642-637 - Securing Networks with Cisco Routers and Switches (SECURE) v1.0
Go back to Cisco
Your company has a requirement that if security is compromised on phase 1 of a Diffie-Hellman key exchange that a secondary option will strengthen the security on the IPsec tunnel. What should you implement to ensure a higher degree of key material security?
PFS Group 5
Which of these allows you to add event actions globally based on the risk rating of each event, without having to configure each signature individually?
event action override
Which of the following is not one of the beneficial features of the Cisco IOS Software Certificate Server?
The Cisco IOS Software Certificate Server stores its database on the local flash memory of the router.
When using Cisco Easy VPN, what are the three options for entering an XAUTH username and password for establishing a VPN connection from the Cisco Easy VPN remote router? (Choose three.)
entering the information via the router crypto ipsec client ezvpn connect CLI command in privileged EXEC mode
entering the information from the PC via a browser
storing the XAUTH credentials in the router configuration file
Which two of these are benefits of implementing a zone-based policy firewall in transparent mode? (Choose two.)
It can be easily introduced into an existing network.
IP readdressing is unnecessary.
What will the authentication event fail retry 0 action authorize vlan 300 command accomplish?
assigns clients that fail 802.1X authentication into the restricted VLAN 300
Which of the following is not an authentication that can be used in EZVPN implementations?
You have configured a Cisco router to act a PKI certificate server. However, you are experiencing problems starting the server. You have verified that al CA parameters have been correctly configured. What is the next step you should take in troubleshooting this problem?
Verify that correct time is being used and source are reachable
When 802.1X is implemented, how do the client (supplicant) and authenticator communicate?
Which of the following Cisco Supporting Management components performs the analysis of log data and transforms it into usable graphical information that can be used by security administrators to react efficiently to attacks and breaches against a variety of Cisco products including IPS, firewalls, ISRs, and Cisco Catalyst switches?
Cisco Security Monitoring, Analysis, and Response System (MARS)
When configuring a Cisco PKI client, the command necessary to authenticate the PKI Certificate Authority is which of the following?
crypto pki authenticate trustpoint
What does the command errdisable recovery cause arp-inspection interval 300 provide for?
It will recover a disabled port due to an ARP inspection condition in 5 minutes.
Which of these is true regarding tunnel configuration when deploying a Cisco ISR as a DMVPN hub router?
You can run multiple parallel DMVPNs on the hub router, but each tunnel requires a unique tunnel key.
You are loading a basic IPS signature package onto a Cisco router. After a period of time, you see this message: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 275013 ms. What do you expect happened during downloading and compilation of the files?
The files were compiled without error.
Which command will enable a SCEP interface when you are configuring a Cisco router to be a certificate server?
ip http server
Which of the following authentication mechanisms are appropriate for a DMVPN on a hub-and- spoke network? (Select two.)
When configuring a zone-based policy firewall, which of the following commands is used to associate an interface to a zone?
router(config-if)# zone-member security zone-name
When implementing GET VPN, which of these is a characteristic of GDOI IKE?
Security associations do not need to linger between members once a group member has authenticated to the key server and obtained the group policy
When 802.1X is implemented, how do the authenticator and authentication server communicate?
The configuration of Control plane policing (CoPP) requires that the commands be entered while in Control plane configuration mode. Which of the following commands would you use to enter Control plane Configuration mode for a distributed module in slot 1?
router(config)# control-plane slot 1
Which two EAP type(s) require a client certificate? (Choose two.)
You are a network administrator and are moving a web server from inside the company network to a DMZ segment that is located on a Cisco router. The web server was located at IP address 172.16.10.50 on the inside and changed to the IP address 172.20.10.5 on the DMZ. Additionally, you are moving the web port to 8080 but do not want your inside users to be affected. Which NAT statement should you configure on your router to support the change?
hostname(config)# ip nat inside source static tcp 172.16.10.50 80 172.20.10.5 8080
Which additional configuration steps are required for a zone-based policy firewall to operate in a VRF scenario?
No special zone-based policy firewall configurations are needed.
When using 802.1x on Cisco equipment, three port states are used. When using the auto port state, which of the following protocols is not automatically permitted when the port is not- authorized?
Which two of these will match a regular expression with the following configuration parameters? [a-zA-Z][0-9][a-z] (Choose two.)
Which two answers are potential results of an attacker that is performing a DHCP server spoofing attack? (Choose two.)
client unable to access network resources
Cisco IOS Software displays the following message: DHCP_SNOOPING_5- DHCP_SNOOPING_MATCH_MAC_FAIL. What does this message indicate?
The source MAC address in the Ethernet header does not match the address in the "chaddr" field of the DHCP request message.
When configuring a zone-based policy firewall, what will be the resulting action if you do not specify any zone pairs for a possible pair of zones?
All sessions will be denied between these two zones by default.
Which Cisco WLC v7.0 CLI family of commands helps to verify the PAC status for client association when using local-EAP?
Dividing the product of the Attack Severity Rating (ASR), Target Value Rating (TVR), and Signature Fidelity Rating (SFR) by 10,000 is the formula that results in what?
ERR - Event Risk Rating
Which information is displayed when you enter the Cisco IOS command show epm session?
Enforcement Policy Module sessions
You are troubleshooting a Cisco Easy VPN installation that is experiencing session establishment problems. You have verified that matching IKE and IPsec polices exist on both peers. The remote client has also successfully entered authentication credentials. What is the next step to take in troubleshooting this problem?
verify that the router is able to assign an IP address to the client
To prevent a spanning-tree attack, which command should be configured on a distribution switch port that is connected to an access switch?
spanning-tree guard root
Which action does the command private-vlan association 100,200 take?
associates VLANs 100 and 200 with the primary VLAN
What are the key components that compose the GET VPN architecture? (Choose two.)
You are troubleshooting a problem related to IPsec connectivity issues. You see that there is no ISAKMP security association established between peers. You debug the connection process and see an error message of 1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0. What does this message indicate?
This indicates a policy mismatch.
Which of these is a configurable Cisco IOS feature that triggers notifications if an attack attempts to exhaust critical router resources and if preventative controls have been bypassed or are not working correctly?
CPU and Memory thresholding
Which of these is a result of using the same routing protocol process for routing outside and inside the VPN tunnel?
The tunnel will constantly flap.
Which of these is correct regarding the configuration of virtual-access interfaces?
They cannot be saved to the startup configuration.
What can be used to provide bi-directional authentication between clients and the Cisco Easy VPN Server to help mitigate man-in-the-middle attacks?
In the initial stages of configuration, the Cisco Easy VPN Server is able to assign IP addresses to the Cisco Easy VPN Remote to use as the "inner" IP address encapsulated under IPSEC. This results in a known IP address from the client that will match against the IPSEC policy. What protocol enables Cisco Easy VPN to accomplish this process?
What are the two prominent technologies that support routable interfaces for Cisco IOS VPNs? (Select two.)
Dynamic Multipoint VPN (DMVPN)
Virtual tunnel interface (VTI)
When configuring NAT, and your solution requires the ability to see the inside local and outside global address entries and any TCP or UDP port in the show ip nat command output, how should NAT be configured on the router?
attach a route-map to the ip nat inside command
What is the result of configuring the command dotlx system-auth-control on a Cisco Catalyst switch?
globally enables 802.1X on the switch
What is the name of the concept that implements multiple layers of defense that use multiple types of defense at each layer?
Which statement best describes inside policy based NAT?
Policy NAT rules are those that determine which addresses need to be translated per the enterprise security policy
Missing Output image of a running-config of the interfaces Zone based policy firewall - Transparent Configuration output. Unique command is Interface Fastethernet F0/1 bridge-group 1 zone-member INSIDE ......................
This is a configuration required for a transparent mode firewall where the interfaces are bridged
Which state is a Cisco IOS IPS signature in if it does not take an appropriate associated action even if it has been successfully compiled?
Which of these should you do before configuring IP Source Guard on a Cisco Catalyst switch?
turn DHCP snooping on at least 24 hours in advance
When configuring an ACL, you can use a range of numbers to identify the type of ACL intended. Which range of numbers identify an extended ACL?
100199 and 20002699