Question: 1
Which two are technologies that secure the control plane of the Cisco router? (Choose two.)
Answer: C, D
Question: 2
What are the two category types associated with 5.x signature use in Cisco IOS IPS? (Choose
two.)
A. basic
B. advanced
C. 128MB.sdf
D. 256MB.sdf
E. attack-drop
F. built-in
Answer: A, B
Question: 3
Refer to the exhibit.
Which optional AAA or RADIUS configuration command is used to support 802.1X guest VLAN
functionality?
Answer: B
Question: 4
Which is an advantage of implementing the Cisco IOS Firewall feature?
Page 1 of 45
Exam Name: Securing Networks with Cisco Routers and Switches
Exam Type: Cisco Case Studies 2
Exam Code: 642-504   Total Questions: 129
Answer: B
Question: 5
Which three statements correctly describe the GET VPN policy management? (Choose three.)
Answer: B, C, E
Question: 6
Drop
Answer:
Question: 7
The CPU and Memory Threshold Notifications of the Network Foundation Protection feature
protects which router plane?
A. control plane
B. management plane
C. data plane
D. network plane
Answer: B
Question: 8
Drop
Answer:
Question: 9
Drop
Answer:
Question: 10
In DMVPN, the NHRP process allows which requirement to be met?
Answer: A
Question: 11
Which is correct regarding the Management Plane Protection feature?
Answer: D
Question: 12
What are the two enrollment options when using the SDM Certificate Enrollment wizard? (Choose
two.)
A. SCEP
B. LDAP
C. OCSP
D. Cut-and-Paste/Import from PC
Answer: A, D
Question: 13
Refer to the exhibit.
Which two configuration commands are used to apply an inspect policy map for traffic traversing
from the E0 or E1 interface to the S3 interface? (Choose two.)
Answer: A, F
Question: 14
Cisco IOS Firewall supports which three of the following features? (Choose three.)
A. alerts
B. audit trails
C. multicontext firewalling
D. active/active stateful failover
E. DoS attacks protection
Answer: A, B, E
Question: 15
Refer to the exhibit.
What is correct based on the partial configuration shown?
Answer: D
Question: 16
When enabling Cisco IOS IPS using 5.x signatures, which required item can be downloaded from
Cisco.com?
Answer: B
Question: 17
Which information will be shown by entering the command show zone-pair security?
Answer: C
Question: 18
Cisco IOS SSL VPN thin-client mode has which two characteristics? (Choose two.)
Answer: A, E
Question: 19
Refer to the exhibit.
What will result from this zone-based firewall configuration?
A. All traffic from the private zone to the public zone will be dropped.
B. All traffic from the private zone to the public zone will be permitted but not inspected.
C. All traffic from the private zone to the public zone will be permitted and inspected.
D. All traffic from the public zone to the private zone will be permitted but not inspected.
E. Only HTTP and DNS traffic from the private zone to the public zone will be permitted and
inspected.
F. Only HTTP and DNS traffic from the public zone to the private zone will be permitted and
inspected.
Answer: A
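Question 19 hinges on how a zone-based firewall treats traffic between two zones. The configuration below is an added example, not part of the exam dump, showing the outcome described in option E: only HTTP and DNS from the private zone to the public zone are permitted and inspected, and everything else is dropped. Zone, class-map, policy-map and interface names are assumptions.

```ios
! Added example, not from the exam dump. Names (PRIVATE, PUBLIC, PRIV-PUB-CLASS,
! PRIV-PUB-POLICY, PRIV-PUB) and the interfaces are assumptions.
!
! Zones
zone security PRIVATE
zone security PUBLIC
!
! Traffic to inspect: HTTP and DNS only
class-map type inspect match-any PRIV-PUB-CLASS
 match protocol http
 match protocol dns
!
! Policy: inspect the matched class, drop (and log) everything else
policy-map type inspect PRIV-PUB-POLICY
 class type inspect PRIV-PUB-CLASS
  inspect
 class class-default
  drop log
!
! Zone pair, unidirectional: PRIVATE -> PUBLIC
! (a zone pair with no service-policy drops every packet crossing it)
zone-pair security PRIV-PUB source PRIVATE destination PUBLIC
 service-policy type inspect PRIV-PUB-POLICY
!
! Interface membership: an interface in no zone cannot talk to one in a zone
interface FastEthernet0/0
 zone-member security PRIVATE
!
interface Serial0/0/0
 zone-member security PUBLIC
```

The zone pair is unidirectional. Return traffic for inspected sessions is allowed back without a public-to-private zone pair, but connections initiated from the public zone are dropped because no such pair exists. If the zone pair is created without a service-policy, or the policy's only class is class-default with drop, every packet crossing the pair is dropped, which is the outcome in option A. "show zone-pair security" (question 17) confirms which policy, if any, is attached to each pair.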
Question: 20
Cisco Easy VPN Server pushes parameters such as the client internal IP address, DHCP server
IP address, and WINS server IP address to the Cisco Easy VPN Remote client during which of
these phases?
Answer: C
Question: 21
Which two are capabilities of the Cisco IOS Firewall Feature Set? (Choose two.)
C. When combined with application inspection, performs as an advanced application layer firewall
gateway
D. Interoperates with Network Address Translation to conserve and simplify network address use
E. Provides for secure connectivity between branch offices
Answer: A, D
Question: 22
Which two commands are used to allow only SSH traffic to the router Eth0 interface and deny
other management traffic (BEEP, FTP, HTTP, HTTPS, SNMP, Telnet, TFTP) to the router
interfaces? (Choose two.)
A. Interface eth0
B. Control-plane host
C. Policy-map type port-filter policy-name
D. Service-policy type port-filter input policy-name
E. Management-interface eth0 allow ssh
F. Line vty 0 5 transport input ssh
Answer: B, E
Question: 23
Cisco IOS IPS uses which alerting protocol with a pull mechanism for getting IPS alerts to the
network management application?
A. HTTPS
B. SMTP
C. SNMP
D. syslog
E. SDEE
F. POP3
Answer: E
Question: 24
When configuring FPM, what should be the next step after the PHDFs have been loaded?
Answer: A
Question: 25
GET VPN uses which secure group keying mechanism?
A. Diffie-Hellman
B. Pre-shared
C. Group Domain of Interpretation
D. Public and private keys
E. Group key agreement
Answer: C
Question: 26
When configuring the Auto Update feature for Cisco IOS IPS, what is a recommended best
practice?
Answer: A
Question: 27
When configuring GRE over IPsec, what is true regarding the GRE tunnel endpoints?
A. A mirror image of the IPsec crypto ACL needs to be configured to permit the interesting end-user traffic between the GRE endpoints.
B. The tunnel interface of both endpoints should be configured to use the outside IP address of
the router as the unnumbered IP address.
C. The tunnel interface of both endpoints needs to be in the same IP subnet.
D. For high availability, the GRE tunnel interface should be configured with a primary and a
backup tunnel destination IP address.
Answer: C
Question: 28
Refer to the exhibit.
Given that the fa0/1 interface is the trusted interface, what could be a reason for users on the
trusted inside networks not to be able to successfully establish outbound HTTP connections?
Answer: C
Question: 29
The Cisco SDM IPS migration tool is used for what purpose?
Answer: B
Question: 30
Refer to the exhibit.
Based on the output shown, which statement is correct regarding the Cisco IOS IPS
configuration?
Answer: C
Question: 31
Which Cisco IOS Firewall feature allows the firewall to function as a Layer 2 bridge on the
network?
A. zone-based firewall
B. CBAC
C. firewall ACL bypass
D. transparent firewall
Answer: D
Question: 32
Which statement is correct regarding Cisco IOS Firewall URL-filtering services on Cisco IOS
Release 12.4(15)T and later?
A. Multiple URL lists and URL filter server lists can be configured on the router.
B. URL filtering with zone-based firewalls is configured using the type "inspect" parameter-map.
C. Enabling "allow mode" is required when using an external URL-filtering server.
D. The services support Secure Computing server or Websense server and the local URL list.
Answer: D
Question: 33
Refer to the exhibit.
Based on the CLI configuration shown, which two statements are correct? (Choose two.)
Answer: A, D
Question: 34
When using Cisco Easy VPN, what are the three options for entering the XAUTH username and
password for establishing the VPN connection from the Cisco Easy VPN remote router? (Choose
three.)
Answer: C, D, E
Question: 35
Which Cisco IOS IPS risk rating component uses a low value of 75, a medium value of 100, a
high value of 150, and a mission-critical value of 200?
Answer: C
Question: 36
When configuring the zone-based firewall feature on a Cisco router, which statement is correct
regarding the zone-based firewall policy?
Answer: A
Question: 37
When you add NADs as AAA clients in the ACS, which three parameters are configured for each
AAA client? (Choose three.)
Answer: A, D, E
Question: 38
Which Cisco IOS VPN feature simplifies IPsec VPN configuration and design by using on-demand virtual access interfaces that are cloned from a virtual template configuration?
A. GET VPN
B. dynamic VTI
C. static VTI
D. GRE tunnels
E. GRE over IPsec tunnels
F. DMVPN
Answer: B
Question: 39
Refer to the DMVPN topology diagram in the exhibit. Which two statements are correct? (Choose
two.)
Answer: A, C
Question: 40
When deploying 802.1X authentication on Cisco Catalyst switches, which traffic can be passed
between the client PC and the Cisco Catalyst switch over the uncontrolled port?
A. RADIUS
B. TACACS+
C. HTTP
D. DHCP
E. EAPoLAN
F. CDP
Answer: E
Question: 41
Refer to the exhibit. Based on the partial configuration shown, which additional configuration
parameter is needed under the GET VPN group member GDOI configuration?
Answer: A
Question: 42
Which action does the interface configuration command switchport protected enable?
Answer: B
Question: 43
What configuration task must you perform prior to configuring private VLANs?
Answer: C
Question: 44
When deploying 802.1X authentication on Cisco Catalyst switches, what are two possible options
for authenticating the clients that do not have an 802.1X supplicant? (Choose two.)
D. Web authentication
E. Protected EAP
Answer: A, D
Question: 45
When implementing EIGRP dynamic routing over DMVPN, what are three configuration tasks
required at the hub router tunnel interface? (Choose three.)
Answer: A, B, E
Question: 46
Refer to the exhibit.
What is wrong with the GRE over IPsec configuration shown?
Answer: B
Question: 47
Drop
Answer:
Question: 48
When you configure Cisco IOS WebVPN, you can use the port-forward command to enable
which function?
A. web-enabled applications
B. Cisco Secure Desktop
C. full-tunnel client
D. thin client
E. CIFS
F. OWA
Answer: D
Question: 49
Which three of these statements are correct regarding DMVPN configuration? (Choose three.)
A. If running EIGRP over DMVPN, the hub router tunnel interface must have "next hop self" enabled: ip next-hop-self eigrp AS-Number
B. If running EIGRP over DMVPN, the hub router tunnel interface must have split horizon disabled: no ip split-horizon eigrp AS-Number
C. The spoke routers must be configured as the NHRP servers: ip nhrp nhs spoke-tunnel-ip-address
D. At the spoke routers, static NHRP mapping to the hub router is required: ip nhrp map hub-tunnel-ip-address hub-physical-ip-address
E. The GRE tunnel mode must be set to point-to-point mode: tunnel mode gre point-to-point
F. The GRE tunnel must be associated with an IPsec profile: tunnel protection ipsec profile profile-name
Answer: B, D, F
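Questions 45, 49 and 53 each describe a piece of one DMVPN configuration. Below is an added example, not part of the exam dump, that assembles those pieces into a working hub and spoke pair running EIGRP over a multipoint GRE tunnel protected by an IPsec profile. It assumes DMVPN phase 2 (direct spoke-to-spoke tunnels), pre-shared-key IKE and EIGRP AS 1; all addresses, names and key strings are assumptions.

```ios
! Added example, not from the exam dump. Assumes DMVPN phase 2 over
! pre-shared-key IPsec with EIGRP AS 1. Addresses, key strings and the names
! DMVPN-TS, DMVPN-PROF and NHRPKEY are assumptions.
!
! ===== Common to hub and spokes =====
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2
! wildcard PSK because spoke public addresses may be dynamic
crypto isakmp key DMVPN-PSK address 0.0.0.0 0.0.0.0
crypto ipsec transform-set DMVPN-TS esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! ===== Hub (public 203.0.113.1, LAN 192.168.1.0/24) =====
interface Tunnel0
 ip address 10.1.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NHRPKEY
! replicate EIGRP multicast hellos to every spoke that registers
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
! hub must re-advertise one spoke's routes to the other spokes
 no ip split-horizon eigrp 1
! keep the originating spoke as next hop so spokes build direct tunnels
 no ip next-hop-self eigrp 1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
router eigrp 1
 network 10.1.1.0 0.0.0.255
 network 192.168.1.0
 no auto-summary
!
! ===== Spoke (LAN 192.168.2.0/24) =====
interface Tunnel0
 ip address 10.1.1.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NHRPKEY
! static mapping of the hub tunnel address to the hub public address
 ip nhrp map 10.1.1.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 100
! the hub is the next-hop server the spoke registers with
 ip nhrp nhs 10.1.1.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
router eigrp 1
 network 10.1.1.0 0.0.0.255
 network 192.168.2.0
 no auto-summary
```

Without "ip nhrp map multicast dynamic" on the hub (question 102) the EIGRP hellos never reach the spokes and no adjacency forms. Option A of question 49 is wrong for this design: with next-hop-self left enabled the hub substitutes itself as next hop for every spoke prefix, so spoke-to-spoke traffic keeps hairpinning through the hub and direct tunnels are never triggered.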
Question: 50
Refer to the exhibit.
What is wrong with the partial IPsec VPN high-availability configuration shown here?
Answer: D
Question: 51
Drop
Answer:
Question: 52
You are an administrator configuring a Cisco router to enroll with a certificate authority. What is a
recommended best practice to perform prior to configuring enrollment parameters?
C. Configure the certificate revocation list to ensure that you do not receive revoked CA
certificates.
D. Configure Network Time Protocol.
E. If using SCEP, ensure that TCP port 22 traffic is permitted to the router.
Answer: D
Question: 53
DMVPN configuration uses which tunnel mode type on the tunnel interface?
A. DVMRP
B. IPsec IPv4
C. NHRP
D. GRE multipoint
Answer: D
Question: 54
Refer to the exhibit.
What is true regarding the IKE security association?
Answer: C
Question: 55
Drop
Answer:
Question: 56
When configuring a Cisco Easy VPN server, what must be configured prior to entering VPN
configuration parameters?
A. AAA
B. ISAKMP peer authentication method
C. XAuth
D. SSH
E. crypto ACL
F. NTP
Answer: A
Question: 57
Which parameter is configured under the router(config-isakmp)# configuration mode?
Answer: A
Question: 58
Which two statements are correct regarding Network Address Translation and IPsec
interoperability? (Choose two.)
Answer: B, C
Question: 59
If the show crypto isakmp sa output shows a state of "QM_IDLE" with the "Active" status, what
does that most likely indicate?
Answer: C
Question: 60
Which is the correct sequence of the Cisco Easy VPN remote connection process steps?
I. Step 1
II. Step 2
III. Step 3
IV. Step 4
V. Step 5
VI. Step 6
VII. Step 7
A. I-5,II-1,III-7,IV-2,V-3,VI-6,VII-4
B. I-5,II-1,III-7,IV-3,V-2,VI-6,VII-4
C. I-5,II-1,III-7,IV-2,V-3,VI-4,VII-6
D. I-5,II-1,III-7,IV-3,V-2,VI-4,VII-6
Answer: A
Question: 61
You are the security administrator for the company and you need to know what CBAC does on the
Cisco IOS Firewall. Which one of these is the best answer?
Answer: D
Question: 62
By default, how many half-open sessions need to be in the state table before CBAC will begin to
delete the half-open sessions?
A. 500
B. 250
C. 1000
D. 2000
Answer: A
Question: 63
The authentication proxy feature has been configured on one of the company routers. What does
authentication proxy on the Cisco IOS Firewall do?
A. Creates specific authorization policies for each user with Cisco Secure ACS, dynamic, per-user security and authorization
B. Provides additional visibility at intranet, extranet, and Internet perimeters
C. Creates specific security policies for each user with Cisco Secure ACS, dynamic, per-user
authentication and authorization
D. Provides secure, per-application access control across network perimeters
Answer: C
Question: 64
You are the Cisco Configuration Assistant in pass4usre.com. Which configuration is not required
to enable the Cisco IOS Firewall to inspect a user-defined application which uses TCP ports 8000
and 8001? (Choose three.)
A. access-list 101 permit tcp any any eq 8000
   access-list 101 permit tcp any any eq 8001
   class-map user-10
   match access-group 101
B. ip port-map user-10 port tcp 8000 8001 description "TEST PROTOCOL"
C. ip inspect name test user-10
D. int {type|number} ip inspect name test in
Answer: B, C, D
Question: 65
Which item is true about the relationship between the CLI command and its definition? Not all
commands will be used.
1. clear crypto sa
2. clear crypto isakmp
3. show crypto map
4. show crypto ipsec transform-set
5. show crypto isakmp policy
6. show crypto isakmp sa
7. show crypto ipsec sa
Answer: A
Question: 66
You are configuring the authentication feature on a new company router. Which of the following
correctly sets the IOS Firewall authentication-proxy idle timer to 20 minutes?
A. ip auth-proxy auth-cache 20
B. ip auth-proxy auth-time 20
C. ip auth-proxy auth-cache-time 20
D. ip auth-proxy idle 20
Answer: C
Question: 67
You are in charge of securing the company's Cisco routers and switches. When troubleshooting a
site-to-site IPsec VPN, you see this console message:
%CRYPTO-6-IKMP_SA_NOT_OFFERED: Remote peer %15i responded with attribute [chars] not offered or changed
Which configuration should you verify?
Answer: D
Question: 68
You are the Cisco Configuration Assistant in pass4usre.com. When you configure a site-to-site
IPsec VPN tunnel, which configuration must be the exact reverse of the other IPsec peer?
A. IPsec policy
B. ISAKMP policy
C. pre-shared key
D. crypto ACL
Answer: D
Question: 69
You are configuring the authentication feature on a new company router. Which of the following
configures an authentication proxy rule for the IOS Firewall?
Answer: B
Question: 70
You are the Cisco Configuration Assistant in pass4usre.com. When you implement 802.1x
authentication, which other ACS component will refer the RACs configured under the Shared
Profile Components in the ACS?
A. user setup
B. group setup
Answer: D
Question: 71
Which item is correct about the relationship between the command and its WebVPN
troubleshooting function?
A. I-2,II-1,III-4
B. I-2,II-4,III-1
C. I-1,II-2,III-4
D. I-1,II-4,III-2
Answer: A
Question: 72
The authentication proxy feature has been configured on one of the company routers. Where are
access profiles stored with the authentication proxy feature of the Cisco IOS Firewall?
A. PIX Firewall
B. Cisco router
C. Cisco VPN Concentrator
D. Cisco Secure ACS authentication server
Answer: D
Question: 73
You are the network administrator for pass4usre.com. When you implement IBNS, what is defined
using the Tunnel-Private-Group-ID RADIUS attribute?
Answer: D
Question: 74
Refer to the output of a "sh ip auth-proxy cache" command issued on the company router below.
 P4S2# sh ip auth-proxy cache
 Authentication Proxy Cache
  Client Name aaauser, Client IP 10.0.2.12, Port 2636, timeout 5, Time Remaining 3, state ESTAB
Based on this information, which port is being used by the client?
A. 1645
B. 1646
C. 1812
D. 2636
Answer: D
Question: 75
How does a user on the company LAN trigger the authentication proxy after the idle timer has
expired?
Answer: B
Question: 76
A new company router is being configured for IDS services. Choose the two types of signature
implementations that the IOS Firewall IDS can detect. (Choose two.)
A. Atomic
B. Dynamic
C. Regenerative
D. Compound
Answer: A, D
Question: 77
When you enter the P4S-S(config)#aaa authentication dot1x default group radius command on a
Cisco Catalyst switch, the Cisco IOS parser returns with the "invalid input detected" error
message. What can be the cause of this error?
A. You must use the dot1x system-auth-control command first to globally enable 802.1x.
B. You must define the RADIUS server IP address first, using the P4S-S(config)# radius-server
host ip-address command.
C. You must enter the aaa new-model command first.
D. The local option is missing in the command.
Answer: C
Question: 78
When you implement Cisco IOS WebVPN on a Cisco router using a self-signed certificate, you
notice that the router is not generating a self-signed certificate. What should you check to
troubleshoot this issue?
Answer: D
Question: 79
Which item is correct about the relationship between the Cisco IOS SEAP feature and its
description? Not all the features are used.
A. I-3,II-5,III-6
B. I-3,II-6,III-5
C. I-2,II-5,III-6
D. I-2,II-6,III-5
Answer: A
Question: 80
Cisco IOS Intrusion Prevention System (IPS) is an inline, deep-packet inspection feature that
effectively mitigates a wide range of network attacks. When verifying Cisco IOS IPS operations,
when should you expect Cisco IOS IPS to start loading the signatures?
Answer: D
Question: 81
Cisco Secure Access Control Server (ACS) is a highly scalable, high-performance access control
server that provides a comprehensive identity networking solution. Which of these statements is
correct regarding user setup on ACS 4.0?
Answer: A
Question: 82
A new company switch has been installed and you wish to secure it. Which Cisco Catalyst IOS
command can be used to mitigate a CAM table overflow attack?
Answer: D
Question: 83
Please match NFP feature to the correct description
Answer: D
Question: 84
When an active signature is detected, Cisco IOS IPS can take specific actions. Which option is
correct about the relationship between the action and its correct definition?
1. Deny Attacker Inline
2. Deny Connection Inline
3. Deny Packet Inline
4. Produce Alert
5. Reset TCP Connection
A. I-3,II-5,III-2,IV-1,V-4
B. I-3,II-5,III-2,IV-4,V-1
C. I-3,II-5,III-1,IV-2,V-4
D. I-3,II-5,III-1,IV-4,V-2
Answer: A
Question: 85
You want to increase the security of a newly installed switch. Which Cisco Catalyst IOS command
is used to mitigate a MAC spoofing attack?
Answer: C
Question: 86
Based on the following configuration, which two statements are correct? (Choose two.)
 ip ips MYIPS in
!
Answer: C, D
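The exhibit for question 86 survives only as its last line, the interface command that applies an IPS rule. The following is an added example, not from the exam dump, showing the full 5.x signature setup that line belongs to, tying together the public key downloaded from Cisco.com (question 16), the basic and advanced categories (question 2) and SDEE alerting (question 23). It assumes Cisco IOS 12.4(11)T or later; the rule name MYIPS, the directory flash:ips5, the FTP server address and the package file name are assumptions.

```ios
! Added example, not from the exam dump. Assumes IOS 12.4(11)T or later with the
! 5.x signature package (IOS-Sxxx-CLI.pkg) and the Cisco public key file
! (realm-cisco.pub.key) already downloaded from Cisco.com to an FTP server.
! MYIPS, flash:ips5 and the server address are assumptions.
!
! 1. Public key that verifies the signed signature package (paste the
!    key-string lines from realm-cisco.pub.key in place of the placeholder)
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   <key-string lines from realm-cisco.pub.key>
  quit
!
! 2. Directory that holds the compiled signatures and local tuning
ip ips config location flash:ips5 retries 1
!
! 3. Alerting: SDEE is pulled over HTTPS by the management station and
!    therefore needs the secure HTTP server; syslog is the push alternative
ip http secure-server
ip ips notify sdee
ip ips notify log
!
! 4. Categories: retire every signature, then enable the "basic" 5.x
!    category (use "advanced" only on routers with enough memory)
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
!
! 5. Named rule, applied inbound on the untrusted interface
ip ips name MYIPS
interface FastEthernet0/0
 ip ips MYIPS in
!
! 6. Load the package; compilation starts once the rule is applied and the
!    package is copied (verify with "show ip ips signatures count")
! copy ftp://user:pass@10.0.0.5/IOS-Sxxx-CLI.pkg idconf
```

The key must be installed before the package is copied, otherwise the signature file fails verification and no signatures load. "show ip ips configuration" lists the rule, the config location and the notification methods in one place.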
Question: 87
The security administrator for the company is working on defending the network against SYN
flooding attacks. Which of the following are tools to protect the network from TCP SYN attacks?
A. Route authentication
B. Encryption
C. ACLs
D. TCP intercept
Answer: D
Question: 88
Which of the following IOS commands will you advise the company trainee technician to use when
setting the timeout for a router terminal line?
Answer: A
Question: 89
The company network is implementing IBNS. In a Cisco Identity-Based Networking Service
(IBNS) implementation, the endpoint that is seeking network access is known as what?
A. Host
B. Authentication
C. PC
D. Supplicant
Answer: D
Question: 90
A new IBNS system is being installed in the company network. The Cisco Identity-Based
Networking Services (IBNS) solution is based on which two standard implementations? (Choose
two.)
A. TACACS+
B. RADIUS
C. 802.11
D. 802.1x
Answer: B, D
Question: 91
In IKE Phase 1, IKE creates an authenticated, secure channel between the two IKE peers, called
the IKE security association. The Diffie-Hellman key agreement is always performed in this
phase. What are the three authentication methods that you can use during IKE Phase 1?
(Choose three.)
A. AAA Authentication
B. pre-shared key
C. RSA signature
D. RSA encrypted nonce
Answer: B, C, D
Question: 92
You wish to configure 802.1X port control on your switch. Which three keywords are used with
the dot1x port-control command? (Choose three.)
A. enable
B. force-authorized
C. force-unauthorized
D. auto
Answer: B, C, D
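Questions 40, 44, 77 and 92 each cover one step of bringing up 802.1X on a Catalyst access port. This added example, not part of the exam dump, shows the whole sequence in the order the parser requires; the RADIUS server address and key, VLAN numbers and interface are assumptions.

```ios
! Added example, not from the exam dump. The RADIUS server 10.0.0.10, its key,
! VLANs 10/20 and FastEthernet0/1 are assumptions.
!
! 1. AAA must be enabled before any "aaa authentication" line is accepted;
!    entering step 3 first returns "invalid input detected"
aaa new-model
radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key RADIUS-KEY
!
! 2. (Server definition above, so the method list below has somewhere to go)
!
! 3. Authentication method list for 802.1X, plus network authorization so a
!    VLAN returned in Tunnel-Private-Group-ID can be applied to the port
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
! 4. Enable 802.1X globally; until this is set every port behaves as
!    force-authorized regardless of its port-control setting
dot1x system-auth-control
!
! 5. Access port: "auto" performs real authentication; "force-authorized"
!    and "force-unauthorized" bypass it in either direction
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
! fallback for clients with no supplicant: guest VLAN after EAPOL timeouts,
! or MAC authentication bypass against RADIUS
 dot1x guest-vlan 20
 dot1x mac-auth-bypass
 dot1x reauthentication
 dot1x timeout reauth-period 3600
```

Until the port is authorized, only EAPOL frames cross the uncontrolled port (question 40); DHCP, CDP and everything else wait for the controlled port to open. "dot1x guest-vlan" and "dot1x mac-auth-bypass" are the fallback paths of question 44 for clients without a supplicant; web authentication is a separate "ip admission" configuration and is not shown here.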
Question: 93
The PHDF defines the structure of a particular packet and adds protocol inspection
capabilities to Cisco IOS Software. The PHDF stored in the router flash memory is required for
which of these applications to function?
A. NBAR
B. CAC
C. PAM
D. FPM
Answer: D
Question: 94
The company network has rolled out an 802.1X-based system. In an 802.1X implementation, the
authenticator acts as a gateway to which device?
A. Host
B. Authenticator
C. PC
D. Authentication server
Answer: D
Question: 95
You are in charge of securing the company's Cisco routers and switches. Please point out
two benefits of using an IPsec GRE tunnel. (Choose two.)
Answer: C, D
Question: 96
Which two are typical Layer 2 attacks? (Choose two.)
A. MAC spoofing
B. CAM table overflow
C. Route poisoning
D. DHCP Starvation
Answer: A, B
Question: 97
You want to increase the security levels at Layer 2 within the company switched LAN. Which three
are typical Layer 2 attack mitigation techniques? (Choose three.)
A. 802.1x authentication
B. Port security
C. ARP snooping
D. DHCP snooping
Answer: A, B, D
Question: 98
The company security administrator is in charge of creating a security policy for the company.
Which two statements about the creation of a security policy are true? (Choose two.)
A. It helps Chief Information Officers determine the return on investment of network security at the company.
B. It defines how to track down and prosecute policy offenders at the company.
C. It provides a process to audit existing network security at the company.
D. It defines which behavior is and is not allowed at the company.
Answer: C, D
Question: 99
You are the network consultant from pass4usre.com. Cisco IOS Zone-Based Firewall uses which
of the following to identify a service or application from traffic flowing through the firewall?
Answer: D
Question: 100
Router P4S1 is configured with the IOS firewall feature set to prevent TCP based attacks. How
many incomplete connections must this router have by default before TCP Intercept will start
dropping incomplete connections?
A. 500
B. 1100
C. 700
D. 900
Answer: B
Question: 101
Which of the following represents the behavior of the CBAC aggressive mode in a Cisco IOS
firewall?
Answer: D
Question: 102
The Dynamic Multipoint VPN (DMVPN) feature allows users to better scale large and small IP
Security (IPsec) Virtual Private Networks (VPNs) by combining generic routing encapsulation
(GRE) tunnels, IPsec encryption, and Next Hop Resolution Protocol (NHRP). Referring to a
DMVPN hub router tunnel interface configuration, what will fail if the ip nhrp map multicast
dynamic command is missing on the tunnel interface?
Answer: D
Question: 103
Which OSI layers can CBAC filter on? (Select all that apply.)
A. Layer 4
B. Layer 3
C. Layer 2
D. Layer 7
Answer: A, B, D
Question: 104
Router P4S1 has been upgraded with the Cisco Firewall IOS. Which of the following cannot be
configured on a router unless the IOS Firewall feature set is installed? (Select all that apply.)
A. PAM
B. Authentication Proxy
C. IDS
D. CBAC
Answer: A, B, C, D
Question: 105
While logged into the company router, which of the following commands specifies that the IOS
Firewall IDS engine drops packets and resets TCP connections for information signatures?
Answer: D
Question: 106
Select two issues that you should consider when implementing IOS Firewall IDS. (Choose two)
Answer: A, C
Question: 107
You are the Cisco Configuration Assistant in pass4usre.com. Which command would you use
to trigger the router to request certificates from the CA for the router RSA key pair?
Answer: A
Question: 108
The company network is concerned about spam and wants to use IOS tools to prevent spam
attacks. By default, how many message recipients must an email have for the IOS Firewall to
consider it a spam attack?
A. 250
B. 500
C. 100
D. 25
Answer: A
Question: 109
You are the Cisco Configuration Assistant in pass4usre.com. You are configuring ACS 4.0
Network Access Profiles, which three things can be used to determine how an access request is
classified and mapped to a profile? (Choose three.)
Answer: A, C, D
Question: 110
The security administrator at the company is seeing a large number of half-open TCP sessions.
What are half-open TCP sessions?
Answer: B
Question: 111
You are the Cisco Configuration Assistant in pass4usre.com. What additional configuration is
required for the Cisco IOS Firewall to reset the TCP connection if any peer-to-peer, tunneling, or
instant messaging traffic is detected over HTTP, based on the following configuration?
 appfw policy-name mypolicy
  application http
   strict-http action reset alarm
   content-length maximum 1 action reset alarm
   content-type-verification match-req-rsp action reset alarm
   max-header-length request 1 response 1 action reset alarm
   max-url-length 1 action reset alarm
   request-method rfc put action reset alarm
   transfer-encoding type default reset alarm
 !
 ip inspect name firewall appfw mypolicy
 ip inspect name firewall http
 !
 interface FastEthernet0/0
  ip inspect firewall in
A. class-map configuration
B. the PAM configuration
C. the ip inspect name firewall im, ip inspect name firewall p2p, and ip inspect name firewall
tunnel commands
D. the port-misuse default action reset alarm command in the HTTP application firewall policy
configuration
Answer: D
Question: 112
What command configures the amount of time CBAC will wait for a TCP session to become
established before dropping the connection in the state table?
Answer: D
Question: 113
You are the Cisco Configuration Assistant in pass4usre.com. What can you determine based on
the following configuration?
 crypto ipsec transform-set MINE esp-des
 !
 crypto map MYMAP 10 ipsec-isakmp
  set peer 172.30.5.2
  set transform-set MINE
  match address 101
A. The authentication method used between the IPsec peers is pre-shared key.
B. ESP tunnel mode will not be used.
C. This is a dynamic crypto map.
D. ESP tunnel mode will be used.
Answer: D
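Questions 59, 67, 68, 91 and 113 all refer to the same site-to-site IPsec design. The added example below, not from the exam dump, builds the complete configuration on both peers around the crypto map from question 113, with the crypto ACL on the second router as the exact mirror of the first. Addresses, the pre-shared key and the use of esp-aes esp-sha-hmac in place of the question's esp-des are assumptions.

```ios
! Added example, not from the exam dump. Addresses, the pre-shared key and the
! AES/SHA transform set are assumptions.
!
! ===== Router A: outside 172.30.5.1, LAN 10.1.0.0/24 =====
! IKE Phase 1 policy; the peer must offer a policy with matching encryption,
! hash, authentication, DH group and lifetime, otherwise the peer logs
! %CRYPTO-6-IKMP_SA_NOT_OFFERED
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key S2S-PSK address 172.30.5.2
!
! IKE Phase 2 transform set; no "mode transport" line, so ESP tunnel mode
crypto ipsec transform-set MINE esp-aes esp-sha-hmac
!
! crypto ACL (interesting traffic); the peer's ACL must be the exact mirror
access-list 101 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
!
crypto map MYMAP 10 ipsec-isakmp
 set peer 172.30.5.2
 set transform-set MINE
 match address 101
!
interface Serial0/0/0
 ip address 172.30.5.1 255.255.255.252
 crypto map MYMAP
!
! ===== Router B: outside 172.30.5.2, LAN 10.2.0.0/24 =====
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key S2S-PSK address 172.30.5.1
crypto ipsec transform-set MINE esp-aes esp-sha-hmac
! mirror image: source and destination swapped
access-list 101 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
crypto map MYMAP 10 ipsec-isakmp
 set peer 172.30.5.1
 set transform-set MINE
 match address 101
interface Serial0/0/0
 ip address 172.30.5.2 255.255.255.252
 crypto map MYMAP
!
! Verification after sending interesting traffic:
!  show crypto isakmp sa    state QM_IDLE, status ACTIVE = Phase 1 SA up
!  show crypto ipsec sa     #pkts encaps/decaps counters increment
!  clear crypto sa / clear crypto isakmp   force renegotiation when testing
```

Because the transform set carries no "mode transport" line, ESP tunnel mode is used, which is the point of question 113. A mismatched ISAKMP policy shows up as the %CRYPTO-6-IKMP_SA_NOT_OFFERED message of question 67 before any IPsec SA is built; a crypto ACL that is not a mirror image typically leaves Phase 1 in QM_IDLE while Phase 2 never completes.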
Question: 114
Which option is correct about the output of the Cisco IOS IPS configuration displayed in the
following exhibit?
Answer: D
Question: 115
You have been tasked with setting up a new router with CBAC. How do you configure the CBAC
global UDP idle session timeout?
Answer: D
Question: 116
You have been tasked with setting up a new company router with CBAC. How do you set the
threshold of half-open sessions CBAC will allow per minute before deleting them?
Answer: C
Question: 117
You are the Cisco Configuration Assistant in pass4usre.com. Which TCP port would you use to
access the Cisco ACS web interface?
A. 22
B. 80
C. 127
D. 2002
Answer: D
Question: 118
You are in charge of securing networks with Cisco routers and switches in the company. Why is the
Cisco IOS Firewall authentication proxy not working based on the following configuration?
Answer: C
Question: 119
You are setting up a new company router with CBAC. Which of the following commands will alter
the CBAC DNS timeout timer to 10 seconds?
A. ip inspect dns-server-timeout 10
B. ip inspect dns-server-timer 10
C. ip inspect dns-timeout 10
D. ip inspect dns-timer 10
Answer: C
Question: 120
You are setting up a new company router with CBAC. If CBAC is configured to inspect Telnet
traffic on an interface, how should outbound Telnet traffic be configured in any ACLs?
Answer: A
Question: 121
CBAC has been configured on router P4S1 to increase the security of the company network.
CBAC intelligently filters TCP and UDP packets based on which protocol-session information?
A. Network layer
B. Transport layer
C. Data-link
D. Application layer
Answer: D
Question: 122
You are the Cisco Configuration Assistant in pass4usre.com. After you enable all the
authentication protocols under the Global Authentication Setup in Cisco ACS, how can you select
a specific EAP type to use for 802.1x authentication?
A. Specify the particular EAP type to use when you configure the RAC.
B. Specify the particular EAP type to use when you configure the NAF
C. Specify the particular EAP type to use when you configure the NAP authentication policy
D. Specify the particular EAP type to use when you configure the NAP authorization policy
Answer: C
Question: 123
John and Kathy are working together on configuring the IOS firewall. They are trying to determine
what CBAC inspection rules can be configured on a per-application-protocol basis. Which of the
following is correct?
A. ODBC filtering
B. Tunnel, transport models, or both
C. Alerts and audit trails
D. Stateful failover
Answer: C
Case Study# 1
Scenario:
This item contains three questions that you must answer. In order to answer the question, you
need to examine the SDM screens by clicking on the SDM button to the left. View the question
by clicking on the Questions button to the left. Then, choose the correct answer from among the
options.
Note: Not all the SDM screen functions are implemented in this simulation. If a certain method to
access the desired SDM screen is not available, please try to use an alternate method to access the
required SDM screen to answer the question.
SDM:
Topology:
Question: 1
Referring to the appropriate SDM screen(s), which two statements regarding the Cisco IOS
Zone-Based Firewall configuration are correct? (Choose two.)
A. The “reset” action is applied to any HTTP request sourced from the “in” zone and destined to
the “out” zone, which also has a request Uniform Resource Identifier (URI) that is greater
than 500 bytes in length.
B. The “pass” action is applied to HTTP traffic sourced from the “out” zone and destined to the
“in” zone.
C. The “inspect” action is applied to Internet Control Message Protocol (ICMP) traffic sourced
from the “in” zone and destined to the “out” zone.
D. The “http-policy” inspection policy map is applied to all HTTP and HTTPS traffic sourced from
the “in” zone and destined to the “out” zone.
E. The “testpnn” inspection policy map is applied to the “inout” zone-pair.
Answer: A, E
Question: 2
Referring to the appropriate SDM screen(s), what is the User Datagram Protocol (UDP) idle time
set for any HTTP traffic that is sourced from the “in” zone and destined to the “out” zone?
A. 10 seconds
B. 15 seconds
C. 30 seconds
D. 35 seconds
E. 60 seconds
Answer: D
Question: 3
Referring to the appropriate SDM screen(s), why are outside hosts unable to initiate Telnet (port
23) traffic to the 172.16.1.10 inside host?
A. Static NAT is not correctly enabled to translate the 172.16.1.10 inside host address.
B. The 172.16.1.10 inside host is using dynamic Port Address Translation (PAT).
C. There is no zone-based firewall policy applied to the traffic sourced from the “out” zone and
destined to the “in” zone.
D. The implicit deny access control list (ACL) entry on the inbound ACL is applied to the outside
interface.
E. The implicit deny ACL entry on the inbound ACL is applied to the inside interface.
Answer: C
Case Study# 2
Scenario:
This item contains three questions that you must answer. You can view the question by clicking
on the Questions button to the left. In order to answer the question, you need to examine the SDM
screens by clicking on the SDM button to the left. Then, choose the correct answer from among the
options.
Note: Not all the SDM screen functions are implemented in this simulation. If a certain method to
access the desired SDM screen is not available, please try to use an alternate method to access the
required SDM screen to answer the question.
SDM:
Topology:
Question: 1
What is the Fidelity Rating of the DDoS Trinoo IPS signature (signature ID 4608, subsignature-id
3)?
A. 0
B. 50
C. 100
D. 150
E. 200
Answer: C
Question: 2
What is the value of the user-defined variable used to indicate the criticality of the 10.10.10.99
host? This value is used in the Risk Rating calculations.
A. Low
B. Medium
C. High
D. Mission Critical
Answer: D
Question: 3
Which Signature Engine supports Cisco IPS Signature ID 9423?
A. atomic-ip
B. string-tcp
C. service-http
D. string-udp
E. service-smb-advanced
Answer: B
End of Document