642-637 - Securing Networks with Cisco Routers and Switches (SECURE) v1.0

Go back to Cisco

Example Questions

Your company has a requirement that if security is compromised on phase 1 of a Diffie-Hellman key exchange that a secondary option will strengthen the security on the IPsec tunnel. What should you implement to ensure a higher degree of key material security? Which of these allows you to add event actions globally based on the risk rating of each event, without having to configure each signature individually? Which of the following is not one of the beneficial features of the Cisco IOS Software Certificate Server? When using Cisco Easy VPN, what are the three options for entering an XAUTH username and password for establishing a VPN connection from the Cisco Easy VPN remote router? (Choose three.) Which two of these are benefits of implementing a zone-based policy firewall in transparent mode? (Choose two.) What will the authentication event fail retry 0 action authorize vlan 300 command accomplish? Which of the following is not an authentication that can be used in EZVPN implementations? You have configured a Cisco router to act a PKI certificate server. However, you are experiencing problems starting the server. You have verified that al CA parameters have been correctly configured. What is the next step you should take in troubleshooting this problem? When 802.1X is implemented, how do the client (supplicant) and authenticator communicate? Which of the following Cisco Supporting Management components performs the analysis of log data and transforms it into usable graphical information that can be used by security administrators to react efficiently to attacks and breaches against a variety of Cisco products including IPS, firewalls, ISRs, and Cisco Catalyst switches? When configuring a Cisco PKI client, the command necessary to authenticate the PKI Certificate Authority is which of the following? What does the command errdisable recovery cause arp-inspection interval 300 provide for? Which of these is true regarding tunnel configuration when deploying a Cisco ISR as a DMVPN hub router? You are loading a basic IPS signature package onto a Cisco router. After a period of time, you see this message: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 275013 ms. What do you expect happened during downloading and compilation of the files? Which command will enable a SCEP interface when you are configuring a Cisco router to be a certificate server? Which of the following authentication mechanisms are appropriate for a DMVPN on a hub-and- spoke network? (Select two.) When configuring a zone-based policy firewall, which of the following commands is used to associate an interface to a zone? When implementing GET VPN, which of these is a characteristic of GDOI IKE? When 802.1X is implemented, how do the authenticator and authentication server communicate? The configuration of Control plane policing (CoPP) requires that the commands be entered while in Control plane configuration mode. Which of the following commands would you use to enter Control plane Configuration mode for a distributed module in slot 1? Which two EAP type(s) require a client certificate? (Choose two.) You are a network administrator and are moving a web server from inside the company network to a DMZ segment that is located on a Cisco router. The web server was located at IP address 172.16.10.50 on the inside and changed to the IP address 172.20.10.5 on the DMZ. Additionally, you are moving the web port to 8080 but do not want your inside users to be affected. Which NAT statement should you configure on your router to support the change? Which additional configuration steps are required for a zone-based policy firewall to operate in a VRF scenario? When using 802.1x on Cisco equipment, three port states are used. When using the auto port state, which of the following protocols is not automatically permitted when the port is not- authorized? Which two of these will match a regular expression with the following configuration parameters? [a-zA-Z][0-9][a-z] (Choose two.) Which two answers are potential results of an attacker that is performing a DHCP server spoofing attack? (Choose two.) Cisco IOS Software displays the following message: DHCP_SNOOPING_5- DHCP_SNOOPING_MATCH_MAC_FAIL. What does this message indicate? When configuring a zone-based policy firewall, what will be the resulting action if you do not specify any zone pairs for a possible pair of zones? Which Cisco WLC v7.0 CLI family of commands helps to verify the PAC status for client association when using local-EAP? Dividing the product of the Attack Severity Rating (ASR), Target Value Rating (TVR), and Signature Fidelity Rating (SFR) by 10,000 is the formula that results in what? Which information is displayed when you enter the Cisco IOS command show epm session? You are troubleshooting a Cisco Easy VPN installation that is experiencing session establishment problems. You have verified that matching IKE and IPsec polices exist on both peers. The remote client has also successfully entered authentication credentials. What is the next step to take in troubleshooting this problem? To prevent a spanning-tree attack, which command should be configured on a distribution switch port that is connected to an access switch? Which action does the command private-vlan association 100,200 take? What are the key components that compose the GET VPN architecture? (Choose two.) You are troubleshooting a problem related to IPsec connectivity issues. You see that there is no ISAKMP security association established between peers. You debug the connection process and see an error message of 1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0. What does this message indicate? Which of these is a configurable Cisco IOS feature that triggers notifications if an attack attempts to exhaust critical router resources and if preventative controls have been bypassed or are not working correctly? Which of these is a result of using the same routing protocol process for routing outside and inside the VPN tunnel? Which of these is correct regarding the configuration of virtual-access interfaces? What can be used to provide bi-directional authentication between clients and the Cisco Easy VPN Server to help mitigate man-in-the-middle attacks? In the initial stages of configuration, the Cisco Easy VPN Server is able to assign IP addresses to the Cisco Easy VPN Remote to use as the "inner" IP address encapsulated under IPSEC. This results in a known IP address from the client that will match against the IPSEC policy. What protocol enables Cisco Easy VPN to accomplish this process? What are the two prominent technologies that support routable interfaces for Cisco IOS VPNs? (Select two.) When configuring NAT, and your solution requires the ability to see the inside local and outside global address entries and any TCP or UDP port in the show ip nat command output, how should NAT be configured on the router? What is the result of configuring the command dotlx system-auth-control on a Cisco Catalyst switch? What is the name of the concept that implements multiple layers of defense that use multiple types of defense at each layer? Which statement best describes inside policy based NAT? Missing Output image of a running-config of the interfaces Zone based policy firewall - Transparent Configuration output. Unique command is Interface Fastethernet F0/1 bridge-group 1 zone-member INSIDE ...................... Which state is a Cisco IOS IPS signature in if it does not take an appropriate associated action even if it has been successfully compiled? Which of these should you do before configuring IP Source Guard on a Cisco Catalyst switch? When configuring an ACL, you can use a range of numbers to identify the type of ACL intended. Which range of numbers identify an extended ACL?

Study Guides