Exam Name: Securing Networks with Cisco Routers and Switches

Exam Type: Cisco Case Studies 2

Exam Code: 642-504(true) Total Questions 129

Question: 1
Which two are technologies that secure the control plane of the Cisco router? (Choose two.)

A. Cisco IOS Flexible Packet Matching
B. uRPF
C. routing protocol authentication
D. CPPr
E. BPDU protection
F. role-based access control

Answer: C, D

Question: 2
What are the two category types associated with 5.x signature use in Cisco IOS IPS? (Choose
two.)

A. basic
B. advanced
C. 128MB.sdf
D. 256MB.sdf
E. attack-drop
F. built-in

Answer: A, B

Question: 3
Refer to the exhibit.
Which optional AAA or RADIUS configuration command is used to support 802.1X guest VLAN
functionality?

A. AAA authentication dot1x default group radius
B. AAA authorization network default group radius
C. AAA accounting dot1x default start-stop group radius
D. AAA accounting system default start-stop group radius
E. Radius-server host 10.1.1.1 auth-port 1812 acct-port 1813

Answer: B

Question: 4
Which is an advantage of implementing the Cisco IOS Firewall feature?

A. Provides self-contained end-user authentication capabilities
B. Integrates multiprotocol routing with security policy enforcement
C. Acts primarily as a dedicated firewall device
D. Is easily deployed and managed by the Cisco Adaptive Security Device Manager
E. Provides data leakage protection capabilities

Answer: B

Question: 5
Which three statements correctly describe the GET VPN policy management? (Choose three.)

A. A central policy is defined at the ACS (AAA) server.
B. A local policy is defined on each group member.
C. A global policy is defined on the key server, and it is distributed to the group members.
D. The key server and group member policy must match.
E. The group member appends the global policy to its local policy.

Answer: B, C, E

Question: 6
Drop

Answer:

Question: 7
The CPU and Memory Threshold Notifications of the Network Foundation Protection feature
protects which router plane?

A. control plane
B. management plane
C. data plane
D. network plane

Answer: B

Question: 8
Drop

Answer:

Question: 9
Drop

Answer:

Question: 10
In DMVPN, the NHRP process allows which requirement to be met?

A. Dynamic physical interface IP address at the spoke routers
B. High-availability DMVPN designs
C. Dynamic spoke-to-spoke on-demand tunnels
D. Dynamic routing over the DMVPN
E. Dual DMVPN hub designs

Answer: A

Question: 11
Which is correct regarding the Management Plane Protection feature?

A. By default, Management Plane Protection is enabled on all interfaces.
B. Management Plane Protection provides for a default management interface.
C. Only SSH and SNMP management will be allowed on nondesignated management interfaces.
D. All incoming packets through the management interface are dropped except for those from the
allowed management protocols.

Answer: D

Question: 12
What are the two enrollment options when using the SDM Certificate Enrollment wizard? (Choose
two.)

A. SCEP
B. LDAP
C. OCSP
D. Cut-and-Paste/Import from PC

Answer: A, D

Question: 13
Refer to the exhibit.
Which two configuration commands are used to apply an inspect policy map for traffic traversing
from the E0 or E1 interface to the S3 interface? (Choose two.)

A. zone-pair security test source Z1 destination Z2
B. interface E0
C. policy-map myfwpolicy class class-default inspect
D. ip inspect myfwpolicy out
E. ip inspect myfwpolicy in
F. service-policy type inspect myfwpolicy

Answer: A, F

Question: 14
Cisco IOS Firewall supports which three of the following features? (Choose three.)

A. alerts
B. audit trails
C. multicontext firewalling
D. active/active stateful failover
E. DoS attacks protection

Answer: A, B, E

Question: 15
Refer to the exhibit.
What is correct based on the partial configuration shown?

A. The policy is configured to use an authentication key of 'rsa-sig'.
B. The policy is configured to use Diffie-Hellman group sha-1.
C. The policy is configured to use Triple DES IPsec encryption.
D. The policy is configured to use digital certificates.
E. The policy is configured to use access list 101 to identify the IKE-protected traffic.

Answer: D

Question: 16
When enabling Cisco IOS IPS using 5.x signatures, which required item can be downloaded from
Cisco.com?

A. SDF files (128MB.sdf, 256MB.sdf, attack.drop.sdf)
B. public key
C. built-in signatures
D. Signature Micro-Engines
E. IME

Answer: B

Question: 17
Which information will be shown by entering the command show zone-pair security?

A. Zone descriptions and assigned interfaces
B. All service policy maps
C. Source and destination zones, and attached policy
D. Physical interface members of the zone pair

Answer: C

Question: 18
Cisco IOS SSL VPN thin-client mode has which two characteristics? (Choose two.)

A. Uses a Java applet
B. Supports TCP and UDP applications that use static port(s)
C. Provides full tunnel access like the IPsec VPN software client
D. Requires the use of browser plug-ins
E. Provides TCP port forwarding capabilities

Answer: A, E

Question: 19
Refer to the exhibit.
What will result from this zone-based firewall configuration?

A. All traffic from the private zone to the public zone will be dropped.
B. All traffic from the private zone to the public zone will be permitted but not inspected.
C. All traffic from the private zone to the public zone will be permitted and inspected.
D. All traffic from the public zone to the private zone will be permitted but not inspected.
E. Only HTTP and DNS traffic from the private zone to the public zone will be permitted and
inspected.
F. Only HTTP and DNS traffic from the public zone to the private zone will be permitted and
inspected.

Answer: A

Question: 20
Cisco Easy VPN Server pushes parameters such as the client internal IP address, DHCP server
IP address, and WINS server IP address to the Cisco Easy VPN Remote client during which of
these phases?

A. IKE Phase 1 first-message exchange
B. IKE Phase 2 last-message exchange
C. IKE mode configuration
D. IKE XAUTH
E. IKE quick mode

Answer: C

Question: 21
Which two are capabilities of the Cisco IOS Firewall Feature Set? (Choose two.)

A. Protects against worms, malicious users, and denial of service
B. Provides intrusion protection capabilities
C. When combined with application inspection, performs as an advanced application layer firewall
gateway
D. Interoperates with Network Address Translation to conserve and simplify network address use
E. Provides for secure connectivity between branch offices

Answer: A, D

Question: 22
Which two commands are used to allow only SSH traffic to the router Eth0 interface and deny
other management traffic (BEEP, FTP, HTTP, HTTPS, SNMP, Telnet, TFTP) to the router
interfaces? (Choose two.)

A. Interface eth0
B. Control-plane host
C. Policy-map type port-filter policy-name
D. Service-policy type port-filter input policy-name
E. Management-interface eth0 allow ssh
F. Line vty 0 5 transport input ssh

Answer: B, E

Question: 23
Cisco IOS IPS uses which alerting protocol with a pull mechanism for getting IPS alerts to the
network management application?

A. HTTPS
B. SMTP
C. SNMP
D. syslog
E. SDEE
F. POP3

Answer: E

Question: 24
When configuring FPM, what should be the next step after the PHDFs have been loaded?

A. Define a stack of protocol headers.
B. Define a traffic policy.
C. Define a service policy.
D. Define a class map of type "access-control" for classifying packets.
E. Reload the router.
F. Save the PHDFs to startup-config.

Answer: A

Question: 25
GET VPN uses which secure group keying mechanism?

A. Diffie-Hellman
B. Pre-shared
C. Group Domain of Interpretation
D. Public and private keys
E. Group key agreement

Answer: C

Question: 26
When configuring the Auto Update feature for Cisco IOS IPS, what is a recommended best
practice?

A. Synchronize the router's clock to the PC before configuring Auto Update.
B. Clear the router's flash of unused signature files.
C. Enable anonymous TFTP downloads from Cisco.com and specify the download frequency.
D. Create the appropriate directory on the router's flash memory to store the downloaded
signature files.
E. Download the realm-cisco.pub.key file and update the public key stored on the router.

Answer: A

Question: 27
When configuring GRE over IPsec, what is true regarding the GRE tunnel endpoints?

A. A mirror image of the IPsec crypto ACL needs to be configured to permit the interesting end-user traffic between the GRE endpoints.
B. The tunnel interface of both endpoints should be configured to use the outside IP address of
the router as the unnumbered IP address.
C. The tunnel interface of both endpoints needs to be in the same IP subnet.
D. For high availability, the GRE tunnel interface should be configured with a primary and a
backup tunnel destination IP address.

Answer: C

Question: 28
Refer to the exhibit.
Given that the fa0/1 interface is the trusted interface, what could be a reason for users on the
trusted inside networks not to be able to successfully establish outbound HTTP connections?

A. The outgoing ACL on the fa0/1 interface is not set.
B. The FWRULE inspection policy is not inspecting HTTP traffic.
C. ACL 104 is denying the outbound HTTP traffic.
D. The outgoing inspection rule on the fa0/1 interface is not set.
E. ACL 104 is denying the return HTTP traffic.
F. The FWRULE inspection policy is not configured correctly.

Answer: C

Question: 29
The Cisco SDM IPS migration tool is used for what purpose?

A. To migrate the built-in signatures to the SDF format
B. To migrate from Cisco IOS IPS version 4.0 to Cisco IOS IPS version 5.0
C. To migrate from promiscuous mode IPS to inline IPS
D. To migrate from Cisco IOS IPS to the Cisco AIM-IPS
E. To migrate from the Cisco NM-CIDS to the Cisco AIM-IPS

Answer: B

Question: 30
Refer to the exhibit.
Based on the output shown, which statement is correct regarding the Cisco IOS IPS
configuration?

A. The built-in signatures will be used.
B. There were problems loading the signatures as indicated by the high number of total inactive
signatures shown.
C. The router is using the advanced IPS signature set.
D. The SDF will be loaded from the IPS directory in flash.
E. The SMEs are stored in the IPS directory in flash.

Answer: C

Question: 31
Which Cisco IOS Firewall feature allows the firewall to function as a Layer 2 bridge on the
network?

A. zone-based firewall
B. CBAC
C. firewall ACL bypass
D. transparent firewall

Answer: D

Question: 32
Which statement is correct regarding Cisco IOS Firewall URL-filtering services on Cisco IOS
Release 12.4(15)T and later?

A. Multiple URL lists and URL filter server lists can be configured on the router.
B. URL filtering with zone-based firewalls is configured using the type "inspect" parameter-map.
C. Enabling "allow mode" is required when using an external URL-filtering server.
D. The services support Secure Computing server or Websense server and the local URL list.

Answer: D

Question: 33
Refer to the exhibit.
Based on the CLI configuration shown, which two statements are correct? (Choose two.)

A. Serial0/0/0 is the outside NAT interface.
B. The overload option enables static PAT.
C. The static PAT configuration will not work since the second entry in access-list 1 overlaps the
static PAT configuration.
D. All HTTP connections to the Serial0/0/0 interface IP address will be translated to the
172.16.1.2 IP address port 8080.
E. Access-list 1 defines the list of inside global IP addresses.

Answer: A, D

Question: 34
When using Cisco Easy VPN, what are the three options for entering the XAUTH username and
password for establishing the VPN connection from the Cisco Easy VPN remote router? (Choose
three.)

A. Using the router local user database
B. Using an external AAA server
C. Entering the information from the router console or SDM
D. Entering the information from the PC browser when browsing
E. Saving the XAUTH credentials to this router

Answer: C, D, E

Question: 35
Which Cisco IOS IPS risk rating component uses a low value of 75, a medium value of 100, a
high value of 150, and a mission-critical value of 200?

A. Signature Fidelity Rating
B. Attack Severity Rating
C. Target Value Rating
D. Attack Relevancy Rating
E. Promiscuous Delta
F. Watch List Rating

Answer: C

Question: 36
When configuring the zone-based firewall feature on a Cisco router, which statement is correct
regarding the zone-based firewall policy?

A. The policy is applied unidirectionally between two security zones.
B. Interfaces in the same zone require that a bidirectional traffic policy be applied to permit traffic
flow.
C. Traffic between an interface belonging to a zone and an interface that is not a zone member is
allowed to pass without the policy being applied to the traffic.
D. Traffic between an interface belonging to a zone and the "self" zone is denied by default
unless it is explicitly allowed by a user-defined policy.

Answer: A

Question: 37
When you add NADs as AAA clients in the ACS, which three parameters are configured for each
AAA client? (Choose three.)

A. The NAD IP address
B. The AAA server IP address
C. The EAP type
D. The shared secret key
E. The AAA protocol to use for communication with the NADs
F. The UDP ports to use for communication with the NADs

Answer: A, D, E

Question: 38
Which Cisco IOS VPN feature simplifies IPsec VPN configuration and design by using on-demand virtual access interfaces that are cloned from a virtual template configuration?

A. GET VPN
B. dynamic VTI
C. static VTI
D. GRE tunnels
E. GRE over IPsec tunnels
F. DMVPN

Answer: B

Question: 39
Refer to the DMVPN topology diagram in the exhibit. Which two statements are correct? (Choose
two.)

A. The hub router needs to have EIGRP split horizon disabled.
B. At the Spoke A router, the next hop to reach the 192.168.2.0/24 network is 10.0.0.1.
C. Before a spoke-to-spoke tunnel can be built, the spoke router needs to send an NHRP query
to the hub to resolve the remote spoke router physical interface IP address.
D. At the Spoke B router, the next hop to reach the 192.168.1.0/24 network is 172.17.0.1.
E. The spoke routers act as the NHRP servers for resolving the remote spoke physical interface
IP address.
F. At the Spoke A router, the next hop to reach the 192.168.0.0/24 network is 172.17.0.1.

Answer: A, C

Question: 40
When deploying 802.1X authentication on Cisco Catalyst switches, which traffic can be passed
between the client PC and the Cisco Catalyst switch over the uncontrolled port?

A. RADIUS
B. TACACS+
C. HTTP
D. DHCP
E. EAPoLAN
F. CDP

Answer: E

Question: 41
Refer to the exhibit. Based on the partial configuration shown, which additional configuration
parameter is needed under the GET VPN group member GDOI configuration?

A. Key server IP address
B. Rekey parameter
C. Local priority
D. Mapping of the IPsec profile to the IPsec SA
E. Mapping of the IPsec transform set to the GDOI group

Answer: A

Question: 42
Which action does the interface configuration command switchport protected enable?

A. Groups ports into an isolated community when configured on multiple ports
B. Configures the interface for the PVLAN edge
C. Provides isolation between two protected ports located on different switches
D. Allows traffic on protected ports to be forwarded at Layer 2

Answer: B

Question: 43
What configuration task must you perform prior to configuring private VLANs?

A. Enable port security on the interface
B. Associate all isolated ports to the primary VLAN
C. Set the VTP mode to transparent
D. Configure PVLAN trunking

Answer: C

Question: 44
When deploying 802.1X authentication on Cisco Catalyst switches, what are two possible options
for authenticating the clients that do not have an 802.1X supplicant? (Choose two.)

A. MAC Authentication Bypass
B. Active Directory Single Sign-On
C. Authentication proxy
D. Web authentication
E. Protected EAP

Answer: A, D

Question: 45
When implementing EIGRP dynamic routing over DMVPN, what are three configuration tasks
required at the hub router tunnel interface? (Choose three.)

A. Disabling EIGRP ip next-hop-self
B. Disabling EIGRP ip split-horizon
C. Disabling EIGRP auto-summary
D. Disabling EIGRP stub
E. Enabling multipoint GRE
F. Configuring the NHRP next-hop server IP address

Answer: A, B, E

Question: 46
Refer to the exhibit.
What is wrong with the GRE over IPsec configuration shown?

A. The crypto map is not correctly configured.
B. The crypto ACL is not correctly configured.
C. The network 172.16.0.0 command is missing under router eigrp 1.
D. ESP transport mode should be configured instead of using the default tunnel mode.

Answer: B

Question: 47
Drop

Answer:

Question: 48
When you configure Cisco IOS WebVPN, you can use the port-forward command to enable
which function?

A. web-enabled applications
B. Cisco Secure Desktop
C. full-tunnel client
D. thin client
E. CIFS
F. OWA

Answer: D

Question: 49
Which three of these statements are correct regarding DMVPN configuration? (Choose three.)

A. If running EIGRP over DMVPN, the hub router tunnel interface must have "next hop self"
enabled: ip next-hop-self eigrp AS-Number
B. If running EIGRP over DMVPN, the hub router tunnel interface must have split horizon
disabled: no ip split-horizon eigrp AS-Number
C. The spoke routers must be configured as the NHRP servers: ip nhrp nhs spoke-tunnel-ip-address
D. At the spoke routers, static NHRP mapping to the hub router is required: ip nhrp map hub-tunnel-ip-address hub-physical-ip-address
E. The GRE tunnel mode must be set to point-to-point mode: tunnel mode gre point-to-point
F. The GRE tunnel must be associated with an IPsec profile: tunnel protection ipsec profile
profile-name

Answer: B, D, F

Question: 50
Refer to the exhibit.
What is wrong with the partial IPsec VPN high-availability configuration shown here?

A. A static crypto map should be used instead of a dynamic crypto map.
B. The crypto map CM interface configuration statement is missing the stateful option.
C. The crypto map interface configuration statement should reference the dynamic crypto map
DM.
D. IPsec is not synchronized with HSRP.

Answer: D

Question: 51

Drop

Answer:

Question: 52
You are an administrator configuring a Cisco router to enroll with a certificate authority. What is a
recommended best practice to perform prior to configuring enrollment parameters?

A. Contact the registration authority to obtain the enrollment URL.
B. Manually verify the PKCS #10 certificate prior to enrollment.
C. Configure the certificate revocation list to ensure that you do not receive revoked CA
certificates.
D. Configure Network Time Protocol.
E. If using SCEP, ensure that TCP port 22 traffic is permitted to the router.

Answer: D

Question: 53
DMVPN configuration uses which tunnel mode type on the tunnel interface?

A. DVMRP
B. IPsec IPv4
C. NHRP
D. GRE multipoint

Answer: D

Question: 54
Refer to the exhibit.
What is true regarding the IKE security association?

A. The IPsec connection is in an idle state.


B. The IKE association is in the process of being set up.
C. The IKE status is authenticated.
D. The ISAKMP state is waiting for quick mode status to authenticate before IPsec parameters
are passed between peers.

Answer: C

Question: 55
Drop

Answer:

Question: 56
When configuring a Cisco Easy VPN server, what must be configured prior to entering VPN
configuration parameters?

A. AAA
B. ISAKMP peer authentication method
C. XAuth
D. SSH
E. crypto ACL
F. NTP

Answer: A

Question: 57
Which parameter is configured under the router(config-isakmp)# configuration mode?

A. Use of digital certificates for authentication
B. The IPsec transform set
C. The reference to the crypto ACL
D. The IPsec peer IP address
E. The pre-shared key value

Answer: A

Question: 58
Which two statements are correct regarding Network Address Translation and IPsec
interoperability? (Choose two.)

A. ESP does not work with NAT.
B. AH does not work with NAT.
C. ESP does not work with PAT.
D. NAT-T uses TCP port 4500.
E. NAT-T sends NAT discovery packets after IKE Phase 2 establishment.

Answer: B, C

Question: 59
If the show crypto isakmp sa output shows a state of "QM_IDLE" with the "Active" status, what
does that most likely indicate?

A. IKE Phase 1 quick mode negotiation has failed.
B. The security association is waiting for the timeout to expire before retrying the ISAKMP SA
establishment.
C. An ISAKMP SA exists.
D. Peer authentication has failed during IKE Phase 1.
E. IKE Phase 1 is in the negotiation state.

Answer: C

Question: 60
Which is the correct sequence of the Cisco Easy VPN remote connection process steps?

1. VPN client establishes an ISAKMP SA
2. Cisco Easy VPN server initiates a username and password challenge
3. The MODE configuration process is initiated
4. IPsec quick mode completes the connection process
5. VPN client initiates IKE Phase 1
6. The RRI process is initiated
7. Cisco Easy VPN server accepts the SA proposal

I. Step 1
II. Step 2
III. Step 3
IV. Step 4
V. Step 5
VI. Step 6
VII. Step 7

A. I-5,II-1,III-7,IV-2,V-3,VI-6,VII-4
B. I-5,II-1,III-7,IV-3,V-2,VI-6,VII-4
C. I-5,II-1,III-7,IV-2,V-3,VI-4,VII-6
D. I-5,II-1,III-7,IV-3,V-2,VI-4,VII-6

Answer: A

Question: 61
You are the security administrator for company and you need to know what CBAC does on the
Cisco IOS Firewall. Which one of these is the best answer?

A. Creates specific security policies for each user at company Inc.
B. Provides additional visibility at intranet, extranet, and Internet perimeters at company Inc.
C. Protects the network from internal attacks and threats at company Inc.
D. Provides secure, per-application access control across network perimeters at company Inc.

Answer: D

Question: 62
By default, how many half-open sessions need to be in the state table before CBAC will begin to
delete the half-open sessions?

A. 500
B. 250
C. 1000
D. 2000

Answer: A

Question: 63
The authentication proxy feature has been configured on one of the company routers. What does
authentication proxy on the Cisco IOS Firewall do?

A. Creates specific authorization policies for each user with Cisco Secure ACS, dynamic, per-user security and authorization
B. Provides additional visibility at intranet, extranet, and Internet perimeters
C. Creates specific security policies for each user with Cisco Secure ACS, dynamic, per-user
authentication and authorization
D. Provides secure, per-application access control across network perimeters

Answer: C

Question: 64
You are the Cisco Configuration Assistant in pass4usre.com. Which configuration is not required
to enable the Cisco IOS Firewall to inspect a user-defined application which uses TCP ports 8000
and 8001? (Choose three.)

A. access-list 101 permit tcp any any eq 8000 access-list 101 permit tcp any any eq 8001 class-map user-10 match access-group 101
B. ip port-map user-10 port tcp 8000 8001 description "TEST PROTOCOL"
C. ip inspect name test user-10
D. int {type|number} ip inspect name test in

Answer: B, C, D

Question: 65
Which item is true about the relationship between the CLI command and its definition? Not all
commands will be used.

1. clear crypto sa
2. clear crypto isakmp
3. show crypto map
4. show crypto ipsec transform-set
5. show crypto isakmp policy
6. show crypto isakmp sa
7. show crypto ipsec sa

I. Clear active IKE connections
II. Verify the IPsec protection policy settings
III. Verify current IPsec settings in use by the security associations
IV. Delete IPsec security association
V. Verify crypto configurations and show SA lifetimes

A. I-2, II-4, III-7, IV-1, V-3
B. I-2, II-5, III-7, IV-1, V-3
C. I-2, II-4, III-7, IV-3, V-1
D. I-2, II-5, III-7, IV-3, V-1

Answer: A

Question: 66
You are configuring the authentication feature on a new company router. Which of the following
correctly sets the IOS Firewall authentication-proxy idle timer to 20 minutes?

A. ip auth-proxy auth-cache 20
B. ip auth-proxy auth-time 20
C. ip auth-proxy auth-cache-time 20
D. ip auth-proxy idle 20

Answer: C

Question: 67
You are in charge of securing networks with Cisco routers and switches at company. When
troubleshooting a site-to-site IPsec VPN, you see this console message: %CRYPTO-6-IKMP_SA_NOT_OFFERED: Remote peer %15i responded with attribute [chars] not offered or
changed. Which configuration should you verify?

A. the crypto ACL
B. the crypto map
C. the IPsec transform set
D. the ISAKMP policies

Answer: D

Question: 68
You are the Cisco Configuration Assistant in pass4usre.com. When you configure a site-to-site
IPsec VPN tunnel, which configuration must be the exact reverse of the other IPsec peer?

A. IPsec policy
B. ISAKMP policy
C. pre-shared key
D. crypto ACL

Answer: D

Question: 69
You are configuring the authentication feature on a new company router. Which of the following
configures an authentication proxy rule for the IOS Firewall?

A. ip inspect-proxy name proxyname http
B. ip auth-proxy name proxyname http
C. ip auth-rule proxyname http
D. ip proxy-name proxyname http

Answer: B

Question: 70
You are the Cisco Configuration Assistant in pass4usre.com. When you implement 802.1x
authentication, which other ACS component will refer the RACs configured under the Shared
Profile Components in the ACS?

A. user setup
B. group setup
C. NAP authentication policy
D. NAP authorization policy

Answer: D

Question: 71
Which item is correct about the relationship between the command and its WebVPN
troubleshooting function?

1. debug webvpn aaa
2. debug webvpn port-forward
3. debug webvpn webservice
4. debug webvpn dns

I. users having problems with the thin-client operations
II. users having problems logging into WebVPN
III. users getting an "unable to connect to server" error message when trying to access the
http://www.xyz.com URL

A. I-2,II-1,III-4
B. I-2,II-4,III-1
C. I-1,II-2,III-4
D. I-1,II-4,III-2

Answer: A

Question: 72
The authentication proxy feature has been configured on one of the company routers. Where are
access profiles stored with the authentication proxy features of the Cisco IOS Firewall?

A. PIX Firewall
B. Cisco router
C. Cisco VPN Concentrator
D. Cisco Secure ACS authentication server

Answer: D

Question: 73
You are the network administrator for pass4usre.com. When you implement IBNS, what is defined
using the Tunnel-Private-Group-ID RADIUS attribute?

A. the EAP type
B. pre-shared key
C. the ACL type
D. the VLAN name

Answer: D

Question: 74
Refer to the output of a "sh ip auth-proxy cache" command issued on a company router below.

P4S2# sh ip auth-proxy cache
Authentication Proxy Cache
 Client Name aaauser, Client IP 10.0.2.12, Port 2636, timeout 5, Time Remaining 3, state ESTAB

Based on this information, which port is being used by the client?

A. 1645
B. 1646
C. 1812
D. 2636

Answer: D

Question: 75
How does a user on the company LAN trigger the authentication proxy after the idle timer has
expired?

A. The proxy authenticates the user
B. The user initiates another HTTP session
C. The user enters a new username and password
D. The user enters a valid username and password

Answer: B

Question: 76
A new company router is being configured for IDS services. Choose the two types of signature
implementations that the IOS Firewall IDS can detect. (Choose two.)

A. Atomic
B. Dynamic
C. Regenerative
D. Compound

Answer: A, D

Question: 77
When you enter the P4S-S(config)#aaa authentication dot1x default group radius command on a
Cisco Catalyst switch, the Cisco IOS parser returns with the "invalid input detected" error
message. What can be the cause of this error?

A. You must use the dot1x system-auth-control command first to globally enable 802.1x.
B. You must define the RADIUS server IP address first, using the P4S-S(config)# radius-server
host ip-address command.
C. You must enter the aaa new-model command first.
D. The local option is missing in the command.

Answer: C

Question: 78
When you implement Cisco IOS WebVPN on a Cisco router using a self-signed certificate, you
notice that the router is not generating a self-signed certificate. What should you check to
troubleshoot this issue?

A. Verify the ip http server configuration.
B. Verify the WebVPN group policy configuration.
C. Verify the AAA authentication configuration.
D. Verify that the WebVPN gateway is inservice.

Answer: D

Question: 79
Which item correctly matches each Cisco IOS SEAP feature with its description? Not all the
features are used.

1. signature fidelity rating
2. alert severity rating
3. target value rating
4. risk rating
5. event action filters
6. event action overrides

I. user's perceived value of the target host
II. remove action(s) from an event
III. a way to add event actions globally

A. I-3, II-5, III-6
B. I-3, II-6, III-5
C. I-2, II-5, III-6
D. I-2, II-6, III-5

Answer: A

Question: 80
Cisco IOS Intrusion Prevention System (IPS) is an inline, deep-packet inspection feature that
effectively mitigates a wide range of network attacks. When verifying Cisco IOS IPS operations,
when should you expect Cisco IOS IPS to start loading the signatures?

A. After you configure the ip ips sdf location flash:filename command
B. After you configure the ip ips sdf builtin command
C. After you configure a Cisco IOS IPS rule in the global configuration
D. When the first Cisco IOS IPS rule is enabled

Answer: D

Question: 81
Cisco Secure Access Control Server (ACS) is a highly scalable, high-performance access control
server that provides a comprehensive identity networking solution. Which of these statements is
correct regarding user setup on ACS 4.0?

A. Users are assigned to the default group.
B. A user can belong to more than one group.
C. The username can contain characters such as "#" and "?".
D. The settings at the group level override the settings configured at the user level.

Answer: A

Question: 82
A new company switch has been installed and you wish to secure it. Which Cisco Catalyst IOS
command can be used to mitigate a CAM table overflow attack?

A. P4S-S(config-if)# port-security maximum 1
B. P4S-S(config)# switchport port-security
C. P4S-S(config-if)# port-security
D. P4S-S(config-if)# switchport port-security maximum 1

Answer: D

Question: 83
Please match each NFP feature to the correct description.

1. Flexible Packet Matching
2. Control Plane Protection
3. Control Plane Policing

(I) applies to all (aggregated) control-plane traffic
(II) applies to a control-plane sub-interface, for example host, transit, or cef-exception
(III) applies to data plane traffic

A. (I)-1 (II)-2 (III)-3
B. (I)-2 (II)-3 (III)-1
C. (I)-3 (II)-1 (III)-2
D. (I)-3 (II)-2 (III)-1

Answer: D

Question: 84
When an active signature is detected, Cisco IOS IPS can take specific actions. Which option is
correct about the relationship between the action and its correct definition?
1. Deny Attacker Inline
2. Deny Connection Inline
3. Deny Packet Inline
4. Produce Alert
5. Reset TCP Connection

I. Do not transmit this packet (inline only)
II. Drop the packet and all future packets from the TCP flow
III. Send resets to terminate the TCP flow
IV. Create an ACL that denies all traffic from the suspected source IP address
V. Generate an alarm message

A. I-3, II-5, III-2, IV-1, V-4
B. I-3, II-5, III-2, IV-4, V-1
C. I-3, II-5, III-1, IV-2, V-4
D. I-3, II-5, III-1, IV-4, V-2

Answer: A

Question: 85
You want to increase the security of a newly installed switch. Which Cisco Catalyst IOS command
is used to mitigate a MAC spoofing attack?

A. P4S-S(config-if)# port-security mac-address 0000.ffff.aaaa
B. P4S-S(config)# switchport port-security mac-address 0000.ffff.aaaa
C. P4S-S(config-if)# switchport port-security mac-address 0000.ffff.aaaa
D. P4S-S(config)# port-security mac-address 0000.ffff.aaaa

Answer: C

Question: 86
Based on the following configuration, which two statements are correct? (Choose two.)

ip ips name MYIPS
!
interface GigabitEthernet 0/1
 ip address 10.1.1.16 255.255.255.0
 ip ips MYIPS in
!

A. SDEE alert messages will be enabled.
B. The basic signatures will be used.
C. The built-in signatures will be used.
D. Cisco IOS IPS will fail-open.

Answer: C, D

Question: 87
The security administrator for company Inc. is working on defending the network against SYN
flooding attacks. Which of the following are tools to protect the network from TCP SYN attacks?

A. Route authentication
B. Encryption
C. ACLs
D. TCP intercept

Answer: D

Question: 88
Which of the following IOS commands will you advise the company trainee technician to use when
setting the timeout for a router terminal line?

A. exec-timeout minute [seconds]
B. line-timeout minute [seconds]
C. timeout console minute [seconds]
D. exec-time minutes [seconds]

Answer: A

Question: 89
The company network is implementing IBNS. In a Cisco Identity-Based Networking Service
(IBNS) implementation, the endpoint that is seeking network access is known as what?

A. Host
B. Authentication
C. PC
D. Supplicant

Answer: D

Question: 90
A new IBNS system is being installed in the company network. The Cisco Identity-Based
Networking Services (IBNS) solution is based on which two standard implementations? (Choose
two.)

A. TACACS+
B. RADIUS
C. 802.11
D. 802.1x

Answer: B, D


Question: 91
In IKE Phase 1, IKE creates an authenticated, secure channel between the two IKE peers, called
the IKE security association. The Diffie-Hellman key agreement is always performed in this
phase. What are the three authentication methods that you can use during IKE Phase 1?
(Choose three.)

A. AAA Authentication
B. pre-shared key
C. RSA signature
D. RSA encrypted nonce

Answer: B, C, D

Question: 92
You wish to configure 802.1X port control on your switch. Which three keywords are used with
the dot1x port-control command? (Choose three.)

A. enable
B. force-authorized
C. force-unauthorized
D. auto

Answer: B, C, D

Question: 93
The PHDF defines the structure of a particular packet and adds the protocol inspection
capabilities to Cisco IOS Software. The PHDF stored in the router flash memory is required for
which of these applications to function?

A. NBAR
B. CAC
C. PAM
D. FPM

Answer: D

Question: 94
The company network has rolled out an 802.1X based system. In an 802.1x implementation, the
authenticator acts as a gateway to which device?

A. Host
B. Authenticator
C. PC
D. Authentication server

Answer: D

Question: 95
You are in charge of securing networks with Cisco routers and switches at the company. Please point
out two benefits of using an IPsec GRE tunnel. (Choose two.)

A. It requires a more restrictive crypto ACL to provide finer security control.
B. It has less overhead than running IPsec in tunnel mode.
C. It allows IP multicast traffic.
D. It allows dynamic routing protocol to run over the tunnel interface.


Answer: C, D

Question: 96
Which two are typical Layer 2 attacks? (Choose two.)

A. MAC spoofing
B. CAM table overflow
C. Route poisoning
D. DHCP Starvation

Answer: A, B

Question: 97
You want to increase the security levels at Layer 2 within the company switched LAN. Which three
are typical Layer 2 attack mitigation techniques? (Select three.)

A. 802.1x authentication
B. Port security
C. ARP snooping
D. DHCP snooping

Answer: A, B, D

Question: 98
The company security administrator is in charge of creating a security policy for the company.
Which two statements about the creation of a security policy are true? (Choose two.)

A. It helps Chief Information Officers determine the return on investment of network security at
company Inc.
B. It defines how to track down and prosecute policy offenders at company Inc.
C. It provides a process to audit existing network security at company Inc.
D. It defines which behavior is and is not allowed at company Inc.

Answer: C, D

Question: 99
You are the network consultant from pass4usre.com. Cisco IOS Zone-Based Firewall uses which
of the following to identify a service or application from traffic flowing through the firewall?

A. Network Based Application Recognition
B. extended access list
C. deep packet inspection
D. PAM table

Answer: D

Question: 100
Router P4S1 is configured with the IOS firewall feature set to prevent TCP based attacks. How
many incomplete connections must this router have by default before TCP Intercept will start
dropping incomplete connections?

A. 500
B. 1100
C. 700
D. 900

Answer: B

Question: 101
Which of the following represents the behavior of the CBAC aggressive mode in a Cisco IOS
firewall?

A. Delete all half-open sessions
B. Re-initiate half-open sessions
C. Complete all half-open sessions, making them fully open sessions
D. Delete half-open sessions as needed to accommodate new connection requests

Answer: D

Question: 102
The Dynamic Multipoint VPN (DMVPN) feature allows users to better scale large and small IP
Security (IPsec) Virtual Private Networks (VPNs) by combining generic routing encapsulation
(GRE) tunnels, IPsec encryption, and Next Hop Resolution Protocol (NHRP). Referring to a
DMVPN hub router tunnel interface configuration, what will fail if the ip nhrp map multicast
dynamic command is missing on the tunnel interface?

A. The NHRP request and response.
B. The GRE tunnel.
C. The IPsec peering.
D. The dynamic routing protocol.

Answer: D

Question: 103
What OSI layers can CBAC filter on? Select all that apply.

A. Layer 4
B. Layer 3
C. Layer 2
D. Layer 7

Answer: A, B, D

Question: 104
Router P4S1 has been upgraded with the Cisco firewall IOS. Which of the following cannot be
configured on a router unless the IOS Firewall feature set is installed? (Select all that apply.)

A. PAM
B. Authentication Proxy
C. IDS
D. CBAC

Answer: A, B, C, D

Question: 105
While logged into the company router, which of the following commands specifies that the IOS
Firewall IDS engine drops packets and resets TCP connections for information signatures?

A. ip audit name audit1 info attack drop reset
B. ip audit name audit1 info action drop reset
C. ip audit name audit1 info sig action drop reset
D. ip audit name audit1 sig info drop reset

Answer: D

Question: 106
Select two issues that you should consider when implementing IOS Firewall IDS. (Choose two)

A. The memory usage
B. The number of DMZs
C. The signature coverage
D. The number of router interfaces

Answer: A, C

Question: 107
You are the Cisco Configuration Assistant in pass4usre.com. Which command would you use to
trigger the router to request certificates from the CA for the router RSA key pair?

A. crypto pki enroll CA-Name
B. enrollment url http://CA-Name:80
C. crypto pki trustpoint CA-Name
D. crypto pki authenticate CA-Name

Answer: A

Question: 108
The company network is concerned about spam and wants to use IOS tools to prevent spam
attacks. By default, how many message recipients must an email have for the IOS Firewall to
consider it a spam attack?

A. 250
B. 500
C. 100
D. 25

Answer: A

Question: 109
You are the Cisco Configuration Assistant in pass4usre.com. When you are configuring ACS 4.0
Network Access Profiles, which three things can be used to determine how an access request is
classified and mapped to a profile? (Choose three.)

A. Network Access Filters
B. RADIUS Authorization Components
C. the protocol types
D. advanced filtering

Answer: A, C, D

Question: 110
The security administrator at the company is seeing a large number of half-open TCP sessions.
What are half-open TCP sessions?

A. Sessions that were denied.
B. Sessions that have not reached the established state.
C. Sessions where the three-way handshake has been completed.
D. Sessions where the firewall detected return traffic.

Answer: B

Question: 111
You are the Cisco Configuration Assistant in pass4usre.com. What additional configuration is
required for the Cisco IOS Firewall to reset the TCP connection if any peer-to-peer, tunneling, or
instant messaging traffic is detected over HTTP, based on the following configuration?

appfw policy-name mypolicy
 application http
  strict-http action reset alarm
  content-length maximum 1 action reset alarm
  content-type-verification match-req-rsp action reset alarm
  max-header-length request 1 response 1 action reset alarm
  max-url-length 1 action reset alarm
  request-method rfc put action reset alarm
  transfer-encoding type default reset alarm
!
ip inspect name firewall appfw mypolicy
ip inspect name firewall http
!
interface FastEthernet0/0
 ip inspect firewall in

A. class-map configuration
B. the PAM configuration
C. the ip inspect name firewall im, ip inspect name firewall p2p, and ip inspect name firewall
tunnel commands
D. the port-misuse default action reset alarm command in the HTTP application firewall policy
configuration

Answer: D

Question: 112
What command configures the amount of time CBAC will wait for a TCP session to become
established before dropping the connection in the state table?

A. ip inspect global syn-establish (seconds)
B. ip inspect tcp global syn-time (seconds)
C. ip inspect global tcp syn (seconds)
D. ip inspect tcp synwait-time (seconds)

Answer: D

Question: 113
You are the Cisco Configuration Assistant in pass4usre.com. What can you determine based on
the following configuration?

crypto ipsec transform-set MINE esp-des
!
crypto map MYMAP 10 ipsec-isakmp
 set peer 172.30.5.2
 set transform-set MINE
 match address 101

A. The authentication method used between the IPsec peers is pre-shared key.
B. ESP tunnel mode will not be used.
C. This is a dynamic crypto map.
D. ESP tunnel mode will be used.

Answer: D

Question: 114

Which option is correct about the output of the Cisco IOS IPS configuration displayed in the
following exhibit?

A. Inline IPS is applied in the outbound direction on the interfaces.
B. The router will drop all packets if the IPS engine is unable to scan data.
C. The basic signatures set has been disabled.
D. The signature delta file is stored in the IPS directory in flash.

Answer: D

Question: 115

You have been tasked with setting up a new router with CBAC. How do you configure the CBAC
global UDP idle session timeout?

A. ip inspect udp-session-timeout (seconds)
B. ip inspect udp-idle (seconds)
C. ip inspect udp-timeout (seconds)
D. ip inspect udp idle-time (seconds)

Answer: D

Question: 116
You have been tasked with setting up a new company router with CBAC. How do you set the
threshold of half-open sessions CBAC will allow per minute before deleting them?

A. ip inspect one-minute incomplete (number)
B. ip inspect one-minute (number)
C. ip inspect one-minute high (number)
D. ip inspect one-minute high incomplete (number)

Answer: C

Question: 117
You are the Cisco Configuration Assistant in pass4usre.com. Which TCP port would you use to
access the Cisco ACS web interface?

A. 22
B. 80
C. 127
D. 2002

Answer: D

Question: 118
You are in charge of securing networks with Cisco routers and switches at the company. Why is the
Cisco IOS Firewall authentication proxy not working based on the following configuration?

aaa new-model
aaa authentication login default group tacacs
aaa authentication auth-proxy default group tacacs+
aaa accounting auth-proxy default start-stop group tacacs+
enable password TeSt_123
ip auth-proxy name pxy http
ip auth-proxy auth-proxy-banner
interface Ethernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip auth-proxy pxy
no ip http server
tacacs-server host 192.168.123.14
tacacs-server key cisco
!Output omitted

A. The aaa authentication auth-proxy default group tacacs+ command is missing.
B. The router local username and password database is not configured.
C. You forgot to enable the HTTP server and AAA authentication.
D. Cisco IOS authentication proxy does not support TACACS+.

Answer: C

Question: 119
You are setting up a new company router with CBAC. Which of the following commands will alter
the CBAC DNS timeout timer to 10 seconds?

A. ip inspect dns-server-timeout 10
B. ip inspect dns-server-timer 10
C. ip inspect dns-timeout 10
D. ip inspect dns-timer 10

Answer: C

Question: 120
You are setting up a new company router with CBAC. If CBAC is configured to inspect Telnet
traffic on an interface, how should outbound Telnet traffic be configured in any ACLs?

A. Outbound Telnet should be permitted in any ACLs
B. Outbound Telnet should be denied in any ACLs
C. Telnet should not be referenced at all in the ACL
D. Outbound Telnet should be denied only if inbound Telnet is allowed

Answer: A

Question: 121
CBAC has been configured on router P4S1 to increase the security of the company network.
CBAC intelligently filters TCP and UDP packets based on which protocol-session information?

A. Network layer
B. Transport layer
C. Data-link
D. Application layer

Answer: D

Question: 122
You are the Cisco Configuration Assistant in pass4usre.com. After you enable all the
authentication protocols under the Global Authentication Setup in Cisco ACS, how can you select
a specific EAP type to use for 802.1x authentication?

A. Specify the particular EAP type to use when you configure the RAC.
B. Specify the particular EAP type to use when you configure the NAF
C. Specify the particular EAP type to use when you configure the NAP authentication policy
D. Specify the particular EAP type to use when you configure the NAP authorization policy

Answer: C

Question: 123
John and Kathy are working on configuring the IOS firewall together. They are figuring out what
CBAC uses for inspection rules to configure on a per-application protocol basis. Which one of
these is the correct one?

A. ODBC filtering
B. Tunnel, transport models, or both
C. Alerts and audit trails
D. Stateful failover

Answer: C


Case Study #1

Scenario:
This item contains three questions that you must answer. In order to answer the question, you
need to examine the SDM screens by clicking on the SDM button to the left. View the question
by clicking on the Questions button to the left. Then, choose the correct answer from among the
options.

Note: Not all the SDM screen functions are implemented in this simulation. If a certain method to
access the desired SDM screen is not available, please try to use an alternate method to access the
required SDM screen to answer the question.

SDM:

Topology:

Case Study #1 (Questions)

Question: 1
Referring to the appropriate SDM screen(s), which two statements regarding the Cisco IOS Zone-
Based Firewall configuration are correct? (Choose two)

A. The “reset” action is applied to any HTTP request sourced from the “in” zone and destined to
the “out” zone, which also has a request Uniform Resource Identifier (URI) that is greater
than 500 bytes in length.
B. The “pass” action is applied to HTTP traffic sourced from the “out” zone and destined to the
“in” zone.
C. The “inspect” action is applied to Internet Control Message Protocol (ICMP) traffic sourced
from the “in” zone and destined to the “out” zone.
D. The “http-policy” inspection policy map is applied to all HTTP and HTTPS traffic sourced from
the “in” zone and destined to the “out” zone.
E. The “testpnn” inspection policy map is applied to the “inout” zone-pair.

Answer: A, E

Question: 2
Referring to the appropriate SDM screen(s), what is the User Datagram Protocol (UDP) idle time
set for any HTTP traffic that is sourced from the “in” zone and destined to the “out” zone?

A. 10 seconds
B. 15 seconds
C. 30 seconds
D. 35 seconds
E. 60 seconds

Answer: D

Question: 3
Referring to the appropriate SDM screen(s), why are outside hosts unable to initiate Telnet (port
23) traffic to the 172.16.1.10 inside host?

A. Static NAT is not correctly enabled to translate the 172.16.1.10 inside host address.
B. The 172.16.1.10 inside host is using dynamic Port Address Translation (PAT).
C. There is no zone-based firewall policy applied to the traffic sourced from the “out” zone and
destined to the “in” zone.
D. The implicit deny access control list (ACL) entry on the inbound ACL is applied to the outside
interface.
E. The implicit deny ACL entry on the inbound ACL is applied to the inside interface.

Answer: C


Case Study #2

Scenario:
This item contains three questions that you must answer. You can view the question by clicking
on the Questions button to the left. In order to answer the question, you need to examine the SDM
screens by clicking on the SDM button to the left. View the question by clicking on the Questions
button to the left. Then, choose the correct answer from among the options.
Note: Not all the SDM screen functions are implemented in this simulation. If a certain method to
access the desired SDM screen is not available, please try to use an alternate method to access the
required SDM screen to answer the question.

SDM:

Topology:

Case Study #2 (Questions)

Question: 1
What is the Fidelity Rating of the DDoS Trinoo IPS signature (signature ID 4608, subsignature-id
3)?

A. 0
B. 50
C. 100
D. 150
E. 200

Answer: C

Question: 2
What is the value of the user-defined variable used to indicate the criticality of the 10.10.10.99
host? This value is used in the Risk Rating calculations.

A. Low
B. Medium
C. High
D. Mission Critical


Answer: D

Question: 3
Which Signature Engine supports Cisco IPS Signature ID 9423?

A. atomic-ip
B. string-tcp
C. service-http
D. string-udp
E. service-smb-advanced

Answer: B

End of Document