
Cisco_CertifyMe_642-825_v2010-08-03_234q_By-Jenifer

Number: 642-825
Passing Score: 800
Time Limit: 120 min
File Version: 2010-08-03

Exam - Cisco

Code - 642-825

Version - 2010-08-03

Few Questions modified...

Best of luck

By - Jenifer

Exam A

QUESTION 1
Which two statements about common network attacks are true? (Choose two.) Select 2 response(s).

A. Access attacks can consist of password attacks, trust exploitation, port redirection, and man-in-the-middle attacks.
B. Access attacks can consist of password attacks, ping sweeps, port scans, and man-in-the-middle attacks.
C. Access attacks can consist of packet sniffers, ping sweeps, port scans, and man-in-the-middle attacks.
D. Reconnaissance attacks can consist of password attacks, trust exploitation, port redirection and Internet information queries.
E. Reconnaissance attacks can consist of packet sniffers, port scans, ping sweeps, and Internet information queries.
F. Reconnaissance attacks can consist of ping sweeps, port scans, man-in-the-middle attacks and Internet information queries.

Answer: AE
Section: (none)

Explanation/Reference:

QUESTION 2
Which two statements about management protocols are true? (Choose two.) Select 2 response(s).

A. Syslog version 2 or above should be used because it provides encryption of the syslog messages.
B. NTP version 3 or above should be used because these versions support a cryptographic authentication mechanism between peers.
C. SNMP version 3 is recommended since it provides authentication and encryption services for management packets.
D. SSH, SSL and Telnet are recommended protocols to remotely manage infrastructure devices.
E. TFTP authentication (username and password) is sent in an encrypted format, and no additional encryption is required.

Answer: BC
Section: (none)

Explanation/Reference:

QUESTION 3
Refer to the exhibit. Which two statements about the AAA configuration are true? (Choose two.) Select 2 response(s).

A. A good security practice is to have the none parameter configured as the final method used to ensure that no other authentication method will be used.
B. If a TACACS+ server is not available, then a user connecting via the console port would not be able to gain access since no other authentication method has been defined.
C. If a TACACS+ server is not available, then the user Bob could be able to enter privileged mode as long as the proper enable password is entered.
D. The aaa new-model command forces the router to override every other authentication method previously configured for the router lines.
E. To increase security, group radius should be used instead of group tacacs+.
F. Two authentication options are prescribed by the displayed aaa authentication command.

Answer: DF
Section: (none)

Explanation/Reference:

QUESTION 4
What are the two main features of Cisco IOS Firewall? (Choose two.) Select 2 response(s).

A. TACACS+
B. AAA
C. Cisco Secure Access Control Server
D. Intrusion Prevention System
E. Authentication Proxy

Answer: DE
Section: (none)

Explanation/Reference:

QUESTION 5
What three features does Cisco Security Device Manager (SDM) offer? (Choose three.) Select 3 response(s).

A. smart wizards and advanced configuration support for NAC policy features
B. single-step mitigation of Distributed Denial of Service (DDoS) attacks
C. one-step router lockdown
D. security auditing capability based upon CERT recommendations
E. multi-layered defense against social engineering
F. single-step deployment of basic and advanced policy settings

Answer: ACF
Section: (none)

Explanation/Reference:

QUESTION 6
What are three objectives that the no ip inspect command achieves? (Choose three.) Select 3 response(s).

A. removes the entire CBAC configuration
B. removes all associated static ACLs
C. turns off the automatic audit feature in SDM
D. denies HTTP and Java applets to the inside interface but permits this traffic to the DMZ
E. resets all global timeouts and thresholds to the defaults
F. deletes all existing sessions

Answer: AEF
Section: (none)

Explanation/Reference:

QUESTION 7
Which three features are benefits of using GRE tunnels in conjunction with IPsec for building site-to-site VPNs? (Choose three.) Select 3 response(s).

A. allows dynamic routing over the tunnel
B. supports multi-protocol (non-IP) traffic over the tunnel
C. reduces IPsec headers overhead since tunnel mode is used
D. simplifies the ACL used in the crypto map
E. uses Virtual Tunnel Interface (VTI) to simplify the IPsec VPN configuration

Answer: ABD
Section: (none)

Explanation/Reference:

QUESTION 8
Which three IPsec VPN statements are true? (Choose three.) Select 3 response(s).

A. IKE keepalives are unidirectional and sent every ten seconds.
B. IKE uses the Diffie-Hellman algorithm to generate symmetrical keys to be used by IPsec peers.
C. IPsec uses the Encapsulating Security Protocol (ESP) or the Authentication Header (AH) protocol for exchanging keys.
D. Main mode is the method used for the IKE phase two security association negotiations.
E. Quick mode is the method used for the IKE phase one security association negotiations.
F. To establish IKE SA, main mode utilizes six packets while aggressive mode utilizes only three packets.

Answer: ABF
Section: (none)

Explanation/Reference:

QUESTION 9
Which three statements are true about Cisco IOS Firewall? (Choose three.) Select 3 response(s).

A. It can be configured to block Java traffic.
B. It can be configured to detect and prevent SYN-flooding denial-of-service (DoS) network attacks.
C. It can only examine network layer and transport layer information.
D. It can only examine transport layer and application layer information.
E. The inspection rules can be used to set timeout values for specified protocols.
F. The ip inspect cbac-name command must be configured in global configuration mode.

Answer: ABE
Section: (none)

Explanation/Reference:

QUESTION 10
Refer to the exhibit. On the basis of the partial configuration, which two statements are true? (Choose two.) Select 2 response(s).

A. A CBAC inspection rule is configured on router RTA.
B. A named ACL called SDM_LOW is configured on router RTA.
C. A QoS policy has been applied on interfaces Serial 0/0 and FastEthernet 0/1.
D. Interface Fa0/0 should be the inside interface and interface Fa0/1 should be the outside interface.
E. On interface Fa0/0, the ip inspect statement should be incoming.
F. The interface commands ip inspect SDM_LOW in allow CBAC to monitor multiple protocols.

Answer: AF
Section: (none)

Explanation/Reference:

QUESTION 11
Which two statements describe the functions and operations of IDS and IPS systems? (Choose two.) Select 2 response(s).

A. A network administrator entering a wrong password would generate a true-negative alarm.
B. A false positive alarm is generated when an IDS/IPS signature is correctly identified.
C. An IDS is significantly more advanced over IPS because of its ability to prevent network attacks.
D. Cisco IDS works inline and stops attacks before they enter the network.
E. Cisco IPS taps the network traffic and responds after an attack.
F. Profile-based intrusion detection is also known as "anomaly detection".

Answer: BF
Section: (none)

Explanation/Reference:

QUESTION 12
Refer to the exhibit. What statement is true about the interface S1/0 on router R1? Select the best response.

A. Labeled packets can be sent over an interface.
B. MPLS Layer 2 negotiations have occurred.
C. IP label switching has been disabled on this interface.
D. None of the MPLS protocols have been configured on the interface.

Answer: D
Section: (none)

Explanation/Reference:

QUESTION 13
Which two network attack statements are true? (Choose two.) Select 2 response(s).

A. Access attacks can consist of password attacks, trust exploitation, port redirection, and man-in-the-middle attacks.
B. Access attacks can consist of UDP and TCP SYN flooding, ICMP echo-request floods, and ICMP directed broadcasts.
C. DoS attacks can be reduced through the use of access control configuration, encryption, and RFC 2827 filtering.
D. DoS attacks can consist of IP spoofing and DDoS attacks.
E. IP spoofing can be reduced through the use of policy-based routing.
F. IP spoofing exploits known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information.

Answer: AD
Section: (none)

Explanation/Reference:

QUESTION 14
What are the four steps, in their correct order, to mitigate a worm attack? Select the best response.

A. contain, inoculate, quarantine, and treat
B. inoculate, contain, quarantine, and treat
C. quarantine, contain, inoculate, and treat
D. preparation, identification, traceback, and postmortem
E. preparation, classification, reaction, and treat
F. identification, inoculation, postmortem, and reaction

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 15
If an edge Label Switch Router (LSR) is properly configured, which three combinations are possible? (Choose three.) Select 3 response(s).

A. A received IP packet is forwarded based on the IP destination address and the packet is sent as an IP packet.
B. An IP destination exists in the IP forwarding table. A received labeled packet is dropped because the label is not found in the LFIB table.
C. There is an MPLS label-switched path toward the destination. A received IP packet is dropped because the destination is not found in the IP forwarding table.
D. A received IP packet is forwarded based on the IP destination address and the packet is sent as a labeled packet.
E. A received labeled IP packet is forwarded based upon both the label and the IP address.
F. A received labeled packet is forwarded based on the label. After the label is swapped, the newly labeled packet is sent.

Answer: ADF
Section: (none)

Explanation/Reference:

QUESTION 16
Which three techniques should be used to secure management protocols? (Choose three.) Select 3 response(s).

A. Configure SNMP with only read-only community strings.
B. Encrypt TFTP and syslog traffic in an IPSec tunnel.
C. Implement RFC 3704 filtering at the perimeter router when allowing syslog access from devices on the outside of a firewall.
D. Synchronize the NTP master clock with an Internet atomic clock.
E. Use SNMP version 2.
F. Use TFTP version 3 or above because these versions support a cryptographic authentication mechanism between peers.

Answer: ABC
Section: (none)

Explanation/Reference:

QUESTION 17
Which statement describes Reverse Route Injection (RRI)? Select the best response.

A. A static route that points towards the Cisco Easy VPN server is created on the remote client.
B. A static route is created on the Cisco Easy VPN server for the internal IP address of each VPN client.
C. A default route is injected into the route table of the remote client.
D. A default route is injected into the route table of the Cisco Easy VPN server.

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 18
What are two possible actions an IOS IPS can take if a packet in a session matches a signature? (Choose two.) Select 2 response(s).

A. reset the connection
B. forward the packet
C. check the packet against an ACL
D. drop the packet

Answer: AD
Section: (none)

Explanation/Reference:

QUESTION 19
Refer to the exhibit. Which two statements about the Network Time Protocol (NTP) are true? (Choose two.) Select 2 response(s).

A. Router RTA will adjust for eastern daylight savings time.
B. To enable authentication, the ntp authenticate command is required on routers RTA and RTB.
C. To enable NTP, the ntp master command must be configured on routers RTA and RTB.
D. Only NTP time requests are allowed from the host with IP address 10.1.1.1.
E. The preferred time source located at 130.207.244.240 will be used for synchronization regardless of the other time sources.

Answer: AB
Section: (none)

Explanation/Reference:

QUESTION 20
What is a reason for implementing MPLS in a network? Select the best response.

A. MPLS eliminates the need of an IGP in the core.
B. MPLS reduces the required number of BGP-enabled devices in the core.
C. Reduces routing table lookup since only the MPLS core routers perform routing table lookups.
D. MPLS eliminates the need for fully meshed connections between BGP enabled devices.

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 21
Refer to the exhibit. The show mpls interfaces detail command has been used to display information about the interfaces on router R1 that have been configured for label switching. Which statement is true about the MPLS edge router R1? Select the best response.

A. Packets can be labeled and forwarded out interface Fa0/1 because of the MPLS operational status of the interface.
B. Because LSP tunnel labeling has not been enabled on interface Fa0/1, packets cannot be labeled and forwarded out interface Fa0/1.
C. Packets can be labeled and forwarded out interface Fa1/1 because MPLS has been enabled on this interface.
D. Because the MTU size is increased above the size limit, packets cannot be labeled and forwarded out interface Fa1/1.

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 22
Refer to the exhibit. MPLS has been configured on all routers in the domain. In order for R2 and R3 to forward frames between them with label headers, what additional configuration will be required on devices that are attached to the LAN segment? Select the best response.

A. Decrease the maximum MTU requirements on all router interfaces that are attached to the LAN segment.
B. Increase the maximum MTU requirements on all router interfaces that are attached to the LAN segment.
C. No additional configuration is required. Interface MTU size will be automatically adjusted to accommodate the larger size frames.
D. No additional configuration is required. Frames with larger MTU size will be automatically fragmented and forwarded on all LAN segments.

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 23
Which three statements about IOS Firewall configurations are true? (Choose three.) Select 3 response(s).

A. The IP inspection rule can be applied in the inbound direction on the secured interface.
B. The IP inspection rule can be applied in the outbound direction on the unsecured interface.
C. The ACL applied in the outbound direction on the unsecured interface should be an extended ACL.
D. The ACL applied in the inbound direction on the unsecured interface should be an extended ACL.
E. For temporary openings to be created dynamically by Cisco IOS Firewall, the access-list for the returning traffic must be a standard ACL.
F. For temporary openings to be created dynamically by Cisco IOS Firewall, the IP inspection rule must be applied to the secured interface.

Answer: ABD
Section: (none)

Explanation/Reference:

QUESTION 24
What are three features of the Cisco IOS Firewall feature set? (Choose three.) Select 3 response(s).

A. network-based application recognition (NBAR)
B. authentication proxy
C. stateful packet filtering
D. AAA services
E. proxy server
F. IPS

Answer: BCF
Section: (none)

Explanation/Reference:

QUESTION 25
Which statement describes the Authentication Proxy feature? Select the best response.

A. All traffic is permitted from the inbound to the outbound interface upon successful authentication of the user.
B. A specific access profile is retrieved from a TACACS+ or RADIUS server and applied to an IOS Firewall based on user provided credentials.
C. Prior to responding to a proxy ARP, the router will prompt the user for a login and password which are authenticated based on the configured AAA policy.
D. The proxy server capabilities of the IOS Firewall are enabled upon successful authentication of the user.

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 26
Which two statements about an IDS are true? (Choose two.) Select 2 response(s).

A. The IDS is in the traffic path.
B. The IDS can send TCP resets to the source device.
C. The IDS can send TCP resets to the destination device.
D. The IDS listens promiscuously to all traffic on the network.
E. Default operation is for the IDS to discard malicious traffic.

Answer: BD
Section: (none)

Explanation/Reference:

QUESTION 27
Which statement about an IPS is true? Select the best response.

A. The IPS is in the traffic path.
B. Only one active interface is required.
C. Full benefit of an IPS will not be realized unless deployed in conjunction with an IDS.
D. When malicious traffic is detected, the IPS will only send an alert to a management station.

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 28
Which three categories of signatures can a Cisco IPS microengine identify? (Choose three.) Select 3 response(s).

A. DDoS signatures
B. strong signatures
C. exploit signatures
D. numeric signatures
E. spoofing signatures
F. connection signatures

Answer: ACF
Section: (none)

Explanation/Reference:

QUESTION 29
During the Easy VPN Remote connection process, which phase involves pushing the IP address, Domain Name System (DNS), and split tunnel attributes to the client? Select the best response.

A. mode configuration
B. the VPN client establishment of an ISAKMP SA
C. IPsec quick mode completion of the connection
D. VPN client initiation of the IKE phase 1 process

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 30
When configuring the Cisco VPN Client, what action is required prior to installing Mutual Group Authentication? Select the best response.

A. Transparent tunneling must be enabled.
B. A valid root certificate must be installed.
C. A group pre-shared secret must be properly configured.
D. The option to "Allow Local LAN Access" must be selected.

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 31
When configuring the Cisco VPN Client with transparent tunneling, what is true about the IPSec over TCP option? Select the best response.

A. The port number is negotiated automatically.
B. Clients will have access to the secured tunnel and local resources.
C. The port number must match the configuration on the secure gateway.
D. Packets are encapsulated using Protocol 50 (Encapsulating Security Payload, or ESP).

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 32
Which two statements are true about signatures in a Cisco IOS IPS? (Choose two.) Select 2 response(s).

A. The action of a signature can be enabled on a per-TCP-session basis.
B. Common signatures are hard-coded into the IOS image.
C. IOS IPS signatures are propagated with the SDEE protocol.
D. IOS IPS signatures are stored in the startup config of the router.
E. Selection of an SDF file should be based on the amount of RAM memory available on the router.

Answer: BE
Section: (none)

Explanation/Reference:

QUESTION 33
Which two active response capabilities can be configured on an intrusion detection system (IDS) in response to malicious traffic detection? (Choose two.) Select 2 response(s).

A. the initiation of dynamic access lists on the IDS to prevent further malicious traffic
B. the configuration of network devices to prevent malicious traffic from passing through
C. the shutdown of ports on intermediary devices
D. the transmission of a TCP reset to the offending end host
E. the invoking of SNMP-sourced controls

Answer: BD
Section: (none)

Explanation/Reference:

QUESTION 34
What two proactive preventive actions are taken by an intrusion prevention system (IPS) when malicious traffic is detected? (Choose two.) Select 2 response(s).

A. The IPS shuts down intermediary ports.
B. The IPS invokes SNMP-enabled controls.
C. The IPS sends an alert to the management station.
D. The IPS enables a dynamic access list.
E. The IPS denies malicious traffic.

Answer: CE
Section: (none)

Explanation/Reference:

QUESTION 35
Refer to the exhibit. What is the VPN IPv4 label for the network 172.16.13.0/24? Select the best response.

A. 17
B. 17, 12308
C. 12308
D. 11

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 36
Refer to the exhibit. What does the "26" in the first two hop outputs indicate? Select the best response.

A. the outer label used to determine the next hop
B. the IPv4 label for the destination network
C. the IPv4 label for the forwarding router
D. the IPv4 label for the destination router

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 37
How can virus and Trojan horse attacks be mitigated? Select the best response.

A. Disable port scan.
B. Deny echo replies on all edge routes.
C. Implement RFC 2827 filtering.
D. Use antivirus software.
E. Enable trust levels.

Answer: D
Section: (none)

Explanation/Reference:

QUESTION 38
What are two ways to reduce the risk of an application-layer attack? (Choose two.) Select 2 response(s).

A. Disable port scans.
B. Deny echo replies on all edge routers.
C. Implement RFC 2827 filtering.
D. Use intrusion detection systems (IDS).
E. Read operating system and network log files.

Answer: DE
Section: (none)

Explanation/Reference:

QUESTION 39
What three classifications reflect the different approaches used to identify malicious traffic? (Choose three.) Select 3 response(s).

A. platform based
B. signature based
C. policy based
D. regular-expression based
E. symbol based
F. anomaly based

Answer: BCF
Section: (none)

Explanation/Reference:

QUESTION 40
Which Security Device Manager (SDM) feature expedites the deployment of the default intrusion prevention system (IPS) settings and provides configuration steps for interface and traffic flow selection, SDF location, and signature deployment? Select the best response.

A. IPS Edit menu
B. IPS Command wizard
C. IPS Policies wizard
D. IPS Signature Definition File (SDF) menu

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 41
What are three options for viewing Security Device Event Exchange (SDEE) messages in Security Device Manager (SDM)? (Choose three.) Select 3 response(s).

A. to view SDEE status messages
B. to view SDEE keepalive messages
C. to view all SDEE messages
D. to view SDEE statistics
E. to view SDEE alerts
F. to view SDEE actions

Answer: ACE
Section: (none)

Explanation/Reference:

QUESTION 42
What are three configurable parameters when editing signatures in Security Device Manager (SDM)? (Choose three.) Select 3 response(s).

A. AlarmSeverity
B. AlarmKeepalive
C. AlarmTraits
D. EventMedia
E. EventAlarm
F. EventAction

Answer: ACF
Section: (none)

Explanation/Reference:

QUESTION 43
Refer to the exhibit. Which order correctly identifies the steps to provision a cable modem to connect to a headend as defined by the DOCSIS standard? Select the best response.

A. A, D, C, G, E, F, B
B. A, D, E, G, C, F, B
C. C, D, F, G, E, A, B
D. C, D, F, G, A, E, B
E. F, D, C, G, A, E, B
F. F, D, C, G, E, A, B

Answer: E
Section: (none)

Explanation/Reference:

QUESTION 44
Refer to the exhibit. Which statement about the authentication process is true? Select the best response.

A. The LIST1 list will disable authentication on the console port.
B. Because no method list is specified, the LIST1 list will not authenticate anyone on the console port.
C. All login requests will be authenticated using the group tacacs+ method.
D. All login requests will be authenticated using the local database method.
E. The default login authentication will automatically be applied to all login connections.

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 45
Refer to the exhibit. A network administrator wishes to mitigate network threats. Given that purpose, which two statements about the IOS firewall configuration that is revealed by the output are true? (Choose two.) Select 2 response(s).

A. The command ip inspect FIREWALL_ACL out must be applied on interface FastEthernet 0/0.
B. The command ip inspect FIREWALL_ACL out must be applied on interface FastEthernet 0/1.
C. The command ip access-group FIREWALL_ACL in must be applied on interface FastEthernet 0/0.
D. The command ip access-group FIREWALL_ACL in must be applied on interface FastEthernet 0/1.
E. The configuration excerpt is an example of a CBAC list.
F. The configuration excerpt is an example of a reflexive ACL.

Answer: BE
Section: (none)

Explanation/Reference:

QUESTION 46
Which two statements about the Security Device Manager (SDM) Intrusion Prevention System (IPS) Rule wizard are true? (Choose two.) Select 2 response(s).

A. By default, the Use Built-In Signatures (as backup) checkbox is not selected.
B. Changes to the IPS rules can be made using the Configure IPS tab.
C. Changes to the IPS rules can be made using the Edit Firewall Policy/ACL tab.
D. Once all interfaces have rules applied to them, you can re-initiate the IPS Rule wizard to make changes.
E. Once all interfaces have rules applied to them, you cannot re-initiate the IPS Rule wizard to make changes.
F. When using the wizard for the first time, you will be prompted to enable the Security Device Event Exchange (SDEE).

Answer: DF
Section: (none)

Explanation/Reference:

QUESTION 47
Refer to the exhibit. Which two statements about the SDF Locations window of the IPS Rule wizard are true? (Choose two.) Select 2 response(s).

A. An HTTP SDF file location can be specified by clicking the Add button.
B. If all specified SDF locations fail to load, the signature file that is named default.sdf will be loaded.
C. The Autosave feature automatically saves the SDF alarms if the router crashes.
D. The Autosave feature is automatically enabled for the default built-in signature file.
E. The name of the built-in signature file is default.sdf.
F. The Use Built-In Signatures (as backup) check box is selected by default.

Answer: AF
Section: (none)

Explanation/Reference:

QUESTION 48
Refer to the exhibit. On the basis of the information in the exhibit, which two statements are true? (Choose two.) Select 2 response(s).

A. Any traffic matching signature 1107 will generate an alarm, reset the connection, and be dropped.
B. Signature 1102 has been modified, but the changes have not been applied to the router.
C. Signature 1102 has been triggered because of matching traffic.
D. The Edit IPS window is currently displaying the Global Settings information.
E. The Edit IPS window is currently displaying the signatures in Details view.
F. The Edit IPS window is currently displaying the signatures in Summary view.

Answer: BE
Section: (none)

Explanation/Reference:

QUESTION 49
Refer to the exhibit. On the basis of the information that is provided, which two statements are true? (Choose two.) Select 2 response(s).

A. An IPS policy can be edited by choosing the Edit button.
B. Right-clicking on an interface will display a shortcut menu with options to edit an action or to set severity levels.
C. The Edit IPS window is currently in Global Settings view.
D. The Edit IPS window is currently in IPS Policies view.
E. The Edit IPS window is currently in Signatures view.
F. To enable an IPS policy on an interface, click on the interface and deselect Disable.

Answer: AD
Section: (none)

Explanation/Reference:

QUESTION 50
Refer to the exhibit. Based on the configuration, what will happen to the IPSec VPN between the Remote router and the Head-End router with IP address 172.31.1.100 if no dead-peer detection hello messages are received for 20 seconds? Select the best response.

A. The IPSec VPN will transition with no down-time to a peering relationship with the Head-End router at 172.31.1.200.
B. The IPSec VPN will transition to a peering relationship with the Head-End router at 172.31.1.200, with a down-time determined by the time required to tear-down and build the peerings.
C. The IPSec VPN will not be affected.
D. The IPSec VPN will terminate but will rebuild with the same peer because 3 hello messages have not yet been missed.

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 51
Which four outbound ICMP message types would normally be permitted? (Choose four.) Select 4 response(s).

A. echo reply
B. time exceeded
C. echo
D. parameter problem
E. packet too big
F. source quench

Answer: CDEF
Section: (none)

Explanation/Reference:

QUESTION 52
Refer to the exhibit. What information can be derived from the SDM firewall configuration that is shown? Select the best response.

A. Access-list 100 was configured for the trusted interface, and access-list 101 was configured for the untrusted interface.
B. Access-list 101 was configured for the trusted interface, and access-list 100 was configured for the untrusted interface.
C. Access-list 100 was configured for the inbound direction, and access-list 101 was configured for the outbound direction on the trusted interface.
D. Access-list 100 was configured for the inbound direction, and access-list 101 was configured for the outbound direction on the untrusted interface.

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 53
Which three statements about hybrid fiber-coaxial (HFC) networks are true? (Choose three.) Select 3 response(s).

A. A tap produces a significantly larger output signal.
B. An amplifier divides the input RF signal power to provide subscriber drop connections.
C. Baseband sends multiple pieces of data simultaneously to increase the effective rate of transmission.
D. Downstream is the direction of an RF signal transmission (TV channels and data) from the source (headend) to the destination (subscribers).
E. The term CATV refers to residential cable systems.
F. Upstream is the direction from subscribers to the headend.

Answer: DEF
Section: (none)

Explanation/Reference:

QUESTION 54
Which two statements about the transmission of signals over a cable network are true? (Choose two.) Select 2 response(s).

A. Downstream signals travel from the cable operator to the subscriber and use frequencies in the range of 5 to 42 MHz.
B. Downstream signals travel from the cable operator to the subscriber and use frequencies in the range of 50 to 860 MHz.
C. Downstream and upstream signals operate in the same frequency ranges.
D. Upstream signals travel from the subscriber to the cable operator and use frequencies in the range of 5 to 42 MHz.
E. Upstream signals travel from the subscriber to the cable operator and use frequencies in the range of 50 to 860 MHz.

Answer: BD
Section: (none)

Explanation/Reference:

QUESTION 55
What are the four steps that occur with an IPsec VPN setup? Select the best response.

A. Step 1: Interesting traffic initiates the IPsec process.
Step 2: AH authenticates IPsec peers and negotiates IKE SAs.
Step 3: AH negotiates IPsec SA settings and sets up matching IPsec SAs in the peers.
Step 4: Data is securely transferred between IPsec peers.
B. Step 1: Interesting traffic initiates the IPsec process.
Step 2: ESP authenticates IPsec peers and negotiates IKE SAs.
Step 3: ESP negotiates IPsec SA settings and sets up matching IPsec SAs in the peers.
Step 4: Data is securely transferred between IPsec peers.
C. Step 1: Interesting traffic initiates the IPsec process.
Step 2: IKE authenticates IPsec peers and negotiates IKE SAs.
Step 3: IKE negotiates IPsec SA settings and sets up matching IPsec SAs in the peers.
Step 4: Data is securely transferred between IPsec peers.
D. Step 1: Interesting traffic initiates the IPsec process.
Step 2: IKE negotiates IPsec SA settings and sets up matching IPsec SAs in the peers.
Step 3: IKE authenticates IPsec peers and negotiates IKE SAs.
Step 4: Data is securely transferred between IPsec peers.

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 56
Which IOS command will display IPS default values that may not be displayed using the show running-config command? Select the best response.

A. show ip ips session
B. show ip ips interface
C. show ip ips statistics
D. show ip ips configuration
E. show ip ips running-config

Answer: D
Section: (none)

Explanation/Reference:

QUESTION 57
Refer to the exhibit. Which of the configuration tasks would allow you to quickly deploy default signatures?

Select the best response.

A. firewall and ACLs
B. security audit
C. routing
D. NAT
E. intrusion prevention
F. NAC

Answer: E
Section: (none)

Explanation/Reference:

QUESTION 58
What are two possible actions Cisco IOS IPS can take if a packet in a session matches a signature?
(Choose two.)
Select 2 response(s).

A. drop the packet
B. forward the packet
C. quarantine the packet
D. reset the connection
E. check the packet against an ACL

Answer: AD
Section: (none)

Explanation/Reference:

QUESTION 59
A router interface is configured with an inbound access control list and an inspection rule. How will an
inbound packet on this interface be processed? Select the best response.

A. It will be processed by the inbound ACL. If the packet is dropped by the ACL, then it will be processed by
the inspection rule.
B. It will be processed by the inbound ACL. If the packet is not dropped by the ACL, then it will be
processed by the inspection rule.
C. It will be processed by the inspection rule. If the packet matches the inspection rule, the inbound ACL
will be invoked.
D. It will be processed by the inspection rule. If the packet does not match the inspection rule, the inbound
ACL will be invoked.

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 60
Which two features can be implemented using the Cisco SDM Advanced Firewall wizard? (Choose two.)
Select 2 response(s).

A. DMZ support
B. custom rules
C. firewall signatures
D. application security
E. IP unicast reverse path forwarding

Answer: AB
Section: (none)

Explanation/Reference:

QUESTION 61
Which two statements are true about the Cisco Classic (CBAC) IOS Firewall set? (Choose two.)
Select 2 response(s).

A. It can be used to block bulk encryption attacks.
B. It can be used to protect against denial of service attacks.
C. Traffic originating from the router is considered trusted, so it is not inspected.
D. Based upon the custom firewall rules, an ACL entry is statically created and added to the existing ACL
permanently.
E. Temporary ACL entries that allow selected traffic to pass are created and persist for the duration of the
communication session.

Answer: BE
Section: (none)

Explanation/Reference:

QUESTION 62
Refer to the exhibit. Which Cisco SDM feature is illustrated? Select the best response.

A. ACL Editor
B. Easy VPN Wizard
C. Security Audit
D. Site-to-Site VPN
E. Inspection Rules
F. Reset to Factory Defaults

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 63
Which two statements about management protocols are true? (Choose two.) Select 2 response(s).

A. IGMP should be enabled on edge interfaces to allow remote testing.
B. NTP version 3 or later should be used because these versions support the use of a cryptographic
authentication mechanism between peers.
C. SNMP version 3 is recommended since it provides authentication and encryption services for
management packets.
D. NTP version 3 or later should be used because these versions support the use of a RADIUS-based
authentication mechanism between peers.
E. SNMP version 3 is recommended since it provides a RADIUS-based authentication mechanism between
peers.

Answer: BC
Section: (none)

Explanation/Reference:

QUESTION 64
Which two of these are required in order to implement SSH on a router? (Choose two.) Select 2 response(s).

A. the Cisco IPS Feature Set is installed on the router
B. the router is configured to perform authentication
C. the router is using the correct domain name for the network
D. the Cisco IOS Firewall Feature Set is installed on the router
E. an ACL is configured on the VTY lines to block Telnet access

Answer: BC
Section: (none)

Explanation/Reference:

QUESTION 65
Refer to the exhibit. Routers RTB and RTC have established LDP neighbor sessions. During
troubleshooting, you discovered that labels are being distributed between the two routers but no label
swapping information is in the LFIB. What is the most likely cause of this problem? Select the best
response.

A. The IGP is summarizing the address space.
B. IP Cisco Express Forwarding has not been enabled on both RTB and RTC.
C. BGP neighbor sessions have not been configured on both routers.
D. LDP has been enabled on one router and TDP has been enabled on the other.

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 66
Refer to the exhibit. The show mpls interfaces detail command has been used to display information about
the interfaces on MPLS edge router R1 that have been configured for label switching. Which statement
about R1 is true?
Select the best response.

A. MPLS is not operating on Fa1/0, because the MTU size has exceeded the 1500 limit of Ethernet.
B. The router has established a TDP session with its neighbor on Fa0/1. Packets can be labeled and
forwarded out that interface.
C. LSP tunnel labeling has not been enabled on either interface Fa0/0 or Fa1/1, therefore MPLS is not
operating on Fa0/1.
D. The router has established an LDP session with its neighbor on Fa1/1. However, packets cannot be
forwarded out that interface because MPLS is not operational.

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 67
Refer to the exhibit. Which statement about this Cisco IOS Firewall configuration is true?
Select the best response.

A. Outbound TCP sessions are blocked, preventing inside users from browsing the Internet.
B. INSIDEACL permits outbound HTTP sessions; INSIDEACL is applied to the outside interface in the
inbound direction.
C. OUTSIDEACL permits inbound SMTP and HTTP; OUTSIDEACL is applied to the inside interface in the
outbound direction.
D. ICMP unreachable "packet-too-big" messages are rejected on all interfaces to prevent DDoS attacks.
E. The TCP inspection will automatically allow return traffic for the outbound HTTP sessions and inbound
SMTP and HTTP sessions.

Answer: E
Section: (none)

Explanation/Reference:

QUESTION 68
What is an MPLS forwarding equivalence class?
Select the best response.

A. a set of destination networks forwarded from the same ingress router
B. a set of destination networks forwarded to the same egress router
C. a set of source networks forwarded from the same ingress router
D. a set of source networks forwarded to the same egress router

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 69
Which approach for identifying malicious traffic involves looking for a fixed sequence of bytes in a single
packet or in predefined content?
Select the best response.

A. policy-based
B. anomaly-based
C. honeypot-based
D. signature-based
E. regular-expression-based

Answer: D
Section: (none)

Explanation/Reference:

QUESTION 70
Which Cisco SDM feature expedites the deployment of the default IPS settings and provides configuration
steps for interface and traffic flow selection, SDF location, and signature deployment?
Select the best response.

A. IPS Edit menu
B. IPS Command wizard
C. IPS Policies wizard
D. IPS Signature wizard

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 71
In an MPLS VPN implementation, how are overlapping customer prefixes propagated? Select the best
response.

A. A unique route target is attached to each customer routing update.
B. Separate BGP sessions are established between each pair of customer edge LSRs.
C. Each customer is given a unique set of edge LSPs.
D. A route distinguisher is attached to each customer prefix.
E. Each customer is given a unique IGP instance.

Answer: D
Section: (none)

Explanation/Reference:

QUESTION 72
In an MPLS VPN implementation, how are overlapping customer prefixes propagated? Select the best
response.

A. A separate instance of the core IGP is used for each customer.
B. Separate BGP sessions are established between each customer edge LSR.
C. Because customers have their own unique LSPs, address space is kept separate.
D. A route distinguisher is attached to each customer prefix.
E. Because customers have their own interfaces, distributed CEFs keep the forwarding tables separate.

Answer: D
Section: (none)

Explanation/Reference:

QUESTION 73
Which two statements are true about the Data-over-Cable Service Interface Specifications? (Choose two.)
Select 2 response(s).

A. DOCSIS is an international standard developed by CableLabs.
B. DOCSIS defines cable operations at Layer 1, Layer 2, and Layer 3 of the OSI model.
C. Cable operators employ DOCSIS to provide cable access over their existing IP infrastructures.
D. DOCSIS defines a set of frequency allocation bands that are common to both U.S. and European cable
systems.
E. Compliance with DOCSIS has been mandated by the major governmental regulatory agencies in both
the U.S. and Europe.
F. Euro-DOCSIS requires the European cable channels to conform to PAL-based standards, whereas
DOCSIS requires the North American cable channels to conform to the NTSC standard.

Answer: AF
Section: (none)

Explanation/Reference:

QUESTION 74
Refer to the exhibit. What information can be derived from this show ip cef command output?

Select the best response.

A. This router will use a label of "21" to reach the destination network of 150.1.12.16.
B. This router will use a PHP label to reach the destination network of 150.1.12.16.
C. This router will advertise a label of "19" for the destination network of 150.1.12.16.
D. This router will advertise a label of "21" for the destination network of 150.1.12.16.

Answer: D
Section: (none)

Explanation/Reference:

QUESTION 75
Refer to the exhibit. Why does the third hop only have one label?

Select the best response.

A. MPLS is not enabled on that link, so only the VPN label is needed.
B. MPLS is not enabled on that link, so only the LSP label is needed.
C. That link is directly connected to the customer, so only the VPN label is needed.
D. That link is directly connected to the customer, so only the LSP label is needed.
E. The PHP process on that link has removed the LSP label, leaving only the VPN label.
F. The PHP process on that link has removed the VPN label, leaving only the LSP label.

Answer: E
Section: (none)

Explanation/Reference:

QUESTION 76
If you disable Cisco Express Forwarding on a P router in an MPLS network, what will the router do?
Select the best response.

A. stop forwarding all traffic
B. stop advertising MPLS labels
C. start forwarding MPLS packets using process switching
D. start advertising all destination networks with an implicit null label value
E. start stripping the MPLS labels off of packets and forwarding them using the destination IP addresses

Answer: B
Section: (none)

Explanation/Reference:
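Worked configuration, added here as an illustration (it is not part of the exam material and not a Cisco sample): the frame-mode MPLS setup and the verification commands that Questions 65, 66, 74, 75 and 76 reason about, on a core (P) router. Addresses, interface names and the OSPF instance are assumed values.

```cisco
! CEF is the MPLS data plane (Q76): with 'no ip cef' the LFIB is never built and
! LDP stops advertising labels even if the LDP neighbor session itself stays up (Q65).
ip cef
mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
interface Loopback0
 ip address 10.0.0.3 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.0.13.3 255.255.255.0
 mpls ip
 ! room for a three-label stack (4 bytes each) on a 1500-byte payload (Q66);
 ! the physical interface must accept baby giants for this to take effect
 mpls mtu 1512
!
interface FastEthernet0/1
 ip address 10.0.34.3 255.255.255.0
 mpls ip
 mpls mtu 1512
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
 ! Do not summarize the loopback /32s: LDP binds one label per exact FEC, and a
 ! summary in the IGP breaks the end-to-end LSP
!
! Verification
show ip cef                       ! "%CEF not running" means fix this first (Q65)
show mpls interfaces detail       ! "IP labeling enabled (ldp)", "MPLS operational", MTU (Q66)
show mpls ldp neighbor            ! session state Oper, discovery sources
show mpls ldp bindings            ! LIB: every label learned, whether used or not
show mpls forwarding-table        ! LFIB: local/outgoing label per prefix; "Pop Label" = PHP (Q75)
show ip cef 150.1.12.16 detail    ! "local tag" = label advertised, "tags imposed" = label used (Q74)
```

The two show commands at the end are the ones to compare when labels are exchanged but nothing is switched: bindings present in the LIB with an empty LFIB points at CEF, not at LDP.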

QUESTION 77
Refer to the exhibit. What type of high-availability option is being implemented? Select the best response.

A. IPsec stateful failover
B. IPsec dead peer detection
C. Hot Standby Router Protocol
D. GRE's Keepalive Mechanism
E. backing up a WAN connection with an IPsec VPN

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 78
Refer to the exhibit. What type of high-availability option is being implemented?

Select the best response.

A. IPsec stateful failover
B. IPSec dead peer detection
C. Hot Standby Router Protocol
D. GRE's Keepalive Mechanism
E. backing up a WAN connection with an IPsec VPN

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 79
Which two of these would be classified as reconnaissance attacks? (Choose two.) Select 2 response(s).

A. port scans
B. ping sweeps
C. port redirection
D. trust exploitation
E. denial of service attacks
F. man-in-the-middle attacks

Answer: AB
Section: (none)

Explanation/Reference:

QUESTION 80
Which three of these would be classified as access attacks? (Choose three.) Select 3 response(s).

A. port scans
B. ping sweeps
C. port redirection
D. trust exploitation
E. denial of service attacks
F. man-in-the-middle attacks

Answer: CDF
Section: (none)

Explanation/Reference:

QUESTION 81
Refer to the exhibit. Which three statements about user access are true? (Choose three.)
Select 3 response(s).

A. The user was attempting to access this device via a VTY.
B. The user was attempting to access this device via the console port.
C. The user was validated against the local AAA database.
D. The user was validated against a remote AAA server database.
E. The user was denied user-level access to this device.
F. The user was granted user-level access to this device.

Answer: ACF
Section: (none)

Explanation/Reference:

QUESTION 82
Refer to the exhibit. The ACL in this configuration is used to mitigate which of these?

Select the best response.

A. DOS smurf attacks
B. ICMP message attacks
C. TCP SYN DOS attacks
D. IP address spoofing attacks
E. traceroute message attacks

Answer: D
Section: (none)

Explanation/Reference:

QUESTION 83
Refer to the exhibit. Which type of attack does the ACL prevent the internal user from successfully
launching?

Select the best response.

A. DOS smurf attack
B. ICMP message attack
C. TCP SYN DOS attacks
D. IP address spoofing attack
E. traceroute message attacks

Answer: D
Section: (none)

Explanation/Reference:

QUESTION 84
Which three of these are required before you can configure your routers for SSH server operations?
(Choose three.)
Select 3 response(s).

A. each of the target routers has a unique hostname
B. each of the target routers is configured to enable secret passwords
C. a user is defined in either the local database or on a remote AAA server
D. each of the target routers has a password configured on the VTY interface
E. each of the target routers is using the correct domain name of your network

Answer: ACE
Section: (none)

Explanation/Reference:
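Worked configuration, added as an illustration (not part of the exam material, not a Cisco sample): the minimum IOS configuration that satisfies the SSH prerequisites in Questions 64 and 84, plus the SSH/SSL-only management practice Question 111 asks about. Hostname, domain name, addresses, user name and password are assumed values.

```cisco
! Hostname and domain name must exist before the RSA key pair can be generated;
! the key pair is named <hostname>.<domain-name>. All names and addresses are assumed.
hostname R1
ip domain-name example.net
!
! Generating the key pair is what actually turns the SSH server on; 2048 bits minimum
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Authentication source: a local user here, or a RADIUS/TACACS+ server through AAA
username admin privilege 15 secret Adm1n-Example-Pw
!
! Only management hosts may open a VTY session, and only over SSH (no Telnet)
ip access-list standard MGMT-HOSTS
 permit 10.1.1.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-HOSTS in
 login local
 transport input ssh
 exec-timeout 10 0
!
! SDM/web management over SSL only
no ip http server
ip http secure-server
ip http authentication local
!
! Verification
show ip ssh                   ! "SSH Enabled - version 2.0", time-out and retry values
show ssh                      ! active SSH sessions
show crypto key mypubkey rsa  ! the key pair the server presents
```

Note that the VTY ACL in Question 64 option E is not what disables Telnet; 'transport input ssh' does, and the access-class only narrows who may connect at all.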

QUESTION 85
Which two actions can a Cisco IOS Firewall take when the threshold for the number of half-opened TCP
sessions is exceeded? (Choose two.) Select 2 response(s).

A. It can send a reset message to the endpoints of the oldest half-opened session.
B. It can send a reset message to the endpoints of the newest half-opened session.
C. It can send a reset message to the endpoints of a random half-opened session.
D. It can block all EST packets temporarily for the duration configured by the threshold value.
E. It can block all SYN packets temporarily for the duration configured by the threshold value.
F. It can block all reset packets temporarily for the duration configured by the threshold value.

Answer: AE
Section: (none)

Explanation/Reference:

QUESTION 86
Refer to the exhibit. In this firewall implementation, inside users should be permitted to browse the Internet.
However, users have indicated that all attempts fail. As a result of troubleshooting, you have determined that
the issue is related to the firewall implementation.
What corrective action should you take?

Select the best response.

A. Add the global command line ip inspect name INSIDE www.
B. Add the global command line ip inspect name OUTSIDE www.
C. Add the ACL command line permit tcp any any eq 80 to INSIDEACL.
D. Add the ACL command line permit tcp any any eq 80 to OUTSIDEACL.
E. Change the access group on Fa0/0 from the inbound direction to the outbound direction.
F. Change the access group on Fa0/1 from the inbound direction to the outbound direction.

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 87
Refer to the exhibit. In this firewall implementation, outside clients should be allowed to communicate with
the SMTP server (200.1.2.1) located in the enterprise DMZ. However, users have indicated that all attempts
fail. As a result of troubleshooting, you have determined that the issue is related to the firewall
implementation.

What corrective action should you take?

Select the best response.

A. Add the global command line ip inspect name INSIDE smtp.
B. Add the global command line ip inspect name OUTSIDE smtp.
C. Add the ACL command line permit tcp any host 200.1.2.1 eq 25 to DMZACL.
D. Add the ACL command line permit tcp any host 200.1.2.1 eq 25 to OUTSIDEACL.
E. Change the access group on Fa0/0 from the inbound direction to the outbound direction.
F. Change the access group on Fa0/2 from the inbound direction to the outbound direction.

Answer: D
Section: (none)

Explanation/Reference:
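Worked configuration, added as an illustration that ties together Questions 59, 61, 67, 82, 83, 85, 86 and 87 and the ACL principles of Question 120 (it is not from the exam or from Cisco documentation): a three-interface Cisco IOS Firewall (CBAC) in which inbound ACLs do the static filtering, inspection rules open the return path, and anti-spoofing and half-open-session limits are layered on top. The interface roles, the 10.1.1.0/24 inside network, the 203.0.113.0/24 outside address and the HTTP host 200.1.2.2 are assumed; only the SMTP server 200.1.2.1 comes from the questions. Unlike the INSIDEACL of Question 86, this INSIDEACL permits everything sourced from the inside network.

```cisco
! Fa0/0 = inside 10.1.1.0/24, Fa0/1 = outside (Internet), Fa0/2 = DMZ 200.1.2.0/24 (assumed).
! On each interface an inbound packet meets the inbound ACL first and the inspection
! rule only if the ACL did not drop it (Q59).
!
! Inspection rule: generic TCP/UDP plus application-aware HTTP and SMTP
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW http
ip inspect name FW smtp
!
! Half-open session (SYN flood) limits (Q85). Above the high mark the firewall resets
! the oldest half-open sessions until it is back under the low mark; per host, once
! 50 half-open sessions exist, new SYNs to that host are blocked for 2 minutes.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
ip inspect tcp max-incomplete host 50 block-time 2
!
ip access-list extended INSIDEACL
 ! egress anti-spoofing (Q83): only our own source addresses may leave
 permit ip 10.1.1.0 0.0.0.255 any
 deny   ip any any log
!
ip access-list extended OUTSIDEACL
 ! ingress anti-spoofing (Q82): internal, private and reserved sources never arrive from outside
 deny   ip 10.1.1.0 0.0.0.255 any log
 deny   ip 200.1.2.0 0.0.0.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 0.0.0.0 any
 deny   ip host 255.255.255.255 any
 ! services published from the DMZ (Q87: the SMTP line is the one missing when mail fails)
 permit tcp any host 200.1.2.1 eq smtp
 permit tcp any host 200.1.2.2 eq www
 ! ICMP needed for path-MTU discovery and diagnostics; all other ICMP is dropped
 permit icmp any any unreachable
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 ! No static opening for replies to inside-initiated sessions: CBAC inserts temporary
 ! entries ahead of this deny for the life of each inspected session (Q61, Q67).
 ! The stateless alternative "permit tcp any 10.1.1.0 0.0.0.255 established" checks
 ! only the ACK/RST flags and offers nothing for UDP, which has no flags or sequence numbers.
 deny   ip any any log
!
ip access-list extended DMZACL
 ! DMZ hosts may answer the Internet but may never start sessions toward the inside
 deny   ip any 10.1.1.0 0.0.0.255 log
 permit ip 200.1.2.0 0.0.0.255 any
 deny   ip any any log
!
interface FastEthernet0/0
 description inside
 ip address 10.1.1.1 255.255.255.0
 ip access-group INSIDEACL in
 ip inspect FW in
!
interface FastEthernet0/1
 description outside
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDEACL in
 ip inspect FW in
!
interface FastEthernet0/2
 description dmz
 ip address 200.1.2.254 255.255.255.0
 ip access-group DMZACL in
!
! Verification: active sessions, effective thresholds, hit counts on the static entries
show ip inspect sessions detail
show ip inspect config
show ip access-lists OUTSIDEACL
```

When a session that should work does not, read 'show ip inspect sessions' first: if the session is absent, the static ACL on the ingress interface dropped the first packet and the inspection rule never ran; if it is present but replies still fail, the return traffic is entering an interface whose ACL is not the one CBAC opened.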

QUESTION 88
Refer to the exhibit. FastEthernet0/0 has been assigned a network address of 200.0.1.2/24 and no ACL has
been applied to that interface. Serial0/0/0 has been assigned a network address of 200.0.0.1/30. Assuming
that there are no network-related problems, which ping will be successful?
Select the best response.

A. from 200.0.0.1 to 200.0.0.2
B. from 200.0.0.2 to 200.0.0.1
C. from 200.0.0.2 to 200.0.1.1
D. from 200.0.0.2 to 200.0.1.2
E. from 200.0.1.1 to 200.0.0.2
F. from 200.0.1.2 to 200.0.0.2

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 89
Refer to the exhibit. Which three statements about this DMZ configuration are true? (Choose three.)
Select 3 response(s).

A. The device being enabled is a web server.
B. The device being enabled is an FTP server.
C. The device being enabled is located in the DMZ.
D. The device being enabled has been assigned an IP address of 192.168.0.2.
E. FTP-based packets with a destination of 192.168.0.2 will be allowed through the DMZ to the web server
located on the untrusted network.
F. Web-based packets with a destination of 192.168.0.2 will be allowed through the DMZ to the web server
located on the trusted network.

Answer: ACD
Section: (none)

Explanation/Reference:

QUESTION 90
What is a possible way to prevent a worm attack on a host PC?

A. Enable SSH.
B. Enable encryption.
C. Implement TACACS+.
D. Keep the operating system current with the latest patches.

Answer: D
Section: (none)

Explanation/Reference:

QUESTION 91
Refer to the exhibit.
What is the result of the ACL configuration that is displayed?

A. Inbound packets to request a TCP session with the 10.10.10.0/24 network are allowed.
B. TCP responses from the outside network for TCP connections that originated on the inside network are
allowed.
C. TCP responses from the inside network for TCP connections that originated on the outside network are
denied.
D. Any inbound packet with the SYN flag set to be routed is permitted.

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 92
Which two statements are true about the Cisco IOS Firewall set? (Choose two.)

A. protects against denial of service (DoS) attacks
B. An ACL entry is statically created and added to the existing, permanent ACL.
C. Traffic originating within the router is not inspected.
D. Temporary ACL entries are created and persist for the duration of the communication session.

Answer: AD
Section: (none)

Explanation/Reference:

QUESTION 93
Which statement is true about the SDM Basic Firewall wizard?

A. The wizard applies predefined rules to protect the private and DMZ networks.
B. The wizard can configure multiple DMZ interfaces for outside users.
C. The wizard permits the creation of a custom application security policy.
D. The wizard configures one outside interface and one or more inside interfaces.

Answer: D
Section: (none)

Explanation/Reference:

QUESTION 94
Which three statements about frame-mode MPLS are true? (Choose three.)

A. MPLS has three distinct components consisting of the data plane, the forwarding plane, and the control
plane.
B. The control plane is a simple label-based forwarding engine that is independent of the type of routing
protocol or label exchange protocol.
C. The CEF FIB table contains information about outgoing interfaces and their corresponding Layer 2
header.
D. The MPLS data plane takes care of forwarding based on either destination addresses or labels.
E. To exchange labels, the control plane requires protocols such as Tag Distribution Protocol (TDP) or
MPLS Label Distribution Protocol (LDP).
F. Whenever a router receives a packet that should be CEF-switched, but the destination is not in the FIB,
the packet is dropped.

Answer: DEF
Section: (none)

Explanation/Reference:

QUESTION 95
Which three statements about the Cisco Easy VPN feature are true? (Choose three.)

A. If the VPN server is configured for Xauth, the VPN client waits for a username/password challenge.
B. The Cisco Easy VPN feature only supports transform sets that provide authentication and encryption.
C. The VPN client initiates aggressive mode (AM) if a pre-shared key is used for authentication during the
IKE phase 1 process.
D. The VPN client verifies a server username/password challenge by using a AAA authentication server
that supports TACACS+ or RADIUS.
E. The VPN server can only be enabled on Cisco PIX Firewalls and Cisco VPN 3000 series concentrators.
F. When connecting with a VPN client, the VPN server must be configured for ISAKMP group 1, 2, or 5.

Answer: ABC
Section: (none)

Explanation/Reference:

QUESTION 96
Which two statements are true about the use of SDM to configure the Cisco Easy VPN feature on a router?
(Choose two.)

A. An Easy VPN connection is a connection that is configured between two Easy VPN clients.
B. The Easy VPN server address must be configured when configuring the SDM Easy VPN Server wizard.
C. The SDM Easy VPN Server wizard displays a summary of the configuration before applying the VPN
configuration.
D. The SDM Easy VPN Server wizard can be used to configure a GRE over IPSec site-to-site VPN or a
dynamic multipoint VPN (DMVPN).
E. The SDM Easy VPN Server wizard can be used to configure user XAuth authentication locally on the
router or externally with a RADIUS server.
F. The SDM Easy VPN Server wizard recommends using the Quick setup feature when configuring a
dynamic multipoint VPN.

Answer: CE
Section: (none)

Explanation/Reference:

QUESTION 97
Which three statements are true when configuring Cisco IOS Firewall features using the SDM? (Choose
three.)

A. A custom application security policy can be configured in the Advanced Firewall Security Configuration
dialog box.
B. An optional DMZ interface can be specified in the Advanced Firewall Interface Configuration dialog box.
C. Custom application policies for e-mail, instant messaging, HTTP, and peer-to-peer services can be
created using the Intermediate Firewall wizard.
D. Only the outside (untrusted) interface is specified in the Basic Firewall Interface Configuration dialog
box.
E. The outside interface that SDM can be launched from is configured in the Configuring Firewall for
Remote Access dialog box.
F. The SDM provides a basic, intermediate, and advanced firewall wizard.

Answer: ABE
Section: (none)

Explanation/Reference:

QUESTION 98
Which device is responsible for attaching a VPN label to a packet traversing an MPLS network?

A. the provider (P) router
B. the provider edge (PE) router
C. the customer edge (CE) router
D. the customer (C) router

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 99
Refer to the exhibit.
Given the partial tunnel configuration that is shown, which tunneling encapsulation is set?

A. GRE
B. GRE multipoint
C. cayman
D. DVMRP

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 100
Which statement is correct about Security Device Event Exchange (SDEE) messages?

A. SDEE messages can be viewed in real time using SDM.
B. SDEE messages displayed at the SDM window cannot be filtered.
C. SDEE messages are the SDM version of syslog messages.
D. SDEE specifies the IPS/IDS message exchange format between an IPS/IDS device and the IPS
management/monitoring station.
E. For SDEE messages to be viewed, the show ip ips all or show logging commands must be given first.

Answer: D
Section: (none)

Explanation/Reference:

QUESTION 101
Refer to the exhibit.
What are the ramifications of Fail Closed being enabled under Engine Options?

A. The router will drop all packets that arrive on the affected interface.
B. If the IPS engine is unable to scan data, the router will drop all packets.
C. If the IPS detects any malicious traffic, it will cause the affected interface to close any open TCP
connections.
D. The IPS engine is enabled to scan data and drop packets depending upon the signature of the flow.

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 102
Refer to the exhibit.

Assume that a signature can identify an IP address as the source of an attack. Which action would
automatically create an ACL that denies all traffic from an attacking IP address?

A. Alarm
B. Drop
C. Reset
D. denyFlowInline
E. denyAttackerInline
F. denyConnectionInline

Answer: E
Section: (none)

Explanation/Reference:

QUESTION 103
A site requires support for skinny and H.323 voice protocols. How is this configured on an IOS firewall using
the SDM?

A. The Basic Firewall wizard is executed and the High Security Application policy is selected.
B. The Advanced Firewall wizard is executed and a custom Application Security policy is selected in place
of the default Application Security policies.
C. The Application Security tab is used to create a policy with voice support before the Firewall wizard is
run.
D. The Application Security tab is used to modify the SDM_High policy to add voice support prior to the
Firewall wizard being run.

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 104
Refer to the exhibit.

The Basic Firewall wizard has been used to configure a router. What is the purpose of the highlighted
access list statement?

A. To prevent spoofing by blocking traffic entering interface Fa0/0 with a source address in the same
subnet as interface VLAN10
B. To prevent spoofing by blocking traffic entering Fa0/0 with a source address in the RFC 1918 private
address space
C. To establish a DMZ by preventing traffic from interface VLAN10 being sent out interface Fa0/0
D. To establish a DMZ by preventing traffic from interface Fa0/0 being sent out interface VLAN10

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 105
When establishing a VPN connection from the Cisco software VPN client to an Easy VPN server router
using pre-shared key authentication, what is entered in the configuration GUI of the Cisco software VPN
client to identify the group profile that is associated with this VPN client?

A. Group name
B. Client name
C. Distinguished name
D. Organizational unit

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 106
Refer to the exhibit.
An IOS firewall has been configured to support skinny and H.323. Voice traffic is not passing through the
firewall as expected. What needs to be corrected in this configuration?

A. Access list 100 needs to permit skinny and H.323.
B. Access list 101 needs to permit skinny and H.323.
C. The ip inspect Voice in command on interface FastEthernet 0/1 should be applied in the outbound
direction.
D. The ip inspect Voice out command should be applied to interface FastEthernet 0/0.

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 107
During the Easy VPN Remote connection process, which phase involves pushing the IP address, Domain
Name System (DNS), and split tunnel attributes to the client?

A. mode configuration
B. the VPN client establishment of an ISAKMP SA
C. IPsec quick mode completion of the connection
D. VPN client initiation of the IKE phase 1 process

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 108
When entering the Group Authentication information while configuring the Cisco VPN Client on a
PC, what information is entered in the "Name" field?

A. login name of the user (such as "jsmith")
B. client name of the device (such as "jsmith-laptop")
C. IPsec group information (such as "Engineering")
D. the group pre-shared secret (such as "CiNl1iNFTW")
E. host name of the remote VPN device (such as "vpna.cisco.com")

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 109
What phrase best describes a Handler in a distributed denial of service (DDoS) attack?

A. Person who launches the attack
B. Host that generates a stream of packets that is directed toward the intended victim
C. Host running the attacker program
D. Host being attacked

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 110
Which PPPoA configuration statement is true?

A. The dsl operating-mode auto command is required if the default mode has been changed.
B. The encapsulation ppp command is required.
C. The ip mtu 1492 command must be applied on the dialer interface.
D. The ip mtu 1496 command must be applied on the dialer interface.
E. The ip mtu 1492 command must be applied on the Ethernet interface.
F. The ip mtu 1496 command must be applied on the Ethernet interface.

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 111
What is a recommended practice for secure configuration management?

A. Disable port scan.
B. Use SSH or SSL.
C. Deny echo replies on all edge routers.
D. Enable trust levels.
E. Use secure Telnet.

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 112
Which IPsec VPN backup technology statement is true?

A. Each Hot Standby Router Protocol (HSRP) standby group has two well-known MAC addresses and a
virtual IP address.
B. Reverse Route Injection (RRI) is configured on at the remote site to inject the central site networks.
C. The crypto isakmp keepalive command is used to configure the Stateful Switchover (SSO) protocol.
D. The crypto isakmp keepalive command is used to configure stateless failover.
E. The reverse-route command should be applied directly to the outside interface.

Answer: D
Section: (none)

Explanation/Reference:

QUESTION 113
Which three DSL technologies support an analog POTS channel and utilize the entire bandwidth of the
copper to carry data? (Choose three.)

A. ADSL
B. IDSL
C. SDSL
D. RADSL
E. VDSL

Answer: ADE
Section: (none)

Explanation/Reference:

QUESTION 114
What actions can be performed by the Cisco IOS IPS when suspicious activity is detected? (Choose four.)

A. Send an alarm to a syslog server or a centralized management interface
B. Initiate antivirus software to clean the packet
C. Drop the packet
D. Reset the connection
E. Request packet to be resent
F. Deny traffic from the source IP address associated with the connection

Answer: ACDF
Section: (none)

Explanation/Reference:
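Worked configuration, added as an illustration (not from the exam, not a Cisco sample): a Cisco IOS IPS configuration in the 5.x signature format used from IOS 12.4(11)T onward, showing the pieces that Questions 56, 58, 100, 101, 102 and 114 test. The older SDF-based syntax that Questions 57 and 70 refer to differs in the signature-loading commands but not in the actions. The TFTP server, package file name, flash location and the choice of signature 2004/0 are assumed values.

```cisco
! Prerequisite (assumed): the signature package was loaded with
!   copy tftp://10.1.1.50/IOS-Sxxx-CLI.pkg idconf
! and Cisco's signature-signing public key was installed under 'crypto key pubkey-chain rsa'.
!
ip ips config location flash:ips/ retries 1
ip ips notify sdee          ! SDEE: the IDS/IPS-to-manager event format SDM subscribes to (Q100)
ip ips notify log           ! alarms to syslog as well
ip ips fail closed          ! drop traffic while the engine cannot scan, e.g. during a rebuild (Q101)
ip ips name IOSIPS
!
! Retire everything, then un-retire the basic category (the "default signatures")
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
!
! Per-signature tuning: where a signature reliably identifies the source, block every
! packet from that address for the deny-attacker duration instead of only the matching
! packet (Q102, Q114). Other actions: deny-packet-inline, deny-connection-inline,
! reset-tcp-connection, produce-alert.
ip ips signature-definition
 signature 2004 0
  status
   enabled true
   retired false
  engine
   event-action produce-alert deny-attacker-inline
!
interface FastEthernet0/1
 ip ips IOSIPS in
!
! Verification
show ip ips configuration   ! includes defaults that 'show running-config' omits (Q56)
show ip ips signatures      ! compiled signatures with retired/enabled state and actions
show ip ips statistics      ! packets checked, alarms and drops per interface
show ip ips interfaces
```

deny-attacker-inline is the one action that turns a single detection into a block on all traffic from that address, so it belongs only on signatures with a low false-positive rate; a spoofed source on such a signature lets an attacker use the IPS to deny service to whoever they impersonate.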

QUESTION 115
Internet Protocol Security (IPsec) is a suite of protocols for securing Internet Protocol (IP) communications
by authenticating and encrypting each IP packet of a data stream. Which command can be used to show
the configurations used by the current IPsec security associations?

A. show crypto isakmp key
B. debug crypto isakmp sa
C. show crypto isakmp sa
D. show crypto ipsec sa

Answer: D
Section: (none)

Explanation/Reference:

QUESTION 116
Which two statements are true about the troubleshooting of VPN connectivity on a Cisco router?
(Choose two.)

A. SDM can be used to provide statistical output that is related to IPsec SAs.
B. The debug crypto isakmp command output displays detailed IKE phase 1 and phase 2 negotiation
processes.
C. SDM can be used to perform advance troubleshooting.
D. Knowledge of Cisco IOS CLI commands is required.
E. The Monitor Tunnel Operation page in SDM is the primary tool for troubleshooting VPN connectivity.

Answer: BD
Section: (none)

Explanation/Reference:
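Worked configuration, added as an illustration (not from the exam, not a Cisco sample): one side of a site-to-site IPsec VPN annotated with the four steps of Question 55, the keepalive and reverse-route commands from Questions 77 and 112, and the verification commands from Questions 115 and 116. Peer addresses, protected networks, the pre-shared key and interface names are assumed values.

```cisco
! R1: local 10.1.1.0/24 behind 203.0.113.1, remote 10.2.2.0/24 behind 198.51.100.1 (assumed).
!
! Step 2 (Q55): IKE phase 1 policy, used to authenticate the peer and build the IKE SA
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14                   ! 2048-bit DH; 12.4T-era images may only offer groups 1, 2 and 5
 lifetime 86400
crypto isakmp key Example-PSK-Replace-Me address 198.51.100.1
!
! Dead peer detection (Q77, Q112): keepalive every 10 s, 3 retries, sent continuously.
! This gives stateless failover (the SA is torn down and rebuilt, possibly to a backup peer),
! not stateful switchover.
crypto isakmp keepalive 10 3 periodic
!
! Step 3: IPsec (phase 2) proposal
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Step 1: "interesting traffic", the proxy ACL whose first match triggers IKE
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! The crypto map binds peer, proposal and proxy ACL and is applied to the interface;
! reverse-route belongs in the map, not on the interface (Q112 option E)
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 set pfs group14
 match address VPN-TRAFFIC
 reverse-route              ! RRI: install a static route to 10.2.2.0/24 while the SA is up
!
interface FastEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 crypto map VPNMAP
!
! Step 4 / verification (Q115, Q116)
show crypto isakmp sa       ! phase 1: state QM_IDLE means the IKE SA is established
show crypto ipsec sa        ! phase 2: SPIs, transforms in use, pkts encaps/decaps counters
show crypto engine connections active
debug crypto isakmp         ! phase 1 and phase 2 negotiation, message by message
debug crypto ipsec          ! SA creation and proxy-identity mismatches
```

The counters in 'show crypto ipsec sa' are the quickest split between "the tunnel is down" and "the tunnel is up but traffic is not selected": encaps rising with decaps at zero means the far side is not sending back through the SA, and both at zero with QM_IDLE present means the traffic never matched VPN-TRAFFIC.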

QUESTION 117
Which statement about the aaa authentication enable default group radius enable command is true?

A. If the radius server returns an error, the enable password will be used.
B. If the radius server returns a 'failed' message, the enable password will be used.
C. The command login authentication group will associate the AAA authentication to a specified interface.
D. If the group database is unavailable, the radius server will be used.

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 118
DSL (Digital Subscriber Line) is a technology for bringing high- bandwidth information to homes and small
businesses over ordinary copper telephone lines. Which form of DSL technology is typically used to replace
T1 lines?

A. VDSL
B. HDSL
C. ADSL
D. SDSL

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 119
According to the following presented information, which two items are correct regarding user access?
(Choose two.)

A. Telnet access to this device is not possible because login access has not been configured.
B. Access to the console port of this device may be gained by use of the "con2access" password.
C. A username and password are needed to log in to a Telnet session to this device.
D. A username and password are needed to log in to the console port of this device.

Answer: CD
Section: (none)

Explanation/Reference:

QUESTION 120
What are two principles to follow when configuring ACLs with IOS Firewall? (Choose two.)

A. Prevent traffic that will be inspected by IOS Firewall from leaving the network through the firewall.
B. Configure extended ACLs to prevent IOS Firewall return traffic from entering the network through the
firewall.
C. Configure an ACL to deny traffic from the protected networks to the unprotected networks.
D. Permit broadcast messages with a source address of 255.255.255.255.
E. Allow traffic that will be inspected by IOS Firewall to leave the network through the firewall.

Answer: BE
Section: (none)

Explanation/Reference:

QUESTION 121
With MPLS, what is the function of the protocol ID (PID) in a Layer 2 header?

A. It specifies that the bottom-of-stack bit immediately follows.
B. It specifies that the payload starts with a label and is followed by an IP header.
C. It specifies that the receiving router use the top label only.
D. It specifies how many labels immediately follow.

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 122
Which statement identifies a limitation in the way Cisco IOS Firewall tracks UDP connections versus TCP
connections?

A. It cannot track the source IP.
B. It cannot track the source port.
C. It cannot track the destination IP.
D. It cannot track the destination port.
E. It cannot track sequence numbers and flags.
F. It cannot track multicast or broadcast packets.

Answer: E
Section: (none)

Explanation/Reference:

QUESTION 123
What are three methods of network reconnaissance? (Choose three.)

A. IP spoofing
B. One-time password
C. Dictionary attack
D. Packet sniffer
E. Ping sweep
F. Port scan

Answer: DEF
Section: (none)

Explanation/Reference:

QUESTION 124
PPPoE, Point-to-Point Protocol over Ethernet, is a network protocol for encapsulating Point-to-Point
Protocol (PPP) frames inside Ethernet frames. What is the possible cause for the failure of the
establishment of the PPPoE client session?

A. The PPP LCP phase has failed because the correct DSL operating mode (DSL modulation) is not
configured on the PG-CPE router.
B. The PPP authentication phase has failed at the PG-CPE.
C. The PPP LCP phase has failed because of excessive link noise.
D. The PPP NCP phase has failed because the local router cannot successfully initialize the DSLAM.

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 125
According to the following graphic, can you tell me which VPN IPv4 label is for the network 172.16.13.0/24?

A. 11
B. 17
C. 12308
D. 17, 12308

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 126
What are two ways to mitigate IP spoofing attacks? (Choose two.)

A. Disable ICMP echo.
B. Use RFC 3704 filtering (formerly known as RFC 2827).
C. Use encryption.
D. Configure trust levels.
E. Use NBAR.
F. Use MPLS.

Answer: BC
Section: (none)

Explanation/Reference:

QUESTION 127
What technology must be enabled as a prerequisite to running MPLS on a Cisco router?

A. Process switching
B. Routing-table driven switching
C. Cache driven switching
D. CEF switching
E. Fast switching

Answer: D
Section: (none)

Explanation/Reference:

QUESTION 128
Which two of the following belong to reconnaissance attacks? (Choose two.)

A. Port scans
B. Ping sweeps
C. Denial of service attacks
D. Man-in-the-middle attacks

Answer: AB
Section: (none)

Explanation/Reference:

QUESTION 129
Refer to the exhibit. Which of these statements about the configured IPsec transform set is correct?

Select the best response.

A. Only the data field of the packet will be hashed using SHA.
B. Only the address fields of the packet will be hashed using SHA.
C. Only the data field of the packet will be encrypted by the AES algorithm using a 256-bit key.
D. Only the address fields of the packet will be encrypted by the AES algorithm using a 256-bit key.
E. The data field of the packet will be encrypted by the AES algorithm using a 256-bit key, while the
address fields of the packet will be hashed using SHA.
F. The address fields of the packet will be encrypted by the AES algorithm using a 256-bit key, while the
data field of the packet will be hashed using SHA.

Answer: E
Section: (none)

Explanation/Reference:

QUESTION 130
Which two statements about the AutoSecure feature are true? (Choose two.)

A. AutoSecure automatically disables the CDP feature.
B. If you enable AutoSecure, the minimum length of the login and enable passwords is set to 6 characters.
C. The auto secure full command automatically configures the management and forwarding planes without
any user interaction.
D. To enable AutoSecure, the auto secure global configuration command must be used.
E. Once AutoSecure has been configured, the user can launch the SDM Web interface to perform a
security audit.

Answer: AB
Section: (none)

Explanation/Reference:

QUESTION 131
Refer to the exhibit. Host 1 cannot ping Server 1. In the course of troubleshooting, you have eliminated all
network issues. Based upon the partial configuration shown, what is the issue?
Select the best response.

A. No routing protocol is running on R 1 and R 2.
B. An encryption algorithm has been configured on R 1 and R 2.
C. The tunnel destinations on R 1 and R 2 are not on the same subnet.
D. R 1 has the wrong tunnel source configured under the tunnel interface.
E. R 2 has the wrong tunnel source configured under the tunnel interface.
F. The tunnel numbers (interface tunnel 0 and interface tunnel 1) on R 1 and R 2 do not match.

Answer: D
Section: (none)

Explanation/Reference:

QUESTION 132
When configuring backup IPsec VPNs with Cisco IOS Release 12.2(8)T or later, what are the default
parameters?

A. Cisco IOS keepalives are sent every 10 seconds if there is no traffic to send.
B. Dead peer detection (DPD) hello messages are sent every 10 seconds if there is no traffic to send.
C. Cisco IOS keepalives are sent every 10 seconds if the router has traffic to send.
D. DPD hello messages are sent every 10 seconds if the router has traffic to send.

Answer: D
Section: (none)

Explanation/Reference:

QUESTION 133
Observe the following exhibit carefully. The output is produced by which Cisco security feature?

A. CBAC
B. IPS
C. SSH
D. AutoSecure

Answer: D
Section: (none)

Explanation/Reference:

QUESTION 134
CBAC provides advanced traffic filtering functionality and can be used as an integral part of your network
firewall. Which two descriptions are correct about the Cisco Classic (CBAC) IOS Firewall set? (Choose two.)

A. It can block bulk encryption attacks.
B. It can protect against denial of service attacks.
C. Temporary ACL entries that allow selected traffic to pass are created and persist for the duration of the
communication session.
D. Traffic originating from the router is considered trusted, so it is not inspected.

Answer: BD
Section: (none)

Explanation/Reference:

QUESTION 135
Look at the following exhibit carefully. LDP neighbor sessions have been built between PG-RTB and PG-RTC.
In the process of troubleshooting, it is found that labels are being distributed between the two routers;
however, the LFIB has no label swapping information. Why?

A. BGP neighbor sessions have not been established on both routers.
B. IP Cisco Express Forwarding has not been enabled on both PG-RTB and PG-RTC.
C. LDP has been enabled on one router and TDP has been enabled on the other.
D. The IGP is summarizing the address space.

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 136
Why is the ping between the PG-HQ router and the 192.168.1.193 interface on the PG-Branch2 router
failing?

A. The default route is missing from the PG-Branch2 router.
B. When running EIGRP over GRE tunnels, you must manually configure the neighbor address using the
eigrp neighbor ipaddress command.
C. The tunnel numbers for the tunnel between the PG-HQ router and the PG-Branch2 router do not match.
D. The tunnel source is incorrect on the PG-Branch2 router. It should be serial 2/0.
E. The AS number for the EIGRP process on PG-Branch2 should be 1 and not 11.

Answer: E
Section: (none)

Explanation/Reference:

QUESTION 137
What are two steps that must be taken when mitigating a worm attack? (Choose two.)

A. Inoculate systems by applying update patches.
B. Limit traffic rate.
C. Apply authentication.
D. Quarantine infected machines.
E. Enable anti-spoof measures

Answer: AD
Section: (none)

Explanation/Reference:

QUESTION 138
To implement Easy VPN Remote capabilities, which requirement must be met?

A. The destination peer must be a Cisco Easy VPN Server or VPN Concentrator supporting Cisco Easy
VPN Server.
B. The source peer must be a Cisco Easy VPN Server or VPN Concentrator supporting Cisco Easy VPN
Server.
C. The destination peer must be a Cisco Easy VPN Remote device.
D. The destination peer must support all available encryption and authentication types.

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 139
At what size should the MTU on LAN interfaces be set in the implementation of MPLS VPNs with traffic
engineering?

A. 1512 bytes
B. 1516 bytes
C. 1520 bytes
D. 1524 bytes
E. 1528 bytes
F. 1532 bytes

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 140
Which two devices serve as the main endpoint components in a DSL data service network? (Choose two.)

A. SOHO workstation
B. ATU-R
C. ATU-C
D. POTS splitter
E. CO switch

Answer: B
Section: (none)

Explanation/Reference:
I don't know the other choice.

QUESTION 141
Which three protocols are available for local redundancy in a backup VPN scenario? (Choose three.)

A. VRRP
B. A routing protocol
C. RSVP
D. HSRP
E. Proxy ARP
F. GLBP

Answer: ADF
Section: (none)

Explanation/Reference:

QUESTION 142
Which PPPoE configuration statement is true?

A. A PVC must be created before the pppoe enable command on the Ethernet interface is entered.
B. The dsl operating-mode auto command is required.
C. The encapsulation ppp command must be applied on the Ethernet interface.
D. The ip mtu 1492 command must be applied on the dialer interface.
E. The ip mtu 1496 command must be applied on the Ethernet interface.
F. When the pppoe enable command is applied on the Ethernet interface, a PVC will be created.

Answer: D
Section: (none)

Explanation/Reference:

QUESTION 143
The Cisco SOHO 77 ADSL router provides an affordable, secure, multiuser digital subscriber line (DSL)
access solution to small office/home office customers while reducing deployment and operational costs for
service providers. Refer to the exhibit, which shows a PPPoA diagram and partial SOHO77 configuration.
Which command needs to be applied to the SOHO77 to complete the configuration?

A. encapsulation aal5mux ppp dialer applied to the PVC
B. encapsulation aal5ciscoppp applied to the PVC
C. encapsulation aal5mux ppp dialer applied to the ATM0 interface
D. encapsulation aal5ciscoppp applied to the ATM0 interface

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 144
Which three are methods of network reconnaissance? (Choose three.)

A. Packet sniffer
B. Ping Sweep
C. Dictionary attack
D. Port scan

Answer: ABD
Section: (none)

Explanation/Reference:

QUESTION 145
Refer to the exhibit below. Router PassGuide-R is unable to establish an ADSL connection with its
provider. What action should be taken to correct this problem?

A. On the Dialer0 interface, add the pppoe enable command.
B. On the Ethernet 0/1 interface, add the dialer pool-member 0 command.
C. On the Ethernet 0/1 interface, add the dialer pool-member 1 command.
D. On the Dialer0 interface, change the MTU value to 1500 using the ip mtu 1500 command.
E. On the Ethernet 0/1 interface, add the pppoe-client dial-pool-number 0 command.
F. On the Ethernet 0/1 interface, add the pppoe-client dial-pool-number 1 command.

Answer: F
Section: (none)

Explanation/Reference:

QUESTION 146
You work as a network technician at PassGuide.com. Study the exhibit carefully. What type of security
solution will be provided for the inside network?

A. The router will intercept the traceroute messages. It will validate the connection requests before
forwarding the packets to the inside network.
B. The router will reply to the TCP connection requests. If the three-way handshake completes
successfully, the router will establish a TCP connection between itself and the server.
C. The TCP traffic that matches the ACL will be allowed to pass through the router and create a TCP
connection with the server.
D. The TCP connection that matches the defined ACL will be reset by the router if the connection does not
complete the three-way handshake within the defined time period.

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 147
Which three descriptions are correct about frame-mode MPLS? (Choose three.)

A. MPLS has three distinct components consisting of the data plane, the forwarding plane, and the control
plane.
B. The MPLS data plane takes care of forwarding based on either destination addresses or labels.
C. To exchange labels, the control plane requires protocols such as Tag Distribution Protocol (TDP) or
MPLS Label Distribution Protocol (LDP).
D. Whenever a router receives a packet that should be CEF-switched, but the destination is not in the FIB,
the packet is dropped.

Answer: BCD
Section: (none)

Explanation/Reference:

QUESTION 148
Authentication is the process of determining whether someone or something is, in fact, who or what it is
declared to be. On the basis of the exhibit, which two statements correctly describe the authentication
method used to authenticate users who want privileged access into PG-R1? (Choose two.)

A. All users will be authenticated using the RADIUS server. If the RADIUS server is unavailable, the
authentication process stops and no other authentication method is attempted.
B. All users will be authenticated using the RADIUS server. If the RADIUS server is unavailable, the router
will attempt to authenticate the user using its local database.
C. All users will be authenticated using the RADIUS server. If the user authentication fails, the router will
attempt to authenticate the user using its local database.
D. All users will be authenticated using the RADIUS server. If the user authentication fails, the
authentication process stops and no other authentication method is attempted.

Answer: BD
Section: (none)

Explanation/Reference:

QUESTION 149
You work as a network technician. Refer to the exhibit. Which description is correct about the partial MPLS
configuration that is shown?

A. The route-target both 100:2 command sets import and export route-targets for vrf2.
B. The route-target both 100:2 command changes a VPNv4 route to an IPv4 route.
C. The route-target import 100:1 command sets import route-targets routes specified by the route map.
D. The route-target import 100:1 command sets import route-targets for vrf2 that override the other route-
target configuration.

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 150
Refer to the exhibit. Based on the presented information, which description is correct?

A. The IOS firewall has allowed an HTTP session between two devices.
B. A TCP session that started between 192.168.1.116 and 192.168.101.115 caused dynamic ACL entries
to be created.
C. A UDP session that started between 192.168.1.116 and 192.168.101.115 caused dynamic ACL entries
to be created.
D. Telnet is the only protocol allowed through this IOS firewall configuration.

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 151
A.

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 152
Drag and drop the Cisco IOS commands that would be used to configure the physical interface portion of a
PPPoE client configuration. Drag and Drop question, drag each item to its proper location.
A.

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 153
Drag the correct statements about MPLS-based VPN on the left to the boxes on the right. (Not all statements
will be used.)
A.

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 154
Drag the IPsec protocol description from the above to the correct protocol type on the below. (Not all
descriptions will be used.) Drag and Drop question, drag each item to its proper location.
A.

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 155
Drag and drop each management protocol on the above to the correct category on the below.
A.

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 156
Drag and drop each function on the above to the hybrid fiber-coaxial architecture component that it
describes on the below.

A.

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 157
Drag the DSL technologies on the left to their maximum (down/up) data rate values on the below.

A.

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 158
Drag the DSL local loop topic on the left to the correct descriptions on the right.

A.

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 159
Drag the IOS commands from the left that would be used to implement a GRE tunnel using the 10.1.1.0/30
network on interface serial 0/0 to the correct target area on the right.
A.

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 160
Identify the recommended steps for worm attack mitigation by dragging and dropping them into the target
area in the correct order.
A.

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 161
Drag and drop the xDSL type on the above to the appropriate xDSL description on the below.

A.

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 162
Match the xDSL type on the above to the most appropriate implementation on the below.

A.

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 163
Drag each element of the Cisco IOS Firewall Feature Set from the above and drop onto its description on
the below.
A.

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 164
Drag the protocols that are used to distribute MPLS labels from the above to the target area on the below.
(Not all options will be used)
A.

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 165
Drag and drop question. The upper area lists the MPLS functions and the lower area describes the planes.
Drag the items above to the proper location below.
A.

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 166
Drag and drop question. The left side shows blank boxes for IPsec VPN and the right side lists IPsec VPN
descriptions. Drag the correct descriptions from the right into the boxes on the left.
A.

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 167
Drag and drop question. The left side shows blank boxes for the ADSL POTS splitter and the right side lists
ADSL POTS splitter descriptions. Drag the correct descriptions from the right into the boxes on the left.

A.

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 168
Drag and drop question. Drag the ordered steps below into the correct DSL ATM interface configuration
sequence above.
A.

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 169
Drag and drop question. Drag the Cisco IOS commands above to the proper location below to implement a
two-interface IOS firewall.
A.

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 170
Drag each description to the correct IPsec security feature.
A.

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 171
Drag each type of attack on the left to its description on the right.
A.

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 172
Drag the worm attack mitigation step on the left to the description on the right.

A.

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 173
Drag and drop the Cisco IOS commands that would be used to configure the dialer interface portion of a
PPPoE client implementation where the client is facing the Internet and private IP addressing is used on the
internal network.

A.

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 174
Drop
A.

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 175
PassGuide is a small export company.

This firm has an existing enterprise network that is made up exclusively of routers that use EIGRP as
the IGP. Its network is up and operating normally. As part of its network expansion, PassGuide has decided
to connect to the Internet through a broadband cable ISP. Your task is to enable this connection using the
information below.

Connection Encapsulation: PPP
Connection Type: PPPoE client
Connection Authentication: None
Connection MTU: 1492 bytes
Address: Dynamically assigned by the ISP
Outbound Interface: E0/0
You will know that the connection has been successfully enabled when you can ping the simulated Internet
address of 172.16.1.1.
Note: Routing to the ISP: Manually configured default route
PassGuide-R# show ip route ....
Gateway of last resort is not set
     192.168.1.0/27 is subnetted, 7 subnets
C       192.168.1.0 is directly connected, Ethernet0/1
D       192.168.1.32 [90/307200] via 192.168.1.2, 00:02:16, Ethernet0/1
D       192.168.1.64 [90/307200] via 192.168.1.2, 00:02:17, Ethernet0/1
D       192.168.1.96 [90/307200] via 192.168.1.2, 00:02:17, Ethernet0/1
D       192.168.1.128 [90/307200] via 192.168.1.3, 00:02:17, Ethernet0/1
D       192.168.1.192 [90/307200] via 192.168.1.3, 00:02:17, Ethernet0/1
D       192.168.1.224 [90/307200] via 192.168.1.3, 00:02:17,

PassGuide-R# show run ....
no service password-encryption
!
hostname PassGuide-R
!
boot-start-marker
boot-end-marker
!
no aaa new-model
resource policy
clock timezone PST 0
ip subnet-zero
no ip dhcp use vrf connected
!
interface Ethernet0/0
 description link to cable modem
 no ip address
 shutdown
!
interface Ethernet0/1
 description link to corporate nework
 ip address 192.168.1.1 255.255.255.224
!
interface Ethernet0/2
 no ip address
!
interface Ethernet0/3
 no ip address
 shutdown
!
router eigrp 1
 network 192.168.1.0
 auto-summary
!
line con 0
line vty 0 15
end

A. PassGuide-R>ena
PassGuide-R#conf t
PassGuide-R(config)#int e0/0
PassGuide-R(config-if)#pppoe enable
PassGuide-R(config-if)#pppoe-client dial-pool-number 1
PassGuide-R(config-if)#no shut
PassGuide-R(config-if)#exit
PassGuide-R(config)#vpdn enable
PassGuide-R(config)#vpdn-group 1
PassGuide-R(config-vpdn)#request-dialin
PassGuide-R(config-vpdn-req-in)#protocol pppoe
PassGuide-R(config-vpdn-req-in)#exit
PassGuide-R(config-vpdn)#exit
PassGuide-R(config)#dialer-list 1 protocol ip permit
PassGuide-R(config)#ip route 0.0.0.0 0.0.0.0 dialer1
PassGuide-R(config)#int dialer 1
PassGuide-R(config-if)#encapsulation ppp
PassGuide-R(config-if)#ip address negotiated
PassGuide-R(config-if)#dialer pool 1
PassGuide-R(config-if)#dialer-group 1
PassGuide-R(config-if)#ip mtu 1492
PassGuide-R(config-if)#no shut
PassGuide-R(config-if)#end
PassGuide-R#ping 172.16.1.1
If the ping is successful, you are finished; if not, check the configuration.

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 176
A. PassGuide-R1> enable
PassGuide-R1# conf t
PassGuide-R1(config)#aaa new-model
PassGuide-R1(config)#username BDnet1 password Wer#1
PassGuide-R1(config)#tacacs-server host 10.6.6.254 key training
PassGuide-R1(config)#aaa authentication login default local
PassGuide-R1(config)#aaa authentication login vty group tacacs+
PassGuide-R1(config)#aaa authorization exec vty group tacacs+
PassGuide-R1(config)#line vty 0 4
PassGuide-R1(config-line)#authorization exec vty
PassGuide-R1(config-line)#login authentication vty
PassGuide-R1(config-line)#end
PassGuide-R1#copy run start
#Test:
PassGuide-R2#ssh 10.2.1.1 -l cisco <Enter> password: Cisco123
Answer: A
Section: (none)

Explanation/Reference:

QUESTION 177
A.

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 178
A company installed a new router, R1, in its network. As an administrator you need to configure TACACS
for the router with the following configuration given below.
1. Enable the TACACS server in R1
2. Configure console and Aux for default authentication
3. Configure VTY for TACACS server authentication
4. Configure the TACACS server IP 10.2.2.2 and shared key 123
5. Log in to R2 using the provided username and password (username R2, password COL)
6. From R2 log in to R1 using SSH and check the R1 TACACS (username R1, password TAC)
A. R1(config)# aaa new-model
R1(config)# tacacs-server host 10.2.2.2 key 123 ( IP and Key may change)
R1(config)# aaa authentication login default local
R1(config)# aaa authentication login CUSTOM_LIST group tacacs+ ( Only required to allow TACACS )
R1(config)# line console 0
R1(config-line)# login authentication default
R1(config-line)# line aux 0
R1(config-line)# login authentication default
R1(config-line)# line vty 0 4
R1(config-line)# login authentication CUSTOM_LIST
R1(config-line)# line vty 5 15
R1(config-line)# login authentication CUSTOM_LIST
R1(config-line)# end
R1# copy run start
Login to R2 with provided credentials.
R2>username R2 password COL
R2#ssh <ip from R1> -l R1 password TAC

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 179
1. Which defined peer IP address and local subnet belong to Crete? (Choose two.)

A. peer address 192.168.55.159
B. peer address 192.168.77.120
C. peer address 192.168.167.85
D. subnet 10.5.15.0/24
E. subnet 10.8.28.0/24
F. subnet 10.5.33.0/24

Answer: AD
Section: (none)

Explanation/Reference:
2. Which IPSec rule is used for the Olympia branch and what does it define? (Choose two.)

A. 102
B. 116
C. 127
D. IP traffic sourced from 10.10.10.0/24 destined to 10.5.15.0/24 will use the VPN.
E. IP traffic sourced from 10.10.10.0/24 destined to 10.8.28.0/24 will use the VPN.
F. IP traffic sourced from 10.10.10.0/24 destined to 10.5.33.0/24 will use the VPN.

Answer: B,E
3. Which algorithm, as defined by the transform set, is used for providing data confidentiality when connected
to Type?

A. ESP-3DES-SHA
B. ESP-3DES-SHA1
C. ESP-3DES-SHA2
D. ESP-3DES
E. ESP-SHA-HMAC

Answer: D

4. Which peer authentication method and which IPSec mode is used to connect to the branch locations?
(Choose two.)

A. Digital Certificate
B. Pre-Shared Key
C. Transport Mode
D. Tunnel Mode
D. GRE/IPSEC Transport Mode
E. GRE/IPSEC Tunnel Mode

Answer: B,D
QUESTION 180
1. What is preventing the HQ router and the Branch1 router from establishing an EIGRP neighbor
relationship?

A. The tunnel source is incorrect on the Branch1 router. It should be serial 2/0.
B. When running EIGRP over GRE tunnels, you must manually configure the neighbor address using the
eigrp neighbor ipaddress command.
C. The default route is missing from the Branch1 router.
D. The tunnel interface numbers for the tunnel between the HQ router and Branch1 router do not match.
E. The tunnel destination address is incorrect on the HQ router. It should be 10.2.1.1 to match the interface
address of the Branch1 router.

Answer: B
Section: (none)

Explanation/Reference:
2. Why is the ping between the HQ router and the 192.168.1.193 interface on the Branch2 router failing?

A. The AS number for the EIGRP process on Branch2 should be 1 and not 11.
B. The tunnel numbers for the tunnel between the HQ router and the Branch2 router do not match.
C. The default route is missing from the Branch2 router.
D. The tunnel source is incorrect on the Branch2 router. It should be serial 2/0.
E. When running EIGRP over GRE tunnels, you must manually configure the neighbor address using the
eigrp neighbor ipaddress command.

Answer: E
3. What is preventing a successful ping between the HQ router and the 192.168.1.10 interface on the
Branch3 router?

A: The tunnel interface numbers for the tunnel between the HQ router and the Branch3 router do not match.
B. The IP address on the tunnel interface for the Branch3 router has the wrong IP mask. It should be
255.255.255.252.
C. The network statement under router EIGRP on the Branch3 router is incorrect. It should be network
192.168.2.0 0.0.0.255.
D. The default route is missing from the Branch3 router.
E. The tunnel source is incorrect on the Branch3 router. It should be serial 2/0.

Answer: C

QUESTION 181
Which two statements about the Cisco Autosecure feature are true? (Choose two.)

A. All passwords entered during the Autosecure configuration must be a minimum of 8 characters in length.
B. Cisco 123 would be a valid password for both the enable password and the enable secret commands.
C. The auto secure command can be used to secure the router login as well as the NTP and SSH
protocols.
D. For an interactive full session of AutoSecure, the auto secure login command should be used.
E. If the SSH server was configured, the 1024 bit RSA keys are generated after the auto secure command
is enabled.

Answer: CE
Section: (none)

Explanation/Reference:

QUESTION 182
Which three statements are correct about MPLS-based VPNs? (Choose three.)

A. Route Targets (RTs) are attributes attached to a VPNv4 BGP route to indicate its VPN membership.
B. Scalability becomes challenging for a very large, fully meshed deployment.
C. Authentication is done using a digital certificate or pre-shared key.
D. A VPN client is required for client-initiated deployments.
E. A VPN client is not required for users to interact with the network.
F. An MPLS-based VPN is highly scalable because no site-to-site peering is required.

Answer: AE
Section: (none)

Explanation/Reference:

QUESTION 183
Which IPsec mode will encrypt a GRE tunnel to provide multiprotocol support and reduced overhead?

A. 3DES
B. multipoint GRE
C. tunnel
D. transport

Answer: D
Section: (none)

Explanation/Reference:

QUESTION 184
Which two statements are true about broadband cable (HFC) systems? (Choose two.)
A. Cable modems only operate at Layer 1 of the OSI model.
B. Cable modems operate at Layers 1 and 2 of the OSI model.
C. Cable modems operate at Layers 1, 2, and 3 of the OSI model.
D. A function of the cable modem termination system (CMTS) is to convert the modulated signal from the
cable modem into a digital signal.
E. A function of the cable modem termination system is to convert the digital data stream from the end user
host into a modulated RF signal for transmission onto the cable system.

Answer: BD
Section: (none)

Explanation/Reference:

QUESTION 185
Which two statements are correct about mitigating attacks by the use of access control lists (ACLs)?
(Choose two.)

A. Extended ACLs on routers should always be placed as close to the destination as possible.
B. Each ACL that is created ends with an implicit permit all statement.
C. Ensure that earlier statements in the ACL do not negate any statements that are found later in the list.
D. Denied packets should be logged by an ACL that traps informational (level 6) messages.
E. IP packets that contain the source address of any internal hosts or networks inbound to a private
network should be permitted.
F. More specific ACL statements should be placed earlier in the ACL.

Answer: DF
Section: (none)

Explanation/Reference:

QUESTION 186
Refer to the exhibit.
What is needed to complete the PPPoA configuration?

A. A static route to the ISP needs to be configured.
B. The VPDN group needs to be created.
C. The ATM PVC needs to be configured.
D. PPPoE encapsulation needs to be configured on the ATM interface.
E. PAP authentication needs to be configured.

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 187
Which three configuration steps must be taken to connect a DSL ATM interface to a service provider?
(Choose three.)

A. Enable VPDN.
B. Configure PPPoE on the VPDN group.
C. Configure the ATM PVC.
D. Assign a VPDN group name.
E. Configure a dialer interface.
F. Configure the correct PPP encapsulation on the ATM virtual circuit.

Answer: CEF
Section: (none)

Explanation/Reference:

QUESTION 188
When configuring the Cisco software VPN client on a PC, which values need to be entered to complete the
setup when pre-shared key authentication is used?

A. IP address of server, groupname, and password
B. IP address of server, groupname and password, and default gateway
C. IP address of server, groupname and password, default gateway, and DNS servers
D. IP address of server, groupname and password, default gateway, DNS servers, and local IP address

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 189
What is one benefit of AutoSecure?

A. By default, all passwords are encrypted with level 7 encryption.
B. By default, a password is enabled on all ports.
C. Command line questions are created that automate the configuration of security features.
D. A multiuser logon screen is created with different privileges assigned to each member.

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 190
What is meant by the attack classification of "false positive" on a Cisco IPS device?

A. A signature is fired for nonmalicious traffic, benign activity.
B. A signature is not fired when offending traffic is detected.
C. A signature is correctly fired when offending traffic is detected and an alarm is generated.
D. A signature is not fired when non-offending traffic is captured and analyzed.

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 191
When packets in a session match a signature, what are three actions that the Cisco IOS Firewall IPS can
take? (Choose three.)

A. Notify a centralized management interface of a false positive
B. Remove the virus or worm from the packets
C. Use the signature micro-engine to prevent a CAM Table Overflow Attack
D. Reset the connection
E. Drop the packets
F. Send an alarm to a syslog server

Answer: DEF
Section: (none)

Explanation/Reference:

QUESTION 192
Refer to the exhibit.

SDM has added the commands in the exhibit to the router's configuration. What are the three objectives that
these commands accomplish? (Choose three.)

A. Forces the user to authenticate twice to prevent man-in-the-middle attacks


B. Inspects SSH packets across all enabled interfaces every 60 seconds
C. Specifies SSH for remote management access
D. Prevents Telnet access to the device unless it is from the SDM workstation
E. Sets the SSH timeout value to 60 seconds, a value that causes incomplete SSH connections to shut
down after 60 seconds
F. Sets the maximum number of unsuccessful SSH login attempts to two before locking access to the
router

Answer: CEF
Section: (none)

Explanation/Reference:

QUESTION 193
Which three MPLS statements are true? (Choose three.)

A. Cisco Express Forwarding (CEF) must be enabled as a prerequisite to running MPLS on a Cisco router.
B. Frame-mode MPLS inserts a 32-bit label between the Layer 3 and Layer 4 headers.
C. MPLS is designed for use with frame-based Layer 2 encapsulation protocols such as Frame Relay, but
is not supported by ATM because of ATM fixed-length cells.
D. OSPF, EIGRP, IS-IS, RIP, and BGP can be used in the control plane.
E. The control plane is responsible for forwarding packets.
F. The two major components of MPLS include the control plane and the data plane.

Answer: ADF
Section: (none)

Explanation/Reference:

QUESTION 194
Refer to the exhibit.

The configuration in the exhibit is found on an Internet service provider (ISP) Multiprotocol Label Switching
(MPLS) network. What is its purpose?

A. To prevent man-in-the-middle attacks
B. To use CBAC to shut down Distributed Denial of Service attacks
C. To use IPS to protect against session-replay attacks
D. To prevent customers from running TDP with the ISP routers
E. To prevent customers from running LDP with the ISP routers
F. To prevent other ISPs from running LDP with the ISP routers

Answer: D
Section: (none)

Explanation/Reference:

QUESTION 195
What are the four main steps in configuring an IPsec site-to-site VPN tunnel on Cisco routers? (Choose
four.)

A. Define the ISAKMP policy.
B. Define the IPsec transform set.
C. Define the pre-shared key used in the DH (Diffie-Hellman) exchange.
D. Create a crypto access list to define which traffic should be sent through the tunnel.
E. Create a crypto map and apply it to the outgoing interface of the VPN device.
F. Configure dynamic routing over the IPsec tunnel interface.

Answer: ABDE
Section: (none)

Explanation/Reference:

QUESTION 196
Which statement is true about an IPsec/GRE tunnel?

A. The GRE tunnel source and destination addresses are specified within the IPsec transform set.
B. An IPsec/GRE tunnel must use IPsec tunnel mode.
C. GRE encapsulation occurs before the IPsec encryption process.
D. Crypto map ACL is not needed to match which traffic will be protected.

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 197
Which feature is an accurate description of the Diffie-Hellman (DH) exchange between two IPsec peers?

A. Allows the two peers to communicate the pre-shared secret key to each other during IKE phase 1
B. Allows the two peers to communicate its digital certificate to each other during IKE phase 1
C. Allows the two peers to jointly establish a shared secret key over an insecure communications channel
D. Allows the two peers to negotiate its IPsec transforms during IKE phase 2
E. Allows the two peers to authenticate each other over an insecure communications channel

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 198
Which three modulation signaling standards are used in broadband cable technology? (Choose three.)

A. S-Video
B. PAL
C. NTSC
D. SECAM
E. FDM
F. FEC

Answer: BCD
Section: (none)

Explanation/Reference:

QUESTION 199
Which can be used to mitigate Trojan horse attacks?

A. The use of antivirus software
B. The disabling of port redirection
C. RFC 2827 filtering
D. Implementation of traffic rate limiting
E. Implementing anti-DoS features

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 200
Which two statements are true about the configuration of the Cisco IOS Firewall using the SDM? (Choose
two.)

A. Cisco IOS Firewall features may be configured by choosing the Additional Tasks wizard.
B. Firewall policies can be viewed from the Home screen of the SDM.
C. To simplify the Firewall configuration task, the SDM provides Basic Firewall, Intermediate Firewall, and
Advanced Firewall wizards.
D. The Basic Firewall Configuration wizard applies default access rules to the inside (trusted), outside
(untrusted) and DMZ interfaces.
E. The Advanced Firewall Configuration wizard applies access rules to the inside (trusted), outside
(untrusted) and DMZ interfaces.

Answer: BE
Section: (none)

Explanation/Reference:

QUESTION 201
Refer to the exhibit.
A site-to-site VPN connection has been configured using SDM. What option can aid in the configuration of
the VPN on the peer router?

A. The Generate Mirror option on the VPN Edit tab
B. The Monitor Mode option on the VPN Status tab
C. The VPN Components option on the VPN tab
D. The IPSec Policies from the VPN Components tab

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 202
What should a security administrator who uses SDM consider when configuring the firewall on an interface
that is used in a VPN connection?

A. The firewall must permit traffic going out of the local interface only.
B. The firewall must permit traffic to a VPN concentrator only.
C. The firewall must permit encrypted traffic between the local and remote VPN peers.
D. The firewall cannot be configured in conjunction with a VPN.

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 203
Which three benefits do IPsec VPNs provide? (Choose three.)

A. Origin authentication
B. Adaptive threat defense
C. Confidentiality
D. QoS
E. Data integrity
F. A fully-meshed topology with low overhead

Answer: ACE
Section: (none)

Explanation/Reference:

QUESTION 204
Study the exhibit carefully.
Which description is true about the results of clicking the OK button in the Security Device Manager (SDM)
Add a Signature Location window?

A. SDM will respond with a message asking for the URL that points to the 256MB.sdf file.
B. Cisco IOS IPS will choose to load the 256MB.sdf only if the Built-in Signatures (as backup) check box is
unchecked.
C. If Cisco IOS IPS fails to load the 256MB.sdf, it will load the built-in signatures provided the Built-in
Signatures (as backup) check box is checked.
D. Cisco IOS IPS will choose to load the 256MB.sdf and then also add the Cisco IOS built-in signatures.

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 205
Which two statements about worms, viruses, or Trojan horses are true? (Choose two.)

A. A Trojan horse has three components: an enabling vulnerability, a propagation mechanism, and a
payload.
B. A Trojan horse virus propagates itself by infecting other programs on the same computer.
C. A virus cannot spread to a new computer without human assistance.
D. A virus has three components: an enabling vulnerability, a propagation mechanism, and a payload.
E. A worm can spread itself automatically from one computer to the next over an unprotected network.
F. A worm is a program that appears desirable but actually contains something harmful.

Answer: CE
Section: (none)

Explanation/Reference:

QUESTION 206
Which two Network Time Protocol (NTP) statements are true? (Choose two.) Select 2 response(s).

A. A stratum 0 time server is required for NTP operation.
B. NTP is enabled on all interfaces by default, and all interfaces receive NTP packets.
C. NTP operates on IP networks using User Datagram Protocol (UDP) port 123.
D. The ntp server global configuration is used to configure the NTP master clock to which other peers
synchronize themselves.
E. The show ntp status command displays detailed association information of all NTP peers.
F. Whenever possible, configure NTP version 5 because it automatically provides authentication and
encryption services.

Answer: BC
Section: (none)

Explanation/Reference:

QUESTION 207
Which two statements about packet sniffers or packet sniffing are true? (Choose two.) Select 2 response(s).

A. To reduce the risk of packet sniffing, traffic rate limiting and RFC 2827 filtering should be used.
B. Packet sniffers can only work in a switched Ethernet environment.
C. To reduce the risk of packet sniffing, cryptographic protocols such as Secure Shell Protocol (SSH) and
Secure Sockets Layer (SSL) should be used.
D. To reduce the risk of packet sniffing, strong authentication, such as one time passwords, should be
used.

Answer: CD
Section: (none)

Explanation/Reference:

QUESTION 208
Which statement is true about Cisco Easy VPN?
Select the best response.

A. Easy VPN Server supports DH group 1.
B. Easy VPN Server supports DH group 5.
C. The Cisco Easy VPN Remote feature supports transform sets that provide encryption without
authentication.
D. NAT interoperability is not supported in client mode with split tunneling.

Answer: D
Section: (none)

Explanation/Reference:

QUESTION 209
Refer to the exhibit. On the basis of the information presented, which configuration change would correct
the Secure Shell (SSH) problem?
Select the best response.

A. Configure router RTA with the ip domain name domain-name global configuration command.
B. Configure router RTA with the crypto key generate rsa general-keys modulus modulus-number global
configuration command.
C. Configure router RTA with the crypto key generate rsa usage-keys modulus modulus-number global
configuration command.
D. Configure router RTA with the transport input ssh vty line configuration command.
E. Configure router RTA with the no transport input telnet vty line configuration command.

Answer: D
Section: (none)

Explanation/Reference:

QUESTION 210
Refer to the exhibit. Routers RTB and RTC have established LDP neighbor sessions. Troubleshooting
discovered that labels are being distributed between the two routers but no label swapping information is in
the LFIB. What is the most likely cause of this problem?

Select the best response.

A. The IGP is summarizing the address space.
B. IP CEF has not been enabled on both routers RTB and RTC.
C. BGP neighbor sessions have not been configured on both routers.
D. LDP has been enabled on one router and TDP has been enabled on the other.
E. LDP is using the loopback address as the LDP ID and the loopback address is not in the routing table.

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 211
Refer to the exhibit. All routers participate in the MPLS domain. An IGP propagates the routing information
for network 10.10.10.0/24 from R5 to R1. However, router R3 summarizes the routing information to
10.10.0.0/16. How will the routes be propagated through the MPLS domain?

Select the best response.

A. R3, using LDP, will advertise labels for both networks, and the information will be propagated throughout
the MPLS domain.
B. R3 will label the summary route using a pop label. The route will then be propagated through the rest of
the MPLS domain. R3 will label the 10.10.10.0/24 network and forward to R2 where the network will be
dropped.
C. R3 will label the 10.10.10.0/24 network using a pop label which will be propagated through the rest of the
MPLS domain. R3 will label the summary route and forward to R2 where the network will be dropped.
D. None of the networks will be labeled and propagated through the MPLS domain because aggregation
breaks the MPLS domain.

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 212
What are the four fields in an MPLS label? (Choose four.) Select 4 response(s).

A. version
B. experimental
C. label
D. protocol
E. TTL
F. bottom-of-stack indicator

Answer: BCEF
Section: (none)

Explanation/Reference:

QUESTION 213
Which action can be taken by Cisco IOS IPS when a packet matches a signature pattern? Select the best
response.

A. drop the packet
B. reset the UDP connection
C. block all traffic from the destination address for a specified amount of time
D. perform a reverse path verification to determine if the source of the malicious packet was spoofed
E. forward the malicious packet to a centralized NMS where further analysis can be taken

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 214
What is required when configuring IOS Firewall using the CLI? Select the best response.

A. IOS IPS enabled on the untrusted interface
B. NBAR enabled to perform protocol discovery and deep packet inspection
C. route-map to define the trusted outgoing traffic
D. route-map to define the application inspection rules
E. an inbound extended ACL applied to the untrusted interface

Answer: E
Section: (none)

Explanation/Reference:

QUESTION 215
Refer to the exhibit. What information can be derived from the output of the show ip cef command?

Select the best response.

A. IP CEF has not been configured properly to enable MPLS forwarding.
B. The 10.11.11.11 next-hop address is not reachable and will be tagged with an outer label of 17.
C. The 10.11.11.11 destination network is reachable and will be tagged with a IPv4 label of 17.
D. The 10.11.11.11 next-hop address is reachable and will be tagged with an outer label of 17.

Answer: D
Section: (none)

Explanation/Reference:

QUESTION 216
Which approach for identifying malicious traffic looks for a fixed sequence of bytes in a single packet or a
predefined content?
Select the best response.

A. signature based
B. anomaly based
C. honeypot based
D. policy based
E. regular-expression based

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 217
Which statement about DSL is true?
Select the best response.

A. Attenuation of signal strength is due to untwisted or poorly twisted wiring.
B. An impedance mismatch can be caused by a change in wire gauge, which results in a degraded signal.
C. Noise and reflection is due to missing bridge taps, which terminate the cable end connected to the local
loop.
D. Shorter local loop distance is due to missing load coils, which are required to condition the line.

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 218
Refer to the exhibit. Which two statements are true about the authentication method used to authenticate
users who want privileged access into Router1? (Choose two.) Select 2 response(s).

A. All users will be authenticated using the RADIUS server. If the RADIUS server is unavailable, the router
will attempt to authenticate the user using its local database.
B. All users will be authenticated using the RADIUS server. If the RADIUS server is unavailable, the
authentication process stops and no other authentication method is attempted.
C. All users will be authenticated using the RADIUS server. If the user authentication fails, the router will
attempt to authenticate the user using its local database.
D. All users will be authenticated using the RADIUS server. If the user authentication fails, the
authentication process stops and no other authentication method is attempted.
E. The default login authentication method is applied automatically to all lines including console, auxiliary,
TTY, and VTY lines.

Answer: AD
Section: (none)

Explanation/Reference:

QUESTION 219
Refer to the exhibit. How will DDoS attacks be prevented? Select the best response.

A. The ACL will block the ICMP responses to the UDP traceroute packets that are used to discover subnets
and hosts on the remote access LAN.
B. The ACL will block the ICMP Time Exceeded Message (TEM) that is used to provide a trace of the path
the packet took to reach the destination.
C. The ACL will block the ICMP requests that are used by the ICMP ping packets that in turn are used to
determine the IP addresses of destination hosts.
D. The ACL will block the ICMP packets that are destined to both the network and the broadcast addresses
of the remote access LAN.

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 220
Refer to the exhibit. Which statement is true?

Select the best response.

A. A PPPoE session is established.
B. A PPPoE session is rejected because of the per-MAC session limit.
C. The MAC address of the remote router is 0001.c9f0.0c1c.
D. The CPE router is configured as a PPPoE client over an Ethernet interface.

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 221
Refer to the exhibit. The configuration has been applied to router RTA to mitigate the threat of certain types
of ICMP-based attacks. However, the configuration is incorrect. On the basis of the information in the
exhibit, which configuration option would correctly configure router RTA? Select the best response.

A. ACL 112 should have been applied to interface Fa0/0 in an inbound direction.
B. ACL 112 should have been applied to interface Fa0/1 in an outbound direction.
C. The first three statements of ACL 112 should have permitted the ICMP traffic and the last statement
should deny the identified traffic.
D. The last statement of ACL 112 should have been access-list 112 deny icmp any 10.1.1.0 0.0.0.255.
E. The last statement of ACL 112 should have been access-list 112 deny icmp any 10.2.1.0 0.0.0.255.
F. The last statement of ACL 112 should have been access-list 112 permit icmp any 10.2.1.0 0.0.0.255.

Answer: F
Section: (none)

Explanation/Reference:

QUESTION 222
Refer to the exhibit. On the basis of the partial output that is displayed in the exhibit, which two statements
are true? (Choose two.)
Select 2 response(s).

A. The ISP router initiated the connection to the CPE router.
B. The output is the result of the debug pppoe events command.
C. The output is the result of the debug ppp authentication command.
D. The output is the result of the debug ppp negotiation command.
E. This is the CPE router.
F. This is the ISP router.

Answer: CE
Section: (none)

Explanation/Reference:

QUESTION 223
An administrator is troubleshooting an ADSL connection. For which OSI layer is the ping atm interface
command useful for probing problems?
Select the best response.

A. Layer 1
B. Layer 2
C. Layer 3
D. Layer 4

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 224
Refer to the exhibit. Based on this partial configuration, which two statements are true? (Choose two.)

Select 2 response(s).

A. You can log into the console using either the "cisco" or "sanfran" password.
B. The local parameter is missing at the end of each aaa authentication LOCAL-AUTH command.
C. The aaa authentication default command should be issued for each line instead of the login
authentication LOCAL_AUTH command.
D. This is an example of a self-contained AAA configuration using the local database.
E. To make the configuration more secure, the none parameter should be added to the end of the aaa
authentication login LOCAL_AUTH local command.
F. To successfully establish a Telnet session with RTA, a user can enter the username Bob and password
cisco.

Answer: DF
Section: (none)

Explanation/Reference:

QUESTION 225
Refer to the exhibit. The DSL router with this partial configuration is connected to a service provider using a
PPPoE session over an ATM interface. FTP traffic, generated from inside the network 10.92.1.0/24, fails to
reach the PPPoE server. What should be configured on the DSL Router to fix the problem?
Select the best response.

A. The ip mtu command with a bytes argument set greater than 1492 needs to be configured for the
Dialer1 interface.
B. The ip mtu command with a bytes argument set lower than 1492 needs to be configured for the Dialer1
interface.
C. The ip mtu command with a bytes argument set greater than 1492 needs to be configured for the ATM0
interface.
D. The ip mtu command with a bytes argument set lower than 1492 needs to be configured for the ATM0
interface.

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 226
Refer to the exhibit. Which of these statements is true? Select the best response.

A. The router failed to train or successfully initialize because of a Layer 1 issue.
B. The router cannot activate the line because of a Layer 2 authentication issue.
C. The router failed to train or successfully initialize because of a PPP negotiation issue.
D. The router cannot activate the line because the ISP has not provided the requested IP address.

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 227
Refer to the exhibit. Host 1 cannot ping Server 1. In the course of troubleshooting, you have eliminated all
network issues. Based upon the partial configuration shown, what is the issue?
Select the best response.

A. No routing protocol is running on R1 and R2.
B. An encryption algorithm has been configured on R1 and R2.
C. The tunnel destinations on R1 and R2 are not on the same subnet.
D. R1 has the wrong tunnel source configured under the tunnel interface.
E. R2 has the wrong tunnel source configured under the tunnel interface.
F. The tunnel numbers (interface tunnel 0 and interface tunnel 1) on R1 and R2 do not match.

Answer: E
Section: (none)

Explanation/Reference:

QUESTION 228
Refer to the exhibit. What type of high-availability option is being implemented? Select the best response.

A. IPsec stateful failover
B. IPsec dead peer detection
C. Hot Standby Router Protocol
D. GRE's Keepalive Mechanism
E. backing up a WAN connection with an IPsec VPN

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 229
If you want to authenticate the NTP associations with other systems for security purposes, which key type
algorithm or algorithms are supported? Select the best response.

A. MD5 only
B. MD7 only
C. plain text only
D. MD5 and MD7
E. plain text and MD5
F. plain text and MD7

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 230
Which two qualities of PKI key exchange overcome asymmetric cryptography scalability issues? (Choose
two.) Select 2 response(s).

A. The trusted introducer uses the signed certificates of the endpoints that need to communicate.
B. PKI uses only a single trusted introducer.
C. The trusted introducer uses the private key of each enrolling user and the public key of the introducer as
the signed certificate.
D. Only the public key of the introducer has to be initially known and verified by all other entities.
E. The introducer digitally signs the public key of the user with the public key of the introducer to generate a
signed certificate.

Answer: BD
Section: (none)

Explanation/Reference:

QUESTION 231
What are three objectives that the no ip inspect command achieves? (Choose three.) Select 3 response(s).

A. removes the entire CBAC configuration
B. removes all associated static ACLs
C. turns off the automatic audit feature in SDM
D. denies HTTP and Java applets to the inside interface but permits this traffic to the DMZ
E. resets all global timeouts and thresholds to the defaults
F. deletes all existing sessions

Answer: AEF
Section: (none)

Explanation/Reference:

QUESTION 232
Which three of these are required before you can configure your routers for SSH server operations?
(Choose three.)
Select 3 response(s).

A. each of the target routers has a unique hostname
B. each of the target routers is configured to enable secret passwords
C. a user is defined in either the local database or on a remote AAA server
D. each of the target routers has a password configured on the VTY interface
E. each of the target routers is using the correct domain name of your network

Answer: ACE
Section: (none)

Explanation/Reference:

QUESTION 233
A.

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 234
Which action can be taken by Cisco IOS IPS when a packet matches a signature pattern? Select the best
response.

A. drop the packet
B. reset the UDP connection
C. block all traffic from the destination address for a specified amount of time
D. perform a reverse path verification to determine if the source of the malicious packet was spoofed
E. forward the malicious packet to a centralized NMS where further analysis can be taken

Answer: A
Section: (none)

Explanation/Reference:
