Refer to the exhibit. Given the partial output of the debug command, what can be determined?
Answer: B
Explanation:
Although IKE phase 1 authentication has succeeded, the question asks what can be determined from the partial output of the debug command; answer B, that the peer has not matched any of the offered profiles, fits best.
Answer:
Explanation:
Because 802.1X authentication requires several technologies to work together, up-front planning
helps ensure the success of the deployment.
QUESTION NO: 3
Which two Cisco IOS WebVPN features are enabled with the partial configuration shown?
(Choose two.)
A. The end-user Cisco AnyConnect VPN software will remain installed on the end system.
B. If the Cisco AnyConnect VPN software fails to install on the end-user PC, the end user cannot
use other modes.
C. Client-based full tunnel access has been enabled.
D. Traffic destined to the 10.0.0.0/8 network will not be tunneled and will be allowed access via a
split tunnel.
E. Clients will be assigned IP addresses in the 10.10.0.0/16 range.
Answer: A,C
Explanation:
QUESTION NO: 4
Which two of these are benefits of implementing a zone-based policy firewall in transparent mode?
(Choose two.)
Answer: B,C
Explanation:
QUESTION NO: 5
When configuring a zone-based policy firewall, what will be the resulting action if you do not
specify any zone pairs for a possible pair of zones?
A. All sessions will pass through the zone without being inspected.
B. All sessions will be denied between these two zones by default.
C. All sessions will have to pass through the router "self zone" for inspection before being allowed
to pass to the destination zone.
D. This configuration statelessly allows packets to be delivered to the destination zone.
Answer: B
Explanation:
Zone Pair Configuration
The configuration of the zone pair is important because its configuration dictates the direction in
which traffic is allowed to flow. As stated previously, a zone pair is unidirectional and is the part of
the configuration that controls traffic between zones; this is referred to as interzone. If no zone pair
is defined, traffic will not flow between zones.
QUESTION NO: 6
Refer to the exhibit. What can be determined from the output of this show command?
Answer: C
Explanation:
Verify Local IKE Sessions
Use the show crypto isakmp sa command to display the current IKE Security Associations (SA) on
the local router. The QM_IDLE status indicates successful establishment of the IKE SA, meaning
that the ISAKMP process is idle after having successfully negotiated and established SAs.
Example 15-5 shows the output of the show crypto isakmp sa command.
Answer:
Explanation:
QUESTION NO: 8
You are running Cisco IOS IPS software on your edge router. A new threat has become an issue.
The Cisco IOS IPS software has a signature that can address the new threat, but you previously
retired the signature. You decide to unretire that signature to regain the desired protection level.
How should you act on your decision?
A. Retired signatures are not present in the router's memory. You will need to download a new
signature package to regain the retired signature.
B. You should re-enable the signature and start inspecting traffic for signs of the new threat.
C. Unretiring a signature will cause the router to recompile the signature database, which can
temporarily affect performance.
D. You cannot unretire a signature. To avoid a disruption in traffic flow, it's best to create a custom
signature until you can download a new signature package and reload the router.
Answer: C
Explanation:
Some signatures can be retired. This signature is not present in the router’s memory. Unretiring a
retired signature requires that the router recompile the signature database.
This can temporarily affect performance and take a long time with a large signature database.
QUESTION NO: 9
A. Policy NAT rules are those that determine which addresses need to be translated per the
enterprise security policy
B. Policy NAT consists of policy rules based on outside sources attempting to communicate with
inside endpoints.
C. These rules use source addresses as the decision for translation policies.
D. These rules are sensitive to all communicating endpoints.
Answer: A
Explanation:
The original dump had this option:
QUESTION NO: 10
Refer to the exhibit. What can be determined about the IPS category configuration shown?
Answer: D
Explanation:
This configuration task is completed by entering the signature category configuration mode using
the ip ips signature-category command. See Example 13-3 for the relevant configuration. First,
retire and disable all signatures because only the desired signatures will be enabled. This is
achieved using the category all command. Then, use the retired true and enabled false commands
to disable and retire all signatures by default. Next, enable all signatures that are designed to
prevent attacks against Cisco IOS Software devices and assign a preventative action to them.
Enter the category that comprises these signatures using the category os ios command and
enable them by using the retired false and enabled true commands. Use the event-action produce-alert deny-packet-inline command to enable these signatures to generate an alert and drop the offending packets when they trigger.
QUESTION NO: 11
When Cisco IOS IPS is configured to use SDEE for event notification, how are events managed?
A. They are stored in the router's event store and will allow authenticated remote systems to pull
events from the event store.
B. All events are immediately sent to the remote SDEE server.
C. Events are sent via syslog over a secure SSL/TLS communications channel.
D. When the event store reaches its maximum configured number of event notifications, the stored
events are sent via SDEE to a remote authenticated server and a new event store is created.
Answer: A
Explanation:
SDEE uses a pull communication model for event messages. This allows management consoles
to pull alerts from the Cisco IPS sensors over an HTTPS connection.
When Cisco SDEE notification is enabled, by default, 200 events can be stored in the local event
store. This number can be increased to hold a maximum of 1000. All stored events are lost if
SDEE notifications are disabled, and a new local event store is allocated when the notification
feature is enabled again.
QUESTION NO: 12
Which two of these will match a regular expression with the following configuration parameters?
[a-zA-Z][0-9][a-z] (Choose two.)
A. Q3h
B. B4Mn
C. aaB132AA
D. c7lm
E. BBpjnrIT
Answer: A,D
Explanation:
QUESTION NO: 13
Answer: C
Explanation:
CPU and Memory Thresholding
One of the ways to monitor whether an attack is occurring on a device is through the simple
monitoring of device resources, including CPU and memory utilization. This is done by configuring
the use of CPU or memory threshold monitoring. Both of these features can be combined with a
remote management server to notify an organization when the CPU and memory conditions on a
device become critical.
“With CPU Thresholding Notification, users can configure CPU utilization thresholds, which trigger
a notification when exceeded. Cisco IOS Software supports two CPU utilization thresholds:”
http://www.cisco.com/en/US/products/ps6642/products_data_sheet09186a00801f98de.html
QUESTION NO: 14
Which Cisco IOS IPS feature allows you to remove one or more actions from all active signatures
based on the attacker and/or target address criteria, as well as the event risk rating criteria?
Answer: A
Explanation:
QUESTION NO: 15
A. issue a show crypto isakmp policy command to verify matching policies of the tunnel endpoints
B. ping the tunnel endpoint
C. run a traceroute to verify the tunnel path
D. debug the connection process and look for any error messages in tunnel establishment
Answer: B
Explanation:
Page 398 - Very Important - several Questions from this
Troubleshooting Flow
Follow these steps to proceed through the recommended flow for troubleshooting IKE peering:
Step 1. Verify peer reachability using the ping and traceroute commands with the tunnel source
and destination IP addresses on both peers. If connectivity is verified, proceed to Step 2;
otherwise, check the path between the two peers for routing or access (firewall or access list)
issues.
Step 2. Verify the IKE policy on both peers using the show crypto isakmp policy command. Debug
messages revealed by the debug crypto isakmp command will also point out IKE policy
mismatches.
Step 3. Verify IKE peer authentication. The debug crypto isakmp command will display unsuccessful authentication.
Step 4. Upon successful completion of Steps 1–3, the IKE SA should be establishing. This can be verified with the show crypto isakmp sa command, looking for a state of QM_IDLE.
QUESTION NO: 16
Answer: A
Explanation:
QUESTION NO: 17
Refer to the exhibit. The INSIDE zone has been configured and assigned to two separate router
interfaces. All other zones and interfaces have been properly configured. Given the configuration
example shown, what can be determined?
A. Hosts in the INSIDE zone, with addresses in the 10.10.10.0/24 network, can access any host in
the 10.10.10.0/24 network using the SSH protocol.
B. If a host in the INSIDE zone attempts to communicate via SSH with another host on a different
interface within the INSIDE zone, communications must pass through the router self zone using
the INTRAZONE policy.
C. This is an illegal configuration. You cannot have the same source and destination zones.
D. This policy configuration is not needed; traffic within the same zone is allowed to pass by
default.
Answer: B
Explanation:
The zone pair can also be configured to control the traffic permitted directly into the device; this
includes control and management plane traffic. This is configured by creating a zone pair using the
self zone as the source or destination zone. With the release of IOS 15.0.1M, it is also possible to
control the traffic within the same zone; this is referred to as intrazone.
This is configured by creating a zone pair with the same two zone names as both source and
destination.
QUESTION NO: 18
Answer: B
Explanation:
QUESTION NO: 19
Which of these allows you to add event actions globally based on the risk rating of each event,
without having to configure each signature individually?
Answer: C
Explanation:
QUESTION NO: 20
When using Cisco Easy VPN, what are the three options for entering an XAUTH username and
password for establishing a VPN connection from the Cisco Easy VPN remote router? (Choose
three.)
QUESTION NO: 21
Which of these is true regarding tunnel configuration when deploying a Cisco ISR as a DMVPN
hub router?
Answer: D
Explanation:
Task 4 creates the mGRE tunnel interface. Enter the interface tunnel command and then configure
basic GRE parameters. The tunnel mode gre multipoint command designates the tunnel interface
QUESTION NO: 22
Given the Cisco IOS command crypto key generate rsa label MY_KEYS modulus 2048, which
additional command keyword should be added if you would like to use these keys on another
router or have the ability to back them up to another device?
A. redundancy
B. exportable
C. on:USB smart-token
D. usage-keys
Answer: B
Explanation:
QUESTION NO: 23
Which two types of deployments can be implemented for a zone-based policy firewall? (Choose
two.)
A. routed mode
B. interzone mode
C. fail open mode
D. transparent mode
E. inspection mode
Answer: A,D
Explanation:
Answer:
Explanation:
What is the result of configuring the command dot1x system-auth-control on a Cisco Catalyst
switch?
Answer: B
Explanation:
QUESTION NO: 26
Which information is displayed when you enter the Cisco IOS command show epm session?
Answer: A
Explanation:
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_s4.html#wp1063145
QUESTION NO: 27
Refer to the exhibit. Based on the partial configuration shown, which the GET VPN group member
GDOI configuration?
Answer: A
Explanation:
QUESTION NO: 28
Refer to the exhibit. Given the partial configuration shown, which two statements are correct?
(Choose two.)
A. The tunnel will use the routing protocol configured for GigabitEthernet 1/1 for all tunnel
communication with the peer.
Answer: C,E
Explanation:
QUESTION NO: 29
You are troubleshooting a Cisco Easy VPN installation that is experiencing session establishment
problems. You have verified that matching IKE and IPsec policies exist on both peers. The remote
client has also successfully entered authentication credentials. What is the next step to take in
troubleshooting this problem?
A. verify that the router is not denying traffic from the tunnel
B. verify that the router is able to assign an IP address to the client
C. examine routing tables
D. issue a ping from the client to the router to verify reachability
Answer: B
Explanation:
QUESTION NO: 30
Which of these is a result of using the same routing protocol process for routing outside and inside
the VPN tunnel?
Answer: D
Explanation:
Recursive Routing Hazard
You must take precautions when configuring dynamic routing protocols to ensure that there is a device that participates in the same routing protocol both outside the VPN tunnel (the transport network) and inside the tunnel (directly with VPN peers).
Answer:
QUESTION NO: 32
Refer to the exhibit. What can be determined from the output of this show command?
Answer: C
Explanation:
You are troubleshooting a problem related to IPsec connectivity issues. You see that there is no
ISAKMP security association established between peers. You debug the connection process and
see an error message of 1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0. What
does this message indicate?
Answer: A
Explanation:
QUESTION NO: 34
Refer to the exhibit. Given the output shown, what can be determined?
Answer: B
Explanation:
You can create an extended ACL with MAC address mapping.
If the ARP is spoofed, the logged message will be different from ACL-DENY: it will be a DHCP Snooping Deny message.
http://www.cisco.com/en/US/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_arpinspect.html#wp1125009
If Host 2 attempts to send an ARP request with the IP address 10.0.0.1, DAI drops the request
and logs the following system message:
00:18:08: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Ethernet1/4, vlan
1.([0001.0001.0001/10.0.0.1/0000.0000.0000/0.0.0.0/01:53:21 UTC Fri Jun 13 2008])
QUESTION NO: 35
Which command will enable a SCEP interface when you are configuring a Cisco router to be a
certificate server?
Answer: D
Explanation:
QUESTION NO: 36
When 802.1X is implemented, how do the client (supplicant) and authenticator communicate?
A. RADIUS
B. TACACS+
C. MAB
D. EAPOL
Answer: D
Explanation:
Note: EAPOL is used between the supplicant and the authenticator, while RADIUS is used
between the authenticator and the authentication server.
Refer to the exhibit. Assuming that all other supporting configurations are correct, what can be
determined from the partial IP admission configuration shown?
A. The router will forward authentication requests to a AAA server for authentication and
authorization.
B. The local user password is thl3F4ftvA.
C. The router will intercept incoming HTTP sessions on interface G0/0 for authentication.
D. The SUPERUSER's privilege level is being restricted.
E. The attribute type supplicant-group "SUPERUSER" configuration can be used to match criteria
in the "inspect" class-map type using the match access-group option.
Answer: C
Explanation:
QUESTION NO: 38
Which of these is an implementation guideline when deploying the IP Source Guard feature in an
environment with multiple switches?
Answer:
Explanation:
QUESTION NO: 40
What does the command errdisable recovery cause arp-inspection interval 300 provide for?
A. It will disable a port when the ARP rate limit of 300 packets per second is received and wait a
configured interval time before placing the port back in normal operation.
B. It will inspect for ARP-disabled ports every 300 seconds.
C. It will recover a disabled port and limit ARP traffic to 300 packets per second to avoid potential
ARP attacks from reoccurring.
D. It will recover a disabled port due to an ARP inspection condition in 5 minutes.
Answer: D
Explanation:
QUESTION NO: 41
You have configured Management Plane Protection on an interface on a Cisco router. What is the
resulting action on implementing MPP?
Answer: D
Explanation:
Answer:
Explanation:
QUESTION NO: 43
Refer to the exhibit. What can be determined from the configuration shown?
Answer: C
Explanation:
First line: "interfaces included" specifies that this view is only allowed to see the interface MIBs.
QUESTION NO: 44
When enabling the Cisco IOS IPS feature, which step should you perform to prevent rogue
signature updates from being installed on the router?
Answer: B
Explanation:
A user has requested a connection to an external website. After initiating the connection, a
message appears in the user's browser stating that access to the requested website has been
denied by the company usage policy. What is the most likely reason for this message to appear?
A. An antivirus software program has blocked the session request due to potential malicious
content.
B. The network has been configured with a URL filtering service.
C. The network has been configured for 802.1X authentication and the user has failed to
authenticate
D. The user's configured policy access level does not contain proper permissions
Answer: B
Explanation:
QUESTION NO: 46
Refer to the exhibit. Given the partial configuration shown, what can be determined?
Answer: A
Explanation:
QUESTION NO: 47
When is it most appropriate to choose IPS functionality based on Cisco IOS software?
Answer: A
Explanation:
QUESTION NO: 48
When performing NAT, which of these is a limitation you need to account for?
Answer: B
Explanation:
Answer:
Explanation:
QUESTION NO: 50
You have enabled Cisco IOS IPS on a router in your network. However, you are not seeing
expected events on your monitoring system (such as Cisco IME). On the router, you see events
being captured. What is the next step in troubleshooting the problem?
Answer: B
Explanation:
QUESTION NO: 51
Which two of these are features of control plane security on a Cisco ISR? (Choose two.)
Answer: A,D
Explanation:
QUESTION NO: 52
Which two of these are potential results of an attacker performing a DHCP server spoofing attack?
(Choose two.)
A. DHCP snooping
B. DoS
C. confidentiality breach
D. spoofed MAC addresses
E. switch ports being converted to an untrusted state
Answer: B,C
Explanation:
QUESTION NO: 53
When Cisco IOS IPS signatures are being tuned, how is the Target Value Rating assigned?
Answer: C
Explanation:
QUESTION NO: 54
Which of these should you do before configuring IP Source Guard on a Cisco Catalyst switch?
Answer: D
Explanation:
QUESTION NO: 55
What action will the parameter-map type ooo global command enable?
A. globally initiates tuning of the router's TCP normalizer parameters for out-of-order packets
B. globally classifies type ooo packets within the parameter map and subsequent policy map
C. enables a parameter map named ooo
D. configures a global parameter map for traffic destined to the router itself
Answer: A
Explanation:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/12-4t/sec-zone-pol-fw.html
Answer:
Explanation:
Answer: R2# show crypto gdoi ks -or- R2# show crypto gdoi ks members -or- R1# show ip
interface brief
Explanation:
NB: it is assumed that only R1 is a member router and ISP is not a member
R1#show crypto gdoi ks
Total group members registered to this box: 0
IPSec SA Number: 10
IPSec SA Rekey Lifetime: 3600 secs
Profile Name: GETPROFILE
Replay method: Count Based
Replay Window Size: 64
SA Rekey
Remaining Lifetime: 1998 secs
ACL Configured: access-list 101
Group Server list: Local
NB: some other tests have two answers highlighted; the question does not say "(Choose two)", so one must assume that a single selection is correct.
QUESTION NO: 62
Which protocol is EAP encapsulated in for communications between the authenticator and the
authentication server?
A. EAP-MD5
B. IPsec
C. EAPOL
D. RADIUS
Answer: D
Explanation:
Note: EAPOL is used between the supplicant and the authenticator, while RADIUS is used
between the authenticator and the authentication server.
You are loading a basic IPS signature package onto a Cisco router. After a period of time, you see
this message:
A. The files were successfully copied with an elapsed time of 275013 ms. The router will continue
with extraction and compilation of the signature database.
B. The signature engines were compiled, but there is no indication that the actual signatures were
compiled.
C. The compilation failed for some of the signature engines. There are 16 engines, but only 6 were
completed according to the %IPS-6 message
D. The files were compiled without error.
Answer: D
Explanation:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd805c4ea8.html
QUESTION NO: 64
Refer to the exhibit. Given the configuration shown, which of these statements is correct?
Answer: A
Explanation:
Answer:
Explanation:
QUESTION NO: 66
Refer to the exhibit. Which two of these are most likely to have caused the issue with NHRP, given
this output of the show command? (Choose two.)
Answer: A,D
Explanation:
Explanation:
QUESTION NO: 68
You have configured a guest VLAN using 802.1X on a Cisco Catalyst switch. A client incapable of
using 802.1X has accessed the port and has been assigned to the guest VLAN. What happens
when a client capable of using 802.1X joins the network on the same port?
A. The client capable of using 802.1X is allowed access and proper security policies are applied to
the client.
B. EAPOL packets will not be allowed on the guest VLAN and the access attempt will fail.
C. The port is put into the unauthorized state in the user-configured access VLAN, and
authentication is restarted.
D. This is considered a security breach by the authentication server and all users on the access
port will be placed into the restricted VLAN.
Answer: C
Explanation:
Usage Guidelines for Using Authentication Failed VLAN Assignment
When an authentication failed port is moved to an unauthorized state, the authentication process is restarted. If you fail the authentication process again, the authenticator waits in the held state. After you have correctly reauthenticated, all 802.1x ports are reinitialized and treated as normal 802.1x ports.
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/dot1x.html#wp1198927
"Pass Any Exam. Any Time." - www.actualtests.com 46
Cisco 642-637 Exam
QUESTION NO: 69
Refer to the exhibit. What can be determined from the information shown?
Answer: C
Explanation:
QUESTION NO: 70
A. The router will forward authentication requests to a AAA server for authentication and
authorization.
B. The user maint3nanc3 will have complete CLI command access once authenticated.
C. After a period of 20 minutes, the user will again be required to provide authentication
credentials.
D. The authentication proxy will fail, because the router's HTTP server has not been enabled.
E. All traffic entering interface G0/1 will be intercepted for authentication, but only Telnet traffic will
be authorized.
Answer: C
Explanation:
QUESTION NO: 71
What will the authentication event fail retry 0 action authorize vlan 300 command accomplish?
A. assigns clients that fail 802.1X authentication into the restricted VLAN 300
B. assigns clients to VLAN 300 and attempts reauthorization
C. assigns a client to the guest VLAN 300 if it does not receive a response from the client to its
EAPOL request/identity frame
Answer: A
Explanation:
Answer:
Explanation:
http://www.slideshare.net/CiscoSystems/ccsp-effective-deployment-of-cisco-asa-access-control
QUESTION NO: 73
When you are configuring a DMVPN network, which tunnel mode should you use for the hub
router configuration?
A. GRE multipoint
B. Nonbroadcast multiaccess
C. Classic point-to-point GRE
D. IPsec multipoint
Answer: A
Explanation:
http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_2_Phase2.html
The hub-and-spoke deployment model is the most common deployment model. This model is the
most scalable, and predominately mimics traditional Layer 2 leased line, Frame Relay, or ATM
hub-and-spoke networks. The headend is configured with a multipoint GRE (mGRE) interface, and
the branch with a point-to-point
(p2p) GRE interface.
QUESTION NO: 74
A. DMVPN
B. Easy VPN
C. IPsec VPN
D. mGRE
Answer: A
Explanation:
You have configured a Cisco router to act as a PKI certificate server. However, you are experiencing
problems starting the server. You have verified that all CA parameters have been correctly
configured. What is the next step you should take in troubleshooting this problem?
Answer: D
Explanation:
Some prefer the answer from the previous dump. However, the question clearly states "You have verified that all CA parameters have been correctly configured". If the configuration is already correct, why would you enable the SCEP interface again? The best answer is to verify that the correct time is being used and that the sources are reachable.
Having synchronized time is vital for PKI, but PKI does not require that the time be extremely
accurate.
Time synchronization issues can cause certificate validation failures if the current time on the VPN
device is outside the validity range of the CA certificate.
QUESTION NO: 76
Which three of these are features of data plane security on a Cisco ISR? (Choose three)
A. uRPF
B. NetFlow export
C. FPM
D. CPPr
E. RBAC
F. routing protocol filtering
Answer: A,B,C
Explanation:
http://ptgmedia.pearsoncmg.com/images/9781587142802/samplepages/1587142805.pdf
QUESTION NO: 77
What will the authentication event fail retry 0 action authorize vlan 300 command accomplish?
A. assigns clients that fail 802.1X authentication into the restricted VLAN 300
B. assigns clients to VLAN 300 and attempts reauthorization
C. assigns a client to the guest VLAN 300 if it does not receive a response from the client to its
EAPOL request/identity frame
D. locks out a user who fails an 802.1X authentication and does not allow the user to try to gain
network access again for 300 seconds
Answer: A
Explanation:
QUESTION NO: 78
When you are configuring DHCP snooping, how should you classify access ports?
A. untrusted
B. trusted
C. promiscuous
D. private
Answer: A
Explanation:
QUESTION NO: 79
When configuring URL filtering with the Trend Micro filtering service, which of these steps must
you take to prepare for the configuration?
Answer: B
Explanation:
QUESTION NO: 80
A. DVTI tunnels are created dynamically from a preconfigured template as tunnels are established
to the hub.
B. The hub router needs a static DVTI tunnel to each spoke router in order to establish remote
communications from spoke to spoke.
C. Spoke routers require a virtual template to clone the configuration on which the DVTI tunnel is
established.
D. DVTI tunnels appear on the hub as tunnel interfaces.
Answer: A
Explanation:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.pdf
QUESTION NO: 81
A. GDOI IKE sessions are established between all peers in the network.
B. Security associations do not need to linger between members once a group member has
authenticated to the key server and obtained the group policy.
C. Each pair of peers has a private set of IPsec security associations that is only shared between
the two peers.
D. GDOI IKE uses UDP port 500.
Answer: B
Explanation:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/
deployment_guide_c07_554713.pdf
Answer:
Explanation:
Answer:
Explanation:
Step 1 – The VPN Client initiates IKE Phase 1.
Step 2 – The VPN Client establishes an ISAKMP SA.
Step 3 – The Easy VPN Server accepts the SA proposal.
Step 4 – The Easy VPN Server initiates a username and password challenge.
Step 5 – The mode configuration process is initiated.
Step 6 – The RRI process is initiated.
Step 7 – IPSec quick mode completes the connection process
QUESTION NO: 84
Which of these are the two types of keys used when implementing GET VPN? (Choose two)
A. public key
B. group encryption
C. traffic encryption key
D. pre-shared key
E. key encryption
F. private key
Answer: C,E
Explanation:
You have been given the task of performing initial zone-based policy firewall configurations. You
will need to create zones, assign the zones to specific interfaces, and create zone pairs to allow
for traffic flow between interfaces. You will also need to define a zone-based policy firewall and
assign the policy to the zone pair. To access the router console ports, refer to the exhibit, click the
router for access, and perform the following tasks.
Note that when performing the configuration, you should use the exact names highlighted in bold
below:
Globally create zones and label them with the following names:
• OUTSIDE
• INSIDE
• Create a zone pair for traffic flowing from the inside to outside zones named IN-TO-OUT
• Define a zone-based firewall policy named IN-TO-OUT-POLICY
• Use the "match protocol" classification option to statefully inspect HTTP traffic and drop all other traffic
Answer: First divide the network into two zones, INSIDE and OUTSIDE. Then classify HTTP, build an inspect policy that drops everything else, and bind it to the IN-TO-OUT zone pair.
Router(config)#zone security INSIDE
Router(config)#zone security OUTSIDE
Router(config)#interface fa0/0/1
Router(config-if)#no shutdown
Router(config-if)#zone-member security INSIDE
Router(config-if)#interface fa0/0/0
Router(config-if)#no shutdown
Router(config-if)#zone-member security OUTSIDE
Router(config-if)#class-map type inspect match-any HTTP_POLICY
Router(config-cmap)#match protocol http
Router(config-cmap)#policy-map type inspect IN-TO-OUT-POLICY
Router(config-pmap)#class type inspect HTTP_POLICY
Router(config-pmap-c)#inspect
Router(config-pmap-c)#class class-default
Router(config-pmap-c)#drop
Router(config-pmap-c)#zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
Router(config-sec-zone-pair)#service-policy type inspect IN-TO-OUT-POLICY
QUESTION NO: 86
Answer: D
Explanation:
QUESTION NO: 87
When is it feasible for a port to be both a guest VLAN and a restricted VLAN?
Answer: D
Explanation:
What can be determined from the information provided in the system image output?
Answer: D
Explanation:
QUESTION NO: 89
Which three of these are sources used when the router is configured for URL filtering? (Choose
three.)
Answer: A,D,E
QUESTION NO: 90
A. multiauth
B. WebAuth
C. MAB
D. 802.1X guest VLAN
Answer: C
Explanation:
QUESTION NO: 91
Which three of the following are advantages of virtual tunnel interfaces (VTIs) over GRE VPN
solutions? (Choose three.)
Answer: B,C,E
Explanation:
Page 391, CCNP Security SECURE 642-637 Official Cert Guide
IPsec VTIs have many benefits:
QUESTION NO: 92
In Cisco IOS 15.0.1M code for the router platform, which new feature has been added to the zone-
based policy firewall?
Answer: B
Explanation:
Page: 309, CCNP Security SECURE 642-637 Official Cert Guide
With the release of IOS 15.0.1M, it is also possible to control the traffic within the same zone; this
is referred to as intrazone. This is configured by creating a zone pair with the same two zone
names as both source and destination.
QUESTION NO: 93
When configuring NAT, which three protocols that are shown may have limitations or
complications when using NAT? (Choose three.)
A. Kerberos
B. HTTPS
C. NTP
D. SIP
E. FTP
F. SQL
Answer: A,D,E
Explanation:
As with any technology, the use of NAT can introduce problems because some technologies do
not support the use of NAT. These limitations include:
QUESTION NO: 94
Which two answers are potential results of an attacker that is performing a DHCP server spoofing
attack? (Choose two.)
A. ability to selectively change DHCP options fields of the current DHCP server, such as the
giaddr field.
B. DoS
Answer: B,E
Explanation:
DHCP Server Spoofing
With DHCP server spoofing, the attacker can set up a rogue DHCP server and respond to DHCP
requests from clients on the network. This type of attack can often be grouped with a DHCP
starvation attack because the victim server will not have any new IP addresses to give out, which
raises the chance of new clients using the rogue DHCP server. This information, which is given
out by the rogue DHCP server, could send all the traffic through a rogue gateway, which can then
capture the traffic for further analysis.
QUESTION NO: 95
Answer: B
Explanation:
Actual log from a switch configured for DHCP snooping:
007850: Nov 26 09:02:55.484 CET: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPRELEASE, chaddr: 0016.4487.6527, MAC sa: 0017.422e.d204
The switch logging message basically says that the MAC address of the client contained in the
chaddr (client hardware address) field in the DHCP message does not match the source MAC
address of the frame in which the DHCP message is encapsulated. In other words, the interface for
which the DHCP message was created does not match the interface through which the message
was actually transmitted.
https://supportforums.cisco.com/thread/344460
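Detection logic for the switch message discussed above, as an added example that is not part of the original dump: it parses %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL lines, normalises the Cisco dotted MAC format, and groups drops by (chaddr, frame source MAC) so one spoofing host shows up as one finding. The log lines are constructed for the example (the first is the message quoted above re-joined onto one line).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample log: the first line is the switch message quoted above,
# re-joined onto one line; the other two lines are made up for this example.
SAMPLE_LOG = """\
007850: Nov 26 09:02:55.484 CET: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPRELEASE, chaddr: 0016.4487.6527, MAC sa: 0017.422e.d204
007851: Nov 26 09:03:01.120 CET: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 0016.4487.6527, MAC sa: 0017.422e.d204
007852: Nov 26 09:03:05.000 CET: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
"""

# Fields of the MATCH_MAC_FAIL message: the DHCP message type, the client
# hardware address carried inside the DHCP payload, and the Ethernet source.
MATCH_MAC_FAIL = re.compile(
    r"%DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL:.*?"
    r"message type:\s*(?P<msg_type>[A-Z]+),\s*"
    r"chaddr:\s*(?P<chaddr>[0-9a-fA-F.]+),\s*"
    r"MAC sa:\s*(?P<sa>[0-9a-fA-F.]+)"
)


def normalize_mac(mac: str) -> str:
    """Convert Cisco dotted hex (0016.4487.6527) to colon form (00:16:44:87:65:27)."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class MacMismatch:
    msg_type: str
    chaddr: str       # MAC claimed inside the DHCP message
    source_mac: str   # MAC actually seen on the Ethernet frame


def parse_match_mac_fail(line: str) -> Optional[MacMismatch]:
    """Return the mismatch details if the line is a MATCH_MAC_FAIL drop, else None."""
    m = MATCH_MAC_FAIL.search(line)
    if not m:
        return None
    return MacMismatch(m["msg_type"], normalize_mac(m["chaddr"]), normalize_mac(m["sa"]))


@dataclass
class Finding:
    chaddr: str
    source_mac: str
    count: int = 0
    message_types: List[str] = field(default_factory=list)


def summarize_mac_mismatches(log_text: str) -> List[Finding]:
    """Group drops by (chaddr, source MAC) so one offending host is one finding."""
    findings: Dict[Tuple[str, str], Finding] = {}
    for line in log_text.splitlines():
        hit = parse_match_mac_fail(line)
        if hit is None:
            continue
        key = (hit.chaddr, hit.source_mac)
        f = findings.setdefault(key, Finding(hit.chaddr, hit.source_mac))
        f.count += 1
        f.message_types.append(hit.msg_type)
    return list(findings.values())


if __name__ == "__main__":
    for f in summarize_mac_mismatches(SAMPLE_LOG):
        print(f"{f.count} drop(s): DHCP chaddr {f.chaddr} sent from {f.source_mac} "
              f"({', '.join(f.message_types)})")
```

The message is severity 5 (notification), so the switch's logging trap level must include notifications for the line to reach a collector at all.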
QUESTION NO: 96
Based on the partial configuration that is provided, if a non-802.1X client connects to a port on this
switch, which VLAN will it be assigned to, and how long will it take for the port to time out and
transition to the guest VLAN? (Choose all that apply.)
A. The switch is configured for the default 802.1X timeout period of 90 seconds.
B. The 802.1X authentication process will time out in 10 seconds and immediately change the port
to the guest VLAN.
C. The 802.1X authentication process will time out, and the switch will roll over the port to the
guest VLAN in 15 seconds.
D. The non-802.1X client and phones will all be assigned to VLAN 30.
E. The non-802.1X client will be assigned to VLAN 40.
F. The non-802.1X client will be assigned to VLAN 10.
Answer: C,E
Explanation:
The authenticator expects to receive the EAP-Response/Identity frame as a response to its EAP-
Request/Identity frame. If it has not received this frame within the default retransmission time, it
will resend the Request frame. The default retransmission timer is 30 seconds.
You can adjust this time to increase response times, which will allow a faster 802.1X
If the switch fails to authenticate a client, such as the user entering a bad password, the switch
waits a period of time before trying again. The default value for this quiet timer is
60 seconds. You can lower this value, thus giving the client a faster response time with the dot1x
timeout quiet-period seconds interface configuration command.
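How the guest-VLAN fallback time in the question above is derived, as an added example (not from the original dump or the exhibit): the switch sends EAP-Request/Identity, waits tx-period, and retries max-reauth-req times before moving the port to the guest VLAN, so the fallback time is tx-period × (max-reauth-req + 1). The interface stanza below is constructed for the example and chosen to be consistent with the stated answer (15 seconds, VLAN 40); the Catalyst defaults give the 90 seconds in option A.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Catalyst defaults: dot1x timeout tx-period 30 s, dot1x max-reauth-req 2.
DEFAULT_TX_PERIOD = 30
DEFAULT_MAX_REAUTH_REQ = 2

# Constructed interface configuration (not the page's exhibit); values chosen
# to be consistent with the answer above: 15 s fallback, guest VLAN 40.
SAMPLE_INTERFACE_CONFIG = """\
interface GigabitEthernet0/5
 switchport access vlan 10
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 5
 dot1x max-reauth-req 2
 dot1x guest-vlan 40
"""


@dataclass
class Dot1xPortTimers:
    tx_period: int = DEFAULT_TX_PERIOD            # seconds between EAP-Request/Identity retries
    max_reauth_req: int = DEFAULT_MAX_REAUTH_REQ  # retries before giving up on the supplicant
    guest_vlan: Optional[int] = None


def guest_vlan_fallback_seconds(t: Dot1xPortTimers) -> int:
    """Seconds until a port with no supplicant response is moved to the guest VLAN.

    One initial EAP-Request/Identity plus max-reauth-req retransmissions, each
    followed by a tx-period wait: tx-period * (max-reauth-req + 1).
    """
    return t.tx_period * (t.max_reauth_req + 1)


_PATTERNS = {
    "tx_period": re.compile(r"^dot1x timeout tx-period (\d+)$"),
    "max_reauth_req": re.compile(r"^dot1x max-reauth-req (\d+)$"),
    # Older (dot1x guest-vlan) and newer (authentication event ...) guest VLAN syntax.
    "guest_vlan": re.compile(
        r"^(?:dot1x guest-vlan|authentication event no-response action authorize vlan) (\d+)$"
    ),
}


def parse_interface_config(text: str) -> Dot1xPortTimers:
    """Pick the 802.1X timer lines out of an interface stanza; missing lines keep defaults."""
    timers = Dot1xPortTimers()
    for raw in text.splitlines():
        line = raw.strip()
        for attr, pat in _PATTERNS.items():
            m = pat.match(line)
            if m:
                setattr(timers, attr, int(m.group(1)))
    return timers


if __name__ == "__main__":
    cfg = parse_interface_config(SAMPLE_INTERFACE_CONFIG)
    print(f"defaults: {guest_vlan_fallback_seconds(Dot1xPortTimers())} s")
    print(f"sample:   {guest_vlan_fallback_seconds(cfg)} s, guest VLAN {cfg.guest_vlan}")
```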
QUESTION NO: 97
When 802.1X is implemented, how do the authenticator and authentication server communicate?
A. RADIUS
B. TACACS+
C. MAB
D. EAPOL
Answer: A
Explanation:
Page: 119
Note: EAPOL is used between the supplicant and the authenticator, while RADIUS is used
between the authenticator and the authentication server.
QUESTION NO: 98
What can be determined about IPS updates from the configuration shown?
Answer: C
Explanation:
Task 2: Configure Automatic Signature Updates
The second task illustrates how to configure the router to attempt to retrieve automatic signature
updates from Cisco.com or a local server.
To do this, first configure the update URL using the ida-client server url command. Use
the https://www.cisco.com/cgi-bin/front.x/ids/locator/locator.pl URL. Next, create an auto-update
profile using the ip ips auto-update command. Use the cisco command inside the profile to
designate obtaining updates from Cisco.com. To control when the update attempts occur, use the
occur-at command. Example 13-9 illustrates the setup of the configuration to retrieve automatic
updates from the Cisco.com repository as well as to provide the Cisco.com credentials that will be
used for authentication, using the username command.
Example 13-10 illustrates the setup of the configuration to retrieve automatic updates from a local
staging server.
QUESTION NO: 99
Answer: D
Explanation:
When uploading an IPS signature package to a Cisco router, what is required for the upload to
self-extract the files?
Answer: A
Explanation:
First, the signature package must be downloaded from Cisco.com. Go to the download section of
Cisco.com and navigate to Products > Security > Integrated Router/Switch
Security > Integrated Threat Control > Cisco IOS Intrusion Prevention System Feature Software >
IOS IPS Signature Data File. Download the latest package, which should have a filename in the
format IOS-Sxxx-CLI.pkg. Put the file on the server from which you will transfer it to the router.
Use the copy command to transfer the file to the router’s idconf alias. This causes the router to
download and unpack the contents of the file (XML files).
In a GETVPN solution, which two ways can the key server distribute the new keys to the group
members during the rekey process? (Choose two.)
Answer: A,C
Explanation:
Rekeying Methods
GET VPNs use rekey messages to refresh their IPsec SAs (session keys) outside of IKE sessions.
When the group IPsec SAs are about to expire, one single rekey message for a particular group is
generated on the key server. Distribution of the rekey message does not require that new IKE
sessions be created. GET VPN supports both unicast and multicast rekeying.
You are a network administrator and are moving a web server from inside the company network to
a DMZ segment that is located on a Cisco router. The web server was located at IP address
172.16.10.50 on the inside and changed to the IP address 172.20.10.5 on the DMZ. Additionally,
Answer: B
Explanation:
When configuring NAT, and your solution requires the ability to see the inside local and outside
global address entries and any TCP or UDP port in the show ip nat command output, how should
NAT be configured on the router?
A. use the overload option on the end of your static NAT statement
B. include both static and dynamic NAT configuration on the router
C. tie the ip nat inside command to a dynamic NAT pool
D. attach a route-map to the ip nat inside command
E. configure the ip nat inside command to an extended ACL
Answer: D
Explanation:
You are working for a corporation that has connected its network to a partner network. Based on
this partial configuration that is supplied in the exhibit, which two things happen to traffic that is
inbound from the partner network (outside is 10.10.30.0/24) and the return traffic from the inside
as it travels through this router? (Choose two.)
A. The source address of the IP packets that are traveling from the 10.10.30.0/24 network to
10.10.19.0/24 are translated to 172.19.1.0/24.
B. The destination address of IP packets that are traveling from 10.10.19.0/24 to any IP network is
translated to 172.19.1.0/24.
C. IP traffic that is flowing from 10.10.19.0/24 to 10.10.30.0/24 has the source address translated
to 172.19.1.0/24.
D. The destination address of IP packets that are traveling from 10.10.19.0/24 to 10.10.30.0/24
are translated to 172.19.1.0/24.
E. The destination address of IP packets that are traveling from 10.10.30.0/24 to 10.10.19.0/24 are
translated to 172.19.1.0/24.
Answer: A,D
Explanation:
You are a network administrator that is deploying a Cisco router that needs to support both PAT
and site-to-site VPN on one public IP address. In order to make both work simultaneously, how
should the NAT configuration be set up?
Answer: C
Explanation:
Based on the configuration that is shown in the exhibit, select the three answers that apply.
(Choose three.)
A. The configuration supports multidomain authentication, which allows one MAC address on the
voice VLAN and one on the data VLAN.
B. Traffic will not flow for either the phone or the host computer until one device completes the
802.1X authentication process.
C. Registration and DHCP traffic will flow on either the data or voice VLAN before authentication.
D. The port will only require the 802.1X supplicant to authenticate one time.
E. MAC Authentication Bypass will be attempted only after 802.1X authentication times out.
F. Non-802.1X devices are supported on this port by setting up the host for MAC address
authentication in the endpoint database.
Answer: A,C,F
Explanation:
You are finding that the 802.1X-configured ports are going into the error-disable state. Which
command will show you the reason why the port is in the error-disable state, and which command
will automatically be re-enabled after a specific amount of time? (Choose two.)
Answer: B,D
Explanation:
Answer: B
Explanation:
IPsec Phases
Which solution on a Cisco router requires the loading of a protocol header definition file (PHDF)?
Answer: C
Explanation:
FPM is implemented using a filtering policy that is divided into four tasks:
You are troubleshooting a problem for which end users are reporting connectivity issues. Your
network has been configured with Layer 2 protection controls. You have determined that the
DHCP snooping database is correct and that proper static addressing maps have been
configured. Which of these should be your next step in troubleshooting this problem?
A. Generate a proxy ARP request and verify that the DHCP database has been updated as
expected.
B. Temporarily disable DHCP snooping and test connectivity again.
C. Clear the ARP tables and have end users release and renew their DHCP-learned addressing.
D. Use a protocol analyzer to determine if there are malformed DHCP or ARP packets.
Answer: D
Explanation:
You are troubleshooting a reported connectivity issue from a remote office whose users are
accessing corporate headquarters via an IPsec VPN connection. You issued a show crypto
isakmp sa command on the headend router, and the state has MM_NO_STATE. Which debug
command should you enter next, and which part of the VPN tunnel establishment process is
A. ISAKMP Phase II
B. ISAKMP Phase I
C. debug crypto isakmp sa
D. debug crypto isakmp
E. debug crypto ipsec
Answer: B,D
Explanation:
Troubleshooting Flow
Follow these steps to proceed through the recommended flow for troubleshooting IKE peering:
Step 1. Verify peer reachability using the ping and traceroute commands with the tunnel source
and destination IP addresses on both peers. If connectivity is verified, proceed to Step 2;
otherwise, check the path between the two peers for routing or access (firewall or access list)
issues.
Step 2. Verify the IKE policy on both peers using the show crypto isakmp policy command. Debug
messages revealed by the debug crypto isakmp command will also point out IKE policy
mismatches.
Step 3. Verify IKE peer authentication. The debug crypto isakmp command will display
unsuccessful authentication.
Step 4. Upon successful completion of Steps 1–3, the IKE SA should be establishing. This can be
verified with the show crypto isakmp sa command and looking for a state of QM_IDLE.
You are installing a brand-new, site-to-site VPN tunnel and notice that it is not working correctly.
When connecting to the corporate router and issuing a show crypto ipsec sa command, you notice
that for this particular SA that packets are being encrypted but not decrypted. What are two
potential reasons for this problem? (Choose two.)
Which two of these are features of control plane security on a Cisco ISR? (Choose two.)
A. CoPP
B. RBAC
C. AAA
D. CPPr
E. uRPF
F. FPM
Answer: A,D
Explanation:
Which additional configuration steps are required for a zone-based policy firewall to operate in a
VRF scenario?
A. You must assign zone-based policy firewall bridge groups to work in the virtual environment.
B. Separate zone-based policy firewall policies must be defined for each VRF environment.
C. Separate zones must be defined for each virtual zone-based policy firewall instance.
D. No special zone-based policy firewall configurations are needed.
Answer: D
Explanation:
Ensure that you utilized several security layers in your design to adequately protect the rest of
your network from the guest VLAN. You might even consider putting them in a separate Virtual
Routing and Forwarding (VRF) instance. VRFs are configurations on Cisco IOS Software routers
and switches that can be used to provide traffic separation, making them a good solution to keep
guest traffic segregated from your corporate traffic.
ZBPFW is also Virtual Routing and Forwarding (VRF) aware and can be used between different
VRFs. Interfaces that are configured in different VRFs should not be configured in the same zone,
and thus all interfaces that are in a zone must be configured within the same VRF. If there is a
common interface or interfaces that are used by multiple VRFs, a common zone should be created
and individually paired with each zone (and thus with each VRF).
You are troubleshooting an IPsec VPN problem. During debugging of IPsec operations, you see
the message "attributes not acceptable" on the IKE responder after issuing the debug crypto
isakmp command. Which step should you take next?
Answer: C
Explanation:
The show crypto isakmp policy command can be executed on both peers to compare IKE
parameters and ensure that they match. The debug crypto isakmp debugging command will
display debugging messages during IKE negotiation and session establishment. These debugging
commands should be executed and analyzed on both peers.
Which state is a Cisco IOS IPS signature in if it does not take an appropriate associated action
even if it has been successfully compiled?
A. retired
B. disabled
C. unsupported
D. inactive
Answer: B
Explanation:
Which CLI command would you use to verify installed SSL VPN licensing on a Cisco 1900, 2900,
or 3900 Series ISR?
Answer: C
Explanation:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_sslvpn/configuration/15-1mt/sec-conn-
sslvpn-15-1mtbook.pdf
You can use the show webvpn license command to display the available count and the current
usage. To display the current license type and time period left in case of a nonpermanent license,
use the show license command. To get information related to license operations, events, and
errors, use the debug webvpn license command.
For migrating from any Cisco IOS 12.4T release to Cisco IOS 15.x release, use the license
migration tool at
https://tools.cisco.com/SWIFT/Licensing/LicenseAdminServlet/migrateLicense.
New Cisco IOS SSL VPN licenses that are generated are cumulative. Therefore the old licenses
become inactive when a new license is applied. For example, when you are upgrading your
license from 10 counts to 20 counts (an increase of 10 counts on the current 10 counts), Cisco
provides a single 20 count license.
The old license for 10 counts is not required when a permanent license for a higher count is
available.
However, the old license will exist in an inactive state as there is no reliable method to clear the
old license.
In Cisco IOS Release 15.1(4)M1 and later releases, a Crypto Export Restrictions Manager
(CERM) license is reserved only after the user logs in. If you have an Integrated Services Router
Generation 2 (ISR G2) router with a CERM license, you must upgrade to Cisco IOS Release
15.1(4)M1 or later releases. Before Cisco IOS Release 15.1(4)M1, a CERM license is reserved for
every SSL or Transport Layer Security (TLS) session.
Which statement is correct regarding GRE tunnel endpoints when you are configuring GRE over
IPsec?
Answer: A
Explanation:
Answer: C
Explanation:
When you are using dynamic IPsec VTI tunnels, what can you determine about virtual-access
interfaces from the output shown?
A. The Virtual-Access1 interface currently does not have an IPsec peer connection established.
B. The Virtual-Access2 interface does not yet have an IPsec peer defined.
C. The Virtual-Access1 interface is in the down/down state, because the virtual tunnel source
physical interface is down.
D. The Virtual-Access1 interface, which is used internally by the Cisco IOS software, is always
down.
Answer: A
Explanation: “A special Virtual-Access1 interface is used internally by Cisco IOS Software and is
always present in the output of this command.” but not always DOWN !!!
as follows from:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/
prod_white_paper0900aecd803645b5.pdf
"...When the Easy VPN negotiation is successful, the line protocol state of the virtual access
interface gets changed to up. When the Easy VPN tunnel goes down because the security
association expires or is deleted, the line protocol state of the virtual access interface changes to
down..."
Based on the partial configuration shown, which additional configuration parameter is needed
under the GET VPN group member GDOI configuration?
Answer: A
Explanation:
Answer:
Explanation:
http://www.cisco.com/en/US/docs/ios/12_4/ip_addr/configuration/guide/
hadnhrp_ps6350_TSD_Products_Configuration_Guide_Chapter.html and
http://blog.ine.com/2008/08/02/dmvpn-explained/ shows this also is this:
6) NHRP Registration is used for ease of support/creation of dynamic tunnels but is not the
same as 1) NHRP Authentication string. Authentication is recommended to help keep multiple
NHRP domains separate from each other.
2) NHRP network ID is used to differentiate multiple NHRP domains. So:
a – 4
b – 3: Prior to Cisco IOS Release 12.3(11)T, all mGRE interfaces required the configuration of a
tunnel ID key. Multipoint tunnels require that you configure a tunnel key. Otherwise, unexpected
GRE traffic could easily be received by the tunnel interface. However, for simplicity, it is
recommended that the tunnel key correspond to the NHRP network identifier.
c – 5
d – 6
Original dump had 4,1,5,6 rather than 4,3,5,6, with this explanation:
NHRP Hold Time – When this expires, the network ID is no longer valid
NHRP Authentication string – This needs to be the same for all mGRE tunnels on the network
NHRP NHS – This is used for NBMA networks
NHRP Registration – This is used for DMVPN tunnel hubs and spokes to authenticate themselves
To make registration possible, you configure each NHC (Client/spoke) with the IP address of at
least one NHS (server/hub). In turn, NHS acts as a database agent, storing all registered
mappings, and replying to NHC queries.
The NHS will keep the registration request cached for the duration of the hold-time, and then, if no
registration update is received, will time it out. One can adopt NHRP to work with “simulated
NBMA” networks, such as mGRE tunnels.
The commands ip nhrp network-id and ip nhrp authentication [Key] identify and authenticate the
logical NHRP network. The [ID] and the [Key] must match on all routers sharing the same GRE
tunnel. It is possible to split an NBMA medium into multiple NHRP networks
Answer:
Explanation:
There are various reasons for the interface to go into errdisable. The reason can be:
BPDU guard violation
DHCP snooping rate-limit reached
Port channel misconfiguration
Reference:
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00806cd87b.shtml
When you are configuring a hub-and-spoke DMVPN network, which tunnel mode should you use
for the spoke router configuration?
A. GRE multipoint
B. Classic point-to-point GRE
C. IPsec multipoint
D. Nonbroadcast multiaccess
Answer: B
Explanation:
http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_2_Phase2.html
The hub-and-spoke deployment model is the most common deployment model. This model is the
most scalable, and predominately mimics traditional Layer 2 leased line, Frame Relay, or ATM
hub-and-spoke networks. The headend is configured with a multipoint GRE (mGRE) interface, and
the branch with a point-to-point (p2p) GRE interface.
Answer:
Explanation:
True Positive – The IPS or IDS sensor acted as a consequence of malicious activity. This
represents normal and optimal operation.
True Negative – The IPS or IDS sensor did not take action, even though there was malicious
activity. This represents an error.
False Positive – The IPS or IDS sensor acted as a consequence of non-malicious activity. This
represents an error, generally caused by signatures that are too relaxed.
False Negative – The IPS or IDS sensor did not take action, because there was no malicious
activity. This represents normal and optimal operation.
Answer:
Explanation:
http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configur
ation/guide/Sw8021x.html
• force-authorized—disables 802.1X and causes the port to transition to the authorized state
without any authentication exchange required. The port transmits and receives normal traffic
Answer:
Explanation:
The default order for authentication methods is 802.1X, and then MAB, then web-based
authentication.
If fallback authentication methods are not enabled or are not successful, and if a guest VLAN is
configured, the switch assigns the client to a guest VLAN that provides limited services.
If the switch receives an invalid identity from an 802.1X-capable client and a restricted VLAN is
specified, the switch can assign the client to a restricted VLAN that provides limited services.
If the RADIUS authentication server is unavailable (down) and inaccessible authentication bypass
is enabled, the switch grants the client access to the network by putting the port in the critical-
authentication state in the user-specified critical VLAN. Release 12.2(33)SXJ1 and later releases
support configuration of critical voice and data VLANs.
Restrict
If the switch receives an invalid identity from an 802.1X-capable client and a restricted VLAN is
specified, the switch can assign the client to a restricted VLAN that provides limited services.
Guest
If fallback authentication methods are not enabled or are not successful, and if a guest VLAN is
configured, the switch assigns the client to a guest VLAN that provides limited services.
NOTE: You can configure a VLAN to be both the guest VLAN and the restricted VLAN if you want
to provide the same services to both types of users.
If 802.1X authentication times out while waiting for an EAPOL message exchange, the switch can
use a fallback authentication method, such as MAC authentication bypass (MAB) or web-based
authentication (webauth), if either or both are enabled:
If MAC authentication bypass is enabled, the switch relays the client’s MAC address to the AAA
server for authorization. If the client’s MAC address is valid, the authorization succeeds and the
switch grants the client access to the network.
If web-based authentication is enabled, the switch sends an HTTP login page to the client. The
Reference:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dot1x.
html#wp1133480
Answer:
Explanation:
http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html
Answer:
Explanation:
Box 1 – EAP-TTLS
Box 2 – EAP-FAST
Box 3 – EAP-TLS
Box 4 – EAP-MD5
EAP-MD5
EAP-MD5 is the only IETF Standards Track based EAP method - it is not recommended for use by
Cisco
PEAP
The Protected Extensible Authentication Protocol, also known as Protected EAP or simply PEAP,
is a protocol that encapsulates EAP within a potentially encrypted and authenticated Transport
Layer Security (TLS) tunnel. PEAP uses the TLS channel to protect a second EAP exchange,
called the "inner" EAP exchange. PEAP's major advantage is support from Microsoft
EAP-GTC
EAP-GTC is an EAP method created by Cisco as an alternative to PEAPv0/EAP-MSCHAPv2.
EAP-GTC carries a text challenge from the authentication server, and a reply generated by a
security token.
EAP-FAST
EAP-FAST (Flexible Authentication via Secure Tunneling) is a protocol proposal by Cisco Systems
as a replacement for LEAP.
The protocol was designed to address the weaknesses of LEAP while preserving the "lightweight"
implementation. Use of server certificates is optional in EAP-FAST. EAP-FAST uses a Protected
Access Credential (PAC) to establish a TLS tunnel in which client credentials are verified. EAP-
FAST has three phases.
EAP-TTLS
EAP-TLS
EAP-Transport Layer Security (EAP-TLS), defined in RFC 5216, is an IETF open standard, and is
well supported among wireless vendors. The security of the TLS protocol is strong, provided the
user understands potential warnings about false credentials. It uses PKI to secure communication
to a RADIUS authentication server or another type of authentication server. Unlike most HTTPS
client implementations like major web browsers, most EAP-TLS implementations require client
certificates, which some have identified as potentially dramatically reducing adoption of EAP-TLS.
EAP-TLS is the original, standard wireless LAN EAP authentication protocol. Although it is rarely
deployed, it is still considered one of the most secure EAP standards available and is universally
supported by all manufacturers of wireless LAN hardware and software.
Answer: A
Explanation:
Answer:
Explanation:
Traffic filtering measures
Transmission protection
Traffic conditioning features
Answer:
Explanation:
In a multiswitch environment, designate the interswitch links as trusted
NTP should be configured on switches to ensure correct handling of the DHCP snooping
database
ARP inspection rate limiting is the preferred way of handling DHCP starvation.