Number: 642-825
Passing Score: 800
Time Limit: 120 min
File Version: 2010-08-03
Exam - Cisco
Code - 642-825
Version - 2010-08-03
Best of luck
By - Jenifer
Exam A
QUESTION 1
Which two statements about common network attacks are true? (Choose two.) Select 2 response(s).
A. Access attacks can consist of password attacks, trust exploitation, port redirection, and man-in-the-middle attacks.
B. Access attacks can consist of password attacks, ping sweeps, port scans, and man-in-the-middle
attacks.
C. Access attacks can consist of packet sniffers, ping sweeps, port scans, and man-in-the-middle attacks.
D. Reconnaissance attacks can consist of password attacks, trust exploitation, port redirection and Internet
information queries.
E. Reconnaissance attacks can consist of packet sniffers, port scans, ping sweeps, and Internet
information queries.
F. Reconnaissance attacks can consist of ping sweeps, port scans, man-in-the-middle attacks and Internet
information queries.
Answer: AE
Section: (none)
Explanation/Reference:
QUESTION 2
Which two statements about management protocols are true? (Choose two.) Select 2 response(s).
A. Syslog version 2 or above should be used because it provides encryption of the syslog messages.
B. NTP version 3 or above should be used because these versions support a cryptographic authentication
mechanism between peers.
C. SNMP version 3 is recommended since it provides authentication and encryption services for
management packets.
D. SSH, SSL and Telnet are recommended protocols to remotely manage infrastructure devices.
E. TFTP authentication (username and password) is sent in an encrypted format, and no additional
encryption is required.
Answer: BC
Section: (none)
Explanation/Reference:
QUESTION 3
Refer to the exhibit. Which two statements about the AAA configuration are true? (Choose two.)
Select 2 response(s).
A. A good security practice is to have the none parameter configured as the final method used to ensure
that no other authentication method will be used.
B. If a TACACS+ server is not available, then a user connecting via the console port would not be able to
gain access since no other authentication method has been defined.
C. If a TACACS+ server is not available, then the user Bob could be able to enter privileged mode as long
as the proper enable password is entered.
D. The aaa new-model command forces the router to override every other authentication method previously
configured for the router lines.
E. To increase security, group radius should be used instead of group tacacs+.
F. Two authentication options are prescribed by the displayed aaa authentication command.
Answer: DF
Section: (none)
Explanation/Reference:
QUESTION 4
What are the two main features of Cisco IOS Firewall? (Choose two.) Select 2 response(s).
A. TACACS+
B. AAA
C. Cisco Secure Access Control Server
D. Intrusion Prevention System
E. Authentication Proxy
Answer: DE
Section: (none)
Explanation/Reference:
QUESTION 5
What three features does Cisco Security Device Manager (SDM) offer? (Choose three.) Select 3 response(s).
A. smart wizards and advanced configuration support for NAC policy features
B. single-step mitigation of Distributed Denial of Service (DDoS) attacks
C. one-step router lockdown
D. security auditing capability based upon CERT recommendations
E. multi-layered defense against social engineering
F. single-step deployment of basic and advanced policy settings
Answer: ACF
Section: (none)
Explanation/Reference:
QUESTION 6
What are three objectives that the no ip inspect command achieves? (Choose three.) Select 3 response(s).
Explanation/Reference:
QUESTION 7
Which three features are benefits of using GRE tunnels in conjunction with IPsec for building site-to-site
VPNs? (Choose three.)
Select 3 response(s).
Answer: ABD
Section: (none)
Explanation/Reference:
QUESTION 8
Which three IPsec VPN statements are true? (Choose three.) Select 3 response(s).
Answer: ABF
Section: (none)
Explanation/Reference:
QUESTION 9
Which three statements are true about Cisco IOS Firewall? (Choose three.) Select 3 response(s).
Answer: ABE
Section: (none)
Explanation/Reference:
QUESTION 10
Refer to the exhibit. On the basis of the partial configuration, which two statements are true? (Choose two.)
Select 2 response(s).
Answer: AF
Section: (none)
Explanation/Reference:
QUESTION 11
Which two statements describe the functions and operations of IDS and IPS systems? (Choose two.)
Select 2 response(s).
A. A network administrator entering a wrong password would generate a true-negative alarm.
B. A false positive alarm is generated when an IDS/IPS signature is correctly identified.
C. An IDS is significantly more advanced over IPS because of its ability to prevent network attacks.
D. Cisco IDS works inline and stops attacks before they enter the network.
E. Cisco IPS taps the network traffic and responds after an attack.
F. Profile-based intrusion detection is also known as "anomaly detection".
Answer: BF
Section: (none)
Explanation/Reference:
QUESTION 12
Refer to the exhibit. What statement is true about the interface S1/0 on router R1? Select the best
response.
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 13
Which two network attack statements are true? (Choose two.) Select 2 response(s).
A. Access attacks can consist of password attacks, trust exploitation, port redirection, and man-in-the-middle attacks.
B. Access attacks can consist of UDP and TCP SYN flooding, ICMP echo-request floods, and ICMP
directed broadcasts.
C. DoS attacks can be reduced through the use of access control configuration, encryption, and RFC 2827
filtering.
D. DoS attacks can consist of IP spoofing and DDoS attacks.
E. IP spoofing can be reduced through the use of policy-based routing.
F. IP spoofing exploits known vulnerabilities in authentication services, FTP services, and web services to
gain entry to web accounts, confidential databases, and other sensitive information.
Answer: AD
Section: (none)
Explanation/Reference:
QUESTION 14
What are the four steps, in their correct order, to mitigate a worm attack? Select the best response.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 15
If an edge Label Switch Router (LSR) is properly configured, which three combinations are possible?
(Choose three.)
Select 3 response(s).
A. A received IP packet is forwarded based on the IP destination address and the packet is sent as an IP
packet.
B. An IP destination exists in the IP forwarding table. A received labeled packet is dropped because the
label is not found in the LFIB table.
C. There is an MPLS label-switched path toward the destination. A received IP packet is dropped because
the destination is not found in the IP forwarding table.
D. A received IP packet is forwarded based on the IP destination address and the packet is sent as a
labeled packet.
E. A received labeled IP packet is forwarded based upon both the label and the IP address.
F. A received labeled packet is forwarded based on the label. After the label is swapped, the newly labeled
packet is sent.
Answer: ADF
Section: (none)
Explanation/Reference:
QUESTION 16
Which three techniques should be used to secure management protocols? (Choose three.) Select 3
response(s).
Answer: ABC
Section: (none)
Explanation/Reference:
QUESTION 17
Which statement describes Reverse Route Injection (RRI)? Select the best response.
A. A static route that points towards the Cisco Easy VPN server is created on the remote client.
B. A static route is created on the Cisco Easy VPN server for the internal IP address of each VPN client.
C. A default route is injected into the route table of the remote client.
D. A default route is injected into the route table of the Cisco Easy VPN server.
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 18
What are two possible actions an IOS IPS can take if a packet in a session matches a signature? (Choose
two.)
Select 2 response(s).
Answer: AD
Section: (none)
Explanation/Reference:
QUESTION 19
Refer to the exhibit. Which two statements about the Network Time Protocol (NTP) are true? (Choose two.)
Select 2 response(s).
A. Router RTA will adjust for eastern daylight savings time.
B. To enable authentication, the ntp authenticate command is required on routers RTA and RTB.
C. To enable NTP, the ntp master command must be configured on routers RTA and RTB.
D. Only NTP time requests are allowed from the host with IP address 10.1.1.1.
E. The preferred time source located at 130.207.244.240 will be used for synchronization regardless of the
other time sources.
Answer: AB
Section: (none)
Explanation/Reference:
QUESTION 20
What is a reason for implementing MPLS in a network? Select the best response.
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 21
Refer to the exhibit. The show mpls interfaces detail command has been used to display information about
the interfaces on router R1 that have been configured for label switching. Which statement is true about the
MPLS edge router R1?
Select the best response.
A. Packets can be labeled and forwarded out interface Fa0/1 because of the MPLS operational status of
the interface.
B. Because LSP tunnel labeling has not been enabled on interface Fa0/1, packets cannot be labeled and
forwarded out interface Fa0/1.
C. Packets can be labeled and forwarded out interface Fa1/1 because MPLS has been enabled on this
interface.
D. Because the MTU size is increased above the size limit, packets cannot be labeled and forwarded out
interface Fa1/1.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 22
Refer to the exhibit. MPLS has been configured on all routers in the domain. In order for R2 and R3 to
forward frames between them with label headers, what additional configuration will be required on devices
that are attached to the LAN segment? Select the best response.
A. Decrease the maximum MTU requirements on all router interfaces that are attached to the LAN
segment.
B. Increase the maximum MTU requirements on all router interfaces that are attached to the LAN segment.
C. No additional configuration is required. Interface MTU size will be automatically adjusted to
accommodate the larger size frames.
D. No additional configuration is required. Frames with larger MTU size will be automatically fragmented
and forwarded on all LAN segments.
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 23
Which three statements about IOS Firewall configurations are true? (Choose three.) Select 3 response(s).
A. The IP inspection rule can be applied in the inbound direction on the secured interface.
B. The IP inspection rule can be applied in the outbound direction on the unsecured interface.
C. The ACL applied in the outbound direction on the unsecured interface should be an extended ACL.
D. The ACL applied in the inbound direction on the unsecured interface should be an extended ACL.
E. For temporary openings to be created dynamically by Cisco IOS Firewall, the access-list for the returning
traffic must be a standard ACL.
F. For temporary openings to be created dynamically by Cisco IOS Firewall, the IP inspection rule must be
applied to the secured interface.
Answer: ABD
Section: (none)
Explanation/Reference:
QUESTION 24
What are three features of the Cisco IOS Firewall feature set? (Choose three.) Select 3 response(s).
Explanation/Reference:
QUESTION 25
Which statement describes the Authentication Proxy feature? Select the best response.
A. All traffic is permitted from the inbound to the outbound interface upon successful authentication of the
user.
B. A specific access profile is retrieved from a TACACS+ or RADIUS server and applied to an IOS Firewall
based on user provided credentials.
C. Prior to responding to a proxy ARP, the router will prompt the user for a login and password which are
authenticated based on the configured AAA policy.
D. The proxy server capabilities of the IOS Firewall are enabled upon successful authentication of the user.
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 26
Which two statements about an IDS are true? (Choose two.) Select 2 response(s).
Answer: BD
Section: (none)
Explanation/Reference:
QUESTION 27
Which statement about an IPS is true?
Select the best response.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 28
Which three categories of signatures can a Cisco IPS microengine identify? (Choose three.) Select 3
response(s).
A. DDoS signatures
B. strong signatures
C. exploit signatures
D. numeric signatures
E. spoofing signatures
F. connection signatures
Answer: ACF
Section: (none)
Explanation/Reference:
QUESTION 29
During the Easy VPN Remote connection process, which phase involves pushing the IP address, Domain
Name System (DNS), and split tunnel attributes to the client? Select the best response.
A. mode configuration
B. the VPN client establishment of an ISAKMP SA
C. IPsec quick mode completion of the connection
D. VPN client initiation of the IKE phase 1 process
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 30
When configuring the Cisco VPN Client, what action is required prior to installing Mutual Group
Authentication?
Select the best response.
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 31
When configuring the Cisco VPN Client with transparent tunneling, what is true about the IPSec over TCP
option?
Select the best response.
Answer: C
Section: (none)
Explanation/Reference:
QUESTION 32
Which two statements are true about signatures in a Cisco IOS IPS? (Choose two.) Select 2 response(s).
Answer: BE
Section: (none)
Explanation/Reference:
QUESTION 33
Which two active response capabilities can be configured on an intrusion detection system (IDS) in
response to malicious traffic detection? (Choose two.) Select 2 response(s).
A. the initiation of dynamic access lists on the IDS to prevent further malicious traffic
B. the configuration of network devices to prevent malicious traffic from passing through
C. the shutdown of ports on intermediary devices
D. the transmission of a TCP reset to the offending end host
E. the invoking of SNMP-sourced controls
Answer: BD
Section: (none)
Explanation/Reference:
QUESTION 34
What two proactive preventive actions are taken by an intrusion prevention system (IPS) when malicious
traffic is detected? (Choose two.)
Select 2 response(s).
Answer: CE
Section: (none)
Explanation/Reference:
QUESTION 35
Refer to the exhibit. What is the VPN IPv4 label for the network 172.16.13.0/24?
A. 17
B. 17, 12308
C. 12308
D. 11
Answer: C
Section: (none)
Explanation/Reference:
QUESTION 36
Refer to the exhibit. What does the "26" in the first two hop outputs indicate?
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 37
How can virus and Trojan horse attacks be mitigated? Select the best response.
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 38
What are two ways to reduce the risk of an application-layer attack? (Choose two.) Select 2 response(s).
Answer: DE
Section: (none)
Explanation/Reference:
QUESTION 39
What three classifications reflect the different approaches used to identify malicious traffic? (Choose three.)
Select 3 response(s).
A. platform based
B. signature based
C. policy based
D. regular-expression based
E. symbol based
F. anomaly based
Answer: BCF
Section: (none)
Explanation/Reference:
QUESTION 40
Which Security Device Manager (SDM) feature expedites the deployment of the default intrusion
prevention system (IPS) settings and provides configuration steps for interface and traffic flow selection,
SDF location, and signature deployment? Select the best response.
Answer: C
Section: (none)
Explanation/Reference:
QUESTION 41
What are three options for viewing Security Device Event Exchange (SDEE) messages in Security Device
Manager (SDM)? (Choose three.)
Select 3 response(s).
Answer: ACE
Section: (none)
Explanation/Reference:
QUESTION 42
What are three configurable parameters when editing signatures in Security Device Manager (SDM)?
(Choose three.)
Select 3 response(s).
A. AlarmSeverity
B. AlarmKeepalive
C. AlarmTraits
D. EventMedia
E. EventAlarm
F. EventAction
Answer: ACF
Section: (none)
Explanation/Reference:
QUESTION 43
Refer to the exhibit. Which order correctly identifies the steps to provision a cable modem to connect to a
headend as defined by the DOCSIS standard? Select the best response.
A. A, D, C, G, E, F, B
B. A, D, E, G, C, F, B
C. C, D, F, G, E, A, B
D. C, D, F, G, A, E, B
E. F, D, C, G, A, E, B
F. F, D, C, G, E, A, B
Answer: E
Section: (none)
Explanation/Reference:
QUESTION 44
Refer to the exhibit. Which statement about the authentication process is true? Select the best response.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 45
Refer to the exhibit. A network administrator wishes to mitigate network threats. Given that purpose, which
two statements about the IOS firewall configuration that is revealed by the output are true? (Choose two.)
Select 2 response(s).
A. The command ip inspect FIREWALL_ACL out must be applied on interface FastEthernet 0/0.
B. The command ip inspect FIREWALL_ACL out must be applied on interface FastEthernet 0/1.
C. The command ip access-group FIREWALL_ACL in must be applied on interface FastEthernet 0/0.
D. The command ip access-group FIREWALL_ACL in must be applied on interface FastEthernet 0/1.
E. The configuration excerpt is an example of a CBAC list.
F. The configuration excerpt is an example of a reflexive ACL.
Answer: BE
Section: (none)
Explanation/Reference:
QUESTION 46
Which two statements about the Security Device Manager (SDM) Intrusion Prevention System (IPS) Rule
wizard are true? (Choose two.)
Select 2 response(s).
A. By default, the Use Built-In Signatures (as backup) checkbox is not selected.
B. Changes to the IPS rules can be made using the Configure IPS tab.
C. Changes to the IPS rules can be made using the Edit Firewall Policy/ACL tab.
D. Once all interfaces have rules applied to them, you can re-initiate the IPS Rule wizard to make changes.
E. Once all interfaces have rules applied to them, you cannot re-initiate the IPS Rule wizard to make
changes.
F. When using the wizard for the first time, you will be prompted to enable the Security Device Event
Exchange (SDEE).
Answer: DF
Section: (none)
Explanation/Reference:
QUESTION 47
Refer to the exhibit. Which two statements about the SDF Locations window of the IPS Rule wizard are
true? (Choose two.)
Select 2 response(s).
A. An HTTP SDF file location can be specified by clicking the Add button.
B. If all specified SDF locations fail to load, the signature file that is named default.sdf will be loaded.
C. The Autosave feature automatically saves the SDF alarms if the router crashes.
D. The Autosave feature is automatically enabled for the default built-in signature file.
E. The name of the built-in signature file is default.sdf.
F. The Use Built-In Signatures (as backup) check box is selected by default.
Answer: AF
Section: (none)
Explanation/Reference:
QUESTION 48
Refer to the exhibit. On the basis of the information in the exhibit, which two statements are true? (Choose
two.)
Select 2 response(s).
A. Any traffic matching signature 1107 will generate an alarm, reset the connection, and be dropped.
B. Signature 1102 has been modified, but the changes have not been applied to the router.
C. Signature 1102 has been triggered because of matching traffic.
D. The Edit IPS window is currently displaying the Global Settings information.
E. The Edit IPS window is currently displaying the signatures in Details view.
F. The Edit IPS window is currently displaying the signatures in Summary view.
Answer: BE
Section: (none)
Explanation/Reference:
QUESTION 49
Refer to the exhibit. On the basis of the information that is provided, which two statements are true?
(Choose two.)
Select 2 response(s).
Answer: AD
Section: (none)
Explanation/Reference:
QUESTION 50
Refer to the exhibit. Based on the configuration, what will happen to the IPSec VPN between the Remote
router and the Head-End router with IP address 172.31.1.100 if no dead-peer detection hello messages are
received for 20 seconds?
Select the best response.
A. The IPSec VPN will transition with no down-time to a peering relationship with the Head-End router at
172.31.1.200.
B. The IPSec VPN will transition to a peering relationship with the Head-End router at 172.31.1.200, with a
down-time determined by the time required to tear-down and build the peerings.
C. The IPSec VPN will not be affected.
D. The IPSec VPN will terminate but will rebuild with the same peer because 3 hello messages have not yet
been missed.
Answer: C
Section: (none)
Explanation/Reference:
QUESTION 51
Which four outbound ICMP message types would normally be permitted? (Choose four.) Select 4 response(s).
A. echo reply
B. time exceeded
C. echo
D. parameter problem
E. packet too big
F. source quench
Answer: CDEF
Section: (none)
Explanation/Reference:
QUESTION 52
Refer to the exhibit. What information can be derived from the SDM firewall configuration that is shown?
Select the best response.
A. Access-list 100 was configured for the trusted interface, and access-list 101 was configured for the
untrusted interface.
B. Access-list 101 was configured for the trusted interface, and access-list 100 was configured for the
untrusted interface.
C. Access-list 100 was configured for the inbound direction, and access-list 101 was configured for the
outbound direction on the trusted interface.
D. Access-list 100 was configured for the inbound direction, and access-list 101 was configured for the
outbound direction on the untrusted interface.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 53
Which three statements about hybrid fiber-coaxial (HFC) networks are true? (Choose three.) Select 3
response(s).
Answer: DEF
Section: (none)
Explanation/Reference:
QUESTION 54
Which two statements about the transmission of signals over a cable network are true? (Choose two.)
Select 2 response(s).
A. Downstream signals travel from the cable operator to the subscriber and use frequencies in the range of
5 to 42 MHz.
B. Downstream signals travel from the cable operator to the subscriber and use frequencies in the range of
50 to 860 MHz.
C. Downstream and upstream signals operate in the same frequency ranges.
D. Upstream signals travel from the subscriber to the cable operator and use frequencies in the range of 5
to 42 MHz.
E. Upstream signals travel from the subscriber to the cable operator and use frequencies in the range of 50
to 860 MHz.
Answer: BD
Section: (none)
Explanation/Reference:
QUESTION 55
What are the four steps that occur with an IPsec VPN setup? Select the best response.
Answer: C
Section: (none)
Explanation/Reference:
QUESTION 56
Which IOS command will display IPS default values that may not be displayed using the show running-config command?
Select the best response.
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 57
Refer to the exhibit. Which of the configuration tasks would allow you to quickly deploy default signatures?
Answer: E
Section: (none)
Explanation/Reference:
QUESTION 58
What are two possible actions Cisco IOS IPS can take if a packet in a session matches a signature?
(Choose two.)
Select 2 response(s).
Answer: AD
Section: (none)
Explanation/Reference:
QUESTION 59
A router interface is configured with an inbound access control list and an inspection rule. How will an
inbound packet on this interface be processed? Select the best response.
A. It will be processed by the inbound ACL. If the packet is dropped by the ACL, then it will be processed by
the inspection rule.
B. It will be processed by the inbound ACL. If the packet is not dropped by the ACL, then it will be
processed by the inspection rule.
C. It will be processed by the inspection rule. If the packet matches the inspection rule, the inbound ACL
will be invoked.
D. It will be processed by the inspection rule. If the packet does not match the inspection rule, the inbound
ACL will be invoked.
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 60
Which two features can be implemented using the Cisco SDM Advanced Firewall wizard? (Choose two.)
Select 2 response(s).
A. DMZ support
B. custom rules
C. firewall signatures
D. application security
E. IP unicast reverse path forwarding
Answer: AB
Section: (none)
Explanation/Reference:
QUESTION 61
Which two statements are true about the Cisco Classic (CBAC) IOS Firewall set? (Choose two.)
Select 2 response(s).
Answer: BE
Section: (none)
Explanation/Reference:
QUESTION 62
Refer to the exhibit. Which Cisco SDM feature is illustrated? Select the best response.
A. ACL Editor
B. Easy VPN Wizard
C. Security Audit
D. Site-to-Site VPN
E. Inspection Rules
F. Reset to Factory Defaults
Answer: C
Section: (none)
Explanation/Reference:
QUESTION 63
Which two statements about management protocols are true? (Choose two.) Select 2 response(s).
Answer: BC
Section: (none)
Explanation/Reference:
QUESTION 64
Which two of these are required in order to implement SSH on a router? (Choose two.) Select 2 response(s).
Answer: BC
Section: (none)
Explanation/Reference:
QUESTION 65
Refer to the exhibit. Routers RTB and RTC have established LDP neighbor sessions. During
troubleshooting, you discovered that labels are being distributed between the two routers but no label
swapping information is in the LFIB. What is the most likely cause of this problem? Select the best
response.
A. The IGP is summarizing the address space.
B. IP Cisco Express Forwarding has not been enabled on both RTB and RTC.
C. BGP neighbor sessions have not been configured on both routers.
D. LDP has been enabled on one router and TDP has been enabled on the other.
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 66
Refer to the exhibit. The show mpls interfaces detail command has been used to display information about
the interfaces on MPLS edge router R1 that have been configured for label switching. Which statement
about R1 is true?
Select the best response.
A. MPLS is not operating on Fa1/0, because the MTU size has exceeded the 1500 limit of Ethernet.
B. The router has established a TDP session with its neighbor on Fa0/1. Packets can be labeled and
forwarded out that interface.
C. LSP tunnel labeling has not been enabled on either interface Fa0/0 or Fa1/1, therefore MPLS is not
operating on Fa0/1.
D. The router has established an LDP session with its neighbor on Fa1/1. However, packets cannot be
forwarded out that interface because MPLS is not operational.
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 67
Refer to the exhibit. Which statement about this Cisco IOS Firewall configuration is true?
Select the best response.
A. Outbound TCP sessions are blocked, preventing inside users from browsing the Internet.
B. INSIDEACL permits outbound HTTP sessions; INSIDEACL is applied to the outside interface in the
inbound direction.
C. OUTSIDEACL permits inbound SMTP and HTTP; OUTSIDEACL is applied to the inside interface in the
outbound direction.
D. ICMP unreachable "packet-too-big" messages are rejected on all interfaces to prevent DDoS attacks.
E. The TCP inspection will automatically allow return traffic for the outbound HTTP sessions and inbound
SMTP and HTTP sessions.
Answer: E
Section: (none)
Explanation/Reference:
QUESTION 68
What is an MPLS forwarding equivalence class?
Select the best response.
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 69
Which approach for identifying malicious traffic involves looking for a fixed sequence of bytes in a single
packet or in predefined content?
Select the best response.
A. policy-based
B. anomaly-based
C. honeypot-based
D. signature-based
E. regular-expression-based
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 70
Which Cisco SDM feature expedites the deployment of the default IPS settings and provides configuration
steps for interface and traffic flow selection, SDF location, and signature deployment?
Select the best response.
Answer: C
Section: (none)
Explanation/Reference:
QUESTION 71
In an MPLS VPN implementation, how are overlapping customer prefixes propagated? Select the best
response.
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 72
In an MPLS VPN implementation, how are overlapping customer prefixes propagated? Select the best
response.
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 73
Which two statements are true about the Data-over-Cable Service Interface Specifications? (Choose two.)
Select 2 response(s).
Answer: AF
Section: (none)
Explanation/Reference:
QUESTION 74
Refer to the exhibit. What information can be derived from this show ip cef command output?
A. This router will use a label of "21" to reach the destination network of 150.1.12.16.
B. This router will use a PHP label to reach the destination network of 150.1.12.16.
C. This router will advertise a label of "19" for the destination network of 150.1.12.16.
D. This router will advertise a label of "21" for the destination network of 150.1.12.16.
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 75
Refer to the exhibit. Why does the third hop only have one label?
A. MPLS is not enabled on that link, so only the VPN label is needed.
B. MPLS is not enabled on that link, so only the LSP label is needed.
C. That link is directly connected to the customer, so only the VPN label is needed.
D. That link is directly connected to the customer, so only the LSP label is needed.
E. The PHP process on that link has removed the LSP label, leaving only the VPN label.
F. The PHP process on that link has removed the VPN label, leaving only the LSP label.
Answer: E
Section: (none)
Explanation/Reference:
QUESTION 76
If you disable Cisco Express Forwarding on a P router in an MPLS network, what will the router do?
Select the best response.
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 77
Refer to the exhibit. What type of high-availability option is being implemented? Select the best response.
A. IPsec stateful failover
B. IPsec dead peer detection
C. Hot Standby Router Protocol
D. GRE's Keepalive Mechanism
E. backing up a WAN connection with an IPsec VPN
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 78
Refer to the exhibit. What type of high-availability option is being implemented?
Answer: C
Section: (none)
Explanation/Reference:
QUESTION 79
Which two of these would be classified as reconnaissance attacks? (Choose two.) Select 2 response(s).
A. port scans
B. ping sweeps
C. port redirection
D. trust exploitation
E. denial of service attacks
F. man-in-the-middle attacks
Answer: AB
Section: (none)
Explanation/Reference:
QUESTION 80
Which three of these would be classified as access attacks? (Choose three.) Select 3 response(s).
A. port scans
B. ping sweeps
C. port redirection
D. trust exploitation
E. denial of service attacks
F. man-in-the-middle attacks
Answer: CDF
Section: (none)
Explanation/Reference:
QUESTION 81
Refer to the exhibit. Which three statements about user access are true? (Choose three.)
Select 3 response(s).
Answer: ACF
Section: (none)
Explanation/Reference:
QUESTION 82
Refer to the exhibit. The ACL in this configuration is used to mitigate which of these?
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 83
Refer to the exhibit. Which type of attack does the ACL prevent the internal user from successfully
launching?
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 84
Which three of these are required before you can configure your routers for SSH server operations?
(Choose three.)
Select 3 response(s).
Answer: ACE
Section: (none)
Explanation/Reference:
QUESTION 85
Which two actions can a Cisco IOS Firewall take when the threshold for the number of half-opened TCP
sessions is exceeded? (Choose two.) Select 2 response(s).
A. It can send a reset message to the endpoints of the oldest half-opened session.
B. It can send a reset message to the endpoints of the newest half-opened session.
C. It can send a reset message to the endpoints of a random half-opened session.
D. It can block all EST packets temporarily for the duration configured by the threshold value.
E. It can block all SYN packets temporarily for the duration configured by the threshold value.
F. It can block all reset packets temporarily for the duration configured by the threshold value.
Answer: AE
Section: (none)
Explanation/Reference:
QUESTION 86
Refer to the exhibit. In this firewall implementation, inside users should be permitted to browse the Internet.
However, users have indicated that all attempts fail. As a result of troubleshooting, you have determined that
the issue is related to the firewall implementation.
What corrective action should you take?
Answer: C
Section: (none)
Explanation/Reference:
QUESTION 87
Refer to the exhibit. In this firewall implementation, outside clients should be allowed to communicate with
the SMTP server (200.1.2.1) located in the enterprise DMZ. However, users have indicated that all attempts
fail. As a result of troubleshooting, you have determined that the issue is related to the firewall
implementation.
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 88
Refer to the exhibit. FastEthernet0/0 has been assigned a network address of 200.0.1.2/24 and no ACL has
been applied to that interface. Serial0/0/0 has been assigned a network address of 200.0.0.1/30. Assuming
that there are no network-related problems, which ping will be successful?
Select the best response.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 89
Refer to the exhibit. Which three statements about this DMZ configuration are true? (Choose three.)
Select 3 response(s).
A. The device being enabled is a web server.
B. The device being enabled is an FTP server.
C. The device being enabled is located in the DMZ.
D. The device being enabled has been assigned an IP address of 192.168.0.2.
E. FTP-based packets with a destination of 192.168.0.2 will be allowed through the DMZ to the web server
located on the untrusted network.
F. Web-based packets with a destination of 192.168.0.2 will be allowed through the DMZ to the web server
located on the trusted network.
Answer: ACD
Section: (none)
Explanation/Reference:
QUESTION 90
What is a possible way to prevent a worm attack on a host PC?
A. Enable SSH.
B. Enable encryption.
C. Implement TACACS+.
D. Keep the operating system current with the latest patches.
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 91
Refer to the exhibit
What is the result of the ACL configuration that is displayed?
A. Inbound packets to request a TCP session with the 10.10.10.0/24 network are allowed.
B. TCP responses from the outside network for TCP connections that originated on the inside network are
allowed.
C. TCP responses from the inside network for TCP connections that originated on the outside network are
denied.
D. Any inbound packet with the SYN flag set to be routed is permitted.
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 92
Which two statements are true about the Cisco IOS Firewall set? (Choose two.)
Answer: AD
Section: (none)
Explanation/Reference:
QUESTION 93
Which statement is true about the SDM Basic Firewall wizard?
A. The wizard applies predefined rules to protect the private and DMZ networks.
B. The wizard can configure multiple DMZ interfaces for outside users.
C. The wizard permits the creation of a custom application security policy.
D. The wizard configures one outside interface and one or more inside interfaces.
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 94
Which three statements about frame-mode MPLS are true? (Choose three.)
A. MPLS has three distinct components consisting of the data plane, the forwarding plane, and the control
plane.
B. The control plane is a simple label-based forwarding engine that is independent of the type of routing
protocol or label exchange protocol.
C. The CEF FIB table contains information about outgoing interfaces and their corresponding Layer 2
header.
D. The MPLS data plane takes care of forwarding based on either destination addresses or labels.
E. To exchange labels, the control plane requires protocols such as Tag Distribution Protocol (TDP) or
MPLS Label Distribution Protocol (LDP).
F. Whenever a router receives a packet that should be CEF-switched, but the destination is not in the FIB,
the packet is dropped.
Answer: DEF
Section: (none)
Explanation/Reference:
QUESTION 95
Which three statements about the Cisco Easy VPN feature are true? (Choose three.)
A. If the VPN server is configured for Xauth, the VPN client waits for a username / password challenge.
B. The Cisco Easy VPN feature only supports transform sets that provide authentication and encryption.
C. The VPN client initiates aggressive mode (AAA) if a pre-shared key is used for authentication during the
IKE phase 1 process.
D. The VPN client verifies a server username/password challenge by using a AAA authentication server
that supports TACACS+ or RADIUS.
E. The VPN server can only be enabled on Cisco PIX Firewalls and Cisco VPN 3000 series concentrators.
F. When connecting with a VPN client, the VPN server must be configured for ISAKMP group 1, 2 or 5.
Answer: ABC
Section: (none)
Explanation/Reference:
QUESTION 96
Which two statements are true about the use of SDM to configure the Cisco Easy VPN feature on a router?
(Choose two.)
A. An Easy VPN connection is a connection that is configured between two Easy VPN clients.
B. The Easy VPN server address must be configured when configuring the SDM Easy VPN Server wizard.
C. The SDM Easy VPN Server wizard displays a summary of the configuration before applying the VPN
configuration.
D. The SDM Easy VPN Server wizard can be used to configure a GRE over IPSec site-to-site VPN or a
dynamic multipoint VPN (DMVPN).
E. The SDM Easy VPN Server wizard can be used to configure user XAuth authentication locally on the
router or externally with a RADIUS server.
F. The SDM Easy VPN Server wizard recommends using the Quick setup feature when configuring a
dynamic multipoint VPN.
Answer: CE
Section: (none)
Explanation/Reference:
QUESTION 97
Which three statements are true when configuring Cisco IOS Firewall features using the SDM? (Choose
three.)
A. A custom application security policy can be configured in the Advanced Firewall Security Configuration
dialog box.
B. An optional DMZ interface can be specified in the Advanced Firewall Interface Configuration dialog box.
C. Custom application policies for e-mail, instant messaging, HTTP, and peer-to-peer services can be
created using the Intermediate Firewall wizard.
D. Only the outside (untrusted) interface is specified in the Basic Firewall Interface Configuration dialog
box.
E. The outside interface that SDM can be launched from is configured in the Configuring Firewall for
Remote Access dialog box.
F. The SDM provides a basic, intermediate, and advanced firewall wizard.
Answer: ABE
Section: (none)
Explanation/Reference:
QUESTION 98
Which device is responsible for attaching a VPN label to a packet traversing an MPLS network?
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 99
Refer to the exhibit.
Given the partial tunnel configuration that is shown, which tunneling encapsulation is set?
A. GRE
B. GRE multipoint
C. cayman
D. DVMRP
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 100
Which statement is correct about Security Device Event Exchange (SDEE) messages?
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 101
Refer to the exhibit
What are the ramifications of Fail Closed being enabled under Engine Options?
A. The router will drop all packets that arrive on the affected interface.
B. If the IPS engine is unable to scan data, the router will drop all packets.
C. If the IPS detects any malicious traffic, it will cause the affected interface to close any open TCP
connections.
D. The IPS engine is enabled to scan data and drop packets depending upon the signature of the flow.
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 102
Refer to the exhibit.
Assume that a signature can identify an IP address as the source of an attack. Which action would
automatically create an ACL that denies all traffic from an attacking IP address?
A. Alarm
B. Drop
C. Reset
D. Deny Flow In line
E. denyattackerInline
F. Deny-connection-inline
Answer: E
Section: (none)
Explanation/Reference:
QUESTION 103
A site requires support for skinny and H.323 voice protocols. How is this configured on an IOS firewall using
the SDM?
A. The Basic Firewall wizard is executed and the High Security Application policy is selected.
B. The Advanced Firewall wizard is executed and a custom Application Security policy is selected in place
of the default Application Security policies.
C. The Application Security tab is used to create a policy with voice support before the Firewall wizard is
run.
D. The Application Security tab is used to modify the SDM_High policy to add voice support prior to the
Firewall wizard being run.
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 104
Refer to the exhibit.
The Basic Firewall wizard has been used to configure a router. What is the purpose of the highlighted
access list statement?
A. To prevent spoofing by blocking traffic entering interface Fa0/0 with a source address in the same
subnet as interface VLAN10
B. To prevent spoofing by blocking traffic entering Fa0/0 with a source address in the RFC 1916 private
address space
C. To establish a DMZ by preventing traffic from interface VLAN10 being sent out interface Fa0/0
D. To establish a DMZ by preventing traffic from interface Fa0/0 being sent out interface VLAN10
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 105
When establishing a VPN connection from the Cisco software VPN client to an Easy VPN server router
using pre-shared key authentication, what is entered in the configuration GUI of the Cisco software VPN
client to identify the group profile that is associated with this VPN client?
A. Group name
B. Client name
C. Distinguished name
D. Organizational unit
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 106
Refer to the exhibit.
An IOS firewall has been configured to support skinny and H.323. Voice traffic is not passing through the
firewall as expected. What needs to be corrected in this configuration?
Answer: C
Section: (none)
Explanation/Reference:
QUESTION 107
During the Easy VPN Remote connection process, which phase involves pushing the IP address, Domain
Name System (DNS), and split tunnel attributes to the client?
A. mode configuration
B. the VPN client establishment of an ISAKMP SA
C. IPsec quick mode completion of the connection
D. VPN client initiation of the IKE phase 1 process
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 108
When entering the Group Authentication information while configuring the Cisco VPN Client on a
PC, what information is entered in the "Name" field?
Answer: C
Section: (none)
Explanation/Reference:
QUESTION 109
What phrase best describes a Handler in a distributed denial of service (DDoS) attack?
Answer: C
Section: (none)
Explanation/Reference:
QUESTION 110
Which PPPoA configuration statement is true?
A. The dsl operating-mode auto command is required if the default mode has been changed.
B. The encapsulation ppp command is required.
C. The ip mtu 1492 command must be applied on the dialer interface.
D. The ip mtu 1496 command must be applied on the dialer interface.
E. The ip mtu 1492 command must be applied on the Ethernet interface.
F. The ip mtu 1496 command must be applied on the Ethernet interface.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 111
What is a recommended practice for secure configuration management?
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 112
Which IPsec VPN backup technology statement is true?
A. Each Hot Standby Routing Protocol (HSRP) standby group has two well-known MAC addresses and a
virtual IP address.
B. Reverse Route Injection (RRI) is configured at the remote site to inject the central site networks.
C. The crypto isakmp keepalive command is used to configure the Stateful Switchover (SSO) protocol.
D. The crypto isakmp keepalive command is used to configure stateless failover.
E. The reverse-route command should be applied directly to the outside interface.
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 113
Which three DSL technologies support an analog POTS channel and utilize the entire bandwidth of the
copper to carry data? (Choose three.)
A. ADSL
B. IDSL
C. SDSL
D. RADSL
E. VDSL
Answer: ADE
Section: (none)
Explanation/Reference:
QUESTION 114
What actions can be performed by the Cisco IOS IPS when suspicious activity is detected? (Choose four.)
Answer: ACDF
Section: (none)
Explanation/Reference:
QUESTION 115
Internet Protocol Security (IPsec) is a suite of protocols for securing Internet Protocol (IP) communications
by authenticating and encrypting each IP packet of a data stream. Which command can be used to show
the configurations used by the current IPsec security associations?
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 116
Which two statements are true about the troubleshooting of VPN connectivity on a Cisco router?
(Choose two.)
A. SDM can be used to provide statistical output that is related to IPsec SAs.
B. The debug crypto isakmp command output displays detailed IKE phase 1 and phase 2 negotiation
processes.
C. SDM can be used to perform advanced troubleshooting.
D. Knowledge of Cisco IOS CLI commands is required.
E. The Monitor Tunnel Operation page in SDM is the primary tool for troubleshooting VPN connectivity.
Answer: BD
Section: (none)
Explanation/Reference:
QUESTION 117
Which statement about the aaa authentication enable default group radius enable command is true?
A. If the radius server returns an error, the enable password will be used.
B. If the radius server returns a 'failed' message, the enable password will be used.
C. The command login authentication group will associate the AAA authentication to a specified interface.
D. If the group database is unavailable, the radius server will be used.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 118
DSL (Digital Subscriber Line) is a technology for bringing high-bandwidth information to homes and small
businesses over ordinary copper telephone lines. Which form of DSL technology is typically used to replace
T1 lines?
A. VDSL
B. HDSL
C. ADSL
D. SDSL
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 119
According to the following presented information, which two items are correct regarding user access?
(Choose two.)
A. Telnet access to this device is not possible because login access has not been configured.
B. Access to the console port of this device may be gained by use of the "con2access" password.
C. A username and password are needed to log in to a Telnet session to this device.
D. A username and password are needed to log in to the console port of this device.
Answer: CD
Section: (none)
Explanation/Reference:
QUESTION 120
What are two principles to follow when configuring ACLs with IOS Firewall? (Choose two.)
A. Prevent traffic that will be inspected by IOS Firewall from leaving the network through the firewall.
B. Configure extended ACLs to prevent IOS Firewall return traffic from entering the network through the
firewall.
C. Configure an ACL to deny traffic from the protected networks to the unprotected networks.
D. Permit broadcast messages with a source address of 255.255.255.255.
E. Allow traffic that will be inspected by IOS Firewall to leave the network through the firewall.
Answer: BE
Section: (none)
Explanation/Reference:
QUESTION 121
With MPLS, what is the function of the protocol ID (PID) in a Layer 2 header?
A. It specifies that the bottom-of-stack bit immediately follows.
B. It specifies that the payload starts with a label and is followed by an IP header.
C. It specifies that the receiving router use the top label only.
D. It specifies how many labels immediately follow.
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 122
Which statement identifies a limitation in the way Cisco IOS Firewall tracks UDP connections versus TCP
connections?
Answer: E
Section: (none)
Explanation/Reference:
QUESTION 123
What are three methods of network reconnaissance? (Choose three.)
A. IP spoofing
B. One-time password
C. Dictionary attack
D. Packet sniffer
E. Ping sweep
F. Port scan
Answer: DEF
Section: (none)
Explanation/Reference:
QUESTION 124
PPPoE, Point-to-Point Protocol over Ethernet, is a network protocol for encapsulating Point-to-Point
Protocol (PPP) frames inside Ethernet frames. What is the possible cause for the failure of the
establishment of the PPPoE client session?
A. The PPP LCP phase has failed because the correct DSL operating mode (DSL modulation) is not
configured on the PG-CPE router.
B. The PPP authentication phase has failed at the PG-CPE.
C. The PPP LCP phase has failed because of excessive link noise.
D. The PPP NCP phase has failed because the local router cannot successfully initialize the DSLAM.
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 125
According to the following graphic, can you tell me which VPN IPv4 label is for the network 172.16.13.0/24?
A. 11
B. 17
C. 12308
D. 17, 12308
Answer: C
Section: (none)
Explanation/Reference:
QUESTION 126
What are two ways to mitigate IP spoofing attacks? (Choose two.)
Answer: BC
Section: (none)
Explanation/Reference:
QUESTION 127
What technology must be enabled as a prerequisite to running MPLS on a Cisco router?
A. Process switching
B. Routing-table driven switching
C. Cache driven switching
D. CEF switching
E. Fast switching
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 128
Which two of the following belong to reconnaissance attacks? (Choose two.)
A. Port scans
B. Ping sweeps
C. Denial of service attacks
D. Man-in-the-middle attacks
Answer: AB
Section: (none)
Explanation/Reference:
QUESTION 129
Refer to the exhibit. Which of these statements about the configured IPsec transform set is correct?
A. Only the data field of the packet will be hashed using SHA.
B. Only the address fields of the packet will be hashed using SHA.
C. Only the data field of the packet will be encrypted by the AES algorithm using a 256-bit key.
D. Only the address fields of the packet will be encrypted by the AES algorithm using a 256-bit key.
E. The data field of the packet will be encrypted by the AES algorithm using a 256-bit key, while the
address fields of the packet will be hashed using SHA.
F. The address fields of the packet will be encrypted by the AES algorithm using a 256-bit key, while the
data field of the packet will be hashed using SHA.
Answer: E
Section: (none)
Explanation/Reference:
QUESTION 130
Which two statements about the AutoSecure feature are true? (Choose two.)
Answer: AB
Section: (none)
Explanation/Reference:
QUESTION 131
Refer to the exhibit. Host 1 cannot ping Server 1. In the course of troubleshooting, you have eliminated all
network issues. Based upon the partial configuration shown, what is the issue?
Select the best response.
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 132
When configuring backup IPsec VPNs with Cisco IOS Release 12.2(8)T or later, what are the default
parameters?
A. Cisco IOS keepalives are sent every 10 seconds if there is no traffic to send.
B. Dead peer detection (DPD) hello messages are sent every 10 seconds if there is no traffic to send.
C. Cisco IOS keepalives are sent every 10 seconds if the router has traffic to send.
D. DPD hello messages are sent every 10 seconds if the router has traffic to send.
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 133
Observe the following exhibit carefully. The output is produced by which Cisco security feature?
A. CBAC
B. IPS
C. SSH
D. AutoSecure
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 134
CBAC provides advanced traffic filtering functionality and can be used as an integral part of your network
firewall. Which two descriptions are correct about the Cisco Classic (CBAC) IOS Firewall set? (Choose two.)
Answer: BD
Section: (none)
Explanation/Reference:
QUESTION 135
Look at the following exhibit carefully. LDP neighbor sessions have been built between PG-RTB and PG-
RTC. In the process of troubleshooting, it is found that labels are being distributed between the two routers;
however, the LFIB has no label swapping information. Why?
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 136
What is the reason for the ping between the PG-HQ router and the 192.168.1.193 interface on the PG-
Branch2 router failing?
A. The default route is missing from the PG-Branch2 router.
B. When running EIGRP over GRE tunnels, you must manually configure the neighbor address using the
eigrp neighbor ipaddress command.
C. The tunnel numbers for the tunnel between the PG-HQ router and the PG-Branch2 router do not match.
D. The tunnel source is incorrect on the PG-Branch2 router. It should be serial 2/0.
E. The AS number for the EIGRP process on PG-Branch2 should be 1 and not 11.
Answer: E
Section: (none)
Explanation/Reference:
QUESTION 137
What are two steps that must be taken when mitigating a worm attack? (Choose two.)
Answer: AD
Section: (none)
Explanation/Reference:
QUESTION 138
To implement Easy VPN Remote capabilities, which requirement must be met?
A. The destination peer must be a Cisco Easy VPN Server or VPN Concentrator supporting Cisco Easy
VPN Server.
B. The source peer must be a Cisco Easy VPN Server or VPN Concentrator supporting Cisco Easy VPN
Server.
C. The destination peer must be a Cisco Easy VPN Remote device.
D. The destination peer must support all available encryption and authentication types.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 139
At what size should the MTU on LAN interfaces be set in the implementation of MPLS VPNs with traffic
engineering?
A. 1512 bytes
B. 1516 bytes
C. 1520 bytes
D. 1524 bytes
E. 1528 bytes
F. 1532 bytes
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 140
Which two devices serve as the main endpoint components in a DSL data service network? (Choose two.)
A. SOHO workstation
B. ATU-R
C. ATU-C
D. POTS splitter
E. CO switch
Answer: B
Section: (none)
Explanation/Reference:
I don't know the other choice.
QUESTION 141
Which three protocols are available for local redundancy in a backup VPN scenario? (Choose three.)
A. VRRP
B. A routing protocol
C. RSVP
D. HSRP
E. Proxy ARP
F. GLBP
Answer: ADF
Section: (none)
Explanation/Reference:
QUESTION 142
Which PPPoE configuration statement is true?
A. A PVC must be created before the pppoe enable command on the Ethernet interface is entered.
B. The dsl operating-mode auto command is required.
C. The encapsulation ppp command must be applied on the Ethernet interface.
D. The ip mtu 1492 command must be applied on the dialer interface.
E. The ip mtu 1496 command must be applied on the Ethernet interface.
F. When the pppoe enable command is applied on the Ethernet interface, a PVC will be created.
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 143
The Cisco SOHO 77 ADSL router provides an affordable, secure, multiuser digital subscriber line (DSL)
access solution to small office/home office customers while reducing deployment and operational costs for
service providers. Refer to the exhibit, which shows a PPPoA diagram and partial SOHO77 configuration.
Which command needs to be applied to the SOHO77 to complete the configuration?
A. Encapsulation aal5mux ppp dialer applied to the PVC
B. Encapsulation aal5ciscoppp applied to the PVC
C. Encapsulation aal5mux ppp dialer applied to the ATM0 interface
D. Encapsulation aal5ciscoppp applied to the ATM0 interface
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 144
Which three are methods of network reconnaissance? (Choose three.)
A. Packet sniffer
B. Ping Sweep
C. Dictionary attack
D. Port scan
Answer: ABD
Section: (none)
Explanation/Reference:
QUESTION 145
Refer to the exhibit below. Router PassGuide-R is unable to establish an ADSL connection with its
provider. What action should be taken to correct this problem?
Answer: F
Section: (none)
Explanation/Reference:
QUESTION 146
You work as a network technician at PassGuide.com. Study the exhibit carefully. What type of security
solution will be provided for the inside network?
A. The router will intercept the traceroute messages. It will validate the connection requests before
forwarding the packets to the inside network.
B. The router will reply to the TCP connection requests. If the three-way handshake completes
successfully, the router will establish a TCP connection between itself and the server.
C. The TCP traffic that matches the ACL will be allowed to pass through the router and create a TCP
connection with the server.
D. The TCP connection that matches the defined ACL will be reset by the router if the connection does not
complete the three-way handshake within the defined time period.
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 147
Which three descriptions are correct about frame-mode MPLS? (Choose three.)
A. MPLS has three distinct components consisting of the data plane, the forwarding plane, and the control
plane.
B. The MPLS data plane takes care of forwarding based on either destination addresses or labels.
C. To exchange labels, the control plane requires protocols such as Tag Distribution Protocol (TDP) or
MPLS Label Distribution Protocol (LDP).
D. Whenever a router receives a packet that should be CEF-switched, but the destination is not in the FIB,
the packet is dropped.
Answer: BCD
Section: (none)
Explanation/Reference:
QUESTION 148
Authentication is the process of determining whether someone or something is, in fact, who or what it is
declared to be. On the basis of the exhibit. Which two statements correctly describe the authentication
method used to authenticate users who want privileged access into PG-R1? (Choose two.)
A. All users will be authenticated using the RADIUS server. If the RADIUS server is unavailable, the
authentication process stops and no other authentication method is attempted.
B. All users will be authenticated using the RADIUS server. If the RADIUS server is unavailable, the router
will attempt to authenticate the user using its local database.
C. All users will be authenticated using the RADIUS server. If the user authentication fails, the router will
attempt to authenticate the user using its local database.
D. All users will be authenticated using the RADIUS server. If the user authentication fails, the
authentication process stops and no other authentication method is attempted.
Answer: BD
Section: (none)
Explanation/Reference:
QUESTION 149
You work as a network technician. Refer to the exhibit. Which description is correct about the partial MPLS
configuration that is shown?
A. The route-target both 100:2 command sets import and export route-targets for vrf2.
B. The route-target both 100:2 command changes a VPNv4 route to a IPv4 route.
C. The route-target import 100:1 command sets import route-targets routes specified by the route map.
D. The route-target import 100:1 command sets import route-targets for vrf2 that override the other route-
target configuration.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 150
Refer to the exhibit. Based on the presented information, which description is correct?
A. The IOS firewall has allowed an HTTP session between two devices.
B. A TCP session that started between 192.168.1.116 and 192.168.101.115 caused dynamic ACL entries
to be created.
C. A UDP session that started between 192.168.1.116 and 192.168.101.115 caused dynamic ACL entries
to be created.
D. Telnet is the only protocol allowed through this IOS firewall configuration.
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 151
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 152
Drag and drop the Cisco IOS commands that would be used to configure the physical interface portion of a
PPPoE client configuration. Drag and Drop question, drag each item to its proper location.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 153
Drag the correct statements about MPLS-based VPN on the left to the boxes on the right. (Not all statements
will be used)
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 154
Drag the IPsec protocol description from the above to the correct protocol type on the below. (Not all
descriptions will be used) Drag and Drop question, drag each item to its proper location.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 155
Drag and drop each management protocol on the above to the correct category on the below.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 156
Drag and drop each function on the above to the hybrid fiber-coaxial architecture component that it
describes on the below.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 157
Drag the DSL technologies on the left to their maximum (down/up) data rate values on the below.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 158
Drag the DSL local loop topic on the left to the correct descriptions on the right.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 159
Drag the IOS commands from the left that would be used to implement a GRE tunnel using the 10.1.1.0/30
network on interface serial 0/0 to the correct target area on the right.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 160
Identify the recommended steps for worm attack mitigation by dragging and dropping them into the target
area in the correct order.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 161
Drag and drop the xDSL type on the above to the appropriate xDSL description on the below.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 162
Match the xDSL type on the above to the most appropriate implementation on the below.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 163
Drag each element of the Cisco IOS Firewall Feature Set from the above and drop onto its description on
the below.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 164
Drag the protocols that are used to distribute MPLS labels from the above to the target area on the below.
(Not all options will be used)
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 165
Drag and drop question. The upper gives the MPLS functions, the bottom describes the planes. Drag the
above items to the proper location at the below.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 166
Drag and drop question. The left gives some blank boxes for IPsec VPN, the right gives some IPsec VPN
descriptions, drag the correct descriptions on the right to the left boxes.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 167
Drag and drop question. The left gives some blank boxes for ADSL POTS splitter, the right gives some
ADSL POTS splitter descriptions, drag the correct descriptions on the right to the left boxes.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 168
Drag and drop question. Drag the ordered steps below to the correct DSL ATM interface configuration
sequence above.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 169
Drag and drop question. Drag the Cisco IOS commands above to the proper location below to implement a
two-interface IOS firewall.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 170
Drag each description to the correct IPsec security feature.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 171
Drag each type of attack on the left to the description on the left.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 172
Drag the worm attack mitigation step on the left to the description on the right.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 173
Drag and drop the Cisco IOS commands that would be used to configure the dialer interface portion of a
PPPoE client implementation where the client is facing the internet and private IP addressing is used on the
internal network.
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 174
Drop
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 175
PassGuide is a small export company.
This firm has an existing enterprise network that is made up exclusively of routers that use EIGRP as
the IGP.
Its network is up and operating normally. As part of its network expansion, PassGuide has decided to
connect to the internet through a broadband cable ISP. Your task is to enable this connection using the
information below.
A. PassGuide-R>ena
PassGuide-R#conf t
PassGuide-R(config)#int e0/0
PassGuide-R(config-if)#pppoe enable
PassGuide-R(config-if)#pppoe-client dial-pool-number 1
PassGuide-R(config-if)#no shut
PassGuide-R(config-if)#exit
PassGuide-R(config)#vpdn enable
PassGuide-R(config)#vpdn-group 1
PassGuide-R(config-vpdn)#request-dialin
PassGuide-R(config-vpdn-req-in)#protocol pppoe
PassGuide-R(config-vpdn-req-in)#exit
PassGuide-R(config-vpdn)#exit
PassGuide-R(config)#dialer-list 1 protocol ip permit
PassGuide-R(config)#ip route 0.0.0.0 0.0.0.0 dialer1
PassGuide-R(config)#int dialer 1
PassGuide-R(config-if)#encapsulation ppp
PassGuide-R(config-if)#ip address negotiated
PassGuide-R(config-if)#dialer pool 1
PassGuide-R(config-if)#dialer-group 1
PassGuide-R(config-if)#ip mtu 1492
PassGuide-R(config-if)#no shut
PassGuide-R(config-if)#end
PassGuide-R#ping 172.16.1.1
If the ping is successful, you are finished. If not, check the configuration.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 176
A. PassGuide-R1> enable
PassGuide-R1# conf t
PassGuide-R1(config)#aaa new-model
PassGuide-R1(config)#username BDnet1 password Wer#1
PassGuide-R1(config)#tacacs-server host 10.6.6.254 key training
PassGuide-R1(config)#aaa authentication login default local
PassGuide-R1(config)#aaa authentication login vty group tacacs+
PassGuide-R1(config)#aaa authorization exec vty group tacacs+
PassGuide-R1(config)#line vty 0 4
PassGuide-R1(config-line)#authorization exec vty
PassGuide-R1(config-line)#login authentication vty
PassGuide-R1(config-line)#end
PassGuide-R1#copy run start
#Test:
PassGuide-R2#ssh 10.2.1.1 -l cisco <Enter> password: Cisco123
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 177
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 178
A company has installed a new router, R1, in its network. As an administrator, you need to configure TACACS
for the router with the following configuration.
1. Enable the TACACS server in R1
2. Configure console and aux for default authentication
3. Configure VTY for TACACS server authentication
4. Configure the TACACS server IP 10.2.2.2 and shared key 123
5. Log in to R2 using the provided username and password (username R2, password COL)
6. From R2, log in to R1 using SSH and check the R1 TACACS (username R1, password TAC)
A. R1(config)# aaa new-model
R1(config)# tacacs-server host 10.2.2.2 key 123 (IP and key may change)
R1(config)# aaa authentication login default local
R1(config)# aaa authentication login CUSTOM_LIST group tacacs+ (only required to allow TACACS)
R1(config)# line console 0
R1(config-line)# login authentication default
R1(config-line)# line aux 0
R1(config-line)# login authentication default
R1(config-line)# line vty 0 4
R1(config-line)# login authentication CUSTOM_LIST
R1(config-line)# line vty 5 15
R1(config-line)# login authentication CUSTOM_LIST
R1(config-line)# end
R1# copy run start
Login to R2 with provided credentials.
R2>username R2 password COL
R2#ssh <ip from R1> -l R1 password TAC
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 179
1. Which defined peer IP address and local subnet belong to Crete?(Choose two.)
Answer: AD
Section: (none)
Explanation/Reference:
2. Which IPSec rule is used for the Olympia branch and what does it define? (Choose two.)
A. 102
B. 116
C. 127
D. IP traffic sourced from 10.10.10.0/24 destined to 10.5.15.0/24 will use the VPN.
E. IP traffic sourced from 10.10.10.0/24 destined to 10.8.28.0/24 will use the VPN.
F. IP traffic sourced from 10.10.10.0/24 destined to 10.5.33.0/24 will use the VPN.
Answer: B,E
3. Which algorithm as defined by the transform set is used for providing data confidentiality when connected
to Type?
A. ESP-3DES-SHA
B. ESP-3DES-SHA1
C. ESP-3DES-SHA2
D. ESP-3DES
E. ESP-SHA-HMAC
Answer: D
4. Which peer authentication method and which IPSec mode is used to connect to the branch locations?
(Choose two.)
A. Digital Certificate
B. Pre-Shared Key
C. Transport Mode
D. Tunnel Mode
E. GRE/IPSEC Transport Mode
F. GRE/IPSEC Tunnel Mode
Answer: B,D
QUESTION 180
1. What is preventing the HQ router and the Branch1 router from establishing an EIGRP neighbor
relationship?
A: The tunnel source is incorrect on the Branch1 router. It should be serial 2/0.
B: When running EIGRP over GRE tunnels, you must manually configure the neighbor address using the
eigrp neighbor ipaddress command.
C: The default route is missing from the Branch1 router.
D: The tunnel interface numbers for the tunnel between the HQ router and Branch1 router do not match.
E: The tunnel destination address is incorrect on the HQ router. It should be 10.2.1.1 to match the interface
address of the Branch1 router.
Answer: B
Section: (none)
Explanation/Reference:
2. Why is the ping between the HQ router and the 192.168.1.193 interface on the Branch2 router failing?
A: The AS number for the EIGRP process on Branch2 should be 1 and not 11.
B: The tunnel numbers for the tunnel between the HQ router and the Branch2 router do not match.
C: The default route is missing from the Branch2 router.
D: The tunnel source is incorrect on the Branch2 router. It should be serial 2/0.
E: When running EIGRP over GRE tunnels, you must manually configure the neighbor address using the
eigrp neighbor ipaddress command.
Answer: E
3. What is preventing a successful ping between the HQ router and the 192.168.1.10 interface on the
Branch3 router?
A: The tunnel interface numbers for the tunnel between the HQ router and the Branch3 router do not match.
B: The IP address on the tunnel interface for the Branch3 router has wrong IP mask. It should be
255.255.255.252.
C: The network statement under router EIGRP on the Branch3 router is incorrect. It should be network
192.168.2.0 0.0.0.255.
D: The default route is missing from the Branch3 router.
E: The tunnel source is incorrect on the Branch3 router. It should be serial 2/0.
Answer: C
QUESTION 181
Which two statements about the Cisco Autosecure feature are true? (Choose two.)
A. All passwords entered during the Autosecure configuration must be a minimum of 8 characters in length.
B. Cisco 123 would be a valid password for both the enable password and the enable secret commands.
C. The auto secure command can be used to secure the router login as well as the NTP and SSH
protocols.
D. For an interactive full session of AutoSecure, the auto secure login command should be used.
E. If the SSH server was configured, the 1024 bit RSA keys are generated after the auto secure command
is enabled.
Answer: CE
Section: (none)
Explanation/Reference:
QUESTION 182
Which three statements are correct about MPLS-based VPNs? (Choose three.)
A. Route Targets (RTs) are attributes attached to a VPNv4 BGP route to indicate its VPN membership.
B. Scalability becomes challenging for a very large, fully meshed deployment.
C. Authentication is done using a digital certificate or pre-shared key.
D. A VPN client is required for client-initiated deployments.
E. A VPN client is not required for users to interact with the network.
F. An MPLS-based VPN is highly scalable because no site-to-site peering is required.
Answer: AE
Section: (none)
Explanation/Reference:
QUESTION 183
Which IPsec mode will encrypt a GRE tunnel to provide multiprotocol support and reduced overhead?
A. 3DES
B. multipoint GRE
C. tunnel
D. transport
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 184
Which two statements are true about broadband cable (HFC) systems? (Choose two.)
A. Cable modems only operate at Layer 1 of the OSI model.
B. Cable modems operate at Layers 1 and 2 of the OSI model.
C. Cable modems operate at Layers 1, 2, and 3 of the OSI model.
D. A function of the cable modem termination system (CMTS) is to convert the modulated signal from the
cable modem into a digital signal.
E. A function of the cable modem termination system is to convert the digital data stream from the end user
host into a modulated RF signal for transmission onto the cable system.
Answer: BD
Section: (none)
Explanation/Reference:
QUESTION 185
Which two statements are correct about mitigating attacks by the use of access control lists (ACLs)?
(Choose two.)
A. Extended ACLs on routers should always be placed as close to the destination as possible.
B. Each ACL that is created ends with an implicit permit all statement.
C. Ensure that earlier statements in the ACL do not negate any statements that are found later in the list.
D. Denied packets should be logged by an ACL that traps informational (level 6) messages.
E. IP packets that contain the source address of any internal hosts or networks inbound to a private
network should be permitted.
F. More specific ACL statements should be placed earlier in the ACL.
Answer: DF
Section: (none)
Explanation/Reference:
QUESTION 186
Refer to the exhibit.
What is needed to complete the PPPoA configuration?
Answer: C
Section: (none)
Explanation/Reference:
QUESTION 187
Which three configuration steps must be taken to connect a DSL ATM interface to a service provider?
(Choose three.)
A. Enable VPDN.
B. Configure PPPoE on the VPDN group.
C. Configure the ATM PVC.
D. Assign a VPDN group name.
E. Configure a dialer interface.
F. Configure the correct PPP encapsulation on the ATM virtual circuit.
Answer: CEF
Section: (none)
Explanation/Reference:
QUESTION 188
When configuring the Cisco software VPN client on a PC, which values need to be entered to complete the
setup when pre-shared key authentication is used?
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 189
What is one benefit of AutoSecure?
Answer: C
Section: (none)
Explanation/Reference:
QUESTION 190
What is meant by the attack classification of "false positive" on a Cisco IPS device?
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 191
When packets in a session match a signature, what are three actions that the Cisco IOS Firewall IPS can
take? (Choose three.)
Answer: DEF
Section: (none)
Explanation/Reference:
QUESTION 192
Refer to the exhibit.
SDM has added the commands in the exhibit to the router's configuration. What are the three objectives that
these commands accomplish? (Choose three.)
Answer: CEF
Section: (none)
Explanation/Reference:
QUESTION 193
Which three MPLS statements are true? (Choose three.)
A. Cisco Express Forwarding (CEF) must be enabled as a prerequisite to running MPLS on a Cisco router.
B. Frame-mode MPLS inserts a 32-bit label between the Layer 3 and Layer 4 headers.
C. MPLS is designed for use with frame-based Layer 2 encapsulation protocols such as Frame Relay, but
is not supported by ATM because of ATM fixed-length cells.
D. OSPF, EIGRP, IS-IS, RIP, and BGP can be used in the control plane.
E. The control plane is responsible for forwarding packets.
F. The two major components of MPLS include the control plane and the data plane.
Answer: ADF
Section: (none)
Explanation/Reference:
QUESTION 194
Refer to the exhibit.
The configuration in the exhibit is found on an Internet service provider (ISP) Multiprotocol Label Switching
(MPLS) network. What is its purpose?
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 195
What are the four main steps in configuring an IPsec site-to-site VPN tunnel on Cisco routers? (Choose
four.)
A. Define the ISAKMP policy.
B. Define the IPsec transform set.
C. Define the pre-shared key used in the DH (Diffie-Hellman) exchange.
D. Create a crypto access list to define which traffic should be sent through the tunnel.
E. Create a crypto map and apply it to the outgoing interface of the VPN device.
F. Configure dynamic routing over the IPsec tunnel interface.
Answer: ABDE
Section: (none)
Explanation/Reference:
QUESTION 196
Which statement is true about an IPsec/GRE tunnel?
A. The GRE tunnel source and destination addresses are specified within the IPsec transform set.
B. An IPsec/GRE tunnel must use IPsec tunnel mode.
C. GRE encapsulation occurs before the IPsec encryption process.
D. Crypto map ACL is not needed to match which traffic will be protected.
Answer: C
Section: (none)
Explanation/Reference:
QUESTION 197
Which feature is an accurate description of the Diffie-Hellman (DH) exchange between two IPsec peers?
A. Allows the two peers to communicate the pre-shared secret key to each other during IKE phase 1
B. Allows the two peers to communicate their digital certificates to each other during IKE phase 1
C. Allows the two peers to jointly establish a shared secret key over an insecure communications channel
D. Allows the two peers to negotiate their IPsec transforms during IKE phase 2
E. Allows the two peers to authenticate each other over an insecure communications channel
Answer: C
Section: (none)
Explanation/Reference:
QUESTION 198
Which three modulation signaling standards are used in broadband cable technology? (Choose three.)
A. S-Video
B. PAL
C. NTSC
D. SECAM
E. FDM
F. FEC
Answer: BCD
Section: (none)
Explanation/Reference:
QUESTION 199
Which can be used to mitigate Trojan horse attacks?
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 200
Which two statements are true about the configuration of the Cisco IOS Firewall using the SDM? (Choose
two.)
A. Cisco IOS Firewall features may be configured by choosing the Additional Tasks wizard.
B. Firewall policies can be viewed from the Home screen of the SDM.
C. To simplify the Firewall configuration task, the SDM provides Basic Firewall, Intermediate Firewall, and
Advanced Firewall wizards.
D. The Basic Firewall Configuration wizard applies default access rules to the inside (trusted), outside
(untrusted) and DMZ interfaces
E. The Advanced Firewall Configuration wizard applies access rules to the inside (trusted), outside
(untrusted) and DMZ interfaces.
Answer: BE
Section: (none)
Explanation/Reference:
QUESTION 201
Refer to the exhibit.
A site-to-site VPN connection has been configured using SDM. What option can aid in the configuration of
the VPN on the peer router?
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 202
What should a security administrator who uses SDM consider when configuring the firewall on an interface
that is used in a VPN connection?
A. The firewall must permit traffic going out of the local interface only.
B. The firewall must permit traffic to a VPN concentrator only.
C. The firewall must permit encrypted traffic between the local and remote VPN peers.
D. The firewall cannot be configured in conjunction with a VPN.
Answer: C
Section: (none)
Explanation/Reference:
QUESTION 203
Which three benefits do IPsec VPNs provide? (Choose three.)
A. Origin authentication
B. Adaptive threat defense
C. Confidentiality
D. QoS
E. Data integrity
F. A fully-meshed topology with low overhead
Answer: ACE
Section: (none)
Explanation/Reference:
QUESTION 204
Study the exhibit carefully.
Which description is true about the results of clicking the OK button in the Security Device Manager (SDM)
Add a Signature Location window?
A. SDM will respond with a message asking for the URL that points to the 256MB.sdf file.
B. Cisco IOS IPS will choose to load the 256MB.sdf only if the Built-in Signatures (as backup) check box is
unchecked.
C. If Cisco IOS IPS fails to load the 256MB.sdf, it will load the built-in signatures provided the Built-in
Signatures (as backup) check box is checked.
D. Cisco IOS IPS will choose to load the 256MB.sdf and then also add the Cisco IOS built-in signatures.
Answer: C
Section: (none)
Explanation/Reference:
QUESTION 205
Which two statements about worms, viruses, or Trojan horses are true? (Choose two.)
A. A Trojan horse has three components: an enabling vulnerability, a propagation mechanism, and a
payload.
B. A Trojan horse virus propagates itself by infecting other programs on the same computer.
C. A virus cannot spread to a new computer without human assistance.
D. A virus has three components: an enabling vulnerability, a propagation mechanism, and a payload.
E. A worm can spread itself automatically from one computer to the next over an unprotected network.
F. A worm is a program that appears desirable but actually contains something harmful.
Answer: CE
Section: (none)
Explanation/Reference:
QUESTION 206
Which two Network Time Protocol (NTP) statements are true? (Choose two.) Select 2 response(s).
Answer: BC
Section: (none)
Explanation/Reference:
QUESTION 207
Which two statements about packet sniffers or packet sniffing are true? (Choose two.) Select 2 response(s).
A. To reduce the risk of packet sniffing, traffic rate limiting and RFC 2827 filtering should be used.
B. Packet sniffers can only work in a switched Ethernet environment.
C. To reduce the risk of packet sniffing, cryptographic protocols such as Secure Shell Protocol (SSH) and
Secure Sockets Layer (SSL) should be used.
D. To reduce the risk of packet sniffing, strong authentication, such as one time passwords, should be
used.
Answer: CD
Section: (none)
Explanation/Reference:
QUESTION 208
Which statement is true about Cisco Easy VPN?
Select the best response.
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 209
Refer to the exhibit. On the basis of the information presented, which configuration change would correct
the Secure Shell (SSH) problem?
Select the best response.
A. Configure router RTA with the ip domain name domain-name global configuration command.
B. Configure router RTA with the crypto key generate rsa general-keys modulus modulus-number global
configuration command.
C. Configure router RTA with the crypto key generate rsa usage-keys modulus modulus-number global
configuration command.
D. Configure router RTA with the transport input ssh vty line configuration command.
E. Configure router RTA with the no transport input telnet vty line configuration command.
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 210
Refer to the exhibit. Routers RTB and RTC have established LDP neighbor sessions. Troubleshooting
discovered that labels are being distributed between the two routers but no label swapping information is in
the LFIB. What is the most likely cause of this problem?
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 211
Refer to the exhibit. All routers participate in the MPLS domain. An IGP propagates the routing information
for network 10.10.10.0/24 from R5 to R1. However, router R3 summarizes the routing information to
10.10.0.0/16. How will the routes be propagated through the MPLS domain?
A. R3, using LDP, will advertise labels for both networks, and the information will be propagated throughout
the MPLS domain.
B. R3 will label the summary route using a pop label. The route will then be propagated through the rest of
the MPLS domain. R3 will label the 10.10.10.0/24 network and forward to R2 where the network will be
dropped.
C. R3 will label the 10.10.10.0/24 network using a pop label which will be propagated through the rest of the
MPLS domain. R3 will label the summary route and forward to R2 where the network will be dropped.
D. None of the networks will be labeled and propagated through the MPLS domain because aggregation
breaks the MPLS domain.
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 212
What are the four fields in an MPLS label? (Choose four.) Select 4 response(s).
A. version
B. experimental
C. label
D. protocol
E. TTL
F. bottom-of-stack indicator
Answer: BCEF
Section: (none)
Explanation/Reference:
QUESTION 213
Which action can be taken by Cisco IOS IPS when a packet matches a signature pattern? Select the best
response.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 214
What is required when configuring IOS Firewall using the CLI? Select the best response.
Answer: E
Section: (none)
Explanation/Reference:
QUESTION 215
Refer to the exhibit. What information can be derived from the output of the show ip cef command?
Answer: D
Section: (none)
Explanation/Reference:
QUESTION 216
Which approach for identifying malicious traffic looks for a fixed sequence of bytes in a single packet or a
predefined content?
Select the best response.
A. signature based
B. anomaly based
C. honeypot based
D. policy based
E. regular-expression based
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 217
Which statement about DSL is true?
Select the best response.
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 218
Refer to the exhibit. Which two statements are true about the authentication method used to authenticate
users who want privileged access into Router1? (Choose two.) Select 2 response(s).
A. All users will be authenticated using the RADIUS server. If the RADIUS server is unavailable, the router
will attempt to authenticate the user using its local database.
B. All users will be authenticated using the RADIUS server. If the RADIUS server is unavailable, the
authentication process stops and no other authentication method is attempted.
C. All users will be authenticated using the RADIUS server. If the user authentication fails, the router will
attempt to authenticate the user using its local database.
D. All users will be authenticated using the RADIUS server. If the user authentication fails, the
authentication process stops and no other authentication method is attempted.
E. The default login authentication method is applied automatically to all lines including console, auxiliary,
TTY, and VTY lines.
Answer: AD
Section: (none)
Explanation/Reference:
QUESTION 219
Refer to the exhibit. How will DDoS attacks be prevented? Select the best response.
A. The ACL will block the ICMP responses to the UDP traceroute packets that are used to discover subnets
and hosts on the remote access LAN.
B. The ACL will block the ICMP Time Exceeded Message (TEM) that is used to provide a trace of the path
the packet took to reach the destination.
C. The ACL will block the ICMP requests that are used by the ICMP ping packets that in turn are used to
determine the IP addresses of destination hosts.
D. The ACL will block the ICMP packets that are destined to both the network and the broadcast addresses
of the remote access LAN.
Answer: C
Section: (none)
Explanation/Reference:
QUESTION 220
Refer to the exhibit. Which statement is true?
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 221
Refer to the exhibit. The configuration has been applied to router RTA to mitigate the threat of certain types
of ICMP-based attacks. However, the configuration is incorrect. On the basis of the information in the
exhibit, which configuration option would correctly configure router RTA? Select the best response.
A. ACL 112 should have been applied to interface Fa0/0 in an inbound direction.
B. ACL 112 should have been applied to interface Fa0/1 in an outbound direction.
C. The first three statements of ACL 112 should have permitted the ICMP traffic and the last statement
should deny the identified traffic.
D. The last statement of ACL 112 should have been access-list 112 deny icmp any 10.1.1.0 0.0.0.255.
E. The last statement of ACL 112 should have been access-list 112 deny icmp any 10.2.1.0 0.0.0.255.
F. The last statement of ACL 112 should have been access-list 112 permit icmp any 10.2.1.0 0.0.0.255.
Answer: F
Section: (none)
Explanation/Reference:
QUESTION 222
Refer to the exhibit. On the basis of the partial output that is displayed in the exhibit, which two statements
are true? (Choose two.)
Select 2 response(s).
Answer: CE
Section: (none)
Explanation/Reference:
QUESTION 223
An administrator is troubleshooting an ADSL connection. For which OSI layer is the ping atm interface
command useful for probing problems?
Select the best response.
A. Layer 1
B. Layer 2
C. Layer 3
D. Layer 4
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 224
Refer to the exhibit. Based on this partial configuration, which two statements are true? (Choose two.)
Select 2 response(s).
A. You can log into the console using either the "cisco" or "sanfran" password.
B. The local parameter is missing at the end of each aaa authentication LOCAL-AUTH command.
C. The aaa authentication default command should be issued for each line instead of the login
authentication LOCAL_AUTH command.
D. This is an example of a self-contained AAA configuration using the local database.
E. To make the configuration more secure, the none parameter should be added to the end of the aaa
authentication login LOCAL_AUTH local command.
F. To successfully establish a Telnet session with RTA, a user can enter the username Bob and password
cisco.
Answer: DF
Section: (none)
Explanation/Reference:
QUESTION 225
Refer to the exhibit. The DSL router with this partial configuration is connected to a service provider using a
PPPoE session over an ATM interface. FTP traffic, generated from inside the network 10.92.1.0/24, fails to
reach the PPPoE server. What should be configured on the DSL Router to fix the problem?
Select the best response.
A. The ip mtu command with a bytes argument set greater than 1492 needs to be configured for the
Dialer1 interface.
B. The ip mtu command with a bytes argument set lower than 1492 needs to be configured for the Dialer1
interface.
C. The ip mtu command with a bytes argument set greater than 1492 needs to be configured for the ATM0
interface.
D. The ip mtu command with a bytes argument set lower than 1492 needs to be configured for the ATM0
interface.
Answer: B
Section: (none)
Explanation/Reference:
QUESTION 226
Refer to the exhibit. Which of these statements is true? Select the best response.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 227
Refer to the exhibit. Host 1 cannot ping Server 1. In the course of troubleshooting, you have eliminated all
network issues. Based upon the partial configuration shown, what is the issue?
Select the best response.
Answer: E
Section: (none)
Explanation/Reference:
QUESTION 228
Refer to the exhibit. What type of high-availability option is being implemented? Select the best response.
A. IPsec stateful failover
B. IPsec dead peer detection
C. Hot Standby Router Protocol
D. GRE's Keepalive Mechanism
E. backing up a WAN connection with an IPsec VPN
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 229
If you want to authenticate the NTP associations with other systems for security purposes, which key type
algorithm or algorithms are supported? Select the best response.
A. MD5 only
B. MD7 only
C. plain text only
D. MD5 and MD7
E. plain text and MD5
F. plain text and MD7
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 230
Which two qualities of PKI key exchange overcome asymmetric cryptography scalability issues? (Choose
two.) Select 2 response(s).
A. The trusted introducer uses the signed certificates of the endpoints that need to communicate.
B. PKI uses only a single trusted introducer.
C. The trusted introducer uses the private key of each enrolling user and the public key of the introducer as
the signed certificate.
D. Only the public key of the introducer has to be initially known and verified by all other entities.
E. The introducer digitally signs the public key of the user with the public key of the introducer to generate a
signed certificate.
Answer: BD
Section: (none)
Explanation/Reference:
QUESTION 231
What are three objectives that the no ip inspect command achieves? (Choose three.) Select 3 response(s).
Answer: AEF
Section: (none)
Explanation/Reference:
QUESTION 232
Which three of these are required before you can configure your routers for SSH server operations?
(Choose three.)
Select 3 response(s).
Answer: ACE
Section: (none)
Explanation/Reference:
QUESTION 233
A.
Answer: A
Section: (none)
Explanation/Reference:
QUESTION 234
Which action can be taken by Cisco IOS IPS when a packet matches a signature pattern? Select the best
response.
Answer: A
Section: (none)
Explanation/Reference: