CISCO 642-637 EXAM QUESTIONS & ANSWERS

Number: 642-637
Passing Score: 800
Time Limit: 120 min
File Version: 36.5

http://www.gratisexam.com/

Exam Name: Securing Networks with Cisco Routers and Switches Exam

Upload: trankiet

Post on 24-Jun-2018



QUESTION 1
One commonly used feature in many companies is the remote wakeup feature. The problem, however, is that when using a standard 802.1X configuration the traffic that is sent to wake the device up is not allowed, disabling this functionality. Which of the following commands can be issued to permit this functionality without opening a security hole?

A. router(config-if)# authentication control-direction in
B. router(config)# authentication control-direction in
C. router(config)# authentication control-direction both
D. router(config-if)# authentication control-direction both

Correct Answer: A
Section: (none)
Explanation/Reference:
Explanation: You can use the authentication control-direction in command in interface configuration mode to permit inbound packets, including wake packets; it does not, however, permit any traffic outbound except EAPOL, CDP, and STP traffic until authenticated. The authentication control-direction both command is entered in interface configuration mode and requires that the port be authenticated before traffic other than EAPOL, CDP, or STP is permitted.

QUESTION 2
Which of the following is not one of the beneficial features of the Cisco IOS Software Certificate Server?

A. The Cisco IOS Software Certificate Server stores its database on the local flash memory of the router.
B. It can act as a root or a subordinate certificate authority.
C. It includes a backup function to create a backup of Cisco IOS Software Certificate Server keys and auxiliary files.
D. It provides enhancements that can simplify the management of the certificate life cycle, such as supporting automatic re-enrollment of clients to simplify certificate renewal.

Correct Answer: A
Section: (none)
Explanation/Reference:
Explanation: One of the factors that must be considered when selecting the proper router for hosting a certificate server is the location of the CRL. The Cisco IOS Software Certificate Server stores its database on the local flash memory of the router. High-volume environments might suffer long queue lengths because the individual data files must be written to the file system before the next certificate enrollment in the queue can be serviced.

QUESTION 3
Which of the following are optional for configuring a GET VPN group member? (Select two.)

A. Configure an IKE Policy.
B. Enable the GET VPN group member function.
C. Generate and configure Authentication Credentials.
D. Configure a Fail-Closed Policy.
E. Create and apply the GET VPN Crypto Map.

Correct Answer: AD
Section: (none)
Explanation/Reference:
Explanation: Two of the configuration tasks are optional:

Configure a nondefault IKE policy: It may be desirable to configure an IKE policy that has higher security settings than those in the default policy. Also consider configuring shorter SA lifetimes to reduce load on the key server, because IKE SAs do not need to remain after registration and policy download.

Consider using a Fail-Closed Policy: This can enhance the security posture and prevent packets from traversing the untrusted network while IPsec SAs are not yet established. There should still be exceptions to this to enable routing protocols and management traffic.

Authentication credentials, enabling the group member function, and applying the crypto map are all required configuration items for the group members.

QUESTION 4
Full tunneling remote access VPN solutions enable clients to access almost all internal network assets. What is another benefit of using full tunneling remote access VPN?

A. Requires installation of an SSL VPN on client systems
B. Limited user training
C. Used on managed devices that are typically more trusted
D. Administrative privileges required to install the VPN client

Correct Answer: B
Section: (none)
Explanation/Reference:
Explanation: One of the benefits of using a full tunneling remote access VPN is that it does not require any user training except for initiating and terminating the VPN connection.

QUESTION 5
Which of the SAFE design principles provides a basis for network designs that enable accelerated provisioning and easier troubleshooting and maintenance?

A. Modularity and Flexibility
B. Auditable and Measurable Controls
C. Service Availability and Resiliency
D. Operational Efficiency

Correct Answer: D
Section: (none)
Explanation/Reference:
Explanation: The Operational Efficiency principle attempts to increase the operational efficiency of the network. This is done by designing a network that can have accelerated provisioning and is easier to troubleshoot and maintain. The Modularity and Flexibility principle attempts to set up a design that is modular and can easily adapt. The Auditable and Measurable Controls principle provides for a network that is easily audited, to help maintain a close eye on operational data. The Service Availability and Resiliency principle addresses the need for the network to have high service availability and as much resiliency as possible.

QUESTION 6
When developing a security policy, a number of reasons can make the policy ineffective and weak. Which of the following are some of these things to watch for? (Choose all correct answers.)

A. Lack of biometric control
B. Lack of a written security policy
C. Lack of continuity
D. Lack of correct equipment selection

Correct Answer: BC
Section: (none)
Explanation/Reference:
Explanation: The enforcement of a security policy is hard enough without turnover of company staff; in the modern work environment, many people change jobs. As this happens, it is harder to ensure that a security policy is followed because the policy must be relearned by each individual; this is what is addressed by lack of continuity. Many policies within companies are not written and are simply passed from person to person; this type of policy is almost impossible to enforce over time because the purpose of the original policy is lost over multiple exchanges. Writing the policy down and enforcing it makes enforcement easier. The selection of the correct equipment does not typically affect the effectiveness of a security policy. Although the lack of biometric control options might hurt the security of the company, it does not affect the effectiveness of the security policy.

QUESTION 7
The Content Addressable Memory (CAM) table on a switch is maintained to increase the switching speed of traffic by tracking which devices are associated with which switchport. To be practical, the entries in this table must time out at some point to enable devices to move switchports. What is the default timeout for this table?

A. 10 minutes
B. 30 minutes
C. 5 minutes
D. 30 seconds

Correct Answer: C
Section: (none)
Explanation/Reference:
Explanation: By default, the entries in the CAM table are set to time out after 5 minutes of inactivity. Although the timeout is configurable, raising it both limits the capability of the switch to support devices that move from switchport to switchport and increases the chance of a successful CAM spoofing attack, because the bogus entries would remain in the table longer.

QUESTION 8
Which VPN technology is not appropriate to use over public networks (Internet)?

A. Cisco Easy VPN
B. Individual IPSEC tunnels
C. Dynamic Multipoint VPN (DMVPN)
D. Group Encrypted Transport (GET) VPN

Correct Answer: D
Section: (none)
Explanation/Reference:
Explanation: Cisco GET VPN employs a mixed encapsulation in which the IP addressing of the packets does not get changed as it is encapsulated. Because of this, it can be deployed only over networks that can route the internal addresses, such as MPLS or private WAN circuits. GET VPNs cannot be deployed over the Internet because of this.

QUESTION 9
What are the two prominent technologies that support routable interfaces for Cisco IOS VPNs? (Select two.)

A. Dynamic Multipoint VPN (DMVPN)
B. Virtual tunnel interface (VTI)
C. Group Encrypted Transport (GET) VPN
D. Point-to-Point VPN

Correct Answer: AB
Section: (none)
Explanation/Reference:
Explanation: Routing protocols are ideal technologies to use with tunnel-based IPsec VPNs because the IPsec tunnels are routable interfaces to Cisco IOS Software. Two of the prominent technologies that support this functionality are IPsec Virtual Tunnel Interfaces (VTI) and the Dynamic Multipoint VPN (DMVPN) architecture.

QUESTION 10
When configuring a Cisco IOS device for use as a zone-based firewall, which of the following is used to configure it?

A. VRF
B. AIC
C. MQC
D. C3PL

Correct Answer: D
Section: (none)
Explanation/Reference:
Explanation: Cisco Common Classification Policy Language (C3PL) configures a device as a zone-based firewall. The Modular QoS CLI (MQC) configures device QoS features. Application Inspection and Control (AIC) performs deep packet inspection for use with Layer 5 through 7 zone-based firewalls. Virtual Routing and Forwarding (VRF) creates virtual routing instances on a single device.

QUESTION 11
If a network has a group of addresses (192.168.1.0/24) that need to be translated through a router onto the Internet with a single address of 64.28.85.16, which of the following commands would be used to create the address pool named ciscopress-pool? (Select all that apply.)

A. router(config)# ip nat pool ciscopress-pool 64.28.85.16 64.28.85.16 netmask 255.255.255.0
B. router(config)# ip nat pool ciscopress-pool 192.168.1.1 192.168.1.254 netmask 255.255.255.0
C. router(config)# ip nat pool ciscopress-pool 64.28.85.16 64.28.85.16 prefix-length 24
D. router(config)# ip nat pool ciscopress-pool 192.168.1.1 192.168.1.254 prefix-length 24

Correct Answer: AC
Section: (none)
Explanation/Reference:
Explanation: The correct command syntax to create a NAT pool is ip nat pool pool-name start-ip end-ip [netmask netmask | prefix-length prefix-length]; either the netmask or prefix-length keyword can be used, depending on the preference of the person configuring the router. In this scenario the pool of addresses includes a single outside address of 64.28.85.16; the inside range of addresses would be configured for NAT with an access list, not a NAT pool.

QUESTION 12
Which of the following authentication mechanisms are appropriate for a DMVPN on a hub-and-spoke network? (Select two.)

A. Extensible Authentication Protocol
B. Preshared keys
C. Challenge-Handshake Authentication Protocol
D. PKI-based IKE

Correct Answer: BD
Section: (none)
Explanation/Reference:
Explanation: When deploying a DMVPN, choices for topology, number of hubs, and authentication type are required prior to implementation. For a hub-and-spoke topology, you can use either PKI-based IKE or preshared key authentication. The Challenge-Handshake Authentication Protocol (CHAP) authenticates a user or network host to an authenticating entity. Extensible Authentication Protocol (EAP) is an authentication framework used for wireless networks and point-to-point connections. Neither CHAP nor EAP is used in DMVPNs.

QUESTION 13
When implementing the new digitally signed IOS images feature, there are three different types of keys used. Which of the following is NOT one of these key types?

A. Master
B. Production
C. Rollover
D. Special

Correct Answer: A
Section: (none)
Explanation/Reference:
Explanation: When implementing the new digitally signed IOS images, there is no use of a master key type. The valid key types include Production, Special, and Rollover.

QUESTION 14
One of the main methods you can use to protect against a DHCP server spoofing attack is the DHCP snooping feature. When using DHCP snooping, in which of the following situations are packets NOT automatically denied?

A. A packet is received from a DHCP server on an untrusted switchport.
B. A packet is received from a DHCP server on a trusted switchport.
C. A packet is received on a switchport that does not match the contents of the DHCP snooping table.
D. A packet is received from a DHCP relay agent that does not match 0.0.0.0.

Correct Answer: B
Section: (none)
Explanation/Reference:
Explanation: A packet received on a trusted switchport is always permitted. Any traffic coming from an unauthorized DHCP server on an untrusted port will be denied. If a packet is received on an untrusted switchport without having an entry in the DHCP snooping database, it will be denied. A packet received from a DHCP relay agent that does not match 0.0.0.0, or a packet that the relay agent forwards with option-82 information, will be denied.

QUESTION 15
To understand the way that different threats are carried out, they must be analyzed and categorized. Which of the following major categories address threats? (Choose all correct answers.)

A. Structured threats
B. Unstructured threats
C. DoS Threats
D. Reconnaissance threats

Correct Answer: AB
Section: (none)
Explanation/Reference:
Explanation: Threats are categorized into two categories: structured and unstructured. Structured threats are typically organized to breach a specific target and are typically preplanned. Unstructured threats are more common and are typically unplanned, and include things such as scanning, simple scripts, and other opportunistic attack tools. A reconnaissance threat is not a major category; this type of threat is defined as threats attempting to figure out a variety of different pieces of information that can be used to later exploit a target. A DoS threat is also not a major category; this type of threat involves attempts to bring down the specific target by overloading the resources of the target.

QUESTION 16
What are the key components that compose the GET VPN architecture? (Choose two.)

A. Authentication server
B. Supplicant
C. Key servers
D. Group members

Correct Answer: CD
Section: (none)
Explanation/Reference:
Explanation: Group Controller/Key Servers (GCKS), also known as key servers (KSs), and group members are the two key components that compose the GET VPN architecture. Authentication servers and supplicants are key components in 802.1X authentication.

QUESTION 17
In environments running a redundant solution using two DMVPNs with dynamic spoke-to-spoke tunnels, you can have two or more GRE tunnel sessions between the same two spokes. What command creates the necessary single IPsec SA database?

A. crypto ipsec sa redundant
B. ip split sa
C. tunnel protection ipsec profile shared
D. ipsec dual SA

Correct Answer: C
Section: (none)
Explanation/Reference:
Explanation: The tunnel protection ipsec profile shared command creates a single IPsec SADB for all tunnel interfaces that use the same profile and tunnel source interface. This enables the same IPsec SA to secure all GRE tunnels (same source and destination but different tunnel key).

QUESTION 18
Which network security element is a focus of potential attack because of its responsibility in securing the perimeter of the network?

A. Switch
B. Router
C. Server
D. Firewall

Correct Answer: D
Section: (none)
Explanation/Reference:
Explanation: The firewall is the network security element tasked with securing the borders of the network. Because it is the "front door" of the network, it is constantly under attack from outside sources. A server is not responsible for network border security; a server is responsible for running applications and for storing data used on the network. A router by itself is not responsible for network border security. Although some routers support firewall functionality, a router's responsibility is to control the path of traffic throughout the network. A switch is also not responsible for network border security; the switch is responsible for switching traffic between a number of different network devices.

QUESTION 19
Which network topology is in use when two sites interconnect using a secure VPN using point-to-point connectivity?

A. Hub-and-spoke network
B. Star topology network
C. Individual point-to-point VPN connection
D. Fully meshed network

Correct Answer: C
Section: (none)
Explanation/Reference:
Explanation: The individual point-to-point VPN connection: Two sites connect to each other using secure VPN technologies. Each required connection between two sites requires manually creating a VPN connection.

The hub-and-spoke network: There is a central site considered to be a hub, and all other sites (the spokes) peer only with the hub. Most traffic patterns exist from spoke to hub, but connectivity between spokes can be relayed through the hub site.

The partially meshed network: Multiple sites requiring connectivity with other sites. VPNs are built as the need arises, so each site will have multiple VPN connections to several other sites.

The fully meshed network: Multiple sites that have a VPN connection to each and every other site. This topology provides the most optimal traffic flow.

QUESTION 20
When configuring Flexible Packet Matching (FPM), two different class-map types are supported. Which of the following class-map types are supported? (Select all that apply.)

A. Access-control
B. Stack
C. Inspect
D. Urlfilter

Correct Answer: AB
Section: (none)
Explanation/Reference:
Explanation: The two different class-map types that are supported for use with FPM are stack and access-control. The urlfilter and inspect class-map types are used when setting up a zone-based firewall.

QUESTION 21
If configuring URL filtering, which of the following GLOB expressions matches the characters from a through f?

A. (a-f)
B. (af)
C. [af]
D. [a-f]

Correct Answer: D
Section: (none)
Explanation/Reference:
Explanation: When using GLOB, the correct expression that would match the characters from a through f is [a-f]. The [af] expression would match 'a' and 'f' but not the characters in between. The expression using parentheses is not used in GLOB expressions.

QUESTION 22
Cisco Integrated Services Routers (ISR) can implement the Cisco IPS sensor functionality by using the router's main CPU to analyze packets. What are software-based IPS sensors limited by? (Select two.)

A. Signature engine
B. Interfaces
C. CPU
D. Memory

Correct Answer: CD
Section: (none)
Explanation/Reference:

QUESTION 23
Cisco IOS Software supports what type of peer authentication mechanisms for VTI-based site-to-site IPsec VPNs?

A. Preshared keys.
B. All the answers are correct.
C. None of the answers are correct.
D. RSA encrypted nonces.
E. RSA signatures.

Correct Answer: B
Section: (none)
Explanation/Reference:
Explanation: Cisco IOS Software provides support for preshared keys, Rivest, Shamir, and Adleman (RSA) encrypted nonces, and RSA signatures to authenticate IPsec peers.

QUESTION 24
When configuring a Cisco PKI client, the command necessary to authenticate the PKI Certificate Authority is which of the following?

A. crypto pki enroll
B. show crypto pki server
C. crypto pki authenticate trustpoint
D. crypto pki trustpoint

Correct Answer: C
Section: (none)
Explanation/Reference:
Explanation: A PKI client authenticates the CA by obtaining its self-signed certificate. The command used to request the CA certificate from the enrollment URL over SCEP is the crypto pki authenticate trustpoint command.

QUESTION 25
Dividing the product of the Attack Severity Rating (ASR), Target Value Rating (TVR), and Signature Fidelity Rating (SFR) by 10,000 is the formula that results in what?

A. FRR - Facility Risk Rating
B. CRR - Credit Risk Rating
C. ORR - Obligor Risk Rating
D. ERR - Event Risk Rating

Correct Answer: D
Section: (none)
Explanation/Reference:
Explanation: The event risk rating (ERR) calculation that follows uses several components from an intrusion event. The Attack Severity Rating (ASR) is assigned to each signature by the Cisco IPS sensor. The Target Value Rating (TVR) is assigned to each asset and is used to assign value to a particular asset. The Signature Fidelity Rating (SFR) is assigned to each asset and is used to assign value.

ERR = ASR * TVR * SFR / 10,000

QUESTION 26
What is the benefit of leveraging an existing authentication database such as Windows Active Directory in an 802.1X implementation?

A. A trusted network path enables an anonymous EAP-FAST implementation.
B. Deployment might be transparent to users.
C. Supports the software distribution mechanism in use by the organization.
D. Enables a choice of compatible supplicants.

Correct Answer: B
Section: (none)
Explanation/Reference:
Explanation: Because 802.1X authentication requires several technologies to work together, upfront planning can help ensure the success of the deployment. Part of this planning involves gathering important input information:

Determine the list of LAN switches that currently enable unauthorized users full access to the network. Use this list to determine which of these devices should be configured with 802.1X and the feature availability on the switches.

Determine what authentication database (such as Windows AD) is used for user credentials. This enables you to determine if you can leverage the same one and make the 802.1X deployment transparent to your users.

Determine the software distribution mechanism in use by the organization. This affects provisioning and supporting the supplicant on current and future client workstations.

Determine if the network path between the supplicant and the authentication server is trusted. A trusted network path enables an anonymous EAP-FAST implementation, whereas a nontrusted network path requires separate EAP-FAST credentials.

QUESTION 27
When configuring the zone-pairs for a zone-based policy firewall, in what situation does a second zone-pair NOT need to be configured? (Select all that apply.)

A. The first zone-pair does not use stateful inspection.
B. Only expecting TCP traffic.
C. The first zone-pair uses stateful inspection.
D. Only expecting return traffic.

Correct Answer: CD
Section: (none)
Explanation/Reference:
Explanation: The configuration of a second zone-pair is not required when the only expected traffic is the return traffic for sessions initiated by the source; for this to work, however, the first zone-pair must be configured to perform stateful inspection to track the sessions. Only the TCP traffic that was initiated from the source zone is permitted back with this configuration.

QUESTION 28
A number of different SNMP security levels can be used. Which of these SNMP levels is supported by SNMPv2c? (Select all that apply.)

A. noAuthnoPriv
B. noAuthPriv
C. AuthPriv
D. AuthnoPriv

Correct Answer: A
Section: (none)
Explanation/Reference:
Explanation: The noAuthnoPriv SNMP security level uses only a community string for authentication and is the only security level supported by SNMP versions 1 and 2c. The AuthnoPriv security level uses MD5 or SHA for authentication and no encryption. The AuthPriv security level uses MD5 or SHA for authentication and DES, 3DES, or AES for encryption. Encryption cannot happen without authentication, so the noAuthPriv security level is not possible.

QUESTION 29
Which of the following is not an authentication method that can be used in EZVPN implementations?

A. XAUTH
B. AAA
C. TACACS+
D. IPSEC
E. RADIUS

Correct Answer: C
Section: (none)
Explanation/Reference:
Explanation: IPSEC (IP Security) is a type of encrypted tunnel that is used by many VPN technologies but is not a type of authentication mechanism.

XAUTH should be used to provide additional authentication for remote access users. It can also be used to provide per-user services such as per-user IP addresses or access rules.

This topic provides configuration guidance for implementing XAUTH with a local user account configured on the Easy VPN Server.

However, it can very easily be configured to use AAA authentication methods to leverage the centralized nature of using RADIUS, TACACS+, or other authentication protocols.

QUESTION 30
Which of the following profile types enables dynamic Virtual Tunnel Interfaces (DVTIs) to match on a single peer, multiple peers, or even no peers based on the identity information received during the IKE negotiations?

A. IKE peering profile
B. IPsec protection profile
C. ISAKMP profile
D. IPsec transform set

Correct Answer: C
Section: (none)
Explanation/Reference:
Explanation: Another feature of Cisco IOS Software, called ISAKMP profiles, is required to use dynamic Virtual Tunnel Interfaces (DVTI). ISAKMP profiles contain a set of match statements used to define a peer or set of peers. ISAKMP profiles can match on a single peer, multiple peers, or even no peers based on the identity information received during the IKE negotiations.

QUESTION 31
Which of the following are recommended when configuring static point-to-point VTI tunnels? (Choose all that apply.)

A. Make sure that the tunnel destination is learned over the physical interface and not the tunnel interface.
B. All the answers are correct.
C. Use unnumbered IP addresses.
D. Use dynamic routing protocols.
E. Create a custom transform set.

Correct Answer: B
Section: (none)
Explanation/Reference:
Explanation: A custom transform set is recommended because there is a chance that the default transform set with higher priority uses 3DES as its encryption algorithm, which may cause lower performance on some platforms.

Consider the following when configuring static point-to-point VTI tunnels:
- It is recommended that the VTI tunnel use unnumbered IP addressing to conserve IP address space.
- Using dynamic routing protocols instead of static routing statements will increase the scalability and manageability of a VTI-based VPN deployment.
- To prevent recursive routing lookups, make sure that the tunnel destination is learned over the physical interface and not the tunnel interface.

QUESTION 32
When implementing the Control Plane Protection (CPPr) port filtering feature, it has the capability to block based on TCP or UDP port numbers. At what point in the forwarding path does this feature drop the specified traffic?

A. Before the IP input queue
B. After the IP input queue
C. Before the CEF input forwarding path
D. After the control feature path

Correct Answer: A
Section: (none)
Explanation/Reference:
Explanation: When the CPPr port filtering feature drops a packet, it is done before the traffic enters the IP input queue. Traffic must be classified as destined for the control plane before any CPPr action is taken, which is why it is not done before or after the CEF input forwarding path. At the point where traffic reaches the control feature path, it has already traversed the IP input queue.

QUESTION 33
One of the most commonly used security features on a switch is port security. Which of the following options correctly explains how a sticky secure MAC address works?

A. The MAC address of a newly connected device is added to both the CAM table and to the running configuration.
B. The MAC address of a newly connected device is added to the CAM table.
C. The MAC address of a device is manually entered into the CAM table.
D. The MAC address of a device is preconfigured into the running configuration.

Correct Answer: A
Section: (none)
Explanation/Reference:
Explanation: A sticky secure MAC address is dynamically learned and entered into the CAM table and into the running configuration; however, the information that has been added to the running configuration cannot survive a reboot unless it is saved to the startup configuration. The only way to manually enter a MAC address into the CAM table is by using a static entry in the running configuration. A dynamic MAC address is dynamically learned and entered into only the CAM table.

QUESTION 34
Which of the following certificate types is a document that binds together an entity's name and its public key and is signed by the certificate authority so that every other end user entity can verify it (by virtue of having the CA's public key already)?

A. X.509
B. XML
C. RS530
D. RS232

Correct Answer: A
Section: (none)
Explanation/Reference:
Explanation: X.509 is a well-known standard that defines the basic PKI data formats, such as the certificate itself and the certificate revocation list (CRL) formats, to enable basic interoperability. The format defined by the X.509 standard is used extensively in today's networks.

QUESTION 35
Regardless of the size of an organization's network, employing security measures at the appropriate layer is important. At which of the following layers can device hardening and routing protocol authentication be implemented? (Select all that apply.)

A. Core layer
B. Management layer
C. Distribution layer
D. Access layer

Correct Answer: ACD
Section: (none)
Explanation

Explanation/Reference:
Explanation: For large enterprises, device hardening and routing protocol authentication are important at the distribution layer and can also be implemented at the core layer (Figure 3-1). Small and medium businesses (SMBs) typically do not deploy the network using the Cisco hierarchical network design model, so the services of all three layers are configured on the same devices; in that case the security controls found at the access layer of the enterprise model need to be configured on all devices (Figure 3-2). The Cisco hierarchical network design model does not include a management layer.
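As an added example that is not part of the original exam material, the configuration below shows what "device hardening" and "routing protocol authentication" look like on a Cisco IOS router that is both a distribution and an access device, as in the SMB case above. Interface names, addresses, key names and the password placeholders are assumptions.

```cisco
! Added example: device hardening plus routing protocol authentication (hypothetical names and addresses)
!
! --- Management plane hardening ---
service password-encryption
no service tcp-small-servers
no service udp-small-servers
no ip http server
! CDP leaks platform and address details; disable it where nothing (such as IP phones) depends on it
no cdp run
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
! Slow down brute force: block logins for 120 s after 3 failures within 60 s
login block-for 120 attempts 3 within 60
! Only the management subnet may open a VTY session, and only over SSH
ip access-list standard ACL-MGMT
 permit 10.0.0.0 0.0.0.255
line vty 0 4
 access-class ACL-MGMT in
 transport input ssh
 exec-timeout 5 0
!
! --- Routing protocol authentication: EIGRP AS 100 with a key chain ---
key chain EIGRP-KEYS
 key 1
  key-string <shared-secret>
interface GigabitEthernet0/0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
!
! --- Routing protocol authentication: OSPF MD5 on every interface in area 0 ---
interface GigabitEthernet0/1
 ip ospf message-digest-key 1 md5 <shared-secret>
router ospf 1
 area 0 authentication message-digest
!
! Verification: neighbours must re-form once both sides carry the same key
show ip eigrp neighbors
show ip ospf neighbor
```

Apply the key on both ends of each link before expecting adjacencies to come back; a neighbour with a mismatched key simply disappears from the neighbour table, which is the behaviour you want against an unauthorised router but looks like an outage during rollout.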

QUESTION 36
When configuring privileges on a Cisco IOS device, a range of privilege levels can be used. Which of the following shows the valid range of privilege levels?

A. 1-8
B. 0-8
C. 1-15
D. 0-15

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: Cisco IOS supports 16 privilege levels, 0 through 15. Level 0 allows only a handful of commands (disable, enable, exit, help, logout), level 1 is the default user EXEC level, and level 15 is privileged EXEC with full access. Levels 2 through 14 are free for custom command sets assigned with the privilege command.
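The following is an added example, not from the original exam material, of carving out a custom privilege level between user EXEC and privileged EXEC. The level number, username and password placeholders are assumptions.

```cisco
! Added example: a level-5 operator role that can view state and change only interface descriptions
! (hypothetical username and password placeholders)
!
! Move selected commands down to level 5. Note that "show running-config" at a level below 15
! displays only the commands that level is itself allowed to configure.
privilege exec level 5 show running-config
privilege exec level 5 configure terminal
privilege configure level 5 interface
privilege interface level 5 description
!
! Local account that lands directly in level 5 after login
username netops privilege 5 secret <strong-password>
! Password required to reach level 5 with "enable 5" from a lower level
enable secret level 5 <level5-password>
! Full administrative access stays at level 15
enable secret <admin-password>
!
! From a session, "show privilege" reports the current level;
! an operator at level 5 who types "enable" (level 15) is asked for the level-15 secret.
```

Moving `configure terminal` down is what makes the interface sub-command usable; without it the operator can never enter configuration mode, even though `description` is permitted at level 5.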

QUESTION 37
A number of timers are used by NAT to determine when specific protocol sessions are timed out. Which of the following timeouts is the default for ICMP?

A. 24 hours
B. 30 minutes
C. 1 minute
D. 5 minutes

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: The default NAT translation timeout for ICMP sessions is 1 minute (60 seconds). The default for TCP sessions is 24 hours (86,400 seconds), and the default for UDP sessions is 5 minutes (300 seconds). No protocol has a default timeout of 30 minutes. All of these values can be tuned with the ip nat translation command.

QUESTION 38
In the initial stages of configuration, the Cisco Easy VPN Server is able to assign IP addresses to the Cisco Easy VPN Remote to use as the "inner" IP address encapsulated under IPsec. This results in a known IP address from the client that will match against the IPsec policy. What protocol enables Cisco Easy VPN to accomplish this process?

A. SNMP
B. RIP
C. IKE
D. EIGRP

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: Internet Key Exchange (IKE) mode configuration allows a Cisco Easy VPN Server to push an IP address and other network parameters to the Cisco Easy VPN Remote as part of the IKE negotiation. In this exchange, the Cisco Easy VPN Server assigns the Cisco Easy VPN Remote an IP address to use as the "inner" IP address encapsulated under IPsec. This results in a known IP address from the client that will match against the IPsec policy.

RIP: Routing Information Protocol
EIGRP: Enhanced Interior Gateway Routing Protocol
SNMP: Simple Network Management Protocol

QUESTION 39
What is the name of the concept that implements multiple layers of defense, using multiple types of defense at each layer?

A. Security Control Framework
B. Data Confidentiality
C. Network Foundation Protection
D. Defense-in-Depth

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: Defense-in-Depth is a common concept that defines the implementation of multiple layers of security. Each of these layers runs different types of security methods; multiple layers of differing technologies can secure the network even if individual vulnerabilities exist. The Security Control Framework is a Cisco framework for ensuring network and service availability. Data confidentiality is the concept of keeping secured data readable only by those authorized to read it. Network Foundation Protection is another Cisco framework, tasked with protecting the infrastructure of the network.

QUESTION 40
The Cisco DMVPN feature combines the features and benefits of IPsec encryption and the Next Hop Resolution Protocol (NHRP). Which of the following tunnel modes provides a solution that easily provisions VPN peers?

A. Point-to-Point Tunneling Protocol (PPTP)
B. Challenge Handshake Authentication Protocol (CHAP)
C. Multipoint generic routing encapsulation (mGRE)
D. Point-to-Point Protocol (PPP)

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: All DMVPN members use either GRE or mGRE tunnel interfaces to build tunnels to other peer devices. A single mGRE interface can terminate tunnels to many peers, and NHRP lets spokes register with the hub dynamically, so adding a spoke requires no per-peer configuration on the hub; that is what makes provisioning peers easy. Point-to-point GRE provides a multiprotocol tunneling framework with optional dynamic routing but needs one tunnel interface per peer. CHAP authenticates a user or network host to an authenticating entity. PPP is a data-link protocol commonly used to establish a direct connection between two networking nodes. PPTP uses a GRE tunnel similar to DMVPN, except that it encapsulates PPP packets.

QUESTION 41
Network attacks are typically grouped into three main categories. Which of the following is not one of these categories?

A. Access attacks
B. Reconnaissance attacks
C. DoS attacks
D. Switching attacks

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: Although switching attacks exist, they are not one of the three main categories of network attack. Reconnaissance attacks are designed to discover information about an intended target, such as network addresses, operating system types, and which services are running. Access attacks are designed to exploit the target system or systems; if successful, the attacker gains access to the system for any number of purposes. A DoS attack is designed solely to interrupt service to a system or network.

QUESTION 42
NAT can be configured in a number of different ways. Which of the following is NOT one of these types?

A. Static
B. Overloaded
C. Local
D. Dynamic

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: "Local" is not a NAT type; the terms inside local and inside global describe addresses, not a way of configuring NAT. NAT can be configured statically, dynamically, or overloaded (also called PAT).
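As an added example that is not part of the original exam material, the configuration below shows the three NAT types from this question side by side and tunes the per-protocol timeouts from Question 37. Interface names, ACL numbers and all addresses are assumptions.

```cisco
! Added example: static, dynamic and overloaded NAT plus translation timeouts (hypothetical addresses)
!
! Inside and outside interfaces
interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
! 1. Static NAT: one inside host always maps to one public address (required when outside hosts must initiate)
ip nat inside source static 192.168.10.10 203.0.113.10
!
! 2. Dynamic NAT: hosts in 192.168.20.0/24 borrow a pool address one-to-one for the life of the translation
ip nat pool PUBLIC-POOL 203.0.113.20 203.0.113.30 netmask 255.255.255.0
access-list 10 permit 192.168.20.0 0.0.0.255
ip nat inside source list 10 pool PUBLIC-POOL
!
! 3. Overloaded NAT (PAT): hosts in 192.168.30.0/24 share the outside interface address, distinguished by port
access-list 20 permit 192.168.30.0 0.0.0.255
ip nat inside source list 20 interface GigabitEthernet0/1 overload
!
! Timeouts in seconds. Defaults: icmp 60, udp 300, tcp 86400.
! Shorter values free translation slots faster on a busy PAT gateway; too short breaks long idle TCP sessions.
ip nat translation icmp-timeout 30
ip nat translation udp-timeout 120
ip nat translation tcp-timeout 3600
!
! Verification
show ip nat translations verbose
show ip nat statistics
```

The two ACLs must not overlap: a packet that matches both a pool rule and an overload rule is translated by whichever rule IOS evaluates first, which makes troubleshooting confusing. `show ip nat translations verbose` prints the remaining lifetime of each entry, which is the quickest way to confirm the timeouts took effect.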

QUESTION 43
What mixture of security services for IPv4 and IPv6 does ESP encapsulation provide? (Select all that apply.)

A. Integrity
B. Availability
C. Authenticity
D. Confidentiality

Correct Answer: ACD
Section: (none)
Explanation

Explanation/Reference:
Explanation: Availability is not a service provided by any type of encryption; if anything, ESP carries a performance cost. ESP encapsulation provides a mixture of security services for IPv4 and IPv6: confidentiality, authenticity, and integrity of IP data. ESP also provides anti-replay protection: the data to be protected is encrypted and placed in the payload of the ESP packet, the packet is given a sequence number, and the ESP-encapsulated packet is authenticated, so a replayed or altered packet is rejected.
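The following DMVPN hub-and-spoke configuration is an added example, not from the original exam material. It illustrates the mGRE and NHRP point of Question 40 and the ESP services of Question 43: the transform set names the ESP cipher (confidentiality) and HMAC (integrity and authenticity), and `tunnel protection` applies it to the mGRE interface. Addresses, key names, the NHRP network ID and the pre-shared key placeholder are assumptions.

```cisco
! Added example: DMVPN hub and spoke over mGRE with an ESP IPsec profile (hypothetical addresses and keys)
!
! --- Common to hub and spokes: IKE policy, PSK and ESP transform set ---
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! Wildcard PSK so a new spoke needs no per-peer entry on the hub (certificates are the stronger choice)
crypto isakmp key <dmvpn-psk> address 0.0.0.0 0.0.0.0
! ESP with AES-256 (confidentiality) and SHA-HMAC (integrity and authenticity).
! "esp-null" would drop confidentiality; leaving out the HMAC would drop integrity and authenticity.
crypto ipsec transform-set TS-DMVPN esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set TS-DMVPN
!
! --- Hub: one mGRE interface terminates every spoke ---
interface Tunnel0
 ip address 10.255.0.1 255.255.255.0
 no ip redirects
 ip nhrp authentication <nhrp-key>
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
! --- Spoke: the hub's public address 203.0.113.1 is the only static mapping; everything else is learned via NHRP ---
interface Tunnel0
 ip address 10.255.0.2 255.255.255.0
 no ip redirects
 ip nhrp authentication <nhrp-key>
 ip nhrp map 10.255.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp nhs 10.255.0.1
 ip nhrp network-id 100
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
! Verification: NHRP registrations on the hub, ESP SAs and their anti-replay window on either side
show dmvpn
show crypto ipsec sa
```

Adding a third spoke means copying the spoke block with a new tunnel address; the hub configuration does not change, which is the provisioning advantage Question 40 asks about. `show crypto ipsec sa` shows the replay window and the counters of packets rejected for failed authentication or replay, the operational evidence of the ESP services listed above.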

QUESTION 44
The configuration of Control Plane Policing (CoPP) requires that the commands be entered while in control plane configuration mode. Which of the following commands would you use to enter control plane configuration mode for a distributed module in slot 1?

A. router(config)# control-plane slot 1
B. router(config)# control plane, router(config-cp)# slot 1
C. router(config)# control plane slot 1
D. router(config)# control-plane, router(config-cp)# slot 1

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation: When configuring distributed CoPP on a device, the configuration must be entered while in control plane configuration mode for that specific slot. To enter control plane configuration mode for a distributed module in slot 1, the correct command is control-plane slot slot-number, entered in global configuration mode. All other options are syntactically incorrect.

QUESTION 45
Identity Based Networking Services (IBNS) defines a framework for deployment that enables a smooth transition to a fully enforceable environment by following through a number of different deployment modes. Which of these modes enables differentiated access through policy-driven downloadable access control lists?

A. Low-Impact mode
B. High-Impact mode
C. Monitor mode

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation: The IBNS Low-Impact mode reduces known issues with other protocols' timeouts and networked services by enabling differentiated access through policy-driven downloadable access control lists. The IBNS High-Impact mode provides the highest level of LAN-based access security, in which access is not granted without authentication. The IBNS Monitor mode provides a method to assess the access control and policies of a network without enforcing them.

QUESTION 46
The route processor of a device is divided into two main parts. Which of the following parts are included? (Select all that apply.)

A. Management plane
B. Fast plane
C. Control plane
D. Data plane

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: The route processor of a device includes two main parts: the control plane and the central switch engine. The management and data planes are responsible for other functions on the device. A Fast plane can take someone from place to place faster than a Slow plane.

QUESTION 47
Which of the following are considered VPN failure modes?

A. None of the answers are correct.
B. Failure of a device.
C. Failure of the path between the VPN peers.
D. All the answers are correct.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: Failure of the path between the VPN peers: this path can fail without affecting the status of a local interface, which makes it difficult to recognize. Failure of a device, or of a network interface on the link adjacent to one of the VPN devices, which prevents one VPN peer from reaching the other: this is similar to the failure of a physical WAN interface in a traditional WAN and can be resolved with redundant interfaces or redundant devices with a secondary circuit.
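The hard case above is the path failure that leaves the local interface up. The following is an added example, not from the original exam material, of the two mechanisms used to detect it on a Cisco IOS IPsec peer and fail over to a backup tunnel. Timer values, interface names and prefixes are assumptions.

```cisco
! Added example: detecting a dead path or peer when the local interface stays up (hypothetical values)
!
! IKE Dead Peer Detection: send an R-U-THERE every 10 s, declare the peer dead after 3 missed replies,
! and tear down its IKE and IPsec SAs. "periodic" probes continuously rather than only when traffic is queued.
crypto isakmp keepalive 10 3 periodic
!
! GRE keepalives take the tunnel line protocol down when the far end stops answering.
! They work only on point-to-point GRE tunnels, not on mGRE (DMVPN relies on DPD and routing instead).
interface Tunnel0
 keepalive 10 3
!
! With the line protocol tracking reachability, a floating static route over a second tunnel
! (to a second peer or over a second circuit) takes over when Tunnel0 goes down.
ip route 10.20.0.0 255.255.0.0 Tunnel0
ip route 10.20.0.0 255.255.0.0 Tunnel1 250
!
! Verification: the SA should disappear within about 30 s of the peer going silent
show crypto isakmp sa
show interfaces Tunnel0 | include line protocol|Keepalive
```

Without DPD or keepalives, a broken path is noticed only when the SA lifetime expires and the rekey fails, which can be an hour or more of black-holed traffic while every interface on the router still reports up/up.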

QUESTION 48
What can be used to provide bidirectional authentication between clients and the Cisco Easy VPN Server to help mitigate man-in-the-middle attacks?

A. Digital Certificates
B. 802.1X
C. TACACS+
D. Gift Certificates

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation: Easy VPN solutions can be deployed using certificates instead of group passwords to provide bidirectional authentication between remote clients and the Easy VPN Server. This method of authentication requires every Easy VPN device to have an identity certificate provisioned by a trusted PKI, plus the CA certificate, in order to verify the peer's certificate during IKE peer authentication. Certificate-based Easy VPN implementations mitigate the MITM issue created by using group passwords, because a shared group password can be learned by anyone in the group and used to impersonate the server.
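The following Easy VPN Server configuration is an added example, not from the original exam material. It ties Question 38 and Question 48 together: the `crypto isakmp client configuration group` block holds the attributes pushed by IKE mode configuration, and `authentication rsa-sig` in the IKE policy replaces the group password with certificate-based peer authentication. It assumes the router is already enrolled in a PKI; the group name, pool, addresses and password placeholders are assumptions.

```cisco
! Added example: Easy VPN Server with IKE mode configuration and certificate authentication
! (hypothetical names and addresses; assumes an enrolled PKI trustpoint already exists)
!
aaa new-model
aaa authentication login EZVPN-XAUTH local
aaa authorization network EZVPN-GROUP local
username alice secret <user-password>
!
! Phase 1. rsa-sig = certificate-based peer authentication. "pre-share" with a group password
! is the MITM-prone alternative the question refers to.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication rsa-sig
 ! DH group 2 is what the legacy Cisco VPN Client supports; use a stronger group where the client allows it
 group 2
!
! Attributes handed to the client by IKE mode configuration. With certificates, IOS selects the group
! from the OU field of the client certificate, so the client certificates are assumed to carry OU=REMOTE-USERS.
ip local pool EZVPN-POOL 10.10.10.1 10.10.10.254
crypto isakmp client configuration group REMOTE-USERS
 pool EZVPN-POOL
 dns 10.0.0.53
 domain example.com
 ! Split tunnel: only the corporate 10.0.0.0/8 goes through the tunnel
 acl 101
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
!
crypto ipsec transform-set TS-EZVPN esp-aes 256 esp-sha-hmac
crypto dynamic-map DYN-EZVPN 10
 set transform-set TS-EZVPN
 ! Inject a host route for each connected client's inner address
 reverse-route
!
! XAUTH user authentication, group authorization, and "respond" to mode-config address requests
crypto map CM-EZVPN client authentication list EZVPN-XAUTH
crypto map CM-EZVPN isakmp authorization list EZVPN-GROUP
crypto map CM-EZVPN client configuration address respond
crypto map CM-EZVPN 10 ipsec-isakmp dynamic DYN-EZVPN
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 crypto map CM-EZVPN
!
! Verification: the client's assigned inner address shows in the session detail
show crypto isakmp sa
show crypto session detail
```

Because the inner address is assigned from `EZVPN-POOL` before the IPsec SA is negotiated, the dynamic crypto map can match the client's traffic by that known address, which is the point Question 38 makes.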

QUESTION 49
When configuring 802.1X, one of the major problems is what to do when a device does not support it. Which of the following methods can you use to maintain support for these devices? (Select all that apply.)

A. Install a different Network Interface Card (NIC).
B. Implement Private VLANs.
C. Use MAC Authentication Bypass (MAB).
D. Disable 802.1X on the port that connects to the non-supporting device.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Explanation: When a device connected to a port cannot support 802.1X, one option is simply to disable 802.1X on the port it is connected to; this works but opens a security hole into the network. A second option is to implement the MAB feature, which works by keeping a MAC address database on the authentication server that is used to individually verify devices with specific MAC addresses. Implementing private VLANs would not affect 802.1X authentication. Support for 802.1X is typically part of the operating system; if the operating system does not support 802.1X, replacing the NIC would not change that.

QUESTION 50
When using the Cisco Secure ACS server, what is the navigation path used when importing a CA certificate that can identify client certificates?

A. System Configuration > ACS Certificate Setup > ACS Certificate Authority Setup
B. System Configuration > ACS Certificate Authority Setup
C. System Configuration > ACS Certificate Authority > Setup ACS Certificate Setup
D. System Configuration > ACS Certificate Setup

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation: The correct screen for importing a CA certificate that is used to identify client certificates is reached by following the System Configuration > ACS Certificate Setup > ACS Certificate Authority Setup path. None of the other options leads to the correct screen for this type of configuration.

QUESTION 51
Which of the following Cisco supporting management components performs the analysis of log data and transforms it into usable graphical information that security administrators can use to react efficiently to attacks and breaches against a variety of Cisco products, including IPS, firewalls, ISRs, and Cisco Catalyst switches?

A. Cisco Secure Access Control Server (ACS)
B. Cisco Security Monitoring, Analysis, and Response System (MARS)
C. Cisco Configuration Professional (CCP)
D. Cisco Security Manager (CSM)

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation: The Cisco Security Monitoring, Analysis, and Response System (MARS) is an application that performs the analysis of log data and transforms it into usable graphical information that security administrators can use to react efficiently to attacks and breaches. The Cisco Secure Access Control Server (CS ACS) is an authentication server that supports the TACACS+ and RADIUS protocols. Cisco Configuration Professional (CCP) is a graphical user interface (GUI) device management application for Cisco Integrated Services Routers (ISRs). Cisco Security Manager (CSM) is an application from Cisco that can deploy and manage security features on Cisco devices.


QUESTION 52
When using 802.1X on Cisco equipment, three port states are used. When using the auto port state, which of the following protocols is not automatically permitted while the port is unauthorized?

A. EAPOL
B. ARP
C. STP
D. CDP

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation: Regardless of authorization status, an 802.1X-enabled port always forwards EAPOL, CDP, and STP traffic, because those protocols are needed for the authentication exchange itself and for the switch's own neighbour and loop-prevention functions. Every other protocol, including Address Resolution Protocol (ARP), is dropped until the port is authorized; ARP is a local-segment protocol that plays no part in 802.1X authentication, so there is no reason to permit it beforehand.

QUESTION 53
One of the ways to configure Cisco Secure ACS includes an ability to assign interface VLANs based on the user or group being authenticated. Which of the following RADIUS attributes is used to configure the VLAN that will be assigned to the authenticated party?

A. Tunnel-Type
B. Tunnel-Assignment-ID
C. Tunnel-Medium-Type
D. Tunnel-Private-Group-ID

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: The RADIUS attribute used with Cisco Secure ACS to specify the VLAN issued to the authenticated user's interface is Tunnel-Private-Group-ID (81). The Tunnel-Medium-Type (65) attribute should be set to 802 and the Tunnel-Type (64) attribute should be set to VLAN when configuring this functionality. The Tunnel-Assignment-ID (82) attribute is not used in this configuration.
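The following switch configuration is an added example, not from the original exam material, that brings together Questions 45, 49, 52 and 53: 802.1X in low-impact mode with a pre-authentication ACL, MAB fallback for hosts without a supplicant, inbound-only control direction for Wake-on-LAN, and the RADIUS attribute triple the server returns to place the session in a VLAN. The RADIUS server address and secret, interface, VLAN numbers and ACL contents are assumptions, and the attribute values are configured on the AAA server, not on the switch.

```cisco
! Added example: 802.1X low-impact mode with MAB fallback and RADIUS-assigned VLAN (hypothetical values)
!
aaa new-model
aaa authentication dot1x default group radius
! "network" authorization is what lets the switch accept VLAN and ACL attributes from RADIUS
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius server ACS
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key <radius-secret>
dot1x system-auth-control
!
! Pre-authentication ACL for low-impact mode: an unauthenticated host may obtain an address and resolve
! names; everything else waits until the session is authorized and the ACL is replaced by the server's policy.
ip access-list extended PRE-AUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 deny ip any any
!
interface GigabitEthernet0/5
 switchport mode access
 switchport access vlan 10
 ip access-group PRE-AUTH in
 ! open = low-impact mode: forward per PRE-AUTH before authentication instead of blocking all traffic
 authentication open
 authentication port-control auto
 ! Try 802.1X first, fall back to MAB for printers and other hosts without a supplicant
 authentication order dot1x mab
 authentication priority dot1x mab
 ! Let Wake-on-LAN magic packets reach a sleeping host; outbound is still limited to EAPOL, CDP and STP
 authentication control-direction in
 mab
 dot1x pae authenticator
 ! Shorter supplicant timeouts so MAB fallback happens after roughly 30 s instead of 90 s
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
!
! Attributes in the RADIUS Access-Accept (configured on the AAA server) that place the session in VLAN 120:
!   Tunnel-Type (64)              = VLAN (13)
!   Tunnel-Medium-Type (65)       = IEEE-802 (6)
!   Tunnel-Private-Group-ID (81)  = 120          (a VLAN ID or a VLAN name known to the switch)
! A downloadable or per-user ACL is carried separately, for example as a cisco-av-pair
! such as "ip:inacl#1=permit ip any any", and replaces PRE-AUTH for that session.
!
! Verification: authorization method (dot1x or mab), assigned VLAN and applied ACL per session
show authentication sessions interface GigabitEthernet0/5
show dot1x interface GigabitEthernet0/5 details
```

Two failure modes worth checking: if the VLAN named in attribute 81 does not exist on the switch the session is rejected rather than placed in the access VLAN, and if `aaa authorization network` is missing the switch silently ignores all three attributes and leaves the host in VLAN 10.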

QUESTION 54
A number of different attack types focus on the data plane of a switch. Which of these attack types works by flooding the switch with frames in an attempt to fill up the switch's device association tables?

A. CAM flooding
B. IP spoofing
C. MAC Address spoofing
D. ARP spoofing

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation: The Content Addressable Memory (CAM) table is where a switch associates specific MAC addresses with specific switch ports; if this table is flooded until it is full, the switch floods all frames for unknown destinations out of every port, and the attacker can capture traffic that would otherwise never reach them. MAC address spoofing happens when a third-party device on a network attempts to fool other devices by using the same MAC address as a commonly used trusted device, for example a server or router. Address Resolution Protocol (ARP) spoofing works one of two ways: either by passively responding to ARP requests on a network so that the asking device transmits traffic to the attacking device, or by actively sending out gratuitous ARP (GARP) to make devices change their ARP tables to send traffic to the attacking device. IP spoofing happens when someone attempts to fool other devices on the network by using the same IP address as a commonly used trusted device.
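The following access-switch configuration is an added example, not from the original exam material, showing the controls that counter the ARP and IP spoofing attacks described above. (Port security, shown under Question 33, is the control that caps CAM flooding.) The VLAN, interface ranges and rate limit are assumptions.

```cisco
! Added example: DHCP snooping, Dynamic ARP Inspection and IP Source Guard (hypothetical VLAN and interfaces)
!
! DHCP snooping builds the binding table (IP, MAC, VLAN, port) that DAI and IP Source Guard validate against
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
!
! Dynamic ARP Inspection: drop ARP packets, including gratuitous ARP, whose sender IP/MAC do not match a binding
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! The uplink towards the DHCP server and the rest of the network is trusted for both features
interface GigabitEthernet0/24
 description Uplink
 ip dhcp snooping trust
 ip arp inspection trust
!
! Access ports stay untrusted. IP Source Guard drops IP packets whose source address is not in the
! binding table for that port, which defeats IP spoofing from a connected host.
interface range GigabitEthernet0/1 - 23
 switchport mode access
 switchport access vlan 10
 ip verify source
 ! Cap the ARP rate so an attacker cannot use DAI's own CPU inspection as a DoS (default is 15 pps)
 ip arp inspection limit rate 20
!
! Verification
show ip dhcp snooping binding
show ip arp inspection statistics vlan 10
show ip verify source
```

Hosts with static addresses have no DHCP binding and will be blocked by IP Source Guard and DAI; give them a static entry with `ip source binding` (a real IOS command) before enabling these features on their ports, or the rollout will look like a network outage for exactly the servers you care about most.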

QUESTION 55
Which of the following are enrollment protocols supported by Cisco IOS PKI clients? (Select all that apply.)

A. Public Key Cryptography Standards (PKCS) #10
B. Open Shortest Path First (OSPF)
C. Online Certificate Status Protocol (OCSP)
D. Simple Certificate Enrollment Protocol (SCEP)

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
Explanation: Several protocols are in use today for enrollment. Some of the common ones follow:

- File-based requests: The end user formats an enrollment request as a Public Key Cryptography Standards (PKCS) #10 message in a file. The file is transferred to the CA, which signs the request and returns a response file (commonly a PKCS #7 bundle) with the embedded certificate.
- Web-based requests: Used by web browsers and executed directly over the HTTP protocol.
- Simple Certificate Enrollment Protocol (SCEP): A lightweight, HTTP-based protocol for enrollment of network devices.

OSPF is an open-standard routing protocol and has nothing to do with certificate enrollment. OCSP is a protocol that provides real-time verification of certificates against a database of revoked certificates; it is a revocation-checking protocol, not an enrollment protocol.

QUESTION 56
What can be done to prevent client authentication issues caused by new self-signed X.509 certificates being generated on each reboot of an ISR? (Select all that apply.)

A. Configure basic user authentication.
B. Configure the ISR with basic SSL VPN gateway features.
C. Use a permanent self-signed certificate that is persistent.
D. Enroll the ISR in an existing PKI.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Explanation: By default, the ISR creates a new self-signed X.509 certificate on each reboot, which causes client warnings when attempting SSL VPN access, because a self-signed certificate cannot be verified against any trusted CA and the certificate the client saw last time no longer matches. This can be addressed in two ways:

- Create a permanent self-signed certificate that is persistent across reboots. This certificate can be saved on clients and trusted from then on, provided they accessed the ISR initially over a trusted network. That is usually not the case, so this approach is not recommended.
- Enroll the ISR into an existing PKI, with the clients authenticating the ISR identity certificate on each access by validating it against the CA certificate that signed it. This CA certificate must be provisioned on all clients for the authentication to work properly.
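The following is an added example, not from the original exam material, showing both remedies above on an ISR that hosts an SSL VPN gateway, using the SCEP enrollment method from Question 55 for the PKI option. Trustpoint names, the CA URL, subject names, the gateway address and key label are assumptions.

```cisco
! Added example: a stable identity certificate for an ISR SSL VPN gateway (hypothetical names and URLs)
!
! Key pair used by both options below (EXEC mode)
crypto key generate rsa label SSLVPN-KEYS modulus 2048
!
! Option 1: persistent self-signed certificate. It survives reboots once saved, but clients still have
! nothing independent to verify it against, so it is only as trustworthy as the first connection was.
crypto pki trustpoint TP-SELF
 enrollment selfsigned
 subject-name CN=vpn.example.com
 rsakeypair SSLVPN-KEYS
crypto pki enroll TP-SELF
!
! Option 2 (recommended): SCEP enrollment into the existing corporate CA.
crypto pki trustpoint CORP-CA
 ! An "enrollment url" selects SCEP; "enrollment terminal" would instead use a cut-and-paste PKCS#10 request
 enrollment url http://ca.example.com:80
 subject-name CN=vpn.example.com,OU=VPN,O=Example
 ! Consult the CRL so a revoked certificate is rejected
 revocation-check crl
 rsakeypair SSLVPN-KEYS
! Step 1 (EXEC): fetch the CA certificate. Compare the displayed fingerprint with the CA operator
! out of band before answering yes; accepting blindly is the one place a MITM could insert its own CA.
crypto pki authenticate CORP-CA
! Step 2 (EXEC): build the PKCS#10 request, send it over SCEP and install the returned identity certificate
crypto pki enroll CORP-CA
!
! Bind the SSL VPN gateway to the CA-issued certificate
webvpn gateway SSL-GW
 ip address 203.0.113.1 port 443
 ssl trustpoint CORP-CA
 inservice
!
! Neither certificate survives a reboot unless the configuration is saved
copy running-config startup-config
!
! Verification: both the CA certificate and the router's identity certificate should be listed
show crypto pki certificates
```

After enrollment, connect once from a client that has the CA certificate installed: the browser should show no warning, and `show crypto pki certificates` should show the same serial number after a reboot, which is the observable difference from the default regenerated-on-boot behaviour.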


QUESTION 57
When configuring a zone-based policy firewall, which of the following commands is used to associate an interface with a zone?

A. router(config-if)# zone security zone-name
B. router(config)# zone-member security zone-name
C. router(config)# zone security zone-name
D. router(config-if)# zone-member security zone-name

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: The correct command to associate an interface with a zone is zone-member security zone-name, issued in interface configuration mode. The zone security zone-name command, issued in global configuration mode, is used to create a zone.
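The following is an added example, not from the original exam material, of a complete zone-based policy firewall in which the `zone-member security` command from this question is the final step. Zone names, class and policy names and interfaces are assumptions.

```cisco
! Added example: zone-based policy firewall permitting only outbound web and DNS (hypothetical names)
!
! 1. Create the zones (global configuration mode)
zone security INSIDE
zone security OUTSIDE
!
! 2. Classify the traffic to be inspected
class-map type inspect match-any CM-WEB-DNS
 match protocol http
 match protocol https
 match protocol dns
!
! 3. Policy: stateful inspection for the class, drop and log everything else
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-WEB-DNS
  inspect
 class class-default
  drop log
!
! 4. Zone pair. Direction matters: return traffic is allowed by the inspection state,
!    not by a second pair in the OUTSIDE-to-INSIDE direction.
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
!
! 5. Assign interfaces to zones (interface configuration mode). Once an interface is in a zone it can
!    exchange traffic only with interfaces in the same zone or via a zone pair that has a policy;
!    traffic to and from the router itself belongs to the built-in "self" zone.
interface GigabitEthernet0/0
 description Inside LAN
 zone-member security INSIDE
interface GigabitEthernet0/1
 description Internet
 zone-member security OUTSIDE
!
! Verification
show zone-pair security
show policy-map type inspect zone-pair sessions
```

The ordering is deliberate: assigning an interface to a zone before the zone pair and policy exist cuts it off from every other zone immediately, so on a remotely managed router step 5 should come last and the management path should be checked against the self zone before committing.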
