Exam A
QUESTION 1
By default, which traffic can pass through a Cisco ASA that is operating in transparent mode without explicitly allowing it using an ACL?
A. ARP
B. BPDU
C. CDP
D. OSPF multicasts
E. DHCP
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 2
Which three Cisco ASA configuration commands are used to enable the Cisco ASA to log only the debug output to syslog? (Choose three.)
A. logging list test message 711001
B. logging debug-trace
C. logging trap debugging
D. logging message 711001 level 7
E. logging trap test
Correct Answer: ABE Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 3
By default, how does the Cisco ASA authenticate itself to the Cisco ASDM users?
A. The administrator validates the Cisco ASA by examining the factory built-in identity certificate thumbprint of the Cisco ASA.
B. The Cisco ASA automatically creates and uses a persistent self-signed X.509 certificate to authenticate itself to the administrator.
C. The Cisco ASA automatically creates a self-signed X.509 certificate on each reboot to authenticate itself to the administrator.
D. The Cisco ASA and the administrator use a mutual password to authenticate each other.
E. The Cisco ASA authenticates itself to the administrator using a one-time password.
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 4
When will a Cisco ASA that is operating in transparent firewall mode perform a routing table lookup instead of a MAC address table lookup to determine the outgoing interface of a packet?
A. if multiple context mode is configured
B. if the destination MAC address is unknown
C. if the destination is more than a hop away from the Cisco ASA
D. if NAT is configured
E. if dynamic ARP inspection is configured
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 5
Which Cisco ASA feature is implemented by the ip verify reverse-path interface interface_name command?
A. uRPF
B. TCP intercept
C. botnet traffic filter
D. scanning threat detection
E. IPS (IP audit)
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 6
In one custom dynamic application, the inside client connects to an outside server using TCP port 4444 and negotiates return client traffic in the port range of 5000 to 5500. The server then starts streaming UDP data to the client on the negotiated port in the specified range. Which Cisco ASA feature or command supports this custom dynamic application?
A. TCP normalizer
B. TCP intercept
C. ip verify command
D. established command
E. tcp-map and tcp-options commands
F. set connection advanced-options command
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 7
Refer to the exhibit.
Which statement about the Telnet session from 10.0.0.1 to 172.26.1.200 is true?
A. The Telnet session should be successful.
B. The Telnet session should fail because the route lookup to the destination fails.
C. The Telnet session should fail because the inside interface inbound access list will block it.
D. The Telnet session should fail because no matching flow was found.
E. The Telnet session should fail because inside NAT has not been configured.
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 8
Refer to the exhibit.
On Cisco ASA Software Version 8.3 and later, which two sets of CLI configuration commands result from this Cisco ASDM configuration? (Choose two.)
A. nat (inside) 1 10.1.1.10 global (outside) 1 192.168.1.1
B. nat (outside) 1 192.168.1.1 global (inside) 1 10.1.1.10
C. static (inside,outside) 192.168.1.1 10.1.1.10 netmask 255.255.255.255 tcp 0 0 udp 0
D. static (inside,outside) tcp 192.168.1.1 80 10.1.1.10 80
E. object network 192.168.1.1 nat (inside,outside) static 10.1.1.10
F. object network 10.1.1.10 nat (inside,outside) static 192.168.1.1
G. access-list outside_access_in line 1 extended permit tcp any object 10.1.1.10 eq http access-group outside_access_in in interface outside
H. access-list outside_access_in line 1 extended permit tcp any object 192.168.1.1 eq http access-group outside_access_in in interface outside
Correct Answer: FG Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 9
Refer to the exhibit.
Which corresponding Cisco ASA Software Version 8.3 command accomplishes the same Cisco ASA Software Version 8.2 NAT configuration?
A. nat (any,any) dynamic interface
B. nat (any,any) static interface
C. nat (inside,outside) dynamic interface
D. nat (inside,outside) static interface
E. nat (outside,inside) dynamic interface
F. nat (outside,inside) static interface
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 10
Refer to the exhibit.
Which traffic is permitted on the inside interface without any interface ACLs configured?
A. any IP traffic input to the inside interface
B. any IP traffic input to the inside interface destined to any lower security level interfaces
C. only HTTP traffic input to the inside interface
D. only HTTP traffic output from the inside interface
E. No input traffic is permitted on the inside interface.
F. No output traffic is permitted on the inside interface.
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 11
On Cisco ASA Software Version 8.4.1 and later, when you configure the Cisco ASA appliance in transparent firewall mode, how is the Cisco ASA management IP address configured?
A. using the IP address global configuration command
B. using the IP address GigabitEthernet 0/x interface configuration command
C. using the IP address BVI x interface configuration command
D. using the bridge-group global configuration command
E. using the bridge-group GigabitEthernet 0/x interface configuration command
F. using the bridge-group BVI x interface configuration command
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 12
Refer to the exhibit.
Which Cisco ASA CLI nat command is generated based on this Cisco ASDM NAT configuration?
A. nat (dmz, outside) 1 source static any any
B. nat (dmz, outside) 1 source static any outside
C. nat (dmz,outside) 1 source dynamic any interface
D. nat (dmz, outside) 1 source static any interface destination static any any
E. nat (dmz, outside) 1 source dynamic any outside destination static any any
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 13
Refer to the exhibit.
Which additional Cisco ASA Software Version 8.3 NAT configuration is needed to meet the following requirements?
When any host in the 192.168.1.0/24 subnet behind the inside interface accesses any destinations in the 10.10.1.0/24 subnet behind the outside interface, PAT them to the outside interface. Do not change the destination IP in the packet.
A. nat (inside,outside) source static inside-net interface destination static outhosts outhosts
B. nat (inside,outside) source dynamic inside-net interface destination static outhosts outhosts
C. nat (outside,inside) source dynamic inside-net interface destination static outhosts outhosts
D. nat (outside,inside) source static inside-net interface destination static outhosts outhosts
E. nat (any, any) source dynamic inside-net interface destination static outhosts outhosts
F. nat (any, any) source static inside-net interface destination static outhosts outhosts
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 14
On Cisco ASA Software Version 8.3 and later, which two statements correctly describe the NAT table or NAT operations? (Choose two.)
A. The NAT table has four sections.
B. Manual NAT configurations are found in the first (top) and/or the last (bottom) section(s) of the NAT table.
C. Auto NAT also is referred to as Object NAT.
D. Auto NAT configurations are found only in the first (top) section of the NAT table.
E. The order of the NAT entries in the NAT table is not relevant to how the packets are matched against the NAT table.
F. Twice NAT is required for hosts on the inside to be accessible from the outside.
Correct Answer: BC Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 15
The Cisco ASA software image has been erased from flash memory. Which two statements about the process to recover the Cisco ASA software image are true? (Choose two.)
A. Access to the ROM monitor mode is required.
B. The Cisco ASA appliance must have connectivity to the TFTP server where the Cisco ASA image is stored through the Management 0/0 interface.
C. The copy tftp flash command is necessary to start the TFTP file transfer.
D. The server command is necessary to set the TFTP server IP address.
E. Cisco ASA password recovery must be enabled.
Correct Answer: AD Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 16
Which two Cisco ASA licensing features are correct with Cisco ASA Software Version 8.3 and later? (Choose two.)
A. Identical licenses are not required on the primary and secondary Cisco ASA appliance.
B. Cisco ASA appliances configured as failover pairs disregard the time-based activation keys.
C. Time-based licenses are stackable in duration but not in capacity.
D. A time-based license completely overrides the permanent license, ignoring all permanently licensed features until the time-based license is uninstalled.
Correct Answer: AC Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 17
For which purpose is the Cisco ASA CLI command aaa authentication match used?
A. Enable authentication for SSH and Telnet connections to the Cisco ASA appliance.
B. Enable authentication for console connections to the Cisco ASA appliance.
C. Enable authentication for connections through the Cisco ASA appliance.
D. Enable authentication for IPsec VPN connections to the Cisco ASA appliance.
E. Enable authentication for SSL VPN connections to the Cisco ASA appliance.
F. Enable authentication for Cisco ASDM connections to the Cisco ASA appliance.
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 18
Which option is one requirement before a Cisco ASA appliance can be upgraded from Cisco ASA Software Version 8.2 to 8.3?
A. Remove all the pre 8.3 NAT configurations in the startup configuration.
B. Upgrade the memory on the Cisco ASA appliance to meet the memory requirement of Cisco ASA Software Version 8.3.
C. Request new Cisco ASA licenses to meet the 8.3 licensing requirement.
D. Upgrade Cisco ASDM to version 6.2.
E. Migrate interface ACL configurations to include interface and global ACLs.
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 19
Refer to the partial Cisco ASA configuration and the network topology shown in the exhibit.
Which two Cisco ASA configuration commands are required so that any hosts on the Internet can HTTP to the WEBSERVER using the 192.168.1.100 IP address? (Choose two.)
A. nat (inside,outside) static 192.168.1.100
B. nat (inside,outside) static 172.31.0.100
C. nat (inside,outside) static interface
D. access-list outside_access_in extended permit tcp any object 172.31.0.100 eq http
E. access-list outside_access_in extended permit tcp any object 192.168.1.100 eq http
F. access-list outside_access_in extended permit tcp any object 192.168.1.1 eq http
Correct Answer: AD Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 20
Which two statements about Cisco ASA 8.2 NAT configurations are true? (Choose two.)
A. NAT operations can be implemented using the NAT, global, and static commands.
B. If nat-control is enabled and a connection does not need a translation, then an identity NAT configuration is required.
C. NAT configurations can use the any keyword as the input or output interface definition.
D. The NAT table is read and processed from the top down until a translation rule is matched.
E. Auto NAT links the translation to a network object.
Correct Answer: AB Section: (none) Explanation
Explanation/Reference:
Exam A
QUESTION 1
On the Cisco ASA, tcp-map can be applied to a traffic class using which MPF CLI configuration command?
A. inspect
B. sysopt connection
C. tcp-options
D. parameters
E. set connection advanced-options
Correct Answer: E Section: (none) Explanation
Explanation/Reference:
QUESTION 2
By default, which traffic can pass through a Cisco ASA that is operating in transparent mode without explicitly allowing it using an ACL?
A. ARP
B. BPDU
C. CDP
D. OSPF multicasts
E. DHCP
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 3
When enabling a Cisco ASA to send syslog messages to a syslog server, which syslog level will produce the most messages?
A. notifications
B. informational
C. alerts
D. emergencies
E. errors
F. debugging
Correct Answer: F Section: (none) Explanation
Explanation/Reference:
QUESTION 4
What can be determined about the connection status?
A. The output is showing normal activity to the inside 10.1.1.50 web server.
B. Many HTTP connections to the 10.1.1.50 web server have successfully completed the three-way TCP handshake.
C. Many embryonic connections are made from random sources to the 10.1.1.50 web server.
D. The 10.1.1.50 host is triggering SYN flood attacks against random hosts on the outside.
E. The 10.1.1.50 web server is terminating all the incoming HTTP connections.
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
QUESTION 5
What mechanism is used on the Cisco ASA to map IP addresses to domain names that are contained in the botnet traffic filter dynamic database or local blacklist?
A. HTTP inspection
B. DNS inspection and snooping
C. WebACL
D. dynamic botnet database fetches (updates)
E. static blacklist
F. static whitelist
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
QUESTION 6
Which statement about the policy map named test is true?
A. Only HTTP inspection will be applied to the TCP port 21 traffic.
B. Only FTP inspection will be applied to the TCP port 21 traffic.
C. both HTTP and FTP inspections will be applied to the TCP port 21 traffic.
D. No inspection will be applied to the TCP port 21 traffic, because the http class map configuration conflicts with the ftp class map.
E. All FTP traffic will be denied, because the FTP traffic will fail the HTTP inspection.
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
QUESTION 7
Which Cisco ASA feature can be configured using this Cisco ASDM screen?
A. Cisco ASA command authorization using TACACS+
B. AAA accounting to track serial, ssh, and telnet connections to the Cisco ASA
C. Exec Shell access authorization using AAA
D. cut-thru proxy
E. AAA authentication policy for Cisco ASDM access
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 8
Which command enables the stateful failover option?
A. failover link MYFAILOVER GigabitEthernet0/2
B. failover lan interface MYFAILOVER GigabitEthernet0/2
C. failover interface ip MYFAILOVER 172.16.5.1 255.255.255.0 standby 172.16.5.10
D. preempt
E. failover group 1 primary
F. failover lan unit primary
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 9
In which type of environment is the Cisco ASA MPF set connection advanced-options tcp-state-bypass option the most useful?
A. SIP proxy
B. WCCP
C. BGP peering through the Cisco ASA
D. asymmetric traffic flow
E. transparent firewall
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 10
Which statement about the MPF configuration is true?
A. Any non-RFC compliant FTP traffic will go through additional deep FTP packet inspections.
B. FTP traffic must conform to the FTP RFC, and the FTP connection will be dropped if the PUT command is used.
C. FTP traffic must conform to the FTP RFC, and the FTP connection will be dropped if the PUT command is used.
D. The ftp-pm policy-map type should be type inspect.
E. Due to a configuration error, all FTP connections through the outside interface will not be permitted.
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
QUESTION 11
What is a reasonable conclusion?
A. The maximum number of TCP connections that the 10.1.1.99 host can establish will be 146608.
B. All the connections from the 10.1.1.99 have completed the TCP three-way handshake.
C. The 10.1.1.99 hosts are generating a vast number of outgoing connections, probably due to a virus.
D. The 10.1.1.99 host on the inside is under a SYN flood attack.
E. The 10.1.1.99 host operations on the inside look normal.
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
QUESTION 12
By default, how does the Cisco ASA authenticate itself to the Cisco ASDM users?
A. The administrator validates the Cisco ASA by examining the factory built-in identity certificate thumbprint of the Cisco ASA.
B. The Cisco ASA automatically creates and uses a persistent self-signed X.509 certificate to authenticate itself to the administrator.
C. The Cisco ASA automatically creates a self-signed X.509 certificate on each reboot to authenticate itself to the administrator.
D. The Cisco ASA and the administrator use a mutual password to authenticate each other.
E. The Cisco ASA authenticates itself to the administrator using a one-time password.
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
QUESTION 13
When will a Cisco ASA that is operating in transparent firewall mode perform a routing table lookup instead of a MAC address table lookup to determine the outgoing interface of a packet?
A. if multiple context mode is configured
B. if the destination MAC address is unknown
C. if the destination is more than a hop away from the Cisco ASA
D. if NAT is configured
E. if dynamic ARP inspection is configured
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 14
Which flag shown in the output of the show conn command is used to indicate that an initial SYN packet is from the outside (lower security-level interface)?
A. B
B. D
C. b
D. A
E. a
F. i
G. I
H. O
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 15
Which statement about the default ACL logging behavior of the Cisco ASA is true?
A. The Cisco ASA generates system message 106023 for each denied packet when a deny ACE is configured.
B. The Cisco ASA generates system message 106023 for each denied packet when a deny ACE is configured.
C. The Cisco ASA generates system message 106100 only for the first packet that matched an ACE.
D. The Cisco ASA generates system message 106100 for each packet that matched an ACE.
E. No ACL logging is enabled by default.
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 16
Which Cisco ASA feature enables the ASA to do these two things? 1) Act as a proxy for the server and generate a SYN-ACK response to the client SYN request. 2) When the Cisco ASA receives an ACK back from the client, the Cisco ASA authenticates the client and allows the connection to the server.
A. TCP normalizer
B. TCP state bypass
C. TCP intercept
D. basic threat detection
E. advanced threat detection
F. botnet traffic filter
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
QUESTION 17
Which option is not supported when the Cisco ASA is operating in transparent mode and also is using multiple security contexts?
A. NAT
B. shared interface
C. security context resource management
D. Layer 7 inspections
E. failover
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
QUESTION 18
What does the * next to the CTX security context indicate?
A. The CTX context is the active context on the Cisco ASA.
B. The CTX context is the standby context on the Cisco ASA.
C. The CTX context contains the system configurations.
D. The CTX context has the admin role.
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 19
Which Cisco ASA feature is implemented by the ip verify reverse-path interface interface_name command?
A. uRPF
B. TCP intercept
C. botnet traffic filter
D. scanning threat detection
E. IPS (IP audit)
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 20
In one custom dynamic application, the inside client connects to an outside server using TCP port 4444 and negotiates return client traffic in the port range of 5000 to 5500. The server then starts streaming UDP data to the client on the negotiated port in the specified range. Which Cisco ASA feature or command supports this custom dynamic application?
A. TCP normalizer
B. TCP intercept
C. ip verify command
D. established command
E. tcp-map and tcp-options commands
F. set connection advanced-options command
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Exam A
QUESTION 1
Using the default modular policy framework global configuration on the Cisco ASA, how does the Cisco ASA process outbound HTTP traffic?
A. HTTP flows are not permitted through the Cisco ASA, because HTTP is not inspected by default.
B. HTTP flows match the inspection_default traffic class and are inspected using HTTP inspection.
C. HTTP outbound traffic is permitted, but all return HTTP traffic is denied.
D. HTTP flows are statefully inspected using TCP stateful inspection.
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 2
Which Cisco ASA feature enables the ASA to do these two things? 1) Act as a proxy for the server and generate a SYN-ACK response to the client SYN request. 2) When the Cisco ASA receives an ACK back from the client, the Cisco ASA authenticates the client and allows the connection to the server.
A. TCP normalizer
B. TCP state bypass
C. TCP intercept
D. basic threat detection
E. advanced threat detection
F. botnet traffic filter
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
QUESTION 3
By default, which traffic can pass through a Cisco ASA that is operating in transparent mode without explicitly allowing it using an ACL?
A. ARP
B. BPDU
C. CDP
D. OSPF multicasts
E. DHCP
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 4
Refer to the exhibit. Which Cisco ASA feature can be configured using this Cisco ASDM screen?
Build Your Dreams PassGuide 642-617
A. Cisco ASA command authorization using TACACS+
B. AAA accounting to track serial, ssh, and telnet connections to the Cisco ASA
C. Exec Shell access authorization using AAA
D. cut-thru proxy
E. AAA authentication policy for Cisco ASDM access
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 5
Refer to the exhibit. The Cisco ASA is dropping all the traffic that is sourced from the internet and is destined to any security context inside interface. Which configuration should be verified on the Cisco ASA to solve this problem?
A. The Cisco ASA has NAT control disabled on each security context.
B. The Cisco ASA is using inside dynamic NAT on each security context.
C. The Cisco ASA is using a unique MAC address on each security context outside interface.
D. The Cisco ASA is using a unique dynamic routing protocol process on each security context.
E. The Cisco ASA packet classifier is configured to use the outside physical interface to assign the packets to each security context.
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
QUESTION 6
Which four types of ACL object group are supported on the Cisco ASA (release 8.2)? (Choose four.)
A. protocol
B. network
C. port
D. service
E. icmp-type
F. host
Correct Answer: ABDE Section: (none) Explanation
Explanation/Reference:
QUESTION 7
Refer to the exhibit. Which two CLI commands will result? (Choose two.)
A. aaa authorization network LOCAL
B. aaa authorization network default authentication-server LOCAL
C. aaa authorization command LOCAL
D. aaa authorization exec LOCAL
E. aaa authorization exec authentication-server LOCAL
F. aaa authorization exec authentication-server
Correct Answer: CD Section: (none) Explanation
Explanation/Reference:
QUESTION 8
Refer to the exhibit. Which two statements about the class maps are true? (Choose two.)
A. These class maps are referenced within the global policy by default for HTTP inspection.
B. These class maps are all type inspect http class maps.
C. These class maps classify traffic using regular expressions.
D. These class maps are Layer 3/4 class maps.
E. These class maps are used within the inspection_default class map for matching the default inspection traffic.
Correct Answer: CE Section: (none) Explanation
Explanation/Reference:
QUESTION 9
Refer to the exhibit. A Cisco ASA in transparent firewall mode generates the log messages seen in the exhibit. What should be configured on the Cisco ASA to allow the denied traffic?
A. extended ACL on the outside and inside interface to permit the multicast traffic
B. EtherType ACL on the outside and inside interface to permit the multicast traffic
C. stateful packet inspection
D. static ARP mapping
E. static MAC address mapping
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 10
The Cisco ASA must support dynamic routing and terminating VPN traffic. Which three Cisco ASA options will not support these requirements? (Choose three.)
A. transparent mode
B. multiple context mode
C. active/standby failover mode
D. active/active failover mode
E. routed mode
F. no NAT-control
Correct Answer: ABD Section: (none) Explanation
Explanation/Reference:
QUESTION 11
Refer to the exhibits. Which five options should be entered into the five fields in the Cisco ASDM Add Static Policy NAT Rule screen? (Choose five.)
access-list POLICY_NAT_ACL extended permit ip host 172.16.0.10 10.0.1.0 255.255.255.0
static (dmz,outside) 192.168.2.10 access-list POLICY_NAT_ACL
A. dmz = Original Interface
B. outside = Original Interface
C. 172.16.0.10 = Original Source
D. 192.168.2.10 = Original Source
E. 10.0.1.0/24 = Original Destination
F. 192.168.2.10 = Original Destination
G. dmz = Translated Interface
H. outside = Translated Interface
I. 192.168.2.10 = Translated Use IP Address
J. 172.16.0.10 = Translated Use IP Address
Correct Answer: ACEHI Section: (none) Explanation
Explanation/Reference:
QUESTION 12
By default, which access rule is applied inbound to the inside interface?
A. All IP traffic is denied.
B. All IP traffic is permitted.
C. All IP traffic sourced from any source to any less secure network destinations is permitted.
D. All IP traffic sourced from any source to any more secure network destinations is permitted.
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
QUESTION 13
In which type of environment is the Cisco ASA MPF set connection advanced-options tcp-state-bypass option the most useful?
A. SIP proxy
B. WCCP
C. BGP peering through the Cisco ASA
D. asymmetric traffic flow
E. transparent firewall
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 14
Which Cisco ASA platform should be selected if the requirements are to support 35,000 connections per second, 600,000 maximum connections, and traffic shaping?
A. 5540
B. 5550
C. 5580-20
D. 5580-40
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
QUESTION 15
Refer to the exhibit. What is the resulting CLI command?
A. match requesturi regex _default_GoToMyPC-tunnel drop-connection log
B. matchregex _default_GoToMyPC-tunnel drop-connection log
C. class _default_GoToMyPC-tunnel drop-connection log
D. match class-map _default_GoToMyPC-tunnel drop-connection log
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
QUESTION 16
A customer is ordering a number of Cisco ASAs for their network. For the remote or home office, they are purchasing the Cisco ASA 5505. When ordering the licenses for their Cisco ASAs, which two licenses must they order that are “platform specific” to the Cisco ASA 5505? (Choose two.)
A. AnyConnect Essentials license
B. per-user Premium SSL VPN license
C. VPN shared license
D. internal user licenses
E. Security Plus license
Correct Answer: AE Section: (none) Explanation
Explanation/Reference:
QUESTION 17
With Cisco ASA active/standby failover, what is needed to enable subsecond failover?
A. Use redundant interfaces.
B. Enable the stateful failover interface between the primary and secondary Cisco ASA.
C. Decrease the default unit failover polltime to 300 msec and the unit failover holdtime to 900 msec.
D. Decrease the default number of monitored interfaces to 1.
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
QUESTION 18
When enabling a Cisco ASA to send syslog messages to a syslog server, which syslog level will produce the most messages?
A. notifications
B. informational
C. alerts
D. emergencies
E. errors
F. debugging
Correct Answer: F Section: (none) Explanation
Explanation/Reference:
QUESTION 19
Which Cisco ASA feature is implemented by the ip verify reverse-path interface interface_name command?
A. uRPF
B. TCP intercept
C. botnet traffic filter
D. scanning threat detection
E. IPS (IP audit)
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 20
A Cisco ASA requires an additional feature license to enable which feature?
A. transparent firewall
B. cut-thru proxy
C. threat detection
D. botnet traffic filtering
E. TCP normalizer
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Exam A
QUESTION 1
A malicious program is disguised as another useful program; consequently, when the user executes the program, files get erased and then the malicious program spreads itself using emails as the delivery mechanism. Which type of attack best describes how this scenario got started?
A. DoS
B. worm
C. virus
D. trojan horse
E. DDoS
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: Denial of Service (DoS) is an attack designed to render a computer or network incapable of providing normal services. The most common DoS attacks will target the computer’s network bandwidth or connectivity. Bandwidth attacks flood the network with such a high volume of traffic that all available network resources are consumed and legitimate user requests cannot get through. Connectivity attacks flood a computer with such a high volume of connection requests that all available operating system resources are consumed and the computer can no longer process legitimate user requests. A “denial-of-service” attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Examples include:
* attempts to “flood” a network, thereby preventing legitimate network traffic
* attempts to disrupt connections between two machines, thereby preventing access to a service
* attempts to prevent a particular individual from accessing a service
* attempts to disrupt service to a specific system or person
Distributed Denial of Service:
* An attacker launches the attack using several machines. In this case, an attacker breaks into several machines, or coordinates with several zombies, to launch an attack against a target or network at the same time.
* This makes it difficult to detect because attacks originate from several IP addresses.
* If a single IP address is attacking a company, it can block that address at its firewall. If it is 300 00, this is extremely difficult.
QUESTION 2
What is the key function of a comprehensive security policy?
A. informing staff of their obligatory requirements for protecting technology and information assets
B. detailing the way security needs will be met at corporate and department levels
C. recommending that Cisco IPS sensors be implemented at the network edge
D. detailing how to block malicious network attacks
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation: Developing a strong security policy helps to protect your resources only if all staff members are properly instructed on all facets and processes of the policy. Most companies have a system in place whereby all employees need to sign a statement confirming that they have read and understood the security policy. The policy should cover all issues the employees encounter in their day-to-day work, such as laptop security, password policy, handling of sensitive information, access levels, tailgating, countermeasures, photo IDs, PIN codes, and security information delivered via newsletters and posters. A top-down approach is required if the policy is to be taken seriously. This means that the security policy should be issued and supported from an executive level downward.
QUESTION 3
Which building blocks make up the Adaptive Threat Defense phase of Cisco SDN strategy?
A. VoIP services, NAC services, Cisco IBNS
B. network foundation protection, NIDS services, adaptive threat mitigation services
C. firewall services, intrusion prevention, secure connectivity
D. firewall services, IPS and network antivirus services, network intelligence
E. Anti-X defense, NAC services, network foundation protection
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: A computer connected to the Internet without a firewall can be hijacked and added to an Internet outlaw’s botnet in just a few minutes. A firewall can block malware that could otherwise scan your computer for vulnerabilities and then try to break in at a weak point. The real issue is how to make a computer 99.9% secure when it is connected to the Internet. At a minimum, computers need to have firewall, antivirus, and anti-spyware software installed and kept up to date. A home network that uses a wired or wireless router with firewall features provides additional protection. A computer virus can be best described as a small program or piece of code that penetrates into the operating system, causing unexpected and negative events to occur. A well-known example is the SoBig virus. Computer viruses reside in the active memory of the host and try to duplicate themselves by different means. This duplication mechanism can vary from copying files and broadcasting data on local-area network (LAN) segments to sending copies via e-mail or Internet Relay Chat (IRC). Antivirus software applications are developed to scan the memory and hard disks of hosts for known viruses. If the application finds a virus (using a reference database with virus definitions), it informs the user.
QUESTION 4
DRAG DROP You work as a network administrator at Certkiller.com. Your boss, Mrs. Certkiller, asks you to match the malicious network attack types with the correct definition.
A.
B.
C.
D.
Correct Answer: Section: (none) Explanation
Explanation/Reference:
Explanation:
1. Reconnaissance: Reconnaissance refers to the preparatory phase where an attacker seeks to gather as much information as possible about a target of attack prior to launching an attack. This phase is also where the attacker draws on competitive intelligence to learn more about the target. The phase may also involve network scanning, either external or internal, without authorization. This is a phase that allows the potential attacker to strategize his attack. This may spread over time, as the attacker waits to unearth crucial information. One aspect that gains prominence here is social engineering. A social engineer is a person who usually smooth-talks people into revealing information such as unlisted phone numbers, passwords, or even sensitive information. Other reconnaissance techniques include dumpster diving. Dumpster diving is the process of looking through an organization’s trash for discarded sensitive information. Building user awareness of the precautions they must take in order to protect their information assets is a critical factor in this context.
2. DoS (Denial of Service): Denial of Service (DoS) is an attack designed to render a computer or network incapable of providing normal services. The most common DoS attacks will target the computer’s network bandwidth or connectivity. Bandwidth attacks flood the network with such a high volume of traffic that all available network resources are consumed and legitimate user requests cannot get through. Connectivity attacks flood a computer with such a high volume of connection requests that all available operating system resources are consumed and the computer can no longer process legitimate user requests.
3. Brute force: The brute force method is the most inclusive, though slow. Usually, it tries every possible letter and number combination in its automated exploration.
QUESTION 5
DRAG DROP You work as a network administrator at Certkiller.com. Your boss, Mrs. Certkiller, asks you to match the signature type with the correct definition.
A.
B.
C.
D.
Correct Answer: Section: (none) Explanation
Explanation/Reference:
Explanation:
1. DoS (Denial of Service): Denial of Service (DoS) is an attack designed to render a computer or network incapable of providing normal services. The most common DoS attacks will target the computer’s network bandwidth or connectivity. Bandwidth attacks flood the network with such a high volume of traffic that all available network resources are consumed and legitimate user requests cannot get through. Connectivity attacks flood a computer with such a high volume of connection requests that all available operating system resources are consumed and the computer can no longer process legitimate user requests.
2. Exploit: A defined way to breach the security of an IT system through a vulnerability.
QUESTION 6
Which of these two ways does Cisco recommend that you use to mitigate maintenance-related threats? (Choose two.)
A. Maintain a stock of critical spares for emergency use.
B. Ensure that all cabling is Category 6.
C. Always follow electrostatic discharge procedures when replacing or working with internal router and switch device components.
D. Always wear an electrostatic wrist band when handling cabling, including fiber-optic cabling.
E. Always employ certified maintenance technicians to maintain mission-critical equipment and cabling.
Correct Answer: AC Section: (none) Explanation
Explanation/Reference:
QUESTION 7
What are two security risks on 802.11 WLANs that implement WEP using a static 40-bit key with open authentication? (Choose two.)
A. The IV is transmitted as plaintext, and an attacker can sniff the WLAN to see the IV.
B. The challenge packet sent by the wireless AP is sent unencrypted.
C. The response packet sent by the wireless client is sent unencrypted.
D. WEP uses a weak-block cipher such as the Data Encryption Algorithm.
E. One-way authentication only where the wireless client does not authenticate the wireless-access point.
Correct Answer: AE Section: (none) Explanation
Explanation/Reference:
Explanation: The wireless nature of WLANs and their use of radio frequency for networking make securing them more challenging than securing a wired LAN. Originally, the Wired Equivalent Privacy (WEP) protocol was developed to address this issue. It was designed to provide the same privacy that a user would have on a wired network. WEP is based on the RC4 symmetric encryption standard and uses either a 64-bit or a 128-bit key. However, the keys are not really this many bits because a 24-bit Initialization Vector (IV) is used to provide randomness. So the “real key” is actually 40 or 104 bits long. There are two ways to implement the key. First, the default key method shares a set of up to four default keys with all the wireless access points (WAPs). Second is the key mapping method, which sets up a key-mapping relationship for each wireless station with another individual station. Although slightly more secure, this method is more work. Consequently, most WLANs use a single shared key on all stations, which makes it easier for a hacker to recover the key. Now, let’s take a closer look at WEP and discuss the way it operates. To better understand the WEP process, you need to understand the basics of Boolean logic. Specifically, you need to understand how XORing works. XORing is a simple binary comparison between two bytes that produces another byte as a result. When two bits are compared, XORing looks to see if they are different. If they are different, the resulting output is 1. If the two bits are the same, the result is 0. If you want to learn more about Boolean logic, a good place to start is here: http://en.wikipedia.org/wiki/Boolean_algebra. All this talk about WEP might leave you wondering how exactly RC4 and XORing are used to encrypt wireless communication. To better explain those concepts, let’s look at the seven steps of encrypting a message:
1. The transmitting and receiving stations are initialized with the secret key. This secret key must be distributed using an out-of-band mechanism such as email, posting it on a website, or giving it to you on a piece of paper the way many hotels do.
2. The transmitting station produces a seed, which is obtained by appending the 40-bit secret key to the 24-bit Initialization Vector (IV), for input into a Pseudo Random Number Generator (PRNG).
3. The transmitting station inputs the seed to the WEP PRNG to generate a key stream of random bytes.
4. The key stream is XORed with the plaintext to obtain the ciphertext.
5. The transmitting station appends the ciphertext to the IV and sets a bit that indicates that it is a WEP-encrypted packet. This completes WEP encapsulation, and the result is transmitted as a frame of data. WEP only encrypts the data. The header and trailer are sent in clear text.
6. The receiving station checks to see if the encrypted bit of the frame it received is set. If so, the receiving station extracts the IV from the frame and appends the IV to the secret key.
7. The receiver generates a key stream that must match the transmitting station’s key stream. This key stream is XORed with the ciphertext to obtain the sent plaintext.
QUESTION 8
DRAG DROP You work as a network administrator at Certkiller.com. Your boss, Mrs. Certkiller, asks you to order the steps to mitigate a worm attack.
A.
B.
C.
D.
Correct Answer: Section: (none) Explanation
Explanation/Reference:
Explanation: Viruses and worms are part of a larger category of malicious code or malware. Viruses and worms are programs that can cause a wide range of damage from displaying messages to making programs work erratically or even destroying data or hard drives. Viruses accomplish their designed task by placing self-replicating code in other programs. When these programs execute, they replicate again and infect even more programs. Closely related to viruses and worms is spyware. Spyware is considered another type of malicious software. In many ways, spyware is similar to a Trojan, as most users don’t know that the program has been installed and it hides itself in an obscure location. Spyware steals information from the user and also eats up bandwidth. If that’s not enough, it can also redirect your web traffic and flood you with annoying pop-ups.
Many users view spyware as another type of virus.
The following are the recommended steps for worm attack mitigation:
1. Containment: Contain the spread of the worm into your network and within your network. Compartmentalize parts of your network that have not been infected.
2. Inoculation: Start patching all systems and, if possible, scanning for vulnerable systems.
3. Quarantine: Track down each infected machine inside your network. Disconnect, remove, or block infected machines from the network.
4. Treatment: Clean and patch each infected system. Some worms may require complete core system reinstallations to clean the system.
QUESTION 9
Which method of mitigating packet-sniffer attacks is the most effective?
A. implement two-factor authentication
B. deploy a switched Ethernet network infrastructure
C. use software and hardware to detect the use of sniffers
D. deploy network-level cryptography using IPsec, secure services, and secure protocols
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
You cannot talk about VPNs without saying something about IP Security (IPsec). IPsec is a framework of open standards. It is not bound to any specific encryption algorithm, authentication algorithm, or keying technology. IPsec acts on the network layer, where it protects and authenticates IP packets between participating peers such as firewalls, routers, or concentrators. IPsec provides four major functions:
* Confidentiality: The sender can encrypt the packets before transmitting them across the network. If such a communication is intercepted, it cannot be read by anybody.
* Data integrity: The receiver can verify whether the data was changed while traveling across the Internet.
* Origin authentication: The receiver can authenticate the source of the packet.
* Anti-replay protection: The receiver can verify that each packet is unique and is not duplicated.
QUESTION 10
What is a reconnaissance attack?
A. when an intruder attacks networks or systems to retrieve data, gain access, or escalate access privileges.
B. when an intruder attempts to discover and map systems, services, and vulnerabilities
C. when malicious software is inserted onto a host in order to damage a system, corrupt a system, replicate itself, or deny service or access to networks, systems, or services
D. when an intruder attacks your network in a way that damages or corrupts your computer system, or denies you and others access to your networks, systems, or services
E. when an intruder attempts to learn user IDs and passwords that can later be used in identity theft
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: Reconnaissance refers to the preparatory phase where an attacker seeks to gather as much information as possible about a target of attack prior to launching an attack. This phase is also where the attacker draws on competitive intelligence to learn more about the target. The phase may also involve network scanning, either external or internal, without authorization. This is a phase that allows the potential attacker to strategize his attack. This may spread over time, as the attacker waits to unearth crucial information. One aspect that gains prominence here is social engineering. A social engineer is a person who usually smooth-talks people into revealing information such as unlisted phone numbers, passwords, or even sensitive information. Other reconnaissance techniques include dumpster diving. Dumpster diving is the process of looking through an organization’s trash for discarded sensitive information. Building user awareness of the precautions they must take in order to protect their information assets is a critical factor in this context.
QUESTION 11
What should be the first step in migrating a network to a secure infrastructure?
A. developing a security policy
B. securing the perimeter
C. implementing antivirus protection
D. securing the DMZ
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation: The development of a security policy is the first step to a secure infrastructure; without it, the availability of your network will be compromised.
QUESTION 12
What is a DoS attack?
A. when an intruder attacks networks or systems to retrieve data, gain access, or escalate access privileges
B. when an intruder attempts to discover and map systems, services, and vulnerabilities
C. when malicious software is inserted onto a host in order to damage a system, corrupt a system, replicate itself, or deny services or access to networks, systems, or services
D. When an intruder attacks your network in a way that damages or corrupts your computer system, or denies you and others access to your networks, systems, or services
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: Denial of Service (DoS) is an attack designed to render a computer or network incapable of providing normal services. The most common DoS attacks will target the computer’s network bandwidth or connectivity. Bandwidth attacks flood the network with such a high volume of traffic that all available network resources are consumed and legitimate user requests cannot get through. Connectivity attacks flood a computer with such a high volume of connection requests that all available operating system resources are consumed and the computer can no longer process legitimate user requests. A “denial-of-service” attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Examples include:
* attempts to “flood” a network, thereby preventing legitimate network traffic
* attempts to disrupt connections between two machines, thereby preventing access to a service
* attempts to prevent a particular individual from accessing a service
* attempts to disrupt service to a specific system or person
QUESTION 13
Which method of mitigating packet-sniffer attacks is most cost effective?
A. authentication
B. switched infrastructure
C. antisniffer tools
D. cryptography
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Cryptography: Rendering packet sniffers irrelevant is the most effective method for countering packet sniffers. Cryptography is even more effective than preventing or detecting packet sniffers. If a communication channel is cryptographically secure, the only data a packet sniffer detects is cipher text (a seemingly random string of bits) and not the original message.
QUESTION 14
During which phase of an attack does the attacker attempt to identify targets?
A. penetrate
B. propagate
C. persist
D. probe
E. paralyze
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: Probe phase: The attacker identifies vulnerable targets in this phase. The goal of this phase is to find computers that can be subverted. Internet Control Message Protocol (ICMP) ping scans are used to map networks, and application port scans identify operating systems and vulnerable software. Passwords can be obtained through social engineering, a dictionary attack, a brute-force attack, or network sniffing.
Incorrect:
A – Phase 2 (penetrate)
B – Phase 4 (propagate)
C – Phase 3 (persist)
E – Phase 5 (paralyze)
QUESTION 15
What is considered the main administrative vulnerability of Cisco Catalyst switches?
A. SNMP
B. Telnet
C. Poor passwords
D. Poor encryption
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
By default, a Cisco switch shows the passwords in plaintext for the following settings in the configuration file: the enable password, the username password, the console line, and the virtual terminal lines. Using the same password for both the enable secret and other settings on a switch allows for potential compromise because the password for certain settings (for example, Telnet) may be in plaintext and can be collected on a network using a network analyzer. Also, setting the same enable secret password on multiple switches provides a single point of failure because one compromised switch endangers other switches.
QUESTION 16
DRAG DROP
Click and drag the four steps to mitigating worm attacks in order from step 1 to step 4.
A.
B.
C.
D.
Correct Answer: Section: (none) Explanation
Explanation/Reference:
Explanation:
Worm attack mitigation requires diligence on the part of system and network administration staff. Coordination between system administration, network engineering, and security operations personnel is critical in responding effectively to a worm incident. The following are the recommended steps for worm attack mitigation:
1. Containment: Contain the spread of the worm into your network and within your network. Compartmentalize parts of your network that have not been infected.
2. Inoculation: Start patching all systems and, if possible, scanning for vulnerable systems.
3. Quarantine: Track down each infected machine inside your network. Disconnect, remove, or block infected machines from the network.
4. Treatment: Clean and patch each infected system. Some worms may require complete core system reinstallations to clean the system.
QUESTION 17
Certkiller.com network administrators have just configured SSH on their target router and have now discovered that an intruder has been using this router to perform a variety of malicious attacks. What have they most likely forgotten to do, and which Cisco IOS commands do they need to use to fix this problem on their target router?
A. forgot to reset the encryption keys using the crypto key zeroize rsa Cisco IOS global configuration command
B. forgot to close port 23 and they need to issue the no transport input telnet Cisco IOS global configuration command
C. forgot to disable vty inbound Telnet sessions and they need to issue the line vty 0 4 and the no transport input telnet Cisco IOS line configuration commands
D. forgot to restrict access to the Telnet service on port 23 using ACLs and they need to issue the access-list 90 deny any log Cisco IOS global configuration command, and the line vty 0 4 and access-class 90 in Cisco IOS line configuration commands
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: Telnet and rlogin are known as insecure commands: they transport data packets in plaintext, so anyone who captures the packets can read them easily. SSH (Secure Shell) is therefore the preferred remote login tool, because it maintains secure communication. The allowed transports are set on the vty lines in line configuration mode:
Router(config)# line vty 0 4
Router(config-line)# transport input {telnet | ssh | all}
Telnet may still be enabled, so disable it with the no form of the command (no transport input telnet), or restrict the lines to SSH only with transport input ssh.
QUESTION 18
To verify role-based CLI configurations, which Cisco IOS CLI commands do you need use to verify a view?
A. parser view view-name, then use the ? to verify the available commands
B. enable view view-name, then use the ? to verify the available commands
C. enable view, then use the parser view view-name to verify the available commands
D. show view view-name to verify the available commands
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: The Role-Based CLI Access feature allows the network administrator to define “views,” which are a set of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration (config) mode commands. Views restrict user access to the Cisco IOS command-line interface (CLI) and configuration information; that is, a view can define what commands are accepted and what configuration information is visible. Thus, network administrators can exercise better control over access to Cisco networking devices.
Summary steps:
1. enable view
2. configure terminal
3. parser view view-name
4. secret 5 encrypted-password
5. commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]
6. exit
7. exit
8. enable [privilege-level] [view view-name]
9. show parser view [all]
QUESTION 19
What two tasks should be done before configuring SSH server operations on Cisco routers? (Choose two.)
A. Upgrade routers to run a Cisco IOS Release 12.1(1)P image.
B. Upgrade routers to run a Cisco IOS Release 12.1(3)T image or later with the IPsec feature set.
C. Ensure routers are configured for external ODBC authentication.
D. Ensure routers are configured for local authentication or AAA for username and password authentication.
E. Upgrade routers to run a Cisco IOS Release 11.1(3)T image or later with the IPsec feature set.
Correct Answer: BD Section: (none) Explanation
Explanation/Reference:
Explanation:
Secure Shell (SSH) is a protocol that provides a secure remote access connection to network devices. Communication between the client and server is encrypted in both SSH version 1 and SSH version 2. Implement SSH version 2 when possible because it uses a more enhanced security encryption algorithm. SSH was introduced into these IOS platforms and images:
1. SSH Version 1.0 (SSH v1) server was introduced in some IOS platforms and images starting in Cisco IOS Software Release 12.0.5.S.
2. SSH client was introduced in some IOS platforms and images starting in Cisco IOS Software Release 12.1.3.T.
3. SSH terminal-line access (also known as reverse-Telnet) was introduced in some IOS platforms and images starting in Cisco IOS Software Release 12.2.2.T.
4. SSH Version 2.0 (SSH v2) support was introduced in some IOS platforms and images starting in Cisco IOS Software Release 12.1(19)E.
Example of an SSH configuration on a Cisco router:
aaa new-model
username cisco password 0 cisco
ip domain-name rtp.cisco.com
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
 transport input ssh
QUESTION 20
In the Cisco SDM Security Audit Wizard screen shown in the figure, which Fix it action should be selected to prevent smurf denial of service attacks?
A. IP Mask Reply is enabled
B. IP Unreachables is enabled
C. IP Directed Broadcast is enabled
D. IP Redirects is enabled
E. IP Proxy ARP is enabled
F. Access class is not set on vty lines
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: Directed broadcast: An IP directed broadcast is a datagram sent to the broadcast address of a subnet that is not directly attached to the sending machine. The directed broadcast is routed through the network as a unicast packet until it arrives at the target subnet, where it is converted into a link-layer broadcast. Because of the nature of the IP addressing architecture, only the last router in the chain, which is connected directly to the target subnet, can conclusively identify a directed broadcast.
* IP directed broadcasts are used in the extremely common and popular smurf Denial of Service (DoS) attacks. In a smurf attack, the attacker sends ICMP echo requests from a falsified source address to a directed broadcast address, causing all the hosts on the target subnet to send replies to the falsified source. By sending a continuous stream of such requests, the attacker can create a much larger stream of replies, which can completely inundate the host whose address is being falsified.
* This service should be disabled on all interfaces when not needed to prevent smurf and DoS attacks.
* Cisco AutoSecure disables IP directed broadcasts using the no ip directed-broadcast command in interface configuration mode on each interface.
Reference:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_white_paper09186a00801dbf61.shtml
Cisco 642-551
Exam A
QUESTION 1
What is a set of conditions that, when met, indicates that an intrusion is occurring or has occurred?
A. rules
B. state tables
C. signatures
D. master parameters
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
QUESTION 2
If you choose Add from the Allowed Hosts panel in Cisco IDM, which two fields are available for configuration? (Choose two.)
A. Static Routes
B. Dynamic Routes
C. IP Address
D. Default Route
E. Netmask
Correct Answer: CE Section: (none) Explanation
Explanation/Reference:
QUESTION 3
Drag Drop question
A.
B.
C.
D.
Correct Answer: Section: (none) Explanation
Explanation/Reference:
QUESTION 4
Drag Drop question
A.
B.
C.
D.
Correct Answer: Section: (none) Explanation
Explanation/Reference:
QUESTION 5
What are the three types of private VLAN ports? (Choose three.)
A. typical
B. isolated
C. nonisolated
D. promiscuous
E. community
F. bridging
Correct Answer: BDE Section: (none) Explanation
Explanation/Reference:
QUESTION 6
LAB
This is the answer:
pixfirewall(config)# interface eth3 100full
pixfirewall(config)# nameif eth3 protected security 56
pixfirewall(config)# ip address protected 192.168.147.1 255.255.255.0
A.
B.
C.
D.
Correct Answer: Section: (none) Explanation
Explanation/Reference:
QUESTION 7
When port security is enabled on a Cisco Catalyst switch, what is the default action when the configured maximum of allowed MAC addresses value is exceeded?
A. The port is shut down.
B. The port is enabled and the maximum number automatically increases.
C. The MAC address table is cleared and the new MAC address is entered into the table.
D. The MAC address table is shut down.
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 8
What is a description of a promiscuous PVLAN port?
A. It has a complete Layer 2 separation from the other ports within the same PVLAN.
B. It can only communicate with other promiscuous ports.
C. It can communicate with all interfaces within a PVLAN.
D. It cannot communicate with any other ports.
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
QUESTION 9
Which two protocols does Cisco Secure ACS use for AAA services? (Choose two.)
A. TACACS+
B. Telnet
C. SSH
D. RADIUS
E. SSL
F. SNMP
Correct Answer: AD Section: (none) Explanation
Explanation/Reference:
QUESTION 10
Which command would be used on the Cisco PIX Security Appliance to show the pool of addresses to be translated?
A. show nat
B. show xlate
C. show global
D. show conn
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
QUESTION 11
What is the default security-level definition setting for the outside interface for the Cisco PIX Security Appliance?
A. 0
B. 100
C. 50
D. 25
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 12
Which Cisco IOS command enables the AAA access-control commands and functions on the router, and overrides the older TACACS and extended TACACS commands?
A. no aaa authentication login default enable
B. aaa authentication login default local
C. aaa new-model
D. login authentication default
E. no login authentication default
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
QUESTION 13
Which communication protocol is used by the administrator workstation to communicate with the CSA MC?
A. SSH
B. Telnet
C. HTTPS
D. SSL
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 14
To which router platform can Turbo ACLs be applied?
A. Cisco 800 Router
B. Cisco 2600 Series Router
C. Cisco 3500
D. Cisco 7200 Router
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 15
Which administrative access mode for the Cisco PIX Security Appliance allows you to change the current settings?
A. unprivileged mode
B. privileged mode
C. configuration mode
D. monitor mode
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
QUESTION 16
Which Cisco IDS/IPS feature enables the appliance to aggregate alarms?
A. FireOnce
B. response actions
C. alarm summarization
D. threshold configuration
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
QUESTION 17
Which method does a Cisco firewall use for packet filtering?
A. inspection rules
B. ACLs
C. security policies
D. VACLs
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
QUESTION 18
Which component within the Cisco Network Admission Control architecture acts as the policy server for evaluating the endpoint security information that is relayed from network devices, and for determining the appropriate access policy to apply?
A. CiscoWorks
B. CiscoWorks VMS
C. Cisco Secure ACS
D. Cisco Trust Agent
E. Cisco Security Agent
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
QUESTION 19
Which command is used to reboot the Cisco PIX Security Appliance?
A. reboot
B. restart
C. boot
D. reload
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 20
Packet sniffers work by using a network interface card in which mode?
A. inline
B. cut-through
C. promiscuous
D. Ethernet
E. passive
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Cisco 642-551 Questions and Answers Products basically comprise the simulated Cisco 642-551 exam questions and their most correct answers, accompanied by a methodical elucidation of the Cisco 642-551 answers and the probable wrong answers. The extent to which Cisco 642-551 Questions and Answers Products cover their Cisco subject is so thorough that, once you are done with a Cisco product, passing the Cisco 642-551 exam in the first attempt should be a piece of cake.