642-504 - Securing Networks with Cisco Routers and Switches


Example Questions

For the following Cisco IOS Firewall features, which one allows the firewall to function as a Layer 2 bridge on the network?

You are the Cisco Configuration Assistant in your company. Which TCP port would you use to access the Cisco ACS web interface?

What command configures the amount of time CBAC will wait for a TCP session to become established before dropping the connection in the state table?

You are configuring the authentication feature on a new Company router. Which of the following correctly sets the IOS Firewall authentication-proxy idle timer to 20 minutes?

While using 5.x signatures to enable Cisco IOS IPS, which required option could be downloaded from Cisco.com?

Which two technologies can secure the control plane of the Cisco router? (Choose two.)

Which two features are included in Cisco IOS SSL VPN thin-client mode? (Choose two.)

Cisco Secure Access Control Server (ACS) is a highly scalable, high-performance access control server that provides a comprehensive identity networking solution. Which of these statements is correct regarding user setup on ACS 4.0?

Which two category types are associated with 5.x signature use in Cisco IOS IPS? (Choose two.)

Which of the following IOS commands will you advise the Company trainee technician to use when setting the timeout for router terminal line?

Which three statements accurately describe DMVPN configuration? (Choose three.)

When configuring FPM, which is the next step after loading the PHDFs?

Select two issues that you should consider when implementing IOS Firewall IDS. (Choose two.)

Which statement best describes Cisco IOS Firewall URL-filtering services on Cisco IOS Release 12.4(15)T and later?

While deploying EIGRP dynamic routing over DMVPN, which three configuration tasks are needed at the hub router tunnel interface? (Choose three.)

You are a network administrator for the CK Company. You are asked to configure a Cisco router to enroll with a certificate authority. Before configuring enrollment parameters, what is a recommended best practice to perform?

You are the Cisco Configuration Assistant in your company. When you configure a site-to-site IPsec VPN tunnel, which configuration must be the exact reverse of the other IPsec peer?

You are the network consultant from your company. Cisco IOS Zone-Based Firewall uses which of the following to identify a service or application from traffic flowing through the firewall?

You are in charge of Securing Networks Cisco Routers and Switches in your company. When troubleshooting site-to-site IPsec VPN, you see this console message: %CRYPTO-6-IKMP_SA_NOT_OFFERED: Remote peer %15i responded with attribute [chars] not offered or changed. Which configuration should you verify?

During which phase does Cisco Easy VPN Server push parameters such as the client internal IP address, DHCP server IP address, and WINS server IP address to the Cisco Easy VPN Remote client?

You have been tasked with setting up a new Company router with CBAC. How do you set the threshold of half-open sessions CBAC will allow per minute before deleting them?

You are configuring the authentication feature on a new Company router. Which of the following configures an authentication proxy rule for the IOS Firewall?

You want to increase the security levels at layer 2 within the Company switched LAN. Which three are typical Layer 2 attack mitigation techniques? (Select three.)

Which three features are supported by Cisco IOS Firewall? (Choose three.)

When you implement Cisco IOS WebVPN on a Cisco router using a self-signed certificate, you notice that the router is not generating a self-signed certificate. What should you check to troubleshoot this issue?

Cisco IOS Intrusion Prevention System (IPS) is an inline, deep-packet inspection feature that effectively mitigates a wide range of network attacks. When verifying Cisco IOS IPS operations, when should you expect Cisco IOS IPS to start loading the signatures?

Which two options are possible for authenticating the clients that do not have an 802.1X supplicant while deploying 802.1X authentication on Cisco Catalyst switches? (Choose two.)

Which best practice is recommended while configuring the Auto Update feature for Cisco IOS IPS?

Which two are typical Layer 2 attacks? (Choose two.)

You are the Cisco Configuration Assistant in your company. After you enable all the authentication protocols under the Global Authentication Setup in Cisco ACS, how can you select a specific EAP type to use for 802.1X authentication?

You are in charge of Securing Networks Cisco Routers and Switches in your company. Why is the Cisco IOS Firewall authentication proxy not working based on the following configuration?

aaa new model
aaa authentication login default group tacacs
aaa authentication auth-proxy default group tacacs+
aaa accounting auth-proxy default start-stop group tacacs+
enable password TeSt_123
ip auto-proxy name pxy http
ip auto-proxy auth-proxy-banner
interface Ethernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip auto-proxy pxy
no ip http server
tacacs-server host 192.168.123.14
tacacs-server key Cisco
[Output omitted]

The Company network is using an 802.1X implementation. In an 802.1X implementation the supplicant directly connects to, and obtains network access permission through which device?

The Easy VPN Server feature allows Cisco IOS routers, Cisco Adaptive Security Appliances (ASA), and Cisco PIX Security Appliances to act as head-end devices in site-to-site or remote-access VPNs. The feature pushes security policies defined at the central site to the remote device during which of these phases?

The Company network is implementing IBNS. In a Cisco Identity-Based Networking Service (IBNS) implementation, the endpoint that is seeking network access is known as what?

The authentication proxy feature has been configured on one of the Company routers. What does authentication proxy on the Cisco IOS Firewall do?

Which item is true about the zone-based firewall policy while configuring the zone-based firewall feature on a Cisco router?

You are the network administrator for your company. When you implement IBNS, what is defined using the Tunnel-Private-Group-ID RADIUS attribute?

A new Company router is being configured for IDS services. Choose the two types of signature implementations that the IOS Firewall IDS can detect. (Choose two.)

Refer to the output of a "sh ip auth-proxy cache" command issued on a Company router below. Which port is being used by the client?

R2 # sh ip auth-proxy cache
Authentication Proxy Cache
Client Name aaauser, Client IP 10.0.2.12, Port 2636, timeout 5, Time Remaining 3, state ESTAB

Based on this information, which port is being used by the client?

John and Kathy are working on configuring the IOS firewall together. They are figuring out what CBAC uses for inspection rules to configure on a per-application protocol basis. Which one of these is the correct one?

CBAC has been configured on router CK1 to increase the security of the Company network. CBAC intelligently filters TCP and UDP packets based on which protocol-session information?

You are the Cisco Configuration Assistant in your company. When you implement 802.1X authentication, which other ACS component will refer the RACs configured under the Shared Profile Components in the ACS?

You wish to configure 802.1X port control on your switch. Which three keywords are used with the dot1x port-control command? (Choose three.)

You are the Cisco Configuration Assistant in your company. What additional configuration is required for the Cisco IOS Firewall to reset the TCP connection if any peer-to-peer, tunneling, or instant messaging traffic is detected over HTTP based on the following configuration?

appfw policy-name my policy
 application http
  strict-http action reset alarm
  content-length maximum 1 action reset alarm
  content-type-verification match-req-rsp action reset alarm
  max-header-length request 1 response 1 action reset alarm
  max-url-length 1 action reset alarm
  request-method rfc put action reset alarm
  transfer-encoding type default reset alarm
!
ip inspect name firewall appfw mypolicy
ip inspect name firewall http
!
Interface FastEthernet0/0
 ip inspect firewall in
!

When you enter the CK-S(config)#aaa authentication dot1x default group radius command on a Cisco Catalyst switch, the Cisco IOS parser returns with the "invalid input detected" error message. What can be the cause of this error?

What is the objective of the Cisco SDM IPS migration tool?

Which of the following represents the behavior of the CBAC aggressive mode in a Cisco IOS firewall?

You are the Cisco Configuration Assistant in your company. Which two commands would you use to only allow SSH traffic to the router Eth0 interface and deny other management traffic (BEEP, FTP, HTTP, HTTPS, SNMP, Telnet, TFTP) to the router interfaces? (Choose two.)

Which three descriptions are true about the GET VPN policy management? (Choose three.)

Which two capabilities are of the Cisco IOS Firewall Feature Set? (Choose two.)
