTION 6
Which statement best describes inside policy based NAT?

A. Policy NAT rules are those that determine which addresses need to be translated per the enterprise security policy.
B. Policy NAT consists of policy rules based on outside sources attempting to communicate with inside endpoints.
C. These rules use source addresses as the decision for translation policies.
D. These rules are sensitive to all communicating endpoints.

Correct Answer: A
Section: Router Security

Explanation/Reference:

QUESTION 7
Refer to the exhibit. What can be determined about the IPS category configuration shown?

A. All categories are disabled.
B. All categories are retired.
C. After all other categories were disabled, a custom category named "os ios" was created.
D. Only attacks on the Cisco IOS system result in preventative actions.

Correct Answer: D
Section: IPS

Explanation/Reference:

Page 5: Cisco 642-637 Exam - GRATIS EXAM · Cisco 642-637 Exam Exam Name: Securing Networks with Cisco Routers and Switches (SECURE) v1.0 ... Switch Security 3. VPN 4. Zone Based Firewall

QUESTION 8
Which two of these will match a regular expression with the following configuration parameters? [a-zA-Z][0-9][a-z] (Choose two.)

A. Q3h
B. B4Mn
C. aaB132AA
D. c7lm
E. BBpjnrIT

Correct Answer: AD
Section: IPS

Explanation/Reference:

QUESTION 9
Which Cisco IOS IPS feature allows you to remove one or more actions from all active signatures based on the attacker and/or target address criteria, as well as the event risk rating criteria?

A. signature event action filters
B. signature event action overrides
C. signature attack severity rating
D. signature event risk rating

Correct Answer: A
Section: IPS

Explanation/Reference:

QUESTION 10
You are troubleshooting reported connectivity issues from remote users who are accessing corporate headquarters via an IPsec VPN connection. What should be your first step in troubleshooting these issues?

A. issue a show crypto isakmp policy command to verify matching policies of the tunnel endpoints
B. ping the tunnel endpoint
C. run a traceroute to verify the tunnel path
D. debug the connection process and look for any error messages in tunnel establishment

Correct Answer: B
Section: VPN


Explanation/Reference:

QUESTION 11
Which of these is correct regarding the configuration of virtual-access interfaces?

A. They cannot be saved to the startup configuration.
B. You must use static routes inside the tunnels.
C. DVTI interfaces should be assigned a unique IP address range.
D. The Virtual-Access 1 interface must be enabled in an up/up state administratively.

Correct Answer: A
Section: VPN

Explanation/Reference:

QUESTION 12
Which action does the command private-vlan association 100,200 take?

A. configures VLANs 100 and 200 and associates them as a community
B. associates VLANs 100 and 200 with the primary VLAN
C. creates two private VLANs with the designation of VLAN 100 and VLAN 200
D. assigns VLANs 100 and 200 as an association of private VLANs

Correct Answer: B
Section: Switch Security

Explanation/Reference:

QUESTION 13
Which of these allows you to add event actions globally based on the risk rating of each event, without having to configure each signature individually?

A. event action summarization
B. event action filter
C. event action override
D. signature event action processor

Correct Answer: C
Section: IPS

Explanation/Reference:

QUESTION 14
When using Cisco Easy VPN, what are the three options for entering an XAUTH username and password for establishing a VPN connection from the Cisco Easy VPN remote router? (Choose three.)

A. using an external AAA server
B. entering the information via the router crypto ipsec client ezvpn connect CLI command in privileged EXEC mode
C. using the router local user database
D. entering the information from the PC via a browser
E. storing the XAUTH credentials in the router configuration file

Correct Answer: BCE
Section: Router Security

Explanation/Reference:
This question has a trap: it says "... from the Cisco Easy VPN remote router?" This rules out using a client PC, which is otherwise a legitimate method of entering credentials.

C and E are clearly mentioned below, so only B is the third possible choice.

Page 579, CCNP Security SECURE 642-637 Official Cert Guide: Begin by configuring the local network AAA authorization list with the aaa authorization network command. This will tell the router to use only the locally configured user database on the router for its authorization resource. (option C)

Page 582, CCNP Security SECURE 642-637 Official Cert Guide: If XAUTH is being used, it must be decided where to store the authentication credentials:
■ Store the XAUTH username and password in the configuration file on the router: This option is typically used if the router is shared between many PCs and the goal is to have the VPN tunnel up all the time. (option E)
■ Do not store the XAUTH username and password on the router: If this option is used, a PC user who is connected to the router is presented with a web page that allows the username and password to be manually entered. (option D)

Page 583, CCNP Security SECURE 642-637 Official Cert Guide: EZVPN Remote connection profile using the crypto ipsec client ezvpn command:
■ Use the group command to specify the group name and group password to authenticate to the EZVPN Server as a part of a group.
■ Use the username command to specify the stored username and password used to provide additional authentication using XAUTH. (option B)

QUESTION 15
Which of these is true regarding tunnel configuration when deploying a Cisco ISR as a DMVPN hub router?

A. Only one tunnel can be created per tunnel source interface.
B. Only one tunnel can be created and should be associated with a loopback interface for dynamic redundancy.
C. The GRE tunnel key is used to encrypt the traffic going through the tunnel through the hub.
D. You can run multiple parallel DMVPNs on the hub router, but each tunnel requires a unique tunnel key.

Correct Answer: D
Section: VPN

Explanation/Reference:

QUESTION 16
Which two types of deployments can be implemented for a zone-based policy firewall? (Choose two.)

A. routed mode
B. interzone mode
C. fail open mode
D. transparent mode
E. inspection mode

Correct Answer: AD
Section: Zone Based Firewall

Explanation/Reference:

QUESTION 17
What is the result of configuring the command dot1x system-auth-control on a Cisco Catalyst switch?

A. enables the switch to operate as the 802.1X supplicant
B. globally enables 802.1X on the switch
C. globally enables 802.1X and defines ports as 802.1X-capable
D. places the configuration sub-mode into dot1x-auth mode, in which you can identify the authentication server parameters

Correct Answer: B
Section: Switch Security

Explanation/Reference:

QUESTION 18
Which information is displayed when you enter the Cisco IOS command show epm session?

A. Enforcement Policy Module sessions
B. External Proxy Mappings, per authenticated sessions
C. Encrypted Policy Management sessions
D. Enhanced Protected Mode sessions

Correct Answer: A
Section: Router Security

Explanation/Reference:

QUESTION 19
Refer to the exhibit. Given the partial configuration shown, which two statements are correct? (Choose two.)

A. The tunnel will use the routing protocol configured for GigabitEthernet 1/1 for all tunnel communication with the peer.
B. The IP route statement to reach the remote network behind the DMVPN peer is incorrect; it should be ip route 192.168.2.0 255.255.255.0 tunnel 0.
C. This is an example of a static point-to-point VTI tunnel.
D. The tunnel will use esp-sha-hmac encryption in ESP tunnel mode.
E. The tunnel will use 128-bit AES encryption in ESP tunnel mode.

Correct Answer: CE
Section: VPN

Explanation/Reference:

QUESTION 20
You are troubleshooting a Cisco Easy VPN installation that is experiencing session establishment problems. You have verified that matching IKE and IPsec policies exist on both peers. The remote client has also successfully entered authentication credentials. What is the next step to take in troubleshooting this problem?

A. verify that the router is not denying traffic from the tunnel
B. verify that the router is able to assign an IP address to the client
C. examine routing tables
D. issue a ping from the client to the router to verify reachability

Correct Answer: B
Section: VPN

Explanation/Reference:

QUESTION 21
You are troubleshooting a problem related to IPsec connectivity issues. You see that there is no ISAKMP security association established between peers. You debug the connection process and see an error message of 1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0. What does this message indicate?

A. This indicates a policy mismatch.
B. This indicates that the offered attributes did not contain a payload.
C. IKE has failed initial attempts and will resend policy offerings to the peer router.
D. The time stamp of the message shows that it is one day old. This could indicate a possible mismatch of system clocks and invalidate the connection attempt.

Correct Answer: A
Section: VPN

Explanation/Reference:

QUESTION 22
Refer to the exhibit. Given the output shown, what can be determined?

A. An attacker has sent a spoofed DHCP address.
B. An attacker has sent a spoofed ARP response that violates a static mapping.
C. The MAC address has matched a deny rule within the ACL.
D. This is an invalid proxy ARP packet, as indicated by the 0000.0000.0000 MAC address on the destination.

Correct Answer: C
Section: Router Security

Explanation/Reference:
You can create an extended ACL with MAC address mapping.

If you have a spoofed ARP then the message will be different than ACL-DENY; it will be DHCP Snooping Deny.

http://www.cisco.com/en/US/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_arpinspect.html#wp1125009

3550(config-arp-nacl)#permit ip host 192.168.69.25 mac host 000c.2957.6b39 log

This will permit a host with an IP of 192.168.69.25 and a MAC of 00-0c-29-57-6b-39 to ARP on the network.

If Host 2 attempts to send an ARP request with the IP address 10.0.0.1, DAI drops the request and logs the following system message:

00:18:08: %SW_DAI-4-DHCP_SNOOPING_DENY : 1 Invalid ARPs (Req) on Ethernet1/4, vlan 1.([0001.0001.0001/10.0.0.1/0000.0000.0000/0.0.0.0/01:53:21 UTC Fri Jun 13 2008])

00:12:08: %SW_DAI-4-DHCP_SNOOPING_DENY : 2 Invalid ARPs (Req) on Ethernet2/3, vlan 1.([0002.0002.0002/10.0.0.3/0000.0000.0000/0.0.0.0/02:42:35 UTC Fri Jul 13 2008])

QUESTION 23
Which command will enable a SCEP interface when you are configuring a Cisco router to be a certificate server?

A. scep enable (under interface configuration mode)
B. crypto pki scep enable
C. grant auto
D. ip http server

Correct Answer: D
Section: Router Security

Explanation/Reference:

QUESTION 24
When 802.1X is implemented, how do the client (supplicant) and authenticator communicate?

A. RADIUS
B. TACACS+
C. MAB
D. EAPOL

Correct Answer: D
Section: Switch Security

Explanation/Reference:

QUESTION 25
Which of these is an implementation guideline when deploying the IP Source Guard feature in an environment with multiple switches?

A. Do not configure IP Source Guard on inter-switch links.
B. Configure PACLs for DHCP-addressed end devices.
C. IP Source Guard must be configured in the trunk sub-configuration mode to work on inter-switch links.
D. Configure static IP Source Guard mapping for all access ports.

Correct Answer: A
Section: Switch Security

Explanation/Reference:

QUESTION 26
What does the command errdisable recovery cause arp-inspection interval 300 provide for?

A. It will disable a port when the ARP rate limit of 300 packets per second is received and wait a configured interval time before placing the port back in normal operation.
B. It will inspect for ARP-disabled ports every 300 seconds.
C. It will recover a disabled port and limit ARP traffic to 300 packets per second to avoid potential ARP attacks from reoccurring.
D. It will recover a disabled port due to an ARP inspection condition in 5 minutes.

Correct Answer: D
Section: Switch Security

Explanation/Reference:

QUESTION 27
You have configured Management Plane Protection on an interface on a Cisco router. What is the resulting action on implementing MPP?

A. Inspection of protected management interfaces is automatically configured to ensure that management protocols comply with standards.
B. The router gives preference to the configured management interface. If that interface becomes unavailable, management protocols will be allowed on alternate interfaces.
C. Along with normal user data traffic, management traffic is also allowed only on the protected interface.
D. Only management protocols are allowed on the protected interface.

Correct Answer: C
Section: Router Security

Explanation/Reference:

QUESTION 28
Refer to the exhibit. What can be determined from the configuration shown?

A. The community SNMP string is SNMP-MGMT-VIEW.
B. All interfaces will be included in the SNMP GETs.
C. This SNMP group will only allow read access to interface MIBs.
D. The SNMP server group is using 128-bit SHA authentication.

Correct Answer: C
Section: Router Security

Explanation/Reference:
The first line (interfaces included) specifies that this view is only allowed to see the interface MIBs.

QUESTION 29
When enabling the Cisco IOS IPS feature, which step should you perform to prevent rogue signature updates from being installed on the router?

A. configure authentication and authorization for maintaining signature updates
B. install a known RSA public key that correlates to a private key used by Cisco
C. manually import signature updates from Cisco to a secure server, and then transfer files from the secure server to the router
D. use the SDEE protocol for all signature updates from a known secure management station

Correct Answer: B
Section: IPS

Explanation/Reference:

QUESTION 30
A user has requested a connection to an external website. After initiating the connection, a message appears in the user's browser stating that access to the requested website has been denied by the company usage policy. What is the most likely reason for this message to appear?

A. An antivirus software program has blocked the session request due to potential malicious content.
B. The network has been configured with a URL filtering service.
C. The network has been configured for 802.1X authentication and the user has failed to authenticate.
D. The user's configured policy access level does not contain proper permissions.

Correct Answer: B
Section: Router Security

Explanation/Reference:

QUESTION 31
Refer to the exhibit. Given the partial configuration shown, what can be determined?

A. This is an example of a dynamic policy PAT rule.
B. This is an example of a static policy NAT rule.
C. Addresses in the 10.10.30.0 network will be exempt from translation when destined for the 10.100.100.0 network.
D. The extended access list provides for one-to-one translation mapping of the 10.10.30.0 network to the 10.100.100.0 network.

Correct Answer: A
Section: Router Security

Explanation/Reference:

QUESTION 32
When is it most appropriate to choose IPS functionality based on Cisco IOS software?

A. when traffic rates are low and a complete signature is not required
B. when accelerated, integrated performance is required using hardware ASIC-based IPS inspections
C. when integrated policy virtualization is required
D. when promiscuous inspection meets security requirements

Correct Answer: A
Section: IPS

Explanation/Reference:

QUESTION 33
You have enabled Cisco IOS IPS on a router in your network. However, you are not seeing expected events on your monitoring system (such as Cisco IME). On the router, you see events being captured. What is the next step in troubleshooting the problem?

A. verify that syslog is configured to send events to the correct server
B. verify SDEE communications
C. verify event action rules
D. verify that the IPS license is valid

Correct Answer: B
Section: IPS

Explanation/Reference:

QUESTION 34
Which two of these are potential results of an attacker performing a DHCP server spoofing attack? (Choose two.)

A. DHCP snooping
B. DoS
C. confidentiality breach
D. spoofed MAC addresses
E. switch ports being converted to an untrusted state

Correct Answer: BC
Section: Router Security

Explanation/Reference:

QUESTION 35
When Cisco IOS IPS signatures are being tuned, how is the Target Value Rating assigned?

A. It is calculated from the Event Risk Rating.
B. It is calculated from a combination of the Attack Severity Rating and Signature Fidelity Rating.
C. It is manually set by the administrator.
D. It is set based upon SEAP functions.

Correct Answer: C
Section: IPS

Explanation/Reference:

QUESTION 36
Which of these should you do before configuring IP Source Guard on a Cisco Catalyst switch?

A. enable NTP for event correlation
B. enable IP routing authentication
C. configure an access list with exempt DHCP-initiated IP address ranges
D. turn DHCP snooping on at least 24 hours in advance

Correct Answer: D
Section: Switch Security

Explanation/Reference:

QUESTION 37
What action will the parameter-map type ooo global command enable?

A. globally initiates tuning of the router's TCP normalizer parameters for out-of-order packets
B. globally classifies type ooo packets within the parameter map and subsequent policy map
C. enables a parameter map named ooo
D. configures a global parameter map for traffic destined to the router itself

Correct Answer: A
Section: Router Security

Explanation/Reference:

QUESTION 38
Which protocol is EAP encapsulated in for communications between the authenticator and the authentication server?

A. EAP-MD5
B. IPsec
C. EAPOL
D. RADIUS

Correct Answer: D
Section: Switch Security

Explanation/Reference:

QUESTION 39
Refer to the exhibit. Given the configuration shown, which of these statements is correct?

A. An external service is providing URL filtering via a subscription service.
B. All HTTP traffic to websites with the name "Gambling" included in the URL will be reset.
C. A service policy on the zone pair needs to be configured in the opposite direction or all return HTTP traffic will be blocked by policy.
D. The URL filter policy has been configured in a fail-closed scenario.

Correct Answer: A
Section: Zone Based Firewall

Explanation/Reference:

QUESTION 40
Refer to the exhibit. Which two of these are most likely to have caused the issue with NHRP, given this output of the show command? (Choose two.)

A. There was a network ID mismatch.
B. The spoke router has not yet sent a request via Tunnel0.
C. The spoke router received a malformed NHRP packet.
D. There was an authentication key mismatch.
E. The registration request was expecting a return request ID of 1201, but received an ID of 120.

Correct Answer: AD
Section: VPN

Explanation/Reference:

QUESTION 41
Refer to the exhibit. What can be determined from the information shown?

A. The user has been restricted to privilege level 1.
B. The standard access list should be reconfigured as an extended access list to allow desired user permissions.
C. RBAC has been configured with restricted views.
D. IP access list DMZ_ACL has not yet been configured with proper permissions.

Correct Answer: C
Section: Router Security

Explanation/Reference:


QUESTION 42
Refer to the exhibit. Assuming that all other supporting configurations are correct, what can be determined from the partial IP admission configuration shown?

A. The router will forward authentication requests to a AAA server for authentication and authorization.
B. The user maint3nanc3 will have complete CLI command access once authenticated.
C. After a period of 20 minutes, the user will again be required to provide authentication credentials.
D. The authentication proxy will fail, because the router's HTTP server has not been enabled.
E. All traffic entering interface G0/1 will be intercepted for authentication, but only Telnet traffic will be authorized.

Correct Answer: C
Section: Router Security

Explanation/Reference:

QUESTION 43
What will the authentication event fail retry 0 action authorize vlan 300 command accomplish?

A. assigns clients that fail 802.1X authentication into the restricted VLAN 300
B. assigns clients to VLAN 300 and attempts reauthorization
C. assigns a client to the guest VLAN 300 if it does not receive a response from the client to its EAPOL request/identity frame
D. locks out a user who fails an 802.1X authentication and does not allow the user to try to gain network access again for 300 seconds

Correct Answer: A
Section: Switch Security

Explanation/Reference:

QUESTION 44
Which of these are the two types of keys used when implementing GET VPN? (Choose two.)

A. public key
B. group encryption
C. traffic encryption key
D. pre-shared key
E. key encryption
F. private key

Correct Answer: CE
Section: VPN

Explanation/Reference:

QUESTION 45
Which Cisco IOS feature provides secure, on-demand meshed connectivity?

A. Easy VPN
B. IPsec VPN
C. mGRE
D. DMVPN

Correct Answer: D
Section: VPN

Explanation/Reference:

QUESTION 46
You have configured a Cisco router to act as a PKI certificate server. However, you are experiencing problems starting the server. You have verified that all CA parameters have been correctly configured. What is the next step you should take in troubleshooting this problem?

A. Disable and restart the router's HTTP server function
B. Verify the RSA key pair and generate new keys
C. Verify that the correct time is being used and sources are reachable
D. Enable the SCEP interface

Correct Answer: C
Section: Router Security

Explanation/Reference:

QUESTION 47
Which three of these are features of data plane security on a Cisco ISR? (Choose three.)

A. Routing protocol filtering
B. FPM
C. uRPF
D. RBAC
E. CPPr
F. Netflow export

Correct Answer: BCF
Section: Router Security

Explanation/Reference:

QUESTION 48
When configuring URL filtering with the Trend Micro filtering service, which of these steps must you take to prepare for configuration?

A. Define blacklists and whitelists
B. Categorize traffic types
C. Synchronize clocks via NTP to ensure accuracy of URL filter updates from the service
D. Install the appropriate root CA certificate on the router

Correct Answer: D
Section: Zone Based Firewall

Explanation/Reference:

QUESTION 49
Which of these is correct regarding the functionality of DVTI tunnels?

A. DVTI tunnels are created dynamically from a preconfigured template as tunnels are established to the hub.
B. DVTI tunnels appear on the hub as tunnel interfaces.
C. The hub router needs a static DVTI tunnel to each spoke router in order to establish remote communications from spoke to spoke.
D. Spoke routers require a virtual template to clone the configuration on which the DVTI tunnel is established.

Correct Answer: D
Section: VPN

Explanation/Reference:


QUESTION 50
When you are configuring DHCP snooping, how should you classify access ports?

A. promiscuous
B. trusted
C. untrusted
D. private

Correct Answer: C
Section: Switch Security

Explanation/Reference:

QUESTION 51
When implementing GET VPN, which of these is a characteristic of GDOI IKE?

A. GDOI IKE sessions are established between all peers in the network.
B. GDOI IKE uses UDP port 500.
C. Security associations do not need to linger between members once a group member has authenticated to the key server and obtained the group policy.
D. Each pair of peers has a private set of IPsec security associations that is only shared between the two peers.

Correct Answer: D
Section: VPN

Explanation/Reference:

QUESTION 52When you are configuring a DMVPN network,which tunnel mode should you use for the hub routerconfiguration?

A. GRE multipoint
B. Nonbroadcast multiaccess
C. Classic point-to-point GRE
D. IPsec multipoint

Correct Answer: A
Section: VPN
Explanation

Explanation/Reference:

QUESTION 53
VPN Simlet # 1:

1 - Type the name of the router you will type the command in first, i.e. R1# or R2#
2 - Leave a space and then type the command required to show the output you need to get this information

(example - show XXXX XXXX XXXX)
NB: remember the purpose is to familiarize you with the show commands - the actual test will differ from these configurations


Correct Answer: R1# show crypto gdoi -or- R2# show crypto gdoi
Section: Simlet-VPN
Explanation

Explanation/Reference:
This command will show you the KS IP address and your registration, with time to re-key

R1#show crypto gdoi
GROUP INFORMATION

    Group Name               : GETVPNGROUP
    Group Identity           : 67890
    Rekeys received          : 0
    IPSec SA Direction       : Both
    Active Group Server      : 192.168.1.2
    Group Server list        : 192.168.1.2

    GM Reregisters in        : 3434 secs
    Rekey Received           : never

    Rekeys received
         Cumulative          : 0
         After registration  : 0

ACL Downloaded From KS 192.168.1.2:
    access-list permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0

TEK POLICY for the current KS-Policy ACEs Downloaded:
  FastEthernet0/0:
    IPsec SA:
        spi: 0x673C7398(1732015000)
        transform: esp-aes esp-sha-hmac
        sa timing:remaining key lifetime (sec): (3571)
        Anti-Replay : Disabled

QUESTION 54
VPN Simlet # 2:

1 - Type the name of the router you will type the command in first, i.e. R1# or R2#
2 - Leave a space and then type the command required to show the output you need to get this information

(example - show XXXX XXXX XXXX)
NB: remember the purpose is to familiarize you with the show commands - the actual test will differ from these configurations

Correct Answer: R2# show crypto ipsec transform-set
Section: Simlet-VPN
Explanation

Explanation/Reference:

NB: the only show runn commands accepted are show runn interfaces

R2#show crypto ipsec transform-set
Transform set GETSET: { esp-sha-hmac }
   will negotiate = { Tunnel, },
   { esp-256-aes }
   will negotiate = { Tunnel, },
!

QUESTION 55
VPN Simlet # 3:

1 - Type the name of the router you will type the command in first, i.e. R1# or R2#
2 - Leave a space and then type the command required to show the output you need to get this information

(example - show XXXX XXXX XXXX)
This question will require you to use both R2 and then R1 - so three lines in total
NB: remember the purpose is to familiarize you with the show commands - the actual test will differ from these configurations

Correct Answer: R2# show crypto gdoi ks -or- R2# show crypto gdoi ks members -or- R1# show ip interface brief
Section: Simlet-VPN
Explanation

Explanation/Reference:

NB: it is assumed that only R1 is a member router and ISP is not a member

R1#show crypto gdoi ks
Total group members registered to this box: 0

Confirmed this is not the key server
----------------------------------------------------------------------------
R2#show crypto gdoi ks
Total group members registered to this box: 2

Key Server Information For Group GETVPNGROUP:
    Group Name               : GETVPNGROUP
    Group Identity           : 67890
    Group Members            : 1
    IPSec SA Direction       : Both
    ACL Configured:
        access-list 101
----------------------------------------------------------------------------
R2#show crypto gdoi ks members

Group Member Information :

Number of rekeys sent for group GETVPNGROUP : 0

Group Member ID    : 192.168.2.1
Group ID           : 67890
Group Name         : GETVPNGROUP
Key Server ID      : 0.0.0.0
----------------------------------------------------------------------------
Confirm the IP address is associated with R1 and not ISP

R1#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.2.1     YES manual up                    up

All commands can be referenced here:
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_s3.html#wp1159252

QUESTION 56
VPN Simlet # 4:

1 - Type the name of the router you will type the command in first, i.e. R1# or R2#
2 - Leave a space and then type the command required to show the output you need to get this information

(example - show XXXX XXXX XXXX)
NB: remember the purpose is to familiarize you with the show commands - the actual test will differ from these configurations


Correct Answer: R2# show crypto gdoi group GETVPNGROUP
Section: Simlet-VPN
Explanation

Explanation/Reference:
R2 is better as this is the KS

R2#show crypto gdoi group GETVPNGROUP
    Group Name               : GETVPNGROUP (Multicast)
    Group Identity           : 67890
    Group Members            : 2
    IPSec SA Direction       : Both
    Active Group Server      : Local
    Group Rekey Lifetime     : 86400 secs
    Rekey Retransmit Period  : 10 secs
    Rekey Retransmit Attempts: 2

      IPSec SA Number        : 10
      IPSec SA Rekey Lifetime: 3600 secs
      Profile Name           : GETPROFILE
      Replay method          : Count Based
      Replay Window Size     : 64
      SA Rekey
         Remaining Lifetime  : 1998 secs
      ACL Configured         : access-list 101

     Group Server list       : Local

NB: some other tests have 2 answers highlighted; the question does not ask for (Choose Two), so it must be assumed that only one selection is correct.

QUESTION 57
VPN Simlet # 5:

1 - Type the name of the router you will type the command in first, i.e. R1# or R2#
2 - Leave a space and then type the command required to show the output you need to get this information

(example - show XXXX XXXX XXXX)
NB: remember the purpose is to familiarize you with the show commands - the actual test will differ from these configurations


Correct Answer: R1# show crypto map -or- R1# show crypto isakmp key
Section: Simlet-VPN
Explanation

Explanation/Reference:
R1 is the only group member that you can access, so it is assumed this is the only group member

R1#show crypto map
Crypto Map "CMAP" 10 gdoi
        Group Name: GETVPNGROUP
                identity number 67890
                server address ipv4 192.168.1.2
        Interfaces using crypto map CMAP:
                FastEthernet0/1
----------------------------------------------------------------------------------------------
R1#show crypto isakmp key
Keyring      Hostname/Address                            Preshared Key

default      192.168.1.2                                 GETVPNKEY


Exam B

QUESTION 1
Drag and Drop #1

Select and Place:

Correct Answer:


Section: Switch Security
Explanation

Explanation/Reference:
Page 113 of the CCNP Secure guide

Gathering Input Parameters

Because 802.1X authentication requires several technologies to work together, up-front planning helps ensure the success of the deployment. Part of this planning involves gathering important input information:

■ Determine the list of LAN switches that currently allow unauthorized users full access to the network. Use this list to determine which of these devices should be configured with 802.1X and the feature availability on the switches.

■ Determine what authentication database (such as Windows AD) is being used for user credentials. This allows you to determine whether you can leverage the same one and make the 802.1X deployment transparent to your users.

■ Determine the types of clients being used on the network (platform and operating systems). This is required to choose a compatible supplicant and to configure it appropriately.

■ Determine the software distribution mechanism in use by the organization. This will affect provisioning and supporting the supplicant on current and future client workstations.

■ Determine whether the network path between the supplicant and the authentication server is trusted. A trusted network path allows an anonymous EAP-FAST implementation, whereas a nontrusted network path requires separate EAP-FAST credentials.

QUESTION 2
Drag & Drop #3

Select and Place:


Correct Answer:


Section: VPN
Explanation

Explanation/Reference:
Verify cryptographic configs

Router# show crypto isakmp policy
Protection suite priority 15
        encryption algorithm: DES - Data Encryption Standard (56 bit keys)
        hash algorithm: Message Digest 5
        authentication method: Rivest-Shamir-Adleman Signature
        Diffie-Hellman Group: #2 (1024 bit)
        lifetime: 5000 seconds, no volume limit
Protection suite priority 20
        encryption algorithm: DES - Data Encryption Standard (56 bit keys)
        hash algorithm: Secure Hash Standard
        authentication method: preshared Key

QUESTION 3
Drag & Drop #4


Select and Place:

Correct Answer:


Section: Router Security
Explanation

Explanation/Reference:

QUESTION 4
Drag and Drop #5

Select and Place:


Correct Answer:


Section: Drag and Drop
Explanation

Explanation/Reference:

QUESTION 5
Drag & Drop #7

Select and Place:


Correct Answer:

Section: Switch Security
Explanation

Explanation/Reference:


QUESTION 6
Drag & Drop #8

Select and Place:

Correct Answer:


Section: Switch Security
Explanation

Explanation/Reference:

QUESTION 7
Drag & Drop #10

Select and Place:

Correct Answer:


Section: IPS
Explanation

Explanation/Reference:

QUESTION 8
Drag & Drop #11

Select and Place:


Correct Answer:

Section: Router Security
Explanation

Explanation/Reference:
http://www.slideshare.net/CiscoSystems/ccsp-effective-deployment-of-cisco-asa-access-control

Go to slide > 50/73

QUESTION 9
Drag & Drop #13

Select and Place:


Correct Answer:


Section: VPN
Explanation

Explanation/Reference:

QUESTION 10
Drag & Drop #14

Select and Place:


Correct Answer:


Section: IPS
Explanation

Explanation/Reference:


Exam C

QUESTION 1
Unknown question #1 - How do you check the status of an SSL VPN license?

A. # show webvpn license
B. # show crypto vpn license
C. # show webvpn gateway
D. # show webvpn session context

Correct Answer: A
Section: User Feedback
Explanation

Explanation/Reference:

QUESTION 2
Incomplete Question (Missing Output Image)
Output is of a show version of the router config, which looks like show version from ROMMON mode:

What can you determine from the output of the following image?

A. this version of the IOS is not stored locally on the device
B. this is a display of the RMON mode
C. this version of the IOS is verified/signed with a certificate
D. the key 'A' represents that the IOS is an Advanced version

Correct Answer: C
Section: User Feedback
Explanation

Explanation/Reference:

QUESTION 3
Incomplete Question: Missing output image


Cisco IOS - IPS: Output shows a running-config of an IPS configuration that would be completed using the commands below.

A. the update packages are stored remotely on a Cisco server
B. the updates are stored in a local folder called 'Cisco'
C. the updates will occur daily at 03.00
D. the service will update weekly on a Sunday between midnight and 06.00

Correct Answer: C
Section: User Feedback
Explanation


Explanation/Reference:
Page 357 of the CCNP Secure manual

Task 2: Configure Automatic Signature Updates
The second task illustrates how to configure the router to attempt to retrieve automatic signature updates from Cisco.com or a local server. To do this, first configure the update URL using the ida-client server url command.

Use the https://www.cisco.com/cgi-bin/front.x/ids/locator/locator.pl URL. Next, create an auto-update profile using the ip ips auto-update command. Use the cisco command inside the profile to designate obtaining updates from Cisco.com. To control when the update attempts occur, use the occur-at command. Example 13-9 illustrates the setup of the configuration to retrieve automatic updates from the Cisco.com repository as well as to provide the Cisco.com credentials that will be used for authentication through using the username command. Example 13-10 illustrates the setup of the configuration to retrieve automatic updates from a local staging server.

The following specifics are used in the example:
■ Days of the week: 0-6 (Sunday–Saturday)
■ Minutes: Minutes from the top of the hour (0)
■ Hour: Hour of the day (3:00 a.m.)

Example 13-9 Configure Automatic Signature Updates from Cisco.com

Router(config)# ida-client server url https://www.cisco.com/cgi-bin/front.x/ids/locator/locator.pl
Router(config)# ip ips auto-update cisco
Router(config-ips-auto-update)# occur-at weekly 0-6 0 3
Router(config-ips-auto-update)# username CCOUSERNAME password CCOPASSWORD
Router(config-ips-auto-update)# exit
Router(config)# password encryption aes
Router(config)# key config-key password-encryption

QUESTION 4
Partial Question: What can be determined from the following output?

sh crypto isakmp profile
Encryption 3DES
hash sha-1
authentication rsa-sig
Group 2
................................................

A. The authentication parameter is Digital Certificates
B. the encryption being used is DES
C. This is using SHA2 Group encryption
D. 768 bit Diffie-Hellman encryption is being used

Correct Answer: A
Section: User Feedback
Explanation

Explanation/Reference:
Needs more information to flesh out this question

QUESTION 5
Missing output image of a running-config of the interfaces


Zone based policy firewall - Transparent Configuration output.

The unique command is:

interface FastEthernet0/1
 bridge-group 1
 zone-member security INSIDE
......................

A. This is a bridge mode firewall for non-IP traffic
B. The two networks are bridged to support intra-zone policies
C. ??This creates a DMZ bridge where inline inspection can occur??
D. This is a configuration required for a transparent mode firewall where the interfaces are bridged

Correct Answer: D
Section: User Feedback
Explanation

Explanation/Reference:
Zones and Transparent Firewall

The Cisco IOS firewall supports transparent firewalls where the interfaces are placed in bridging mode and IP firewalling is performed on the bridged traffic.

To configure a transparent firewall, use the bridge command to enable the bridging of a specified protocol in a specified bridge and the zone-member security command to attach an interface to a zone. The bridge command on the interface indicates that the interface is in bridging mode.

A bridged interface can be a member of a zone. In a typical case, the Layer 2 domain is partitioned into zones and a policy is applied the same way as for Layer 3 interfaces.

Transparent Firewall Restriction for P2P Inspection

A Cisco IOS Firewall uses Network Based Application Recognition (NBAR) for peer-to-peer (P2P) protocol classification and policy enforcement. NBAR is not available for bridged packets; thus, all P2P packet inspection is not supported for firewalls with transparent bridging.


Exam D

QUESTION 1
DRAG DROP

A.
Router(config)# zone security INSIDE
Router(config-sec-zone)# exit
Router(config)# zone security OUTSIDE
Router(config-sec-zone)# exit
Router(config)# interface fa0/0/1
Router(config-if)# no shutdown
Router(config-if)# zone-member security INSIDE
Router(config-if)# exit
Router(config)# interface fa0/0/0
Router(config-if)# no shutdown
Router(config-if)# zone-member security OUTSIDE
Router(config-if)# exit

Router(config)# class-map type inspect match-any HTTP_POLICY
Router(config-cmap)# match protocol http
Router(config-cmap)# exit

Router(config)# policy-map type inspect IN-TO-OUT-POLICY
Router(config-pmap)# class type inspect HTTP_POLICY
Router(config-pmap-c)# inspect
Router(config-pmap-c)# exit

Router(config)# zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
Router(config-sec-zone-pair)# service-policy type inspect IN-TO-OUT-POLICY
Router(config-sec-zone-pair)# end

Router# copy running-config startup-config

Correct Answer: A


Section: Lab-ZBFW
Explanation

Explanation/Reference:
1: we divide the network into 2 zones: INSIDE and OUTSIDE
2: apply the interfaces to the appropriate zone members INSIDE | OUTSIDE
3: create a class-map with defined name HTTP_POLICY > match HTTP protocol
4: create a policy-map named IN-TO-OUT-POLICY: define the class-map and apply action > inspect
5: create a zone-pair > specify direction with source and destination
6: apply policy to the zone-pair - policy created in step 4
7: std: copy run start
