Cisco 642-825 Implementing secure Converged Wide Area Networks exam questions and answers. It will provide you questions and answers carefully compiled and written by our experts. Try to understand the concepts behind the questions instead of cramming the questions.
Copyright:
Attribution Non-Commercial (BY-NC)
Q&A
Version 2010-02-16

It will provide you questions and answers carefully compiled and written by our experts. Try to understand the concepts behind the questions instead of cramming the questions. Go through the entire document at least twice so that you make sure that you are not missing anything.

Exam A

QUESTION 1
Which two statements about common network attacks are true? (Choose two.)
A. Access attacks can consist of password attacks, trust exploitation, port redirection, and man-in-the-middle attacks.
B. Access attacks can consist of password attacks, ping sweeps, port scans, and man-in-the-middle attacks.
C. Access attacks can consist of packet sniffers, ping sweeps, port scans, and man-in-the-middle attacks.
D. Reconnaissance attacks can consist of password attacks, trust exploitation, port redirection and Internet information queries.
E. Reconnaissance attacks can consist of packet sniffers, port scans, ping sweeps, and Internet information queries.
F. Reconnaissance attacks can consist of ping sweeps, port scans, man-in-middle attacks and Internet information queries.
Answer: AE
Section: (none)
Explanation/Reference:

QUESTION 2
Which two statements about the Cisco AutoSecure feature are true? (Choose two.)
A. All passwords entered during the AutoSecure configuration must be a minimum of 8 characters in length.
B. Cisco123 would be a valid password for both the enable password and the enable secret commands.
C. The auto secure command can be used to secure the router login as well as the NTP and SSH protocols.
D. For an interactive full session of AutoSecure, the auto secure login command should be used.
E. If the SSH server was configured, the 1024 bit RSA keys are generated after the auto secure command is enabled.
Answer: CE
Section: (none)
Explanation/Reference:

QUESTION 3
Which three statements are correct about MPLS-based VPNs? (Choose three.)
A. Route Targets (RTs) are attributes attached to a VPNv4 BGP route to indicate its VPN membership.
B. Scalability becomes challenging for a very large, fully meshed deployment.
C. Authentication is done using a digital certificate or pre-shared key.
D. A VPN client is required for client-initiated deployments.
E. A VPN client is not required for users to interact with the network.
F. An MPLS-based VPN is highly scalable because no site-to-site peering is required.
Answer: AEF
Section: (none)
Explanation/Reference:

PassGuide.com - Make You Succeed To Pass IT Exams PassGuide 642-825

QUESTION 4
Which two statements are true about broadband cable (HFC) systems? (Choose two.)
A. Cable modems only operate at Layer 1 of the OSI model.
B. Cable modems operate at Layers 1 and 2 of the OSI model.
C. Cable modems operate at Layers 1, 2, and 3 of the OSI model.
D. A function of the cable modem termination system (CMTS) is to convert the modulated signal from the cable modem into a digital signal.
E. A function of the cable modem termination system is to convert the digital data stream from the end user host into a modulated RF signal for transmission onto the cable system.
Answer: BD
Section: (none)
Explanation/Reference:

QUESTION 5
Which form of DSL technology is typically used as a replacement for T1 lines?
A. VDSL
B. HDSL
C. ADSL
D. SDSL
E. G.SHDSL
F. IDSL
Answer: B
Section: (none)
Explanation/Reference:

QUESTION 6
Refer to the exhibit. Which two statements about the AAA configuration are true? (Choose two.)
A. A good security practice is to have the none parameter configured as the final method used to ensure that no other authentication method will be used.
B. If a TACACS+ server is not available, then a user connecting via the console port would not be able to gain access since no other authentication method has been defined.
C. If a TACACS+ server is not available, then the user Bob could be able to enter privileged mode as long as the proper enable password is entered.
D. The aaa new-model command forces the router to override every other authentication method previously configured for the router lines.
E. To increase security, group radius should be used instead of group tacacs+.
F. Two authentication options are prescribed by the displayed aaa authentication command.
Answer: DF
Section: (none)
Explanation/Reference:

QUESTION 7
Which two Network Time Protocol (NTP) statements are true? (Choose two.)
A. A stratum 0 time server is required for NTP operation.
B. NTP is enabled on all interfaces by default, and all interfaces receive NTP packets.
C. NTP operates on IP networks using User Datagram Protocol (UDP) port 123.
D. The ntp server global configuration is used to configure the NTP master clock to which other peers synchronize themselves.
E. The show ntp status command displays detailed association information of all NTP peers.
F. Whenever possible, configure NTP version 5 because it automatically provides authentication and encryption services.
Answer: BC
Section: (none)
Explanation/Reference:

QUESTION 8
What are the two main features of Cisco IOS Firewall? (Choose two.)
A. TACACS+
B. AAA
C. Cisco Secure Access Control Server
D. Intrusion Prevention System
E. Authentication Proxy
Answer: DE
Section: (none)
Explanation/Reference:

QUESTION 9
Refer to the exhibit. On the basis of the partial configuration, which two statements are true? (Choose two.)
A. A CBAC inspection rule is configured on router RTA.
B. A named ACL called SDM_LOW is configured on router RTA.
C. A QoS policy has been applied on interfaces Serial 0/0 and FastEthernet 0/1.
D. Interface Fa0/0 should be the inside interface and interface Fa0/1 should be the outside interface.
E. On interface Fa0/0, the ip inspect statement should be incoming.
F. The interface commands ip inspect SDM_LOW in allow CBAC to monitor multiple protocols.
Answer: A
Section: (none)
Explanation/Reference:

QUESTION 10
Which two statements describe the functions and operations of IDS and IPS systems? (Choose two.)
A. A network administrator entering a wrong password would generate a true-negative alarm.
B. A false positive alarm is generated when an IDS/IPS signature is correctly identified.
C. An IDS is significantly more advanced over IPS because of its ability to prevent network attacks.
D. Cisco IDS works inline and stops attacks before they enter the network.
E. Cisco IPS taps the network traffic and responds after an attack.
F. Profile-based intrusion detection is also known as "anomaly detection".
Answer: BF
Section: (none)
Explanation/Reference:

QUESTION 11
Which IOS command would display IPS default values that may not be displayed using the show running-config command?
A. show ip ips configuration
B. show ip ips interface
C. show ip ips statistics
D. show ip ips session
Answer: A
Section: (none)
Explanation/Reference:

QUESTION 12
Refer to the exhibit. What statement is true about the interface S1/0 on router R1?
A. Labeled packets can be sent over an interface.
B. MPLS Layer 2 negotiations have occurred.
C. IP label switching has been disabled on this interface.
D. None of the MPLS protocols have been configured on the interface.
Answer: D
Section: (none)
Explanation/Reference:

QUESTION 13
Which two statements about packet sniffers or packet sniffing are true? (Choose two.)
A. To reduce the risk of packet sniffing, traffic rate limiting and RFC 2827 filtering should be used.
B. Packet sniffers can only work in a switched Ethernet environment.
C. To reduce the risk of packet sniffing, cryptographic protocols such as Secure Shell Protocol (SSH) and Secure Sockets Layer (SSL) should be used.
D. To reduce the risk of packet sniffing, strong authentication, such as one time passwords, should be used.
Answer: CD
Section: (none)
Explanation/Reference:

QUESTION 14
Which two network attack statements are true? (Choose two.)
A. Access attacks can consist of password attacks, trust exploitation, port redirection, and man-in-the-middle attacks.
B. Access attacks can consist of UDP and TCP SYN flooding, ICMP echo-request floods, and ICMP directed broadcasts.
C. DoS attacks can be reduced through the use of access control configuration, encryption, and RFC 2827 filtering.
D. DoS attacks can consist of IP spoofing and DDoS attacks.
E. IP spoofing can be reduced through the use of policy-based routing.
F. IP spoofing exploits known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information.
Answer: AD
Section: (none)
Explanation/Reference:

QUESTION 15
Which three techniques should be used to secure management protocols? (Choose three.)
A. Configure SNMP with only read-only community strings.
B. Encrypt TFTP and syslog traffic in an IPSec tunnel.
C. Implement RFC 3704 filtering at the perimeter router when allowing syslog access from devices on the outside of a firewall.
D. Synchronize the NTP master clock with an Internet atomic clock.
E. Use SNMP version 2.
F. Use TFTP version 3 or above because these versions support a cryptographic authentication mechanism between peers.
Answer: ABC
Section: (none)
Explanation/Reference:

QUESTION 16
Refer to the exhibit. Which three tasks can be configured using the IPS Policies wizard via the Cisco Security Device Manager (SDM)? (Choose three.)
A. the configuration of an IP address and the enabling of the interface
B. the selection of the encapsulation on the WAN interfaces
C. the selection of the interface to apply the IPS rule
D. the selection of the traffic flow direction that should be inspected by the IPS rules
E. the creation of the signature definition file (SDF) to be used by the router
F. the location of the signature definition file (SDF) to be used by the router
Answer: CD
Section: (none)
Explanation/Reference:

QUESTION 17
Which two statements about the AutoSecure feature are true? (Choose two.)
A. AutoSecure automatically disables the CDP feature.
B. If you enable AutoSecure, the minimum length of the login and enable passwords is set to 6 characters.
C. The auto secure full command automatically configures the management and forwarding planes without any user interaction.
D. To enable AutoSecure, the auto secure global configuration command must be used.
E. Once AutoSecure has been configured, the user can launch the SDM Web interface to perform a security audit.
Answer: AB
Section: (none)
Explanation/Reference:

QUESTION 18
Refer to the exhibit. Which two statements about the Network Time Protocol (NTP) are true? (Choose two.)
A. Router RTA will adjust for eastern daylight savings time.
B. To enable authentication, the ntp authenticate command is required on routers RTA and RTB.
C. To enable NTP, the ntp master command must be configured on routers RTA and RTB.
D. Only NTP time requests are allowed from the host with IP address 10.1.1.1.
E. The preferred time source located at 130.207.244.240 will be used for synchronization regardless of the other time sources.
Answer: AB
Section: (none)
Explanation/Reference:

QUESTION 19
Refer to the exhibit. All routers participate in the MPLS domain. An IGP propagates the routing information for network 10.10.10.0/24 from R5 to R1. However, router R3 summarizes the routing information to 10.10.0.0/16. How will the routes be propagated through the MPLS domain?
A. R3, using LDP, will advertise labels for both networks, and the information will be propagated throughout the MPLS domain.
B. R3 will label the summary route using a pop label. The route will then be propagated through the rest of the MPLS domain. R3 will label the 10.10.10.0/24 network and forward to R2 where the network will be dropped.
C. R3 will label the 10.10.10.0/24 network using a pop label which will be propagated through the rest of the MPLS domain. R3 will label the summary route and forward to R2 where the network will be dropped.
D. None of the networks will be labeled and propagated through the MPLS domain because aggregation breaks the MPLS domain.
Answer: B
Section: (none)
Explanation/Reference:

QUESTION 20
Refer to the exhibit, which shows a PPPoA diagram and partial SOHO77 configuration. Which command needs to be applied to the SOHO77 to complete the configuration?
A. encapsulation aal5snap applied to the PVC
B. encapsulation aal5ciscoppp applied to the PVC
C. encapsulation aal5ciscoppp applied to the ATM0 interface
D. encapsulation aal5mux ppp dialer applied to the ATM0 interface
E. encapsulation aal5mux ppp dialer applied to the PVC
Answer: E
Section: (none)
Explanation/Reference:

QUESTION 21
Which three statements about frame-mode MPLS are true? (Choose three.)
A. MPLS has three distinct components consisting of the data plane, the forwarding plane, and the control plane.
B. The control plane is a simple label-based forwarding engine that is independent of the type of routing protocol or label exchange protocol.
C. The CEF FIB table contains information about outgoing interfaces and their corresponding Layer 2 header.
D. The MPLS data plane takes care of forwarding based on either destination addresses or labels.
E. To exchange labels, the control plane requires protocols such as Tag Distribution Protocol (TDP) or MPLS Label Distribution Protocol (LDP).
F. Whenever a router receives a packet that should be CEF-switched, but the destination is not in the FIB, the packet is dropped.
Answer: DEF
Section: (none)
Explanation/Reference:

QUESTION 22
Which three statements about IOS Firewall configurations are true? (Choose three.)
A. The IP inspection rule can be applied in the inbound direction on the secured interface.
B. The IP inspection rule can be applied in the outbound direction on the unsecured interface.
C. The ACL applied in the outbound direction on the unsecured interface should be an extended ACL.
D. The ACL applied in the inbound direction on the unsecured interface should be an extended ACL.
E. For temporary openings to be created dynamically by Cisco IOS Firewall, the access-list for the returning traffic must be a standard ACL.
F. For temporary openings to be created dynamically by Cisco IOS Firewall, the IP inspection rule must be applied to the secured interface.
Answer: ABD
Section: (none)
Explanation/Reference:

QUESTION 23
What are three features of the Cisco IOS Firewall feature set? (Choose three.)
A. network-based application recognition (NBAR)
B. authentication proxy
C. stateful packet filtering
D. AAA services
E. proxy server
F. IPS
Answer: BCF
Section: (none)
Explanation/Reference:

QUESTION 24
Which statement describes the Authentication Proxy feature?
A. All traffic is permitted from the inbound to the outbound interface upon successful authentication of the user.
B. A specific access profile is retrieved from a TACACS+ or RADIUS server and applied to an IOS Firewall based on user provided credentials.
C. Prior to responding to a proxy ARP, the router will prompt the user for a login and password which are authenticated based on the configured AAA policy.
D. The proxy server capabilities of the IOS Firewall are enabled upon successful authentication of the user.
Answer: B
Section: (none)
Explanation/Reference:

QUESTION 25
Which two statements about an IDS are true? (Choose two.)
A. The IDS is in the traffic path.
B. The IDS can send TCP resets to the source device.
C. The IDS can send TCP resets to the destination device.
D. The IDS listens promiscuously to all traffic on the network.
E. Default operation is for the IDS to discard malicious traffic.
Answer: BD
Section: (none)
Explanation/Reference:

QUESTION 26
Which statement about an IPS is true?
A. The IPS is in the traffic path.
B. Only one active interface is required.
C. Full benefit of an IPS will not be realized unless deployed in conjunction with an IDS.
D. When malicious traffic is detected, the IPS will only send an alert to a management station.
Answer: A
Section: (none)
Explanation/Reference:

QUESTION 27
Which three categories of signatures can a Cisco IPS microengine identify? (Choose three.)
A. DDoS signatures
B. strong signatures
C. exploit signatures
D. numeric signatures
E. spoofing signatures
F. connection signatures
Answer: ACF
Section: (none)
Explanation/Reference:

QUESTION 28
Which two statements are true about signatures in a Cisco IOS IPS? (Choose two.)
A. The action of a signature can be enabled on a per-TCP-session basis.
B. Common signatures are hard-coded into the IOS image.
C. IOS IPS signatures are propagated with the SDEE protocol.
D. IOS IPS signatures are stored in the startup config of the router.
E. Selection of an SDF file should be based on the amount of RAM memory available on the router.
Answer: BE
Section: (none)
Explanation/Reference:

QUESTION 29
Which two active response capabilities can be configured on an intrusion detection system (IDS) in response to malicious traffic detection? (Choose two.)
A. the initiation of dynamic access lists on the IDS to prevent further malicious traffic
B. the configuration of network devices to prevent malicious traffic from passing through
C. the shutdown of ports on intermediary devices
D. the transmission of a TCP reset to the offending end host
E. the invoking of SNMP-sourced controls
Answer: BD
Section: (none)
Explanation/Reference:

QUESTION 30
What two proactive preventive actions are taken by an intrusion prevention system (IPS) when malicious traffic is detected? (Choose two.)
A. The IPS shuts down intermediary ports.
B. The IPS invokes SNMP-enabled controls.
C. The IPS sends an alert to the management station.
D. The IPS enables a dynamic access list.
E. The IPS denies malicious traffic.
Answer: CE
Section: (none)
Explanation/Reference:

QUESTION 31
Refer to the exhibit. What is the VPN IPv4 label for the network 172.16.13.0/24?
A. 17
B. 17, 12308
C. 12308
D. 11
Answer: C
Section: (none)
Explanation/Reference:

QUESTION 32
Refer to the exhibit. What does the "26" in the first two hop outputs indicate?
A. the outer label used to determine the next hop
B. the IPv4 label for the destination network
C. the IPv4 label for the forwarding router
D. the IPv4 label for the destination router
Answer: B
Section: (none)
Explanation/Reference:

QUESTION 33
Refer to the exhibit. Which statement is true about the partial MPLS configuration that is shown?
A. The route-target both 100:2 command sets import and export route-targets for vrf2.
B. The route-target both 100:2 command changes a VPNv4 route to an IPv4 route.
C. The route-target import 100:1 command sets import route-targets routes specified by the route map.
D. The route-target import 100:1 command sets import route-targets for vrf2 that override the other route-target configuration.
Answer: A
Section: (none)
Explanation/Reference:

QUESTION 34
What are three configurable parameters when editing signatures in Security Device Manager (SDM)? (Choose three.)
A. AlarmSeverity
B. AlarmKeepalive
C. AlarmTraits
D. EventMedia
E. EventAlarm
F. EventAction
Answer: ACF
Section: (none)
Explanation/Reference:

QUESTION 35
Refer to the exhibit. Which two statements are true about the authentication method used to authenticate users who want privileged access into Router1? (Choose two.)
A. All users will be authenticated using the RADIUS server. If the RADIUS server is unavailable, the router will attempt to authenticate the user using its local database.
B. All users will be authenticated using the RADIUS server. If the RADIUS server is unavailable, the authentication process stops and no other authentication method is attempted.
C. All users will be authenticated using the RADIUS server. If the user authentication fails, the router will attempt to authenticate the user using its local database.
D. All users will be authenticated using the RADIUS server. If the user authentication fails, the authentication process stops and no other authentication method is attempted.
E. The default login authentication method is applied automatically to all lines including console, auxiliary, TTY, and VTY lines.
Answer: AD
Section: (none)
Explanation/Reference:

QUESTION 36
Refer to the exhibit. Which statement about the authentication process is true?
A. The LIST1 list will disable authentication on the console port.
B. Because no method list is specified, the LIST1 list will not authenticate anyone on the console port.
C. All login requests will be authenticated using the group tacacs+ method.
D. All login requests will be authenticated using the local database method.
E. The default login authentication will automatically be applied to all login connections.
Answer: A
Section: (none)
Explanation/Reference:

QUESTION 37
Refer to the exhibit. Which statement is true?
A. A PPPoE session is established.
B. A PPPoE session is rejected because of the per-MAC session limit.
C. The MAC address of the remote router is 0001.c9f0.0c1c.
D. The CPE router is configured as a PPPoE client over an Ethernet interface.
Answer: A
Section: (none)
Explanation/Reference:

QUESTION 38
Refer to the exhibit. On the basis of the information that is provided, which two statements are true? (Choose two.)
A. An IPS policy can be edited by choosing the Edit button.
B. Right-clicking on an interface will display a shortcut menu with options to edit an action or to set severity levels.
C. The Edit IPS window is currently in Global Settings view.
D. The Edit IPS window is currently in IPS Policies view.
E. The Edit IPS window is currently in Signatures view.
F. To enable an IPS policy on an interface, click on the interface and deselect Disable.
Answer: AD
Section: (none)
Explanation/Reference:

QUESTION 39
Refer to the exhibit. The SDM IPS Policies wizard is displaying the Select Interfaces window. Which procedure is best for applying IPS rules to interfaces?
A. Apply the IPS rules in the outbound direction on interfaces where outgoing malicious traffic is likely.
B. Apply the IPS rules in the outbound direction on interfaces where incoming malicious traffic is likely.
C. Apply the IPS rules in the inbound direction on interfaces where incoming malicious traffic is likely.
D. Apply the rules in the inbound direction on interfaces where outgoing malicious traffic is likely.
E. Apply the IPS rules both in the inbound and outbound direction on all interfaces.
Answer: C
Section: (none)
Explanation/Reference:

QUESTION 40
Refer to the exhibit. Which statement describes the results of clicking the OK button in the Security Device Manager (SDM) Add a Signature Location window?
A. SDM will respond with a message asking for the URL that points to the 256MB.sdf file.
B. Cisco IOS IPS will choose to load the 256MB.sdf only if the Built-in Signatures (as backup) check box is unchecked.
C. If Cisco IOS IPS fails to load the 256MB.sdf, it will load the built-in signatures provided the Built-in Signatures (as backup) check box is checked.
D. Cisco IOS IPS will choose to load the 256MB.sdf and then also add the Cisco IOS built-in signatures.
E. SDM will respond with an error that indicates that no such file exists.
Answer: C
Section: (none)
Explanation/Reference:

QUESTION 41
Refer to the exhibit. Which statement best describes Security Device Event Exchange (SDEE)?
A. It is an application level communications protocol that is used to exchange IPS messages between IPS clients and servers.
B. It is a process for ensuring IPS communication between the SDM-enabled devices.
C. It is a suite of protocols for ensuring IPS communication between the SDM-enabled devices.
D. It is an OSI level-7 protocol, and it is used to exchange IPS messages between IPS agents.
E. The primary purpose of SDEE is for SDM users to send messages to IPS agents.
Answer: A
Section: (none)
Explanation/Reference:

QUESTION 42
Refer to the exhibit. When editing the Invalid DHCP Packet signature using security device manager (SDM), which additional severity levels can be chosen? (Choose three.)
A. low
B. urgent
C. high
D. debug
E. informational
F. warning
Answer: ACE
Section: (none)
Explanation/Reference:

QUESTION 43
Which three statements about hybrid fiber-coaxial (HFC) networks are true? (Choose three.)
A. A tap produces a significantly larger output signal.
B. An amplifier divides the input RF signal power to provide subscriber drop connections.
C. Baseband sends multiple pieces of data simultaneously to increase the effective rate of transmission.
D. Downstream is the direction of an RF signal transmission (TV channels and data) from the source (headend) to the destination (subscribers).
E. The term CATV refers to residential cable systems.
F. Upstream is the direction from subscribers to the headend.
Answer: DEF
Section: (none)
Explanation/Reference:

QUESTION 44
Which two statements about the transmission of signals over a cable network are true? (Choose two.)
A. Downstream signals travel from the cable operator to the subscriber and use frequencies in the range of 5 to 42 MHz.
B. Downstream signals travel from the cable operator to the subscriber and use frequencies in the range of 50 to 860 MHz.
C. Downstream and upstream signals operate in the same frequency ranges.
D. Upstream signals travel from the subscriber to the cable operator and use frequencies in the range of 5 to 42 MHz.
E. Upstream signals travel from the subscriber to the cable operator and use frequencies in the range of 50 to 860 MHz.
Answer: BD
Section: (none)
Explanation/Reference:

QUESTION 45
Refer to the exhibit. On the basis of the partial output that is displayed in the exhibit, which two statements are true? (Choose two.)
A. The ISP router initiated the connection to the CPE router.
B. The output is the result of the debug pppoe events command.
C. The output is the result of the debug ppp authentication command.
D. The output is the result of the debug ppp negotiation command.
E. This is the CPE router.
F. This is the ISP router.
Answer: CE
Section: (none)
Explanation/Reference:

QUESTION 46
Refer to the exhibit. On the basis of the presented information, which configuration was completed on the router CPE?
A. CPE(config)# ip nat inside source list 101 interface Dialer0
   CPE(config)# access-list 101 permit ip 10.0.0.0 0.255.255.255 any
B. CPE(config)# ip nat inside source list 101 interface Dialer0 overload
   CPE(config)# access-list 101 permit ip 10.0.0.0 0.255.255.255 any
C. CPE(config)# ip nat inside source list 101 interface Ethernet 0/0
   CPE(config)# access-list 101 permit ip 10.0.0.0 0.255.255.255 any
D. CPE(config)# ip nat inside source list 101 interface Ethernet 0/0 overload
   CPE(config)# access-list 101 permit ip 10.0.0.0 0.255.255.255 any
E. CPE(config)# ip nat inside source list 101 interface Ethernet 0/1
   CPE(config)# access-list 101 permit ip 10.0.0.0 0.255.255.255 any
F. CPE(config)# ip nat inside source list 101 interface Ethernet 0/1 overload
   CPE(config)# access-list 101 permit ip 10.0.0.0 0.255.255.255 any
Answer: B
Section: (none)
Explanation/Reference:

QUESTION 47
An administrator is troubleshooting an ADSL connection. For which OSI layer is the ping atm interface command useful for probing problems?
A. Layer 1
B. Layer 2
C. Layer 3
D. Layer 4
Answer: B
Section: (none)
Explanation/Reference:

QUESTION 48
Which two devices serve as the main endpoint components in a DSL data service network? (Choose two.)
A. SOHO workstation
B. ATU-R
C. ATU-C
D. POTS splitter
E. CO switch
Answer: BC
Section: (none)
Explanation/Reference:

QUESTION 49
Which IOS command will display IPS default values that may not be displayed using the show running-config command?
A. show ip ips session
B. show ip ips interface
C. show ip ips statistics
D. show ip ips configuration
E. show ip ips running-config
Answer: D
Section: (none)
Explanation/Reference:

QUESTION 50
Refer to the exhibit. Which of the configuration tasks would allow you to quickly deploy default signatures?
A. firewall and ACLs
B. security audit
C. routing
D. NAT
E. intrusion prevention
F. NAC
Answer: E
Section: (none)
Explanation/Reference:

QUESTION 51
What are two possible actions Cisco IOS IPS can take if a packet in a session matches a signature? (Choose two.)
A. drop the packet
B. forward the packet
C. quartile the packet
D. reset the connection
E. check the packet against an ACL
Answer: AD
Section: (none)
Explanation/Reference:

QUESTION 52
A router interface is configured with an inbound access control list and an inspection rule. How will an inbound packet on this interface be processed?
A. It will be processed by the inbound ACL. If the packet is dropped by the ACL, then it will be processed by the inspection rule.
B. It will be processed by the inbound ACL. If the packet is not dropped by the ACL, then it will be processed by the inspection rule.
C. It will be processed by the inspection rule. If the packet matches the inspection rule, the inbound ACL will be invoked.
D. It will be processed by the inspection rule. If the packet does not match the inspection rule, the inbound ACL will be invoked.
Answer: B
Section: (none)
Explanation/Reference:

QUESTION 53
Which two statements are true about the Cisco Classic (CBAC) IOS Firewall set? (Choose two.)
A. It can be used to block bulk encryption attacks.
B. It can be used to protect against denial of service attacks.
C. Traffic originating from the router is considered trusted, so it is not inspected.
D. Based upon the custom firewall rules, an ACL entry is statically created and added to the existing ACL permanently.
E. Temporary ACL entries that allow selected traffic to pass are created and persist for the duration of the communication session.
Answer: BE

QUESTION 54
Which command displays the settings used by the current IPsec security associations?
A. debug crypto isakmp sa
B. show crypto isakmp sa
C. show crypto isakmp key
D. show crypto ipsec sa
Answer: D

QUESTION 55
Which two statements about management protocols are true? (Choose two.)
A. IGMP should be enabled on edge interfaces to allow remote testing.
B. NTP version 3 or later should be used because these versions support the use of a cryptographic authentication mechanism between peers.
C. SNMP version 3 is recommended since it provides authentication and encryption services for management packets.
D. NTP version 3 or later should be used because these versions support the use of a RADIUS-based authentication mechanism between peers.
E. SNMP version 3 is recommended since it provides a RADIUS-based authentication mechanism between peers.
Answer: BC

QUESTION 56
Which two statements about packet sniffers or packet sniffing are true? (Choose two.)
A. Packet sniffers can only work in a switched Ethernet environment.
B. To reduce the risk of packet sniffing, traffic rate limitation and RFC 2827 filtering should be used.
C. To reduce the risk of packet sniffing, cryptographic protocols such as SSH and SSL should be used.
D. To reduce the risk of packet sniffing, strong authentication, such as one-time passwords, should be used.
Answer: CD

QUESTION 57
Refer to the exhibit. Based on this partial configuration, which two statements are true? (Choose two.)
A. You can log into the console using either the "cisco" or "sanfran" password.
B. The local parameter is missing at the end of each aaa authentication LOCAL-AUTH command.
C. The aaa authentication default command should be issued for each line instead of the login authentication LOCAL_AUTH command.
D. This is an example of a self-contained AAA configuration using the local database.
E. To make the configuration more secure, the none parameter should be added to the end of the aaa authentication login LOCAL_AUTH local command.
F. To successfully establish a Telnet session with RTA, a user can enter the username Bob and password cisco.
Answer: DF

QUESTION 58
Refer to the exhibit. Routers RTB and RTC have established LDP neighbor sessions. During troubleshooting, you discovered that labels are being distributed between the two routers but no label swapping information is in the LFIB. What is the most likely cause of this problem?
A. The IGP is summarizing the address space.
B. IP Cisco Express Forwarding has not been enabled on both RTB and RTC.
C. BGP neighbor sessions have not been configured on both routers.
D. LDP has been enabled on one router and TDP has been enabled on the other.
Answer: B

QUESTION 59
Refer to the exhibit. A PPPoA DSL diagram and partial configuration are shown. You would like to allow the router to automatically receive its IP address from the service provider's DSLAM. Which configuration statement or statements do you need to add to SOHO77, and to which interface or interfaces?
A. ip nat outside applied to the ATM0 interface
B. ip address negotiated applied to the dialer0 interface
C. ip address negotiated applied to the ATM0/0 interface
D. ip address 0.0.0.0 255.255.255.255 applied to the dialer0 interface and ip nat outside applied to the ATM0/0 interface
E. ip address 0.0.0.0 255.255.255.255 applied to the ATM0/0 interface and ip nat outside applied to the dialer0 interface
Answer: B

QUESTION 60
Refer to the exhibit.
The DSL router with this partial configuration is connected to a service provider using a PPPoE session over an ATM interface. FTP traffic, generated from inside the network 10.92.1.0/24, fails to reach the PPPoE server. What should be configured on the DSL Router to fix the problem?
A. The ip mtu command with a bytes argument set greater than 1492 needs to be configured for the Dialer1 interface.
B. The ip mtu command with a bytes argument set lower than 1492 needs to be configured for the Dialer1 interface.
C. The ip mtu command with a bytes argument set greater than 1492 needs to be configured for the ATM0 interface.
D. The ip mtu command with a bytes argument set lower than 1492 needs to be configured for the ATM0 interface.
Answer: B

QUESTION 61
Refer to the exhibit. The show mpls interfaces detail command has been used to display information about the interfaces on MPLS edge router R1 that have been configured for label switching. Which statement about R1 is true?
A. MPLS is not operating on Fa1/0, because the MTU size has exceeded the 1500 limit of Ethernet.
B. The router has established a TDP session with its neighbor on Fa0/1. Packets can be labeled and forwarded out that interface.
C. LSP tunnel labeling has not been enabled on either interface Fa0/0 or Fa1/1, therefore MPLS is not operating on Fa0/1.
D. The router has established an LDP session with its neighbor on Fa1/1. However, packets cannot be forwarded out that interface because MPLS is not operational.
Answer: B

QUESTION 62
Refer to the exhibit. Which statement about this Cisco IOS Firewall configuration is true?
A. Outbound TCP sessions are blocked, preventing inside users from browsing the Internet.
B. INSIDEACL permits outbound HTTP sessions; INSIDEACL is applied to the outside interface in the inbound direction.
C. OUTSIDEACL permits inbound SMTP and HTTP; OUTSIDEACL is applied to the inside interface in the outbound direction.
D. ICMP unreachable "packet-too-big" messages are rejected on all interfaces to prevent DDoS attacks.
E. The TCP inspection will automatically allow return traffic for the outbound HTTP sessions and inbound SMTP and HTTP sessions.
Answer: E

QUESTION 63
What is an MPLS forwarding equivalence class?
A. a set of destination networks forwarded from the same ingress router
B. a set of destination networks forwarded to the same egress router
C. a set of source networks forwarded from the same ingress router
D. a set of source networks forwarded to the same egress router
Answer: B

QUESTION 64
Which approach for identifying malicious traffic involves looking for a fixed sequence of bytes in a single packet or in predefined content?
A. policy-based
B. anomaly-based
C. honeypot-based
D. signature-based
E. regular-expression-based
Answer: D

QUESTION 65
Which Cisco SDM feature expedites the deployment of the default IPS settings and provides configuration steps for interface and traffic flow selection, SDF location, and signature deployment?
A. IPS Edit menu
B. IPS Command wizard
C. IPS Policies wizard
D. IPS Signature wizard
Answer: C

QUESTION 66
For what purpose does Cisco SDM use Security Device Event Exchange?
A. to extract relevant SNMP information
B. to pull event logs from the router
C. to perform application-level accounting
D. to provide a keepalive mechanism
E. to allow SNMP to generate traps
Answer: B

QUESTION 67
In an MPLS VPN implementation, how are overlapping customer prefixes propagated?
A. A unique route target is attached to each customer routing update.
B. Separate BGP sessions are established between each pair of customer edge LSRs.
C. Each customer is given a unique set of edge LSPs.
D. A route distinguisher is attached to each customer prefix.
E. Each customer is given a unique IGP instance.
Answer: D

QUESTION 68
Which two techniques should be used to secure management protocols? (Choose two.)
A. Use SNMP version 2.
B. Encrypt TFTP and syslog traffic in an IPsec tunnel.
C. Configure SNMP exclusively with read-only community strings.
D. Synchronize the NTP master clock with an Internet atomic clock.
E. Use TFTP version 3 or later, because these versions support the use of a cryptographic authentication mechanism between peers.
Answer: BC

QUESTION 69
Refer to the exhibit. A network administrator wishes to mitigate network threats. Given this purpose, which two statements about the Cisco IOS Firewall configuration that is revealed by the output are true? (Choose two.)
A. The ip inspect FIREWALL_ACL out command must be applied on Fa0/0 interface.
B. The ip inspect FIREWALL_ACL out command must be applied on Fa0/1 interface.
C. The ip access-group FIREWALL_ACL in command must be applied on Fa0/0 interface.
D. The ip access-group FIREWALL_ACL in command must be applied on Fa0/1 interface.
E. The configuration excerpt is an example of a CBAC list.
F. The configuration excerpt is an example of a reflexive ACL.
Answer: BE

QUESTION 70
In an MPLS VPN implementation, how are overlapping customer prefixes propagated?
A. A separate instance of the core IGP is used for each customer.
B. Separate BGP sessions are established between each customer edge LSR.
C. Because customers have their own unique LSPs, address space is kept separate.
D. A route distinguisher is attached to each customer prefix.
E. Because customers have their own interfaces, distributed CEFs keep the forwarding tables separate.
Answer: D

QUESTION 71
Which two statements are true about the Data-over-Cable Service Interface Specifications? (Choose two.)
A. DOCSIS is an international standard developed by CableLabs.
B. DOCSIS defines cable operations at Layer 1, Layer 2, and Layer 3 of the OSI model.
C. Cable operators employ DOCSIS to provide cable access over their existing IP infrastructures.
D. DOCSIS defines a set of frequency allocation bands that are common to both U.S. and European cable systems.
E. Compliance with DOCSIS has been mandated by the major governmental regulatory agencies in both the U.S. and Europe.
F. Euro-DOCSIS requires the European cable channels to conform to PAL-based standards, whereas DOCSIS requires the North American cable channels to conform to the NTSC standard.
Answer: AF

QUESTION 72
Refer to the exhibit. Which of these statements is true?
A. The router failed to train or successfully initialize because of a Layer 1 issue.
B. The router cannot activate the line because of a Layer 2 authentication issue.
C. The router failed to train or successfully initialize because of a PPP negotiation issue.
D. The router cannot activate the line because the ISP has not provided the requested IP address.
Answer: A

QUESTION 73
Refer to the exhibit. Which of these statements correctly identifies why the PPPoE client session has not been established successfully?
A. The PPP LCP phase has failed because of excessive link noise.
B. The PPP authentication phase has failed at the CPE.
C. The PPP NCP phase has failed because the local router cannot successfully initialize the DSLAM.
D. The PPP LCP phase has failed because the correct DSL operating mode (DSL modulation) is not configured on the CPE router.
Answer: B

QUESTION 74
Refer to the exhibit. What information can be derived from this show ip cef command output?
A. This router will use a label of "21" to reach the destination network of 150.1.12.16.
B. This router will use a PHP label to reach the destination network of 150.1.12.16.
C. This router will advertise a label of "19" for the destination network of 150.1.12.16.
D. This router will advertise a label of "21" for the destination network of 150.1.12.16.
Answer: D

QUESTION 75
Refer to the exhibit. Why does the third hop only have one label?
A. MPLS is not enabled on that link, so only the VPN label is needed.
B. MPLS is not enabled on that link, so only the LSP label is needed.
C. That link is directly connected to the customer, so only the VPN label is needed.
D. That link is directly connected to the customer, so only the LSP label is needed.
E. The PHP process on that link has removed the LSP label, leaving only the VPN label.
F. The PHP process on that link has removed the VPN label, leaving only the LSP label.
Answer: E

QUESTION 76
If you disable Cisco Express Forwarding on a P router in an MPLS network, what will the router do?
A. stop forwarding all traffic
B. stop advertising MPLS labels
C. start forwarding MPLS packets using process switching
D. start advertising all destination networks with an implicit null label value
E. start stripping the MPLS labels off of packets and forwarding them using the destination IP addresses
Answer: B

QUESTION 77
Refer to the exhibit. Host 1 cannot ping Server 1. In the course of troubleshooting, you have eliminated all network issues. Based upon the partial configuration shown, what is the issue?
A. No routing protocol is running on R 1 and R 2.
B. An encryption algorithm has been configured on R 1 and R 2.
C. The tunnel destinations on R 1 and R 2 are not on the same subnet.
D. R 1 has the wrong tunnel source configured under the tunnel interface.
E. R 2 has the wrong tunnel source configured under the tunnel interface.
F. The tunnel numbers (interface tunnel 0 and interface tunnel 1) on R 1 and R 2 do not match.
Answer: D

QUESTION 78
Refer to the exhibit. Host 1 cannot ping Server 1. In the course of troubleshooting, you have eliminated all network issues. Based upon the partial configuration shown, what is the issue?
A. No routing protocol is running on R 1 and R 2.
B. An encryption algorithm has been configured on R 1 and R 2.
C. The tunnel destinations on R 1 and R 2 are not on the same subnet.
D. R 1 has the wrong tunnel source configured under the tunnel interface.
E. R 2 has the wrong tunnel source configured under the tunnel interface.
F. The tunnel numbers (interface tunnel 0 and interface tunnel 1) on R 1 and R 2 do not match.
Answer: E

QUESTION 79
Refer to the exhibit. What type of high-availability option is being implemented?
A. IPsec stateful failover
B. IPsec dead peer detection
C. Hot Standby Router Protocol
D. GRE's Keepalive Mechanism
E. backing up a WAN connection with an IPsec VPN
Answer: E

QUESTION 80
Which two of these would be classified as reconnaissance attacks? (Choose two.)
A. port scans
B. ping sweeps
C. port redirection
D. trust exploitation
E. denial of service attacks
F. man-in-the-middle attacks
Answer: AB

QUESTION 81
Which three of these would be classified as access attacks? (Choose three.)
A. port scans
B. ping sweeps
C. port redirection
D. trust exploitation
E. denial of service attacks
F. man-in-the-middle attacks
Answer: CDF

QUESTION 82
Refer to the exhibit. The ACL in this configuration is used to mitigate which of these?
A. DOS smurf attacks
B. ICMP message attacks
C. TCP SYN DOS attacks
D. IP address spoofing attacks
E. traceroute message attacks
Answer: D

QUESTION 83
Refer to the exhibit. Which type of attack does the ACL prevent the internal user from successfully launching?
A. DOS smurf attack
B. ICMP message attack
C. TCP SYN DOS attacks
D. IP address spoofing attack
E. traceroute message attacks
Answer: D

QUESTION 84
If you want to authenticate the NTP associations with other systems for security purposes, which key type algorithm or algorithms are supported?
A. MD5 only
B. MD7 only
C. plain text only
D. MD5 and MD7
E. plain text and MD5
F. plain text and MD7
Answer: A

QUESTION 85
Which three of these are required before you can configure your routers for SSH server operations? (Choose three.)
A. each of the target routers has a unique hostname
B. each of the target routers is configured to enable secret passwords
C. a user is defined in either the local database or on a remote AAA server
D. each of the target routers has a password configured on the VTY interface
E. each of the target routers is using the correct domain name of your network
Answer: ACE

QUESTION 86
Which two actions can a Cisco IOS Firewall take when the threshold for the number of half-opened TCP sessions is exceeded? (Choose two.)
A. It can send a reset message to the endpoints of the oldest half-opened session.
B. It can send a reset message to the endpoints of the newest half-opened session.
C. It can send a reset message to the endpoints of a random half-opened session.
D. It can block all EST packets temporarily for the duration configured by the threshold value.
E. It can block all SYN packets temporarily for the duration configured by the threshold value.
F. It can block all reset packets temporarily for the duration configured by the threshold value.
Answer: AE

QUESTION 87
Refer to the exhibit. In this firewall implementation, inside users should be permitted to browse the Internet. However, users have indicated that all attempts fail. As a result of troubleshooting, you have determined that the issue is related to the firewall implementation. What corrective action should you take?
A. Add the global command line ip inspect name INSIDE www.
B. Add the global command line ip inspect name OUTSIDE www.
C. Add the ACL command line permit tcp any any eq 80 to INSIDEACL.
D. Add the ACL command line permit tcp any any eq 80 to OUTSIDEACL.
E. Change the access group on Fa0/0 from the inbound direction to the outbound direction.
F. Change the access group on Fa0/1 from the inbound direction to the outbound direction.
Answer: C

QUESTION 88
Refer to the exhibit.
In this firewall implementation, outside clients should be allowed to communicate with the SMTP server (200.1.2.1) located in the enterprise DMZ. However, users have indicated that all attempts fail. As a result of troubleshooting, you have determined that the issue is related to the firewall implementation. What corrective action should you take?
A. Add the global command line ip inspect name INSIDE smtp.
B. Add the global command line ip inspect name OUTSIDE smtp.
C. Add the ACL command line permit tcp any host 200.1.2.1 eq 25 to DMZACL.
D. Add the ACL command line permit tcp any host 200.1.2.1 eq 25 to OUTSIDEACL.
E. Change the access group on Fa0/0 from the inbound direction to the outbound direction.
F. Change the access group on Fa0/2 from the inbound direction to the outbound direction.
Answer: D

QUESTION 89
Refer to the exhibit. FastEthernet0/0 has been assigned a network address of 200.0.1.2/24 and no ACL has been applied to that interface. Serial0/0/0 has been assigned a network address of 200.0.0.1/30. Assuming that there are no network-related problems, which ping will be successful?
A. from 200.0.0.1 to 200.0.0.2
B. from 200.0.0.2 to 200.0.0.1
C. from 200.0.0.2 to 200.0.1.1
D. from 200.0.0.2 to 200.0.1.2
E. from 200.0.1.1 to 200.0.0.2
F. from 200.0.1.2 to 200.0.0.2
Answer: A

QUESTION 90
Refer to the exhibit. FastEthernet0/0 has been assigned a network address of 200.0.1.2/24 and no ACL has been applied to the interface. Serial0/0/0 has been assigned a network address of 200.0.0.1/30. An inspection rule of ip inspect name OUTBOUND tcp has been applied to Serial 0/0/0. Assuming that there are no network-related issues, which of the following traffic will be successful? (Choose two.)
A. a ping from 200.0.1.1 to 200.0.0.2
B. a ping from 200.0.0.2 to 200.0.1.1
C. a ping from 200.0.0.1 to 200.0.0.2
D. a ping from 200.0.1.2 to 200.0.0.1
E. a Telnet from 200.0.1.1 to 200.0.0.2
F. a Telnet from 200.0.0.2 to 200.0.1.1
Answer: CE

QUESTION 91
Refer to the exhibit. Which three statements about this DMZ configuration are true? (Choose three.)
A. The device being enabled is a web server.
B. The device being enabled is an FTP server.
C. The device being enabled is located in the DMZ.
D. The device being enabled has been assigned an IP address of 192.168.0.2.
E. FTP-based packets with a destination of 192.168.0.2 will be allowed through the DMZ to the web server located on the untrusted network.
F. Web-based packets with a destination of 192.168.0.2 will be allowed through the DMZ to the web server located on the trusted network.
Answer: ACD

QUESTION 92
Which Security Device Manager (SDM) action is used to customize the intrusion prevention services (IPS) signature options? (Choose one.)
A. Click the Security Audit task.
B. Click the Launch IPS Rule Wizard button.
C. Click the Edit IPS tab.
D. Click the Firewall and ACL task.
Answer: C

QUESTION 93
Access-list 101 permit tcp any eq 20 10.2.1.0 0.0.0.255 gt 1023
What is the effect of the access list?
A. to permit FTP commands originating from hosts on the 10.2.1.0/24 network.
B. to permit FTP commands that are destined for the 10.2.1.0/24 network.
C. to permit initial packets from the FTP data sessions so that FTP clients in the 10.2.1.0/24 network can use FTP.
D. to permit initial packets from the FTP data sessions so that FTP clients can access servers in the 10.2.1.0/24 network.
Answer: C

QUESTION 94
Which two features can be implemented using the Cisco SDM Advanced Firewall wizard? (Choose two.)
A. DMZ support
B. custom rules
C. firewall signatures
D. application security
E. IP unicast reverse path forwarding
Answer: AB

QUESTION 95
What three classifications reflect the different approaches used to identify malicious traffic? (Choose three.)
A. platform based
B. signature based
C. policy based
D. regular-expression based
E. symbol based
F. anomaly based
Answer: BC

QUESTION 96
Which action can be taken by Cisco IOS IPS when a packet matches a signature pattern?
A. drop the packet
B. reset the UDP connection
C. block all traffic from the destination address for a specified amount of time
D. perform a reverse path verification to determine if the source of the malicious packet was spoofed
E. forward the malicious packet to a centralized NMS where further analysis can be taken
Answer: A

QUESTION 97
Which statement is true about an IPsec/GRE tunnel?
A. The GRE tunnel source and destination addresses are specified within the IPsec transform set.
B. An IPsec/GRE tunnel must use IPsec tunnel mode.
C. GRE encapsulation occurs before the IPsec encryption process.
D. Crypto map ACL is not needed to match which traffic will be protected.
Answer: C

QUESTION 98
During the Easy VPN Remote connection process, which phase involves pushing the IP address, DNS, and split tunnel attributes to the client?
A. mode configuration
B. the VPN client establishment of an ISAKMP SA
C. IPsec quick mode completion of the connection
D. VPN client initiation of the IKE phase 1 process
Answer: A

QUESTION 99
What should a security administrator who uses SDM consider when configuring the firewall on an interface that is used in a VPN connection?
A. The firewall must permit traffic going out of the local interface only.
B. The firewall must permit traffic to a VPN concentrator only.
C. The firewall must permit encrypted traffic between the local and remote VPN peers.
D. The firewall cannot be configured in conjunction with a VPN.
Answer: C

QUESTION 100
Refer to the exhibit. An IOS firewall has been configured to support skinny and H.323. Voice traffic is not passing through the firewall as expected. What needs to be corrected in this configuration?
A. Access list 100 needs to permit skinny and H.323.
B. Access list 101 needs to permit skinny and H.323.
C. The ip inspect Voice in command on interface FastEthernet 0/1 should be applied in the outbound direction.
D. The ip inspect Voice out command should be applied to interface FastEthernet 0/0.
Answer: C

QUESTION 101
Refer to the exhibit. Which Cisco SDM feature is illustrated?
A. ACL Editor
B. Easy VPN Wizard
C. Security Audit
D. Site-to-Site VPN
E. Inspection Rules
F. Reset to Factory Defaults
Answer: C

QUESTION 102
Which defined peer IP address and local subnet belong to Crete? (Choose two.)
A. peer address 192.168.55.159
B. peer address 192.168.77.120
C. peer address 192.168.167.85
D. subnet 10.5.15.0/24
E. subnet 10.8.28.0/24
F. subnet 10.5.33.0/24
Answer: AD

QUESTION 103
Which IPSec rule is used for the Olympia branch and what does it define? (Choose two.)
A. 102
B. 116
C. 127
D. IP traffic sourced from 10.10.10.0/24 destined to 10.5.15.0/24 will use the VPN.
E. IP traffic sourced from 10.10.10.0/24 destined to 10.8.28.0/24 will use the VPN.
F. IP traffic sourced from 10.10.10.0/24 destined to 10.5.33.0/24 will use the VPN.
Answer: BE

QUESTION 104
Which algorithm as defined by the transform set is used for providing data confidentiality when connected to Tyre?
A. ESP-3DES-SHA
B. ESP-3DES-SHA1
C. ESP-3DES-SHA2
D. ESP-3DES
E. ESP-SHA-HMAC
Answer: D

QUESTION 105
Which peer authentication method and which IPSec mode is used to connect to the branch locations? (Choose two.)
A. Digital Certificate
B. Pre-shared Key
C. Transport Mode
D. Tunnel Mode
E. GRE/IPSEC Transport Mode
F. GRE/IPSEC Tunnel Mode
Answer: BD

QUESTION 106
Drag and drop the Cisco IOS commands that would be used to configure the physical interface portion of a PPPoE client configuration.
Drag and Drop question, drag each item to its proper location.
Answer & Explanation: No more information available
Answer: A

QUESTION 107
Drag the correct statements about MPLS-based VPN on the left to the boxes on the right. (Not all statements will be used)
Answer & Explanation: No more information available
Answer: A

QUESTION 108
Drag the IPsec protocol description from the above to the correct protocol type on the below. (Not all descriptions will be used)
Drag and Drop question, drag each item to its proper location.
Answer & Explanation: No more information available
Answer: A

QUESTION 109
Drag and drop each management protocol on the above to the correct category on the below.
Answer & Explanation: No more information available
Answer: A

QUESTION 110
Drag and drop each function on the above to the hybrid fiber-coaxial architecture component that it describes on the below.
Answer & Explanation: No more information available
Answer: A

QUESTION 111
Drag the DSL technologies on the left to their maximum (down/up) data rate values on the below.
Answer & Explanation: No more information available
Answer: A

QUESTION 112
Drag the DSL local loop topic on the left to the correct descriptions on the right.
Answer & Explanation: No more information available
Answer: A

QUESTION 113
Drag the IOS commands from the left that would be used to implement a GRE tunnel using the 10.1.1.0.30 network on interface serial 0/0 to the correct target area on the right.
Answer & Explanation: No more information available
Answer: A

QUESTION 114
Identify the recommended steps for worm attack mitigation by dragging and dropping them into the target area in the correct order.
Answer & Explanation: No more information available
Answer: A

QUESTION 115
Drag and drop the xDSL type on the above to the appropriate xDSL description on the below.
Answer & Explanation: No more information available
Answer: A

QUESTION 116
Match the xDSL type on the above to the most appropriate implementation on the below.
Answer & Explanation: No more information available
Answer: A

QUESTION 117
Drag each element of the Cisco IOS Firewall Feature Set from the above and drop onto its description on the below.
Answer & Explanation: No more information available
Answer: A

QUESTION 118
Drag the protocols that are used to distribute MPLS labels from the above to the target area on the below. (Not all options will be used)
Answer & Explanation: No more information available
Answer: A

QUESTION 119
Drag and drop question. The upper gives the MPLS functions, the bottom describes the planes. Drag the above items to the proper location at the below.
A.
Answer: A
Section: (none)
Explanation/Reference:

QUESTION 120
Drag and drop question. The left gives some blank boxes for IPsec VPN, the right gives some IPsec VPN descriptions, drag the correct descriptions on the right to the left boxes.
A.
Answer: A
Section: (none)
Explanation/Reference:

QUESTION 121
Drag and drop question. The left gives some blank boxes for ADSL POTS splitter, the right gives some ADSL POTS splitter descriptions, drag the correct descriptions on the right to the left boxes.
A.
Answer: A
Section: (none)
Explanation/Reference:

QUESTION 122
Drag and drop question. Drag the ordered steps below to the correct DSL ATM interface configuration sequence above.
A.
Answer: A
Section: (none)
Explanation/Reference:

QUESTION 123
Drag and drop question. Drag the above Cisco IOS commands to the proper location to implement a two interface IOS firewall at the below.
A.
Answer: A
Section: (none)
Explanation/Reference:

QUESTION 124
Drag each description to the correct IPsec security feature.
A.
Answer: A
Section: (none)
Explanation/Reference:

QUESTION 125
Drag each type of attack on the left to the description on the left.
A.
Answer: A
Section: (none)
Explanation/Reference:

QUESTION 126
Drag the worm attack mitigation step on the left to the description on the right.
A.
Answer: A
Section: (none)
Explanation/Reference:

QUESTION 127
Drag and drop the Cisco IOS commands that would be used to configure the dialer interface portion of a PPPoE client implementation where the client is facing the internet and private IP addressing is used on the internal network.
A.
Answer: A
Section: (none)
Explanation/Reference:

QUESTION 128
certways is a small export company. This firm has an existing enterprise network that is made up exclusively of routers that are using EIGRP as the IGP. Its network is up and operating normally. As part of its network expansion, certways has decided to connect to the internet by a broadband cable ISP. Your task is to enable this connection by use of the information below.
Connection Encapsulation: PPP
Connection Type: PPPoE client
Connection Authentication: None
Connection MTU: 1492 bytes
Address: Dynamically assigned by the ISP
Outbound Interface: E0/0
You will know that the connection has been successfully enabled when you can ping the simulated Internet address of 172.16.1.1
Note: Routing to the ISP: Manually configured default route
PassGuide-R# show ip route
....
Gateway of last resort is not set
192.168.1.0/27 is subnetted, 7 subnets
C 192.168.1.0 is directly connected, Ethernet0/1
D 192.168.1.32 [90/307200] via 192.168.1.2, 00:02:16, Ethernet0/1
D 192.168.1.64 [90/307200] via 192.168.1.2, 00:02:17, Ethernet0/1
D 192.168.1.96 [90/307200] via 192.168.1.2, 00:02:17, Ethernet0/1
D 192.168.1.128 [90/307200] via 192.168.1.3, 00:02:17, Ethernet0/1
D 192.168.1.192 [90/307200] via 192.168.1.3, 00:02:17, Ethernet0/1
D 192.168.1.224 [90/307200] via 192.168.1.3, 00:02:17, Ethernet0/1
PassGuide-R# show run
....
no service password-encryption
!
hostname PassGuide-R
!
boot-start-marker
boot-end-marker
!
no aaa new-model
resource policy
clock timezone PST 0
ip subnet-zero
no ip dhcp use vrf connected
!
interface Ethernet0/0
 description link to cable modem
 no ip address
 shutdown
!
interface Ethernet0/1
 description link to corporate nework
 ip address 192.168.1.1 255.255.255.224
!
interface Ethernet0/2
 no ip address
!
interface Ethernet0/3
 no ip address
 shutdown
!
router eigrp 1
 network 192.168.1.0
 auto-summary
!
line con 0
line vty 0 15
end
Correct Answer
Configuration sequence:
A.
PassGuide-R(config)#int e0/0
PassGuide-R(config-if)#pppoe enable
PassGuide-R(config-if)#pppoe-client dial-pool-number 1
PassGuide-R(config-if)#no sh
PassGuide-R(config-if)#exit
PassGuide-R(config)#vpdn enable
PassGuide-R(config)#vpdn-group 1
PassGuide-R(config-vpdn)#request-dialin
PassGuide-R(config-vpdn-req-in)#protocol pppoe
PassGuide-R(config-vpdn-req-in)#exit
PassGuide-R(config-vpdn)#exit
PassGuide-R(config)#dialer-list 1 protocol ip permit
PassGuide-R(config)#int dialer 1
PassGuide-R(config-if)#encapsulation ppp
PassGuide-R(config-if)#ip address negotiated
PassGuide-R(config-if)#dialer pool 1
PassGuide-R(config-if)#dialer-group 1
PassGuide-R(config-if)#ip mtu 1492
PassGuide-R(config-if)#exit
Answer: A
Section: (none)
Explanation/Reference:

QUESTION 129
A.
PassGuide-R1> enable
PassGuide-R1# conf t
PassGuide-R1(config)#aaa new-model
PassGuide-R1(config)#username BDnet1 password Wer#1
PassGuide-R1(config)#tacacs-server host 10.6.6.254 key training
PassGuide-R1(config)#aaa authentication login default local
PassGuide-R1(config)#aaa authentication login vty group tacacs+
PassGuide-R1(config)#aaa authorization exec vty group tacacs+
PassGuide-R1(config)#line vty 0 4
PassGuide-R1(config)#authorization exec vty
PassGuide-R1(config)# login authentication vty
PassGuide-R1(config)#end
PassGuide-R1#copy run start
Test:
PassGuide-R2#ssh 10.2.1.1 -l cisco
Enter password: Cisco123
Answer: A
Section: (none)
Explanation/Reference:

QUESTION 130
A.
Answer: A
Section: (none)
Explanation/Reference:

QUESTION 131
Which statement is true about a worm attack?
A. Human interaction is required to facilitate the spread.
B. The worm executes arbitrary code and installs copies of itself in the memory of the infected computer.
C. Extremely large volumes of requests are sent over a network or over the Internet.
D. Data or commands are injected into an existing stream of data. That stream is passed between a client and server application.
Answer: B
Section: (none)
Explanation/Reference:

QUESTION 132
What are two steps that must be taken when mitigating a worm attack? (Choose two.)
A. Inoculate systems by applying update patches.
B. Limit traffic rate.
C. Apply authentication.
D. Quarantine infected machines.
E. Enable anti-spoof measures.
Answer: AD
Section: (none)
Explanation/Reference:

QUESTION 133
What is a recommended practice for secure configuration management?
A. Disable port scan.
B. Use SSH or SSL.
C. Deny echo replies on all edge routers.
D. Enable trust levels.
E. Use secure Telnet.
Answer: B
Section: (none)
Explanation/Reference:

QUESTION 134
Which statement is true about the management protocols?
A. TFTP data is sent encrypted.
B. Syslog data is sent encrypted between the server and device.
C. SNMP v1/v2 can be compromised because the community string information for authentication is sent in clear text.
D. NTP v.3 does not support a cryptographic authentication mechanism between peers.
Answer: C
Section: (none)
Explanation/Reference:

QUESTION 135
At what size should the MTU on LAN interfaces be set in the implementation of MPLS VPNs with traffic engineering?
A. 1512 bytes
B. 1516 bytes
C. 1520 bytes
D. 1524 bytes
E. 1528 bytes
F. 1532 bytes
Answer: A
Section: (none)
Explanation/Reference:

QUESTION 136
With MPLS, what is the function of the protocol ID (PID) in a Layer 2 header?
A. It specifies that the bottom-of-stack bit immediately follows.
B. It specifies that the payload starts with a label and is followed by an IP header.
C. It specifies that the receiving router use the top label only.
D. It specifies how many labels immediately follow.
Answer: B
Section: (none)
Explanation/Reference:

QUESTION 137
What phrase best describes a Handler in a distributed denial of service (DDoS) attack?
A. person who launches the attack
B. host that generates a stream of packets that is directed toward the intended victim
C. host running the attacker program
D. host being attacked
Answer: C
Section: (none)
Explanation/Reference:

QUESTION 138
Which PPPoA configuration statement is true?
A. The dsl operating-mode auto command is required if the default mode has been changed.
B. The encapsulation ppp command is required.
C. The ip mtu 1492 command must be applied on the dialer interface.
D. The ip mtu 1496 command must be applied on the dialer interface.
E. The ip mtu 1492 command must be applied on the Ethernet interface.
F. The ip mtu 1496 command must be applied on the Ethernet interface.
Answer: A
Section: (none)
Explanation/Reference:

QUESTION 139
Which PPPoE configuration statement is true?
A. A PVC must be created before the pppoe enable command on the Ethernet interface is entered.
B. The dsl operating-mode auto command is required.
C. The encapsulation ppp command must be applied on the Ethernet interface.
D. The ip mtu 1492 command must be applied on the dialer interface.
E. The ip mtu 1496 command must be applied on the Ethernet interface.
F. When the pppoe enable command is applied on the Ethernet interface, a PVC will be created.
Answer: D
Section: (none)
Explanation/Reference:

QUESTION 140
What are three methods of network reconnaissance? (Choose three.)
A. IP spoofing
B. one-time password
C. dictionary attack
D. packet sniffer
E. ping sweep
F. port scan
Answer: DEF
Section: (none)
Explanation/Reference:

QUESTION 141
Which statement about a worm attack is true?
A. Human interaction is required to facilitate the spread.
B. The worm executes arbitrary code and installs copies of itself in the memory of the infected computer.
C. Extremely large volumes of requests are sent over a network or over the Internet.
D. Data or commands are injected into an existing stream of data. That stream is passed between a client and server application.
Answer: B
Section: (none)
Explanation/Reference:

QUESTION 142
How can Trojan horse attacks be mitigated?
A. Use antivirus software.
B. Implement RFC 2827 filtering.
C. Use a firewall to block port scans.
D. Enable trust levels on edge routers.
E. Disable echo replies on all edge routes.
Answer: A
Section: (none)
Explanation/Reference:

QUESTION 143
You work as a network engineer, study the exhibit carefully. Do you know which Cisco feature generated the configuration?
A. TACACS+
B. IOS Firewall
C. AutoSecure
D. IOS IPS
Answer: C
Section: (none)
Explanation/Reference:

QUESTION 144
On the basis of the information provided in the exhibit, which configuration option would correctly configure router certways-R to mitigate a range of threats?
A.
Company-R(config)# interface Fa0/0
Company-R (config-if)# ip access-group 150 in
B.
Company-R (config)# interface Fa0/0
Company-R (config-if)# ip access-group 150 out
C.
Company-R (config)# interface Fa0/1
Company-R (config-if)# ip access-group 150 in
D.
Company-R (config)# interface Fa0/1
Company-R (config-if)# ip access-group 150 out
Answer: C
Section: (none)
Explanation/Reference:

QUESTION 145
Refer to the exhibit. Configure Router Company-R ACL 150 to mitigate against a range of common threats. Based on the information shown in the exhibit, which statement is correct?
A. The ip access-group 150 command should have been applied to interface FastEthernet 0/0 in an outbound direction.
B. Interface Fa0/0 and interface Fa0/1 should have been configured with the IP addresses 10.1.1.1 and 10.2.1.1, respectively.
C. The ip access-group 150 command should have been applied to interface FastEthernet 0/0 in an inbound direction.
D. ACL 150 will mitigate common threats.
Answer: D
Section: (none)
Explanation/Reference:

QUESTION 146
Study the exhibit carefully. On the basis of the configuration, what will happen to the IPSec VPN between the Remote router and the Head-End router with IP address 172.31.1.100 if receiving no dead-peer detection hello messages for 20 seconds?
A. The IPSec VPN will transition to a peering relationship with the Head-End router at 172.31.1.200, with a down-time determined by the time required to tear-down and build the peerings.
B. The IPSec VPN will terminate but will rebuild with the same peer because 3 hello messages have not yet been missed.
C. The IPSec VPN will not be affected.
D. The IPSec VPN will transition with no down-time to a peering relationship with the Head-End router at 172.31.1.200.
Answer: C
Section: (none)
Explanation/Reference:

QUESTION 147
Which command sequence is an example of a correctly configured AAA configuration that uses the local database?
A.
RTA(config)# username Bob password cisco
RTA(config)# aaa new-model
RTA(config)# aaa authentication login LOCAL_AUTH local
RTA(config)# line con 0
RTA(config-line)# login authentication LOCAL_AUTH
B.
RTA(config)# username Bob password cisco
RTA(config)# aaa new-model
RTA(config)# aaa authentication login LOCAL_AUTH local
RTA(config)# line con 0
RTA(config-line)# login authentication default
C.
RTA(config)# aaa new-model
RTA(config)# tacacs-server host 10.1.1.10
RTA(config)# tacacs-server key cisco 123
RTA(config)# aaa authentication login LOCAL_AUTH group tacacs+
RTA(config)# line con 0
RTA(config-line)# login authentication default
D.
RTA(config)# aaa new-model
RTA(config)#tacacs-server host 10.1.1.10
RTA(config)# tacacs-server key cisco 123
RTA(config)# aaa authentication login LOCAL_AUTH group tacacs+
RTA(config)# line con 0
RTA(config-line)# login authentication LOCAL AUTH
Answer: A
Section: (none)
Explanation/Reference:

QUESTION 148
Refer to the exhibit. What two types of attacks does the IOS firewall configuration prevent? (Choose two.)
A. Java applets
B. SYN flood
C. Trojan horse
D. DDOS
E. packet sniffers
Answer: BD
Section: (none)
Explanation/Reference:

QUESTION 149
What are three options for viewing Security Device Event Exchange (SDEE) messages in Security Device Manager (SDM)? (Choose three.)
A. To view SDEE status messages
B. To view SDEE keepalive messages
C. To view all SDEE messages
D. To view SDEE statistics
E. To view SDEE alerts
F. To view SDEE actions
Answer: ACE
Section: (none)
Explanation/Reference:

QUESTION 150
What are the four steps that occur with an IPsec VPN setup?
A. Step 1: Interesting traffic initiates the IPsec process.
Step 2: AH authenticates IPsec peers and negotiates IKE SAs.
Step 3: AH negotiates IPsec SA settings and sets up matching IPsec SAs in the peers.
Step 4: Data is securely transferred between IPsec peers.
B. Step 1: Interesting traffic initiates the IPsec process.
Step 2: ESP authenticates IPsec peers and negotiates IKE SAs.
Step 3: ESP negotiates IPsec SA settings and sets up matching IPsec SAs in the peers.
Step 4: Data is securely transferred between IPsec peers.
C. Step 1: Interesting traffic initiates the IPsec process.
Step 2: IKE authenticates IPsec peers and negotiates IKE SAs.
Step 3: IKE negotiates IPsec SA settings and sets up matching IPsec SAs in the peers.
Step 4: Data is securely transferred between IPsec peers.
D. Step 1: Interesting traffic initiates the IPsec process.
Step 2: IKE negotiates IPsec SA settings and sets up matching IPsec SAs in the peers.
Step 3: IKE authenticates IPsec peers and negotiates IKE SAs.
Step 4: Data is securely transferred between IPsec peers.
Answer: C
Section: (none)
Explanation/Reference:

QUESTION 151
What actions can be performed by the Cisco IOS IPS when suspicious activity is detected? (Choose four.)
A. Send an alarm to a syslog server or a centralized management interface
B. Initiate antivirus software to clean the packet
C. Drop the packet
D. Reset the connection
E. Request packet to be resent
F. Deny traffic from the source IP address associated with the connection
Answer: ACDF
Section: (none)
Explanation/Reference:

QUESTION 152
Which three statements are true about Cisco Intrusion Detection System (IDS) and Cisco Intrusion Prevention System (IPS) functions? (Choose three.)
Only IDS systems provide real-time monitoring that includes packet capture and analysis of network packets.
A. Both IDS and IPS systems provide real-time monitoring that involves packet capture and analysis of network packets.
B. The signatures on the IDS devices are configured manually whereas the signature on the IPS devices are configured automatically.
C. IDS can detect misuse, abuse, and unauthorized access to networked resources but can only respond after an attack is detected.
D. IPS can detect misuse, abuse, and unauthorized access to networked resources and respond before network security can be compromised.
E. IDS can deny malicious traffic from the inside network whereas IPS can deny malicious traffic from outside the network.
Answer: BDE
Section: (none)
Explanation/Reference:

QUESTION 153
What is required when configuring IOS Firewall using the CLI?
A. IOS IPS enabled on the untrusted interface
B. NBAR enabled to perform protocol discovery and deep packet inspection
C. Route-map to define the trusted outgoing traffic
D. Route-map to define the application inspection rules
E. An inbound extended ACL applied to the untrusted interface
Answer: E
Section: (none)
Explanation/Reference:

QUESTION 154
Which statement is true when ICMP echo and echo-reply are disabled on edge devices?
A. Pings are allowed only to specific devices.
B. CDP information is not exchanged.
C. Port scans can no longer be run.
D. Some network diagnostic data is lost.
E. Wireless devices need to be physically connected to the edge device.
F. OSPF routing needs the command ip ospf network non-broadcast enabled.
Answer: D
Section: (none)
Explanation/Reference:

QUESTION 155
Which three statements are true when configuring Cisco IOS Firewall features using the SDM? (Choose three.)
A. A custom application security policy can be configured in the Advanced Firewall Security Configuration dialog box.
B. An optional DMZ interface can be specified in the Advanced Firewall Interface Configuration dialog box.
C. Custom application policies for e-mail, instant messaging, HTTP, and peer-to-peer services can be created using the Intermediate Firewall wizard.
D. Only the outside (untrusted) interface is specified in the Basic Firewall Interface Configuration dialog box.
E. The outside interface that SDM can be launched from is configured in the Configuring Firewall for Remote Access dialog box.
F. The SDM provides a basic, intermediate, and advanced firewall wizard.
Answer: ABE
Section: (none)
Explanation/Reference:

QUESTION 156
Which two mechanisms can be used to detect IPsec GRE tunnel failures? (Choose two).
A. Dead Peer Detection (DPD)
B. CDP
C. isakmp keepalives
D. GRE keepalive mechanism
E. The hello mechanism of the routing protocol across the IPsec tunnel
Answer: AE
Section: (none)
Explanation/Reference:

QUESTION 157
What is a reason for implementing MPLS in a network?
A. MPLS eliminates the need of an IGP in the core.
B. MPLS reduces the required number of BGP-enabled devices in the core.
C. Reduces routing table lookup since only the MPLS core routers perform routing table lookups.
D. MPLS eliminates the need for fully meshed connections between BGP enabled devices.
Answer: B
Section: (none)
Explanation/Reference:

QUESTION 158
When establishing a VPN connection from the Cisco software VPN client to an Easy VPN server router using pre-shared key authentication, what is entered in the configuration GUI of the Cisco software VPN client to identify the group profile that is associated with this VPN client?
A. Group name
B. Client name
C. Distinguished name
D. Organizational unit
Answer: A
Section: (none)
Explanation/Reference:

QUESTION 159
Refer to the exhibit. Assume that a signature can identify an IP address as the source of an attack. Which action would automatically create an ACL that denies all traffic from an attacking IP address?
A. Alarm
B. Drop
C. Reset
D. Deny Flow In line
E. denyattackerInline
F. Deny-connection-inline
Answer: E
Section: (none)
Explanation/Reference:

QUESTION 160
Which statement is true about the SDM IPS Policies wizard?
A. In order to configure the IPS, the wizard requires that customized signature files be created.
B. The IPS Policies wizard only allows the use of default signatures which cannot be modified.
C. The IPS Policies wizard can be used to modify, delete, or disable signatures that have been deployed on the router.
D. When initially enabling the IPS Policies wizard, SDM automatically checks and downloads updates of default signatures available from CCO (cisco.com).
E. The wizard verifies whether the command is correct but does not verify available router resources before the signatures are deployed to the router.
Answer: C
Section: (none)
Explanation/Reference:

QUESTION 161
Case Study#1
Scenario: This item involves some questions that you need to answer. You can click on the Questions button to the left to view these questions. Change questions by clicking the numbers to the left of each question.
In order to finish the questions, you will need to refer to the SDM and the topology, neither of which is currently visible. In order to gain access to either the topology or the SDM, click on the button to left side of the screen that corresponds to the section you wish to access. When you have completed viewing the topology or the SDM, you can return to your questions by clicking on the Questions button to the left.
Cruising industries is a large worldwide diving charter. Recently, this firm has upgraded its internet connectivity. As a new network technician, you have been tasked with documenting the active Firewall configurations on the P4S-R router using the Cisco Router and Security Device Manager (SDM) utility. Using the SDM output from Firewall and ACL Tasks under the Configure tab, answer the following questions:
Topology:
A.
Case Study# 1 (Questions)

Question: 1
Which option is Correct?
A. Both FastEthernet 0/0 and Serial 0/0/0 are trusted interfaces.
B. Both FastEthernet 0/0 and Serial 0/0/0 are untrusted interfaces.
C. FastEthernet 0/0 is a trusted interface and Serial 0/0/0 is an untrusted interface.
D. FastEthernet 0/0 is an untrusted interface and Serial 0/0/0 is a trusted interface.
Answer: C

Question: 2
Which two statements best describe a permissible incoming TCP packet on an untrusted interface in this configuration? (Choose two)
A. The packet has a source address of 172.16.29.12
B. The packet has a source address of 10.94.61.29
C. The session originated from a trusted interface.
D. The application is not specified within the inspection rule SDM_LOW.
E. The packet has a source address of 198.133.219.144
Answer: C, E

Question: 3
Which two statements would specify a permissible incoming TCP packet on a trusted interface in this configuration? (choose two)
A. The packet has a source address of 10.94.61.118
B. The packet has a source address of 172.16.29.12
C. The packet has a source address of 198.133.219.16
D. The destination address is not specified within the inspection rule SDM_LOW.
E. The destination address is specified within the inspection rule SDM_LOW.
Answer: A, C

Answer: A
Section: (none)
Explanation/Reference:

QUESTION 162
Which two statements about the Cisco AutoSecure feature are true? (Choose two.)
A. All passwords entered during the AutoSecure configuration must be a minimum of 8 characters in length.
B. Cisco123 would be a valid password for both the enable password and the enable secret commands.
C. The auto secure command can be used to secure the router login as well as the NTP and SSH protocols.
D. For an interactive full session of AutoSecure, the auto secure login command should be used.
E. If the SSH server was configured, the 1024 bit RSA keys are generated after the auto secure command is enabled.
Answer: CE
Section: (none)
Explanation/Reference:

QUESTION 163
Refer to the exhibit. Which two statements about the Network Time Protocol (NTP) are true? (Choose two.)
A. Router RTA will adjust for eastern daylight savings time.
B. To enable authentication, the ntp authenticate command is required on routers RTA and RTB.
C. To enable NTP, the ntp master command must be configured on routers RTA and RTB.
D. Only NTP time requests are allowed from the host with IP address 10.1.1.1.
E. The preferred time source located at 130.207.244.240 will be used for synchronization regardless of the other time sources.
Answer: AB
Section: (none)
Explanation/Reference:

QUESTION 164
Which three categories of signatures can a Cisco IPS microengine identify? (Choose three.)
A. DDoS signatures
B. strong signatures
C. exploit signatures
D. numeric signatures
E. spoofing signatures
F. connection signatures
Answer: ACF
Section: (none)
Explanation/Reference:

QUESTION 165
Refer to the exhibit. On the basis of the information that is provided, which two statements are true? (Choose two.)
A. An IPS policy can be edited by choosing the Edit button.
B. Right-clicking on an interface will display a shortcut menu with options to edit an action or to set severity levels.
C. The Edit IPS window is currently in Global Settings view.
D. The Edit IPS window is currently in IPS Policies view.
E. The Edit IPS window is currently in Signatures view.
F. To enable an IPS policy on an interface, click on the interface and deselect Disable.
Answer: AD
Section: (none)
Explanation/Reference:

QUESTION 166
Which two devices serve as the main endpoint components in a DSL data service network? (Choose two.)
A. SOHO workstation
B. ATU-R
C. ATU-C
D. POTS splitter
E. CO switch
Answer: BC
Section: (none)
Explanation/Reference: