CertifyMe. CertifyMe

CertifyMe
Number:
Passing Score: 800
Time Limit: 120 min
File Version:
CertifyMe

Sections
1. Firewall
2. VPN
3. Other
4. AAA
5. IPS
6. Layer-2 Security

Exam A

QUESTION 1
Which two technologies can secure the control plane of the Cisco router? (Choose two.)
A. BPDU protection
B. role-based access control
C. routing protocol authentication
D. CPPr
Correct Answer: CD
Section: Other

QUESTION 2
Cisco Secure Access Control Server (ACS) is a highly scalable, high-performance access control server that provides a comprehensive identity networking solution. Which of these statements is correct regarding user setup on ACS 4.0?
A. Users are assigned to the default group.
B. A user can belong to more than one group.
C. The username can contain characters such as "#" and "?".
D. The settings at the group level override the settings configured at the user level.
Correct Answer: A
Section: AAA

QUESTION 3
Please study the exhibit carefully, and then answer the following question:

Refer to the appropriate SDM screen(s), which two statements correctly describe the Cisco IOS Zone-Based Firewall configuration? (Choose two)
A. The "reset" action is applied to any HTTP request sourced from the "in" zone and destined to the "out" zone, which also has a request Uniform Resource Identifier (URI) that is greater than 500 bytes in length.

B. The "inspect" action is applied to Internet Control Message Protocol (ICMP) traffic sourced from the "in" zone and destined to the "out" zone.
C. The "http-policy" inspection policy map is applied to all HTTP and HTTPS traffic sourced from the "in" zone and destined to the "out" zone.
D. The "testpm" inspection policy map is applied to the inout zone-pair.
Correct Answer: AD
Section: Firewall

QUESTION 4
Refer to the appropriate SDM screen(s), what is the User Datagram Protocol (UDP) idle time set for any HTTP traffic that is sourced from the "in" zone and destined to the "out" zone?

A. 10 seconds
B. 15 seconds
C. 30 seconds
D. 35 seconds

Correct Answer: D
Section: Firewall

QUESTION 5
Refer to the appropriate SDM screen(s), what is the reason that outside hosts can't initiate Telnet (port 23) traffic to the inside host?

A. The implicit deny access control list (ACL) entry on the inbound ACL is applied to the outside interface.
B. Static NAT is not correctly enabled to translate the inside host address.
C. There is no zone-based firewall policy applied to the traffic sourced from the "out" zone and destined to the "in" zone.

D. The implicit deny access control list (ACL) entry on the inbound ACL is applied to the outside interface.
Correct Answer: C
Section: Firewall

QUESTION 6
Which two category types are associated with 5.x signature use in Cisco IOS IPS? (Choose two.)
A. basic
B. advanced
C. attack-drop
D. built-in
Correct Answer: AB
Section: IPS

QUESTION 7
Select two issues that you should consider when implementing IOS Firewall IDS. (Choose two)
A. The memory usage
B. The number of DMZs
C. The signature coverage
D. The number of router interfaces
Correct Answer: AC
Section: IPS

QUESTION 8
You are the Cisco Configuration Assistant in your company. Which command is used to support 802.1X guest VLAN functionality based on the following configuration?

A. aaa authorization network default group radius
B. aaa authentication dot1x default group radius
C. aaa accounting dot1x default start-stop group radius
D. aaa accounting system default start-stop group radius
Correct Answer: A
Section: AAA

QUESTION 9
You are in charge of Securing Networks Cisco Routers and Switches in your company. Why is the Cisco IOS Firewall authentication proxy not working based on the following configuration?

aaa new model
aaa authentication login default group tacacs
aaa authentication auth-proxy default group tacacs+
aaa accounting auth-proxy default start-stop group tacacs+
enable password TeSt_123
ip auto-proxy name pxy http
ip auto-proxy auth-proxy-banner
interface Ethernet0/1
ip address
ip auto-proxy pxy
no ip http server
tacacs-server host
tacacs-server key Cisco
[Output omitted]

A. The aaa authentication auth-proxy default group tacacs+ command is missing.
B. The router local username and password database is not configured.
C. You forgot to enable HTTP server and AAA authentication.
D. Cisco IOS authentication proxy does not support TACACS+.
Correct Answer: C
Section: AAA

QUESTION 10
Which advantage can be obtained by implementing the Cisco IOS Firewall feature?
A. provides data leakage protection capabilities

B. integrates multiprotocol routing with security policy enforcement
C. is easily deployed and managed by the Cisco Adaptive Security Device Manager
D. acts primarily as a dedicated firewall device
Correct Answer: B
Section: Firewall

QUESTION 11
You are in charge of Securing Networks Cisco Routers and Switches in your company. When troubleshooting a site-to-site IPsec VPN, you see this console message:
%CRYPTO-6-IKMP_SA_NOT_OFFERED: Remote peer %15i responded with attribute [chars] not offered or changed.
Which configuration should you verify?
A. the crypto ACL
B. the crypto map
C. the IPsec transform set
D. the ISAKMP policies
Correct Answer: D
Section: VPN

QUESTION 12
Which three descriptions are true about the GET VPN policy management? (Choose three.)
A. The key server and group member policy must match.
B. A local policy is defined on each group member.
C. A global policy is defined on the key server, and it is distributed to the group members.
D. The group member appends the global policy to its local policy.
Correct Answer: BCD
Section: VPN

QUESTION 13
When you enter the CK-S(config)#aaa authentication dot1x default group radius command on a Cisco Catalyst switch, the Cisco IOS parser returns with the "invalid input detected" error message. What can be the cause of this error?
A. You must use the dot1x system-auth-control command first to globally enable 802.1X.
B. You must define the RADIUS server IP address first, using the CK-S(config)# radius-server host ip-address command.
C. You must enter the aaa new-model command first.

D. The local option is missing in the command.
Correct Answer: C
Section: AAA

QUESTION 14
Please study the exhibit carefully, and then answer the following question:
What is the Fidelity Rating of the DDoSTrinoo IPS signature (signature ID 4608, subsignature-id 3)?

A. 0
B. 50
C. 100
D. 150

Correct Answer: C
Section: IPS

QUESTION 15
What is the value of the user defined variable used to indicate the criticality of the host? This value is used in the Risk Rating calculations.

A. Low
B. Medium
C. High
D. Mission Critical

Correct Answer: D
Section: IPS

QUESTION 16
Which Signature Engine supports Cisco IPS Signature ID 9423?

A. atomic-ip
B. string-tcp
C. service-http
D. string-udp

Correct Answer: B
Section: IPS

QUESTION 17
When you implement Cisco IOS WebVPN on a Cisco router using a self-signed certificate, you notice that the router is not generating a self-signed certificate. What should you check to troubleshoot this issue?
A. Verify the ip http server configuration.
B. Verify the WebVPN group policy configuration.
C. Verify the AAA authentication configuration.
D. Verify that the WebVPN gateway is inservice.
Correct Answer: D
Section: VPN

QUESTION 18
Cisco IOS Intrusion Prevention System (IPS) is an inline, deep-packet inspection feature that effectively mitigates a wide range of network attacks. When verifying Cisco IOS IPS operations, when should you expect Cisco IOS IPS to start loading the signatures?
A. After you configure the ip ips sdf location flash:filename command
B. After you configure the ip ips sdf builtin command
C. After you configure a Cisco IOS IPS rule in the global configuration
D. When the first Cisco IOS IPS rule is enabled
Correct Answer: D
Section: IPS

QUESTION 19
Which router plane can be protected by the CPU and Memory Threshold Notifications of the Network Foundation Protection feature?
A. data plane
B. management plane
C. network plane
D. control plane
Correct Answer: B
Section: Other

QUESTION 20
A new Company switch has been installed and you wish to secure it. Which Cisco Catalyst IOS command can be used to mitigate a CAM table overflow attack?
A. CK-S(config-if)# port-security maximum 1
B. CK-S(config)# switchport port-security
C. CK-S(config-if)# port-security
D. CK-S(config-if)# switchport port-security maximum 1
Correct Answer: D
Section: Layer-2 Security

QUESTION 21
Cisco IOS Flexible Packet Matching (FPM) uses flexible and granular Layer 2-7 pattern matching deep within the packet header or payload to provide a rapid first line of defense against network threats and notable worms and viruses. When configuring FPM, what should be the next step after the PHDFs have been loaded?
A. Configure a class map of type "access-control" for classifying packets.
B. Configure a traffic policy.
C. Configure a service policy.
D. Configure a stack of protocol headers.
Correct Answer: D
Section: Firewall

QUESTION 22
You want to increase the security of a newly installed switch. Which Cisco Catalyst IOS command is used to mitigate a MAC spoofing attack?
A. CK-S(config-if)# port-security mac-address 0000.ffff.aaaa
B. CK-S(config)# switchport port-security mac-address 0000.ffff.aaaa
C. CK-S(config-if)# switchport port-security mac-address 0000.ffff.aaaa
D. CK-S(config)# port-security mac-address 0000.ffff.aaaa
Correct Answer: C
Section: Layer-2 Security

QUESTION 23
The NHRP process allows which requirement to be satisfied in DMVPN?
A. dynamic physical interface IP address at the spoke routers
B. dynamic spoke-to-spoke on-demand tunnels
C. dynamic routing over the DMVPN

D. dual DMVPN hub designs
Correct Answer: A
Section: VPN

QUESTION 24
Based on the following configuration, which two statements are correct? (Choose two.)

ip ips name MYIPS
!
interface GigabitEthernet 0/1
ip address
ip ips MYIPS IN
!

A. SDEE alert messages will be enabled.
B. The basic signatures will be used.
C. The built-in signatures will be used.
D. Cisco IOS IPS will fail-open.
Correct Answer: CD
Section: IPS

QUESTION 25
Which statement accurately describes the Management Plane Protection feature?
A. Only SSH and SNMP management will be allowed on nondesignated management interfaces.
B. Management Plane Protection is enabled on all interfaces by default.
C. Management Plane Protection offers a default management interface.
D. All incoming packets through the management interface are dropped except for those from the allowed management protocols.
Correct Answer: D
Section: Other

QUESTION 26
The security administrator for Company Inc. is working on defending the network against SYN flooding attacks. Which of the following are tools to protect the network from TCP SYN attacks?
A. Route authentication
B. Encryption
C. ACLs
D. TCP intercept

Correct Answer: D
Section: Firewall

QUESTION 27
While using the SDM Certificate Enrollment wizard, which two are the enrollment options? (Choose two.)
A. SCEP
B. OCSP
C. LDAP
D. Cut-and-Paste/Import from PC
Correct Answer: AD
Section: Other

QUESTION 28
Which of the following IOS commands will you advise the Company trainee technician to use when setting the timeout for router terminal line?
A. exec-timeout minute [seconds]
B. line-timeout minute [seconds]
C. timeout console minute [seconds]
D. exec-time minutes [seconds]
Correct Answer: A
Section: Other

QUESTION 29
You are the Cisco Configuration Assistant in your company. Which two configuration commands are used to apply an inspect policy map for traffic traversing from the E0 or E1 interface to the S3 interface based on the following configuration? (Choose two)
A. zone-pair security test source Z1 destination Z2
B. interface E0

C. policy-map myfwpolicy class class-default inspect
D. service-policy type inspect myfwpolicy
Correct Answer: AD
Section: Firewall

QUESTION 30
The Company network is implementing IBNS. In a Cisco Identity-Based Networking Service (IBNS) implementation, the endpoint that is seeking network access is known as what?
A. Host
B. Authentication
C. PC
D. Supplicant
Correct Answer: D
Section: AAA

QUESTION 31
Which three features are supported by Cisco IOS Firewall? (Choose three.)
A. alerts
B. audit trails
C. active/active stateful fail over
D. DoS attacks protection
Correct Answer: ABD
Section: Firewall

QUESTION 32
A new IBNS system is being installed in the Company network. The Cisco Identity-Based Networking Services (IBNS) solution is based on which two standard implementations? (Choose two.)
A. TACACS+
B. RADIUS
C D X
Correct Answer: BD
Section: AAA

QUESTION 33
Which option is correct according to partial configuration displayed in the following exhibit?
A. The policy is configured to use Triple DES IPsec encryption.
B. The policy is configured to use an authentication key of 'rsa-sig'.
C. The policy is configured to use Diffie-Hellman group sha-1.
D. The policy is configured to use digital certificates.
Correct Answer: D
Section: VPN

QUESTION 34
In IKE phase 1, IKE creates an authenticated, secure channel between the two IKE peers, called the IKE security association. The Diffie-Hellman key agreement is always performed in this phase. What are the three authentication methods that you can use during IKE Phase 1? (Choose three.)
A. AAA Authentication
B. pre-shared key
C. RSA signature
D. RSA encrypted nonce
Correct Answer: BCD
Section: VPN

QUESTION 35
While using 5.x signatures to enable Cisco IOS IPS, which required option could be downloaded from Cisco.com?
A. Built-in signatures
B. public key
C. SDF files (128MB.sdf, 256MB.sdf, attack.drop.sdf)
D. Signature Micro-Engines and IME
Correct Answer: B
Section: IPS

QUESTION 36
You wish to configure 802.1X port control on your switch. Which three keywords are used with the dot1x port-control command? (Choose three.)
A. enable
B. force-authorized
C. force-unauthorized
D. auto
Correct Answer: BCD
Section: AAA

QUESTION 37
What information can be displayed by issuing the command show zone-pair security?
A. physical interface members of the zone pair
B. zone descriptions and assigned interfaces
C. source and destination zones, and attached policy
D. all service policy maps
Correct Answer: C
Section: Firewall

QUESTION 38
The PHDF defines the structure of a particular packet and adds the protocol inspection capabilities to Cisco IOS Software. The PHDF stored in the router flash memory is required for which of these applications to function?
A. NBAR
B. CAC
C. PAM
D. FPM
Correct Answer: D
Section: Other

QUESTION 39
Which two features are included in Cisco IOS SSL VPN thin-client mode? (Choose two.)
A. uses a Java applet

B. provides full tunnel access like the IPsec VPN software client
C. requires the use of browser plug-ins
D. provides TCP port forwarding capabilities
Correct Answer: AD
Section: VPN

QUESTION 40
The Company network has rolled out an 802.1X based system. In an 802.1X implementation, the authenticator acts as a gateway to which device?
A. Host
B. Authenticator
C. PC
D. Authentication server
Correct Answer: D
Section: AAA

QUESTION 41
You are the network consultant from your company. What will result from this zone-based firewall configuration based on the following configuration?
A. Traffic from the private zone to the public zone will be dropped.
B. Traffic from the private zone to the public zone will be permitted but not inspected.

C. Traffic from the private zone to the public zone will be permitted and inspected.
D. Traffic from the public zone to the private zone will be permitted but not inspected.
Correct Answer: A
Section: Firewall

QUESTION 42
The Company network is using an 802.1X implementation. In an 802.1X implementation the supplicant directly connects to, and obtains network access permission through which device?
A. Host
B. Authenticator
C. PC
D. Authentication server
Correct Answer: B
Section: AAA

QUESTION 43
The Easy VPN Server feature allows Cisco IOS routers, Cisco Adaptive Security Appliances (ASA), and Cisco PIX Security Appliances to act as head-end devices in site-to-site or remote-access VPNs. The feature pushes security policies defined at the central site to the remote device during which of these phases?
A. IKE Phase 1 first message exchange
B. IKE Phase 2 first message exchange
C. IKE Phase 2 last message exchange
D. IKE mode configuration
Correct Answer: D
Section: VPN

QUESTION 44
You are in charge of Securing Networks Cisco Routers and Switches in your company. Please point out two benefits of using an IPsec GRE tunnel. (Choose two.)
A. It requires a more restrictive crypto ACL to provide finer security control.
B. It has less overhead than running IPsec in tunnel mode.
C. It allows IP multicast traffic.
D. It allows dynamic routing protocol to run over the tunnel interface.
Correct Answer: CD
Section: VPN

QUESTION 45
Which two capabilities are of the Cisco IOS Firewall Feature Set? (Choose two.)
A. protects against worms, malicious users, and denial of service
B. provides for secure connectivity between branch offices
C. provides intrusion protection capabilities
D. interoperates with Network Address Translation to conserve and simplify network address use
Correct Answer: AD
Section: Firewall

QUESTION 46
Which two are typical Layer 2 attacks? (Choose two.)
A. MAC spoofing
B. CAM table overflow
C. Route poisoning
D. DHCP Starvation
Correct Answer: AB
Section: Layer-2 Security

QUESTION 47
You are the Cisco Configuration Assistant in your company. Which two commands would you use to only allow SSH traffic to the router Eth0 interface and deny other management traffic (BEEP, FTP, HTTP, HTTPS, SNMP, Telnet, TFTP) to the router interfaces? (Choose two.)
A. control-plane host
B. interface Eth0
C. policy-map type port-filter policy-name
D. management-interface Eth0 allow ssh
Correct Answer: AD
Section: Other

QUESTION 48
You want to increase the security levels at layer 2 within the Company switched LAN. Which three are typical Layer 2 attack mitigation techniques? (Select three)
A X authentication

B. Port security
C. ARP snooping
D. DHCP snooping
Correct Answer: ABD
Section: Layer-2 Security

QUESTION 49
Which alerting protocol is used by Cisco IOS IPS with a pull mechanism for getting IPS alerts to the network management application?
A. SNMP
B. syslog
C. SDEE
D. POP3
Correct Answer: C
Section: IPS

QUESTION 50
You are the Cisco Configuration Assistant in your company. When you enter the switch(config)#aaa authentication dot1x default group radius command on a Cisco Catalyst switch, you get the error message "invalid input detected". What is the most likely reason?
A. Enable 802.1X first.
B. Define the RADIUS server IP address first, using the switch(config)# radius-server host ipaddress command.
C. Method-list name is missing.
D. Enter the aaa new-model command first.
Correct Answer: D
Section: AAA

QUESTION 51
When configuring FPM, which is the next step after loading the PHDFs?
A. Define a stack of protocol headers.
B. Define a class map of type "access-control" for classifying packets.
C. Reload the router.
D. Save the PHDFs to startup-config.

Correct Answer: A
Section: Other

QUESTION 52
The Company security administrator is in charge of creating a security policy for the company. Which two statements about the creation of a security policy are true? (Choose two)
A. It helps Chief Information Officers determine the return on investment of network security at Company Inc.
B. It defines how to track down and prosecute policy offenders at Company Inc.
C. It provides a process to audit existing network security at Company Inc.
D. It defines which behavior is and is not allowed at Company Inc.
Correct Answer: CD
Section: Firewall

QUESTION 53
Which secure group keying mechanism is used by GET VPN?
A. public and private keys
B. Diffie-Hellman
C. Group Domain of Interpretation
D. group key agreement
Correct Answer: C
Section: VPN

QUESTION 54
You are the network consultant from your company. Cisco IOS Zone-Based Firewall uses which of the following to identify a service or application from traffic flowing through the firewall?
A. Network Based Application Recognition
B. extended access list
C. deep packet inspection
D. PAM table
Correct Answer: D
Section: Firewall

QUESTION 55

Which best practice is recommended while configuring the Auto Update feature for Cisco IOS IPS?
A. Synchronize the router's clock to the PC before configuring Auto Update.
B. Download the realm-cisco.pub.key file and update the public key stored on the router.
C. Clear the router's flash of unused signature files.
D. Enable anonymous TFTP downloads from Cisco.com and specify the download frequency.
Correct Answer: A
Section: IPS

QUESTION 56
Router CK1 is configured with the IOS firewall feature set to prevent TCP based attacks. How many incomplete connections must this router have by default before TCP Intercept will start dropping incomplete connections?
A. 500
B
C. 700
D. 900
Correct Answer: B
Section: Firewall

QUESTION 57
Which statement is correct about the GRE tunnel endpoints while configuring GRE over IPsec?
A. For high availability, the GRE tunnel interface should be configured with a primary and a backup tunnel destination IP address.
B. A mirror image of the IPsec crypto ACL needs to be configured to permit the interesting end-user traffic between the GRE endpoints.
C. The tunnel interface of both endpoints needs to be in the same IP subnet.
D. The tunnel interface of both endpoints should be configured to use the outside IP address of the router as the unnumbered IP address.
Correct Answer: C
Section: VPN

QUESTION 58
Which of the following represents the behavior of the CBAC aggressive mode in a Cisco IOS firewall?
A. Delete all half-open sessions
B. Re-initiate half-open sessions
C. Complete all half open sessions make the full open session
D. Delete half-open sessions as needed to accommodate new connection requests

Correct Answer: D
Section: Firewall

QUESTION 59
You are in charge of Securing Networks Cisco Routers and Switches in your company. Given that the fa0/1 interface is the trusted interface, what could be a reason for users on the trusted inside networks not to be able to successfully establish outbound HTTP connections based on the following configuration?
A. The outgoing ACL on the fa0/1 interface is not set.
B. The FWRULE inspection policy is not inspecting HTTP traffic.
C. ACL 104 is denying the outbound HTTP traffic.
D. The outgoing inspection rule on the fa0/1 interface is not set.
E. ACL 104 is denying the return HTTP traffic.
F. The FWRULE inspection policy is not configured correctly.
Correct Answer: C
Section: Firewall

QUESTION 60
The Dynamic Multipoint VPN (DMVPN) feature allows users to better scale large and small IP Security (IPsec) Virtual Private Networks (VPNs) by combining generic routing encapsulation (GRE) tunnels, IPsec encryption, and Next Hop Resolution Protocol (NHRP). Referring to a DMVPN hub router tunnel interface configuration, what will fail if the ip nhrp map multicast dynamic command is missing on the tunnel interface?

A. The NHRP request and response.
B. The GRE tunnel
C. The IPsec peering
D. The dynamic routing protocol.
Correct Answer: D
Section: VPN

QUESTION 61
What is the objective of the Cisco SDM IPS migration tool?
A. to migrate from promiscuous mode IPS to inline IPS
B. to migrate from Cisco IOS IPS version 4.0 to Cisco IOS IPS version 5.0
C. to migrate from Cisco IOS IPS to the Cisco AIM-IPS
D. to migrate from the Cisco NM-CIDS to the Cisco AIM-IPS
Correct Answer: B
Section: IPS

QUESTION 62
What OSI layers can CBAC filter on? Select all that apply.
A. Layer 4
B. Layer 3
C. Layer 2
D. Layer 7
Correct Answer: ABD
Section: Firewall

QUESTION 63
Which description is true about the Cisco IOS IPS configuration output shown in the following exhibit?

A. The SDF will be loaded from the IPS directory in flash.
B. The built-in signatures will be used.
C. The router is using the advanced IPS signature set.
D. The SMEs are stored in the IPS directory in flash.
Correct Answer: C
Section: IPS

QUESTION 64
Router CK1 has been upgraded with the Cisco firewall IOS. Which of the following cannot be configured on a router unless the IOS Firewall feature set is installed? (Select all that apply)
A. PAM
B. Authentication Proxy

C. IDS
D. CBAC
Correct Answer: ABCD
Section: Firewall

QUESTION 65
For the following Cisco IOS Firewall features, which one allows the firewall to function as a Layer 2 bridge on the network?
A. firewall ACL bypass
B. zone-based firewall
C. CBAC
D. transparent firewall
Correct Answer: D
Section: Firewall

QUESTION 66
While logged into a Company router, which of the following commands specifies that the IOS Firewall IDS engine drops packets and resets TCP connections for information signatures?
A. ip audit name auditi info attack drop reset
B. ip audit name auditi info action drop reset
C. ip audit name auditi info sig action drop reset
D. ip audit name auditi sig info drop reset
Correct Answer: D
Section: Firewall

QUESTION 67
Which statement best describes Cisco IOS Firewall URL-filtering services on Cisco IOS Release 12.4(15)T and later?
A. Enabling "allow mode" is required when using an external URL-filtering server.
B. Multiple URL lists and URL filter server lists can be configured on the router.

C. URL filtering with zone-based firewalls is configured using the type "inspect" parameter-map.
D. The services support Secure Computing server or Websense server and the local URL list.
Correct Answer: D
Section: Firewall

QUESTION 68
You are the Cisco Configuration Assistant in your company. Which command would you use to trigger the router to request certificates from the CA for the router RSA key pair?
A. crypto pki enroll CA-Name
B. enrollment url
C. crypto pki trustpoint CA-Name
D. crypto pki authenticate CA-Name
Correct Answer: A
Section: VPN

QUESTION 69
Which two statements are correct according to the CLI configuration displayed in the exhibit? (Choose two.)
A. Serial0/0/0 is the outside NAT interface.
B. access-list 1 defines the list of inside global IP addresses.
C. The overload option enables static PAT.
D. All HTTP connections to the Serial0/0/0 interface IP address will be translated to the IP address port 8080.
Correct Answer: AD
Section: Firewall

QUESTION 70
The Company network is concerned about SPAM and wants to use IDS tools to prevent SPAM attacks. By default, how many message recipients must an have for the IOS Firewall to consider it a spam attack?

A. 250
B. 500
C. 100
D. 25
Correct Answer: A
Section: IPS

QUESTION 71
Cisco Easy VPN greatly simplifies virtual private network (VPN) deployment for remote offices and teleworkers. While using Cisco Easy VPN, which three options are for entering the XAUTH username and password for establishing the VPN connection from the Cisco Easy VPN remote router? (Choose three.)
A. using an external AAA server
B. saving the XAUTH credentials to this router
C. entering the information from the router console or SDM
D. entering the information from the PC browser when browsing
Correct Answer: BCD
Section: VPN

QUESTION 72
You are the Cisco Configuration Assistant in your company. You are configuring ACS 4.0 Network Access Profiles. Which three things can be used to determine how an access request is classified and mapped to a profile? (Choose three)
A. Network Access Filters
B. RADIUS Authorization Components
C. the protocol types
D. advance filtering
Correct Answer: ACD
Section: AAA

QUESTION 73
For the following Cisco IOS IPS risk rating components, which one uses a low value of 75, a medium value of 100, a high value of 150, and a mission-critical value of 200?
A. Attack Relevancy Rating
B. Promiscuous Delta
C. Target Value Rating
D. Watch List Rating

Correct Answer: C
Section: IPS

QUESTION 74
The security administrator at Company is seeing a large number of half opened TCP sessions. What are half open TCP sessions?
A. Sessions that were denied.
B. Sessions that have not reached the established state.
C. Sessions where the three-way handshake has been completed.
D. Sessions where the firewall detected return traffic.
Correct Answer: B
Section: Other

QUESTION 75
Which item is true about the zone-based firewall policy while configuring the zone-based firewall feature on a Cisco router?
A. The policy is applied unidirectionally between two security zones.
B. Traffic between an interface belonging to a zone and the "self" zone is denied by default unless it is explicitly allowed by a user-defined policy.
C. Interfaces in the same zone require that a bidirectional traffic policy be applied to permit traffic flow.
D. Traffic between an interface belonging to a zone and an interface that is not a zone member is allowed to pass without the policy being applied to the traffic.
Correct Answer: A
Section: Firewall

QUESTION 76
You are the Cisco Configuration Assistant in your company. What additional configuration is required for the Cisco IOS Firewall to reset the TCP connection if any peer-to-peer, tunneling, or instant messaging traffic is detected over HTTP based on the following configuration?

appfw policy-name my policy
application http
strict-http action reset alarm
content-length maximum 1 action reset alarm
content-type-verification match-req-rsp action reset alarm
max-header-length request 1 response 1 action reset alarm
max-url-length 1 action reset alarm
request-method rfc put action reset alarm
transfer-encoding type default reset alarm
!
ip inspect name firewall appfw mypolicy
ip inspect name firewall http
!
Interface FastEthernet0/0
ip inspect firewall in
!

A. class-map configuration
B. the PAM configuration
C. the ip inspect name firewall im, ip inspect name firewall p2p, and ip inspect name firewall tunnel commands
D. the port-misuse default action reset alarm command in the HTTP application firewall policy configuration
Correct Answer: D
Section: Firewall

QUESTION 77
While adding NADs as AAA clients in the ACS, which three parameters are configured for each AAA client? (Choose three.)
A. the NAD IP address
B. the EAP type
C. the shared secret key
D. the AAA protocol to use for communication with the NADs
Correct Answer: ACD
Section: AAA

QUESTION 78
What command configures the amount of time CBAC will wait for a TCP session to become established before dropping the connection in the state table?
A. ip inspect global syn-establish (seconds)
B. ip inspect tcp global syn-time (seconds)
C. ip inspect global tcp syn (seconds)
D. ip inspect tcp synwait-time (seconds)
Correct Answer: D
Section: Firewall

QUESTION 79
Which one of the following Cisco IOS VPN features simplifies IPsec VPN configuration and design by use of on-demand virtual access interfaces cloned from a virtual template configuration?
A. DMVPN
B. dynamic VTI
C. GRE tunnels

D. GRE over IPsec tunnels
Correct Answer: B
Section: VPN

QUESTION 80
You are the Cisco Configuration Assistant in your company. What can you determine based on the following configuration?

crypto ipsec transform-set MINE esp-des
!
crypto map MYMAP 10 ipsec-isakmp
set peer
set transform-set MINE
match address 101

A. The authentication method used between the IPsec peers is pre-shared key.
B. ESP tunnel mode will not be used.
C. This is a dynamic crypto map.
D. ESP tunnel mode will be used.
Correct Answer: D
Section: VPN

QUESTION 81
Which option is correct about the output of the Cisco IOS IPS configuration displayed in the following exhibit?

A. Inline IPS is applied in the outbound direction on the interfaces.
B. The router will drop all packets if the IPS engine is unable to scan data.
C. The basic signatures set has been disabled.
D. The signature delta file is stored in the IPS directory in flash.
Correct Answer: D
Section: IPS

QUESTION 82
You have been tasked with setting up a new router with CBAC. How do you configure the CBAC global UDP idle session timeout?
A. ip inspect udp-session-timeout (seconds)
B. ip inspect udp-idle (seconds)
C. ip inspect udp-timeout (seconds)
D. ip inspect udp idle-time (seconds)
Correct Answer: D
Section: Firewall

QUESTION 83
While deploying 802.1X authentication on Cisco Catalyst switches, which traffic can be passed between the client PC and the Cisco Catalyst switch over the uncontrolled port?
A. DHCP
B. TACACS+
C. HTTP
D. EAPoLAN
Correct Answer: D
Section: AAA

QUESTION 84
You have been tasked with setting up a new Company router with CBAC. How do you set the threshold of half-open sessions CBAC will allow per minute before deleting them?
A. ip inspect one-minute incomplete (number)
B. ip inspect one-minute (number)
C. ip inspect one-minute high (number)
D. ip inspect one-minute high incomplete (number)
Correct Answer: C
Section: Firewall

QUESTION 85
According to the partial configuration displayed in the following exhibit, which additional configuration parameter is required under the GET VPN group member GDOI configuration?
A. key server IP address
B. mapping of the IPsec transform set to the GDOI group
C. mapping of the IPsec profile to the IPsec SA
D. local priority
Correct Answer: A

Section: VPN

QUESTION 86
You are the Cisco Configuration Assistant in your company. Which TCP port would you use to access the Cisco ACS web interface?
A. 22
B. 80
C. 127
D.
Correct Answer: D
Section: AAA

QUESTION 87
Which action can be enabled by the interface configuration command "switchport protected"?
A. allows traffic on protected ports to be forwarded at Layer 2
B. configures the interface for the PVLAN edge
C. groups ports into an isolated community when configured on multiple ports
D. provides isolation between two protected ports located on different switches
Correct Answer: B
Section: Layer-2 Security

QUESTION 88
You have been tasked with setting up a new router with CBAC. How do you configure the CBAC global UDP idle session timeout?
A. ip inspect udp-session-timeout (seconds)
B. ip inspect udp-idle (seconds)
C. ip inspect udp-timeout (seconds)
D. ip inspect udp idle-time (seconds)
Correct Answer: D
Section: Firewall

QUESTION 89
Before configuring private VLANs, which configuration task should be performed?

A. configure PVLAN trunking
B. enable port security on the interface
C. set the VTP mode to transparent
D. associate all isolated ports to the primary VLAN
Correct Answer: C
Section: Layer-2 Security

QUESTION 90
You are setting up a new Company router with CBAC. If CBAC is configured to inspect telnet traffic on an interface, how should outbound telnet traffic be configured in any ACLs?
A. Outbound telnet should be permitted in any ACLs
B. Outbound telnet should be denied in any ACLs
C. Telnet should not be referenced at all in the ACL
D. Outbound telnet should be denied only if inbound telnet is allowed
Correct Answer: A
Section: Firewall

QUESTION 91
Which two options are possible for authenticating the clients that do not have an 802.1X supplicant while deploying 802.1X authentication on Cisco Catalyst switches? (Choose two.)
A. MAC Authentication Bypass
B. Protected EAP
C. Active Directory Single Sign-On
D. web authentication
Correct Answer: AD
Section: AAA

QUESTION 92
CBAC has been configured on router CK1 to increase the security of the Company network. CBAC intelligently filters TCP and UDP packets based on which protocol-session information?
A. Network layer
B. Transport layer
C. Data-link
D. Application layer
Correct Answer: D
Section: Firewall

QUESTION 93
While deploying EIGRP dynamic routing over DMVPN, which three configuration tasks are needed at the hub router tunnel interface? (Choose three.)
A. disabling EIGRP ip next-hop-self
B. disabling EIGRP ip split-horizon
C. disabling EIGRP stub
D. enabling multipoint GRE
Correct Answer: ABD
Section: VPN

QUESTION 94
You are the Cisco Configuration Assistant in your company. After you enable all the authentication protocols under the Global Authentication Setup in Cisco ACS, how can you select a specific EAP type to use for 802.1X authentication?
A. Specify the particular EAP type to use when you configure the RAC.
B. Specify the particular EAP type to use when you configure the NAF.
C. Specify the particular EAP type to use when you configure the NAP authentication policy.
D. Specify the particular EAP type to use when you configure the NAP authorization policy.
Correct Answer: C
Section: AAA

QUESTION 95
What is the problem with the GRE over IPsec configuration displayed in the exhibit?

A. The network command is missing under router eigrp 1.
B. The crypto ACL is not correctly configured.
C. ESP transport mode should be configured instead of using the default tunnel mode.
D. The crypto map is not correctly configured.
Correct Answer: B
Section: VPN

QUESTION 96
John and Kathy are working on configuring the IOS firewall together. They are figuring out what CBAC uses for inspection rules to configure on a per-application protocol basis. Which one of these is the correct one?
A. ODBC filtering
B. Tunnel, transport models, or both
C. Alerts and audit trails
D. Stateful failover
Correct Answer: C
Section: Firewall

QUESTION 97
Which is the correct sequence of the Cisco Easy VPN remote connection process steps?
1) VPN client establishes an ISAKMP SA
2) Cisco Easy VPN server initiates a username and password challenge
3) The MODE configuration process is initiated
4) IPsec quick mode completes the connection process
5) VPN client initiates IKE Phase 1
6) The RRJ process is initiated
7) Cisco Easy VPN server accepts the SA proposal
a. Step 1
b. Step 2
c. Step 3
d. Step 4
e. Step 5
f. Step 6
g. Step 7
A. a-5, b-1, c-7, d-2, e-3, f-6, g-4
B. a-5, b-1, c-7, d-3, e-2, f-6, g-4
C. a-5, b-1, c-7, d-2, e-3, f-4, g-6
D. a-5, b-1, c-7, d-3, e-2, f-4, g-6
Correct Answer: A
Section: VPN

QUESTION 98
You are the security administrator for Company and you need to know what CBAC does on the Cisco IOS Firewall. Which one of these is the best answer?
A. Creates specific security policies for each user at Company Inc.
B. Provides additional visibility at intranet, extranet, and Internet perimeters at Company Inc.
C. Protects the network from internal attacks and threats at Company Inc.
D. Provides secure, per-application access control across network perimeters at Company Inc.
Correct Answer: D
Section: Firewall

QUESTION 99
While configuring Cisco IOS WebVPN, which function can be enabled by using the port-forward command?
A. CIFS

B. OWA
C. Cisco Secure Desktop
D. thin client
Correct Answer: D
Section: VPN

QUESTION 100
By default, how many half-open sessions need to be in the state table before CBAC will begin to delete the half-open sessions?
A. 500
B. 250
C.
D.
Correct Answer: A
Section: Firewall

QUESTION 101
Which three statements accurately describe DMVPN configuration? (Choose three.)
A. The GRE tunnel mode must be set to point-to-point mode: tunnel mode gre point-to-point
B. If running EIGRP over DMVPN, the hub router tunnel interface must have split horizon disabled: no ip split-horizon eigrp AS-Number
C. At the spoke routers, static NHRP mapping to the hub router is required: ip nhrp map hub-tunnel-ip-address hub-physical-ip-address
D. The GRE tunnel must be associated with an IPsec profile: tunnel protection ipsec profile profile-name
Correct Answer: BCD
Section: VPN

QUESTION 102
The authentication proxy feature has been configured on one of the Company routers. What does authentication proxy on the Cisco IOS Firewall do?
A. Creates specific authorization policies for each user with Cisco Secure ACS, dynamic, per-user security and authorization
B. Provides additional visibility at intranet, extranet, and Internet perimeters
C. Creates specific security policies for each user with Cisco Secure ACS, dynamic, per-user authentication and authorization
D. Provides secure, per-application access control across network perimeters

Correct Answer: C
Section: Firewall

QUESTION 103
What is wrong with the partial IPsec VPN high-availability configuration displayed in the following exhibit?
A. The crypto map interface configuration statement should reference the dynamic crypto map DM.
B. A static crypto map should be used instead of a dynamic crypto map.
C. The crypto map CM interface configuration statement is missing the stateful option.
D. IPsec is not synchronized with HSRP.
Correct Answer: D
Section: VPN

QUESTION 104
You are the Cisco Configuration Assistant in your company. Which configuration is not required to enable the Cisco IOS Firewall to inspect a user-defined application which uses TCP ports 8000 and 8001? (Choose three.)
A. access-list 101 permit tcp any any eq 8000
   access-list 101 permit tcp any any eq 8001
   class-map user-10
   match access-group 101
B. ip port-map user-10 port tcp description "TEST PROTOCOL"
C. ip inspect name test user-10
D. int {type number}
   ip inpsect name test in
Correct Answer: BCD
Section: Firewall

QUESTION 105
You are configuring the authentication feature on a new Company router. Which of the following correctly sets the IOS Firewall authentication-proxy idle timer to 20 minutes?
A. ip auth-proxy auth-cache 20
B. ip auth-proxy auth-time 20
C. ip auth-proxy auth-cache-time 20
D. ip auth-proxy idle 20
Correct Answer: C
Section: Firewall

QUESTION 106
You are a network administrator for the CK Company. You are asked to configure a Cisco router to enroll with a certificate authority. Before configuring enrollment parameters, what is a recommended best practice to perform?
A. If using SCEP, ensure that TCP port 22 traffic is permitted to the router.
B. Contact the registration authority to obtain the enrollment URL.
C. Manually verify the PKCS #10 certificate prior to enrollment.
D. Configure Network Time Protocol.
Correct Answer: D
Section: VPN

QUESTION 107
You are the Cisco Configuration Assistant in your company. When you configure a site-to-site IPsec VPN tunnel, which configuration must be the exact reverse of the other IPsec peer?
A. IPsec policy
B. ISAKMP policy
C. pre-shared key
D. crypto ACL
Correct Answer: D
Section: VPN

QUESTION 108
Which type of tunnel mode can be used by DMVPN configuration on the tunnel interface?
A. DVMRP
B. IPsec IPv4
C. NHRP

D. GRE multipoint
Correct Answer: D
Section: VPN

QUESTION 109
You are configuring the authentication feature on a new Company router. Which of the following configures an authentication proxy rule for the IOS Firewall?
A. ip inspect-proxy name proxyname http
B. ip auth-proxy name proxyname http
C. ip auth-rule proxyname http
D. ip proxy-name proxyname http
Correct Answer: B
Section: Firewall

QUESTION 110
Which option is correct about the IKE security association according to the exhibit below?
A. The IPsec connection is in an idle state.
B. The IKE association is in the process of being set up.
C. The IKE status is authenticated.
D. The ISAKMP state is waiting for quick mode status to authenticate before IPsec parameters are passed between peers.
Correct Answer: C
Section: VPN

QUESTION 111
You are the Cisco Configuration Assistant in your company. When you implement 802.1X authentication, which other ACS component will refer to the RACs configured under the Shared Profile Components in the ACS?
A. user setup
B. group setup
C. NAP authentication policy

D. NAP authorization policy
Correct Answer: D
Section: AAA

QUESTION 112
The authentication proxy feature has been configured on one of the Company routers. Where are access profiles stored with the authentication proxy features of the Cisco IOS Firewall?
A. PIX Firewall
B. Cisco router
C. Cisco VPN Concentrator
D. Cisco Secure ACS authentication server
Correct Answer: D
Section: Firewall

QUESTION 113
While configuring a Cisco Easy VPN server, before entering VPN configuration parameters, what should be configured?
A. AAA
B. SSH
C. crypto ACL
D. NTP
Correct Answer: A
Section: VPN

QUESTION 114
You are the network administrator for your company. When you implement IBNS, what is defined using the Tunnel-Private-Group-ID RADIUS attribute?
A. the EAP type
B. pre-shared key
C. the ACL type
D. the VLAN name
Correct Answer: D
Section: Other

QUESTION 115
Under the router(config-isakmp)# configuration mode, which parameter is configured?
A. use of digital certificates for authentication
B. the reference to the crypto ACL
C. the IPsec peer IP address
D. the pre-shared key value
Correct Answer: A
Section: VPN

QUESTION 116
Refer to the output of a "sh ip auth-proxy cache" command issued on a Company router below. Which port is being used by the client?

R2# sh ip auth-proxy cache
Authentication Proxy Cache
 Client Name aaauser, Client IP , Port 2636, timeout 5, Time Remaining 3, state ESTAB

Based on this information, which port is being used by the client?
A.
B.
C.
D.
Correct Answer: D
Section: Firewall

QUESTION 117
Which two statements best describe Network Address Translation and IPsec interoperability? (Choose two.)
A. NAT-T uses TCP port
B. AH does not work with NAT.
C. ESP does not work with PAT.
D. NAT-T sends NAT discovery packets after IKE Phase 2 establishment.
Correct Answer: BC
Section: VPN

QUESTION 118
How does a user on the Company LAN trigger the authentication proxy after the idle timer has expired?
A. The proxy authenticates the user
B. The user initiates another HTTP session
C. The user enters a new username and password
D. The user enters a valid username and password
Correct Answer: B
Section: Firewall

QUESTION 119
When the show crypto isakmp sa output shows a state of "QM_IDLE" with the "Active" status, what does that most likely indicate?
A. Peer authentication has failed during IKE Phase 1.
B. IKE Phase 1 quick mode negotiation has failed.
C. An ISAKMP SA exists.
D. IKE Phase 1 is in the negotiation state.
Correct Answer: C
Section: VPN

QUESTION 120
A new Company router is being configured for IDS services. Choose the two types of signature implementations that the IOS Firewall IDS can detect. (Choose two.)
A. Atomic
B. Dynamic
C. Regenerative
D. Compound
Correct Answer: AD
Section: IPS

QUESTION 121
Which two descriptions are true according to the DMVPN topology diagram in the exhibit? (Choose two.)

A. The hub router needs to have EIGRP split horizon disabled.
B. At the Spoke B router, the next hop to reach the /24 network is
C. Before a spoke-to-spoke tunnel can be built, the spoke router needs to send an NHRP query to the hub to resolve the remote spoke router physical interface IP address.
D. At the Spoke A router, the next hop to reach the /24 network is
Correct Answer: AC
Section: VPN

QUESTION 122
During which phase does Cisco Easy VPN Server push parameters such as the client internal IP address, DHCP server IP address, and WINS server IP address to the Cisco Easy VPN Remote client?
A. IKE XAUTH
B. IKE Phase 1 first-message exchange
C. IKE mode configuration
D. IKE quick mode
Correct Answer: C
Section: VPN

QUESTION 123
Select and Place:

Correct Answer:
Section: IPS

QUESTION 124
Select and Place:

Correct Answer:
Section: IPS

QUESTION 125
Select and Place:

Correct Answer:
Section: Other

QUESTION 126
Select and Place:

Correct Answer:
Section: VPN

QUESTION 127
Select and Place:

Correct Answer:

Section: VPN

QUESTION 128
You are setting up a new Company router with CBAC. Which of the following commands will alter the CBAC DNS timeout timer to 10 seconds?
A. ip inspect dns-server-timeout 10
B. ip inspect dns-server-timer 10
C. ip inspect dns-timeout 10
D. ip inspect dns-timer 10
Correct Answer: C
Section: Firewall

QUESTION 129
Which is the correct sequence of the Cisco Easy VPN remote connection process steps?

Select and Place:
Correct Answer:

Section: VPN

QUESTION 130
Which two category types are associated with 5.x signature use in Cisco IOS IPS? (Choose two.)
A. basic
B. advanced
C. attack-drop
D. built-in
Correct Answer: AB

Section: IPS

QUESTION 131
The Company network is implementing IBNS. In a Cisco Identity-Based Networking Service (IBNS) implementation, the endpoint that is seeking network access is known as what?
A. Host
B. Authentication
C. PC
D. Supplicant
Correct Answer: D
Section: AAA

QUESTION 132
You are the Cisco Configuration Assistant in your company. After you enable all the authentication protocols under the Global Authentication Setup in Cisco ACS, how can you select a specific EAP type to use for 802.1X authentication?
A. Specify the particular EAP type to use when you configure the RAC.
B. Specify the particular EAP type to use when you configure the NAF.
C. Specify the particular EAP type to use when you configure the NAP authentication policy.
D. Specify the particular EAP type to use when you configure the NAP authorization policy.
Correct Answer: C
Section: AAA

QUESTION 133
Refer to the appropriate SDM screen(s). What is the User Datagram Protocol (UDP) idle time set for any HTTP traffic that is sourced from the "in" zone and destined to the "out" zone?


A. 10 seconds
B. 15 seconds
C. 30 seconds
D. 35 seconds

Correct Answer: D
Section: Firewall

QUESTION 134
Which Signature Engine supports Cisco IPS Signature ID 9423?


A. atomic-ip
B. string-tcp
C. service-http
D. string-udp

Correct Answer: B
Section: IPS

QUESTION 135
The security administrator for Company Inc. is working on defending the network against SYN flooding attacks. Which of the following are tools to protect the network from TCP SYN attacks?
A. Route authentication
B. Encryption
C. ACLs
D. TCP intercept
Correct Answer: D
Section: Firewall

QUESTION 136
Which statement best describes Cisco IOS Firewall URL-filtering services on Cisco IOS Release 12.4(15)T and later?
A. Enabling "allow mode" is required when using an external URL-filtering server.
B. Multiple URL lists and URL filter server lists can be configured on the router.
C. URL filtering with zone-based firewalls is configured using the type "inspect" parameter-map.
D. The services support Secure Computing server or Websense server and the local URL list.
Correct Answer: D
Section: Firewall

QUESTION 137
Which two category types are associated with 5.x signature use in Cisco IOS IPS? (Choose two.)
A. basic
B. advanced
C. attack-drop
D. built-in
Correct Answer: AB
Section: IPS

QUESTION 138
Which two technologies can secure the control plane of the Cisco router? (Choose two.)

A. BPDU protection
B. role-based access control
C. routing protocol authentication
D. CPPr
Correct Answer: CD
Section: Other

QUESTION 139
You are in charge of Securing Networks Cisco Routers and Switches in your company. Why is the Cisco IOS Firewall authentication proxy not working based on the following configuration?

aaa new model
aaa authentication login default group tacacs
aaa authentication auth-proxy default group tacacs+
aaa accounting auth-proxy default start-stop group tacacs+
enable password TeSt_123
ip auto-proxy name pxy http
ip auto-proxy auth-proxy-banner
interface Ethernet0/1
 ip address
 ip auto-proxy pxy
no ip http server
tacacs-server host
tacacs-server key Cisco
[Output omitted]

A. The aaa authentication auth-proxy default group tacacs+ command is missing.
B. The router local username and password database is not configured.
C. You forgot to enable HTTP server and AAA authentication.
D. Cisco IOS authentication proxy does not support TACACS+.
Correct Answer: C
Section: AAA

QUESTION 140
Which router plane can be protected by the CPU and Memory Threshold Notifications of the Network Foundation Protection feature?
A. data plane
B. management plane
C. network plane
D. control plane
Correct Answer: B
Section: Other

QUESTION 141
You are the Cisco Configuration Assistant in your company. What additional configuration is required for the Cisco IOS Firewall to reset the TCP connection if any peer-to-peer, tunneling, or instant messaging traffic is detected over HTTP based on the following configuration?

appfw policy-name mypolicy
 application http
  strict-http action reset alarm
  content-length maximum 1 action reset alarm
  content-type-verification match-req-rsp action reset alarm
  max-header-length request 1 response 1 action reset alarm
  max-url-length 1 action reset alarm
  request-method rfc put action reset alarm
  transfer-encoding type default reset alarm
!
ip inspect name firewall appfw mypolicy
ip inspect name firewall http
!
interface FastEthernet0/0
 ip inspect firewall in
!

A. class-map configuration
B. the PAM configuration
C. the ip inspect name firewall im, ip inspect name firewall p2p, and ip inspect name firewall tunnel commands
D. the port-misuse default action reset alarm command in the HTTP application firewall policy configuration
Correct Answer: D
Section: Firewall

QUESTION 142
Which two options are possible for authenticating the clients that do not have an 802.1X supplicant while deploying 802.1X authentication on Cisco Catalyst switches? (Choose two.)
A. MAC Authentication Bypass
B. Protected EAP
C. Active Directory Single Sign-On
D. web authentication
Correct Answer: AD
Section: AAA

QUESTION 143
While configuring a Cisco Easy VPN server, before entering VPN configuration parameters, what should be configured?

A. AAA
B. SSH
C. crypto ACL
D. NTP
Correct Answer: A
Section: VPN

QUESTION 144
A new Company router is being configured for IDS services. Choose the two types of signature implementations that the IOS Firewall IDS can detect. (Choose two.)
A. Atomic
B. Dynamic
C. Regenerative
D. Compound
Correct Answer: AD
Section: IPS

QUESTION 145
Which is the correct sequence of the Cisco Easy VPN remote connection process steps?
Select and Place:

Correct Answer:

Section: VPN

QUESTION 146
Which router plane can be protected by the CPU and Memory Threshold Notifications of the Network Foundation Protection feature?
A. data plane
B. management plane
C. network plane
D. control plane

Correct Answer: B
Section: Other

QUESTION 147
Select and Place:
Correct Answer:
Section: IPS

QUESTION 148
Which two category types are associated with 5.x signature use in Cisco IOS IPS? (Choose two.)
A. basic
B. advanced
C. attack-drop

D. built-in
Correct Answer: AB
Section: IPS

QUESTION 149
Which two category types are associated with 5.x signature use in Cisco IOS IPS? (Choose two.)
A. basic
B. advanced
C. attack-drop
D. built-in
Correct Answer: AB
Section: IPS

QUESTION 150
You are the Cisco Configuration Assistant in your company. What additional configuration is required for the Cisco IOS Firewall to reset the TCP connection if any peer-to-peer, tunneling, or instant messaging traffic is detected over HTTP based on the following configuration?

appfw policy-name mypolicy
 application http
  strict-http action reset alarm
  content-length maximum 1 action reset alarm
  content-type-verification match-req-rsp action reset alarm
  max-header-length request 1 response 1 action reset alarm
  max-url-length 1 action reset alarm
  request-method rfc put action reset alarm
  transfer-encoding type default reset alarm
!
ip inspect name firewall appfw mypolicy
ip inspect name firewall http
!
interface FastEthernet0/0
 ip inspect firewall in
!

A. class-map configuration
B. the PAM configuration
C. the ip inspect name firewall im, ip inspect name firewall p2p, and ip inspect name firewall tunnel commands
D. the port-misuse default action reset alarm command in the HTTP application firewall policy configuration
Correct Answer: D
Section: Firewall

QUESTION 151
Which is the correct sequence of the Cisco Easy VPN remote connection process steps?
Select and Place:
Correct Answer:

Section: VPN


More information

UniNets CCNA Security LAB MANUAL UNiNets CCNA Cisco Certified Network Associate Security LAB MANUAL UniNets CCNA LAB MANUAL

UniNets CCNA Security LAB MANUAL UNiNets CCNA Cisco Certified Network Associate Security LAB MANUAL UniNets CCNA LAB MANUAL UNiNets CCNA Cisco Certified Network Associate Security LAB MANUAL Contents: UniNets CCNA Security LAB MANUAL Section 1 Securing Layer 2 Lab 1-1 Configuring Native VLAN on a Trunk Links Lab 1-2 Disabling

More information

A-B I N D E X. backbone networks, fault tolerance, 174

A-B I N D E X. backbone networks, fault tolerance, 174 I N D E X A-B access links fault tolerance, 175 176 multiple IKE identities, 176 182 single IKE identity with MLPPP, 188 189 with single IKE identity, 183 187 active/standby stateful failover model, 213

More information

Firepower Threat Defense Site-to-site VPNs

Firepower Threat Defense Site-to-site VPNs About, on page 1 Managing, on page 3 Configuring, on page 3 Monitoring Firepower Threat Defense VPNs, on page 11 About Firepower Threat Defense site-to-site VPN supports the following features: Both IPsec

More information

Implementing Cisco Network Security (IINS) 3.0

Implementing Cisco Network Security (IINS) 3.0 Implementing Cisco Network Security (IINS) 3.0 COURSE OVERVIEW: Implementing Cisco Network Security (IINS) v3.0 is a 5-day instructor-led course focusing on security principles and technologies, using

More information

Implementing Firewall Technologies

Implementing Firewall Technologies Implementing Firewall Technologies Network firewalls separate protected from non-protected areas preventing unauthorized users from accessing protected network resources. Technologies used: ACLs Standard,

More information

exam. Number: Passing Score: 800 Time Limit: 120 min CISCO Interconnecting Cisco Networking Devices Part 1 (ICND)

exam. Number: Passing Score: 800 Time Limit: 120 min CISCO Interconnecting Cisco Networking Devices Part 1 (ICND) 100-105.exam Number: 100-105 Passing Score: 800 Time Limit: 120 min CISCO 100-105 Interconnecting Cisco Networking Devices Part 1 (ICND) Exam A QUESTION 1 Which route source code represents the routing

More information

Configuring Web-Based Authentication

Configuring Web-Based Authentication CHAPTER 42 This chapter describes how to configure web-based authentication. It consists of these sections: About Web-Based Authentication, page 42-1, page 42-5 Displaying Web-Based Authentication Status,

More information

KillTest. 半年免费更新服务

KillTest.   半年免费更新服务 KillTest 质量更高 服务更好 学习资料 http://www.killtest.cn 半年免费更新服务 Exam : 642-618 Title : Deploying Cisco ASA Firewall Solutions (FIREWALL v2.0) Version : DEMO 1 / 9 1.On the Cisco ASA, tcp-map can be applied to

More information

Cisco Virtual Office: Easy VPN Deployment Guide

Cisco Virtual Office: Easy VPN Deployment Guide Cisco Virtual Office: Easy VPN Deployment Guide This guide provides detailed design and implementation information for deployment of Easy VPN in client mode with the Cisco Virtual Office. Please refer

More information

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet Interfaces. 2016 Cisco and/or its affiliates. All

More information

Configuring Network Admission Control

Configuring Network Admission Control CHAPTER 59 This chapter describes how to configure Network Admission Control (NAC) in Cisco IOS Release 12.2SX. Note For complete syntax and usage information for the commands used in this chapter, see

More information

Question: 1 Which three parameters must match to establish OSPF neighbor adjacency? (Choose three.)

Question: 1 Which three parameters must match to establish OSPF neighbor adjacency? (Choose three.) Volume: 217 Questions Question: 1 Which three parameters must match to establish OSPF neighbor adjacency? (Choose three.) A. the process ID B. the hello interval C. the subnet mask D. authentication E.

More information

Configuring Authentication Proxy

Configuring Authentication Proxy Configuring Authentication Proxy Last Updated: January 7, 2013 The Cisco IOS Firewall Authentication Proxy feature provides dynamic, per-user authentication and authorization, authenticating users against

More information

CISCO EXAM QUESTIONS & ANSWERS

CISCO EXAM QUESTIONS & ANSWERS CISCO 100-101 EXAM QUESTIONS & ANSWERS Number: 100-101 Passing Score: 800 Time Limit: 120 min File Version: 35.5 http://www.gratisexam.com/ CISCO 100-101 EXAM QUESTIONS & ANSWERS Exam Name: CCNA Interconnecting

More information

Technology Scenarios. INE s CCIE Security Bootcamp - 1 -

Technology Scenarios. INE s CCIE Security Bootcamp - 1 - INE s CCIE Security Bootcamp For CCIE v3.0-1 - - 2 - Lab Physical Cabling Fa0/0 Fa0/1 Fa0/0 S1/2 S1/3 R3 S1/0 S1/1 Fa0/0 R1 S0/0 S0/1 S0/1 R2 S0/0 Ethernet Fa0/0 Fa0/1 BB3 Serial Frame-Relay S0/0 R4 S0/1

More information

Viewing Router Information

Viewing Router Information CHAPTER39 The Cisco Router and Security Device Manager (Cisco SDM) Monitor mode lets you view a current snapshot of information about your router, the router interfaces, the firewall, and any active VPN

More information

Managing Site-to-Site VPNs: The Basics

Managing Site-to-Site VPNs: The Basics CHAPTER 23 A virtual private network (VPN) consists of multiple remote peers transmitting private data securely to one another over an unsecured network, such as the Internet. Site-to-site VPNs use tunnels

More information

Sample Business Ready Branch Configuration Listings

Sample Business Ready Branch Configuration Listings APPENDIX A Sample Business Ready Branch Configuration Listings The following is a sample configuration of a Business Ready Branch. There are many permutations of feature combinations when setting up the

More information

CISCO EXAM QUESTIONS & ANSWERS

CISCO EXAM QUESTIONS & ANSWERS CISCO 300-206 EXAM QUESTIONS & ANSWERS Number: 300-206 Passing Score: 800 Time Limit: 120 min File Version: 35.2 http://www.gratisexam.com/ Exam Code: 300-206 Exam Name: Implementing Cisco Edge Network

More information

Cisco CISCO Securing Networks with ASA Advanced. Practice Test. Version

Cisco CISCO Securing Networks with ASA Advanced. Practice Test. Version Cisco 642-515 CISCO 642-515 Securing Networks with ASA Advanced Practice Test Version 3.1 QUESTION NO: 1 Cisco 642-515: Practice Exam Which two statements correctly describe configuring active/active failover?

More information

Configuring Authentication Proxy

Configuring Authentication Proxy Configuring Authentication Proxy Last Updated: January 18, 2012 The Cisco IOS Firewall Authentication Proxy feature provides dynamic, per-user authentication and authorization, authenticating users against

More information

Configuring Web-Based Authentication

Configuring Web-Based Authentication This chapter describes how to configure web-based authentication on the switch. It contains these sections: Finding Feature Information, page 1 Web-Based Authentication Overview, page 1 How to Configure

More information

Cisco CCIE Security Written.

Cisco CCIE Security Written. Cisco 400-251 CCIE Security Written http://killexams.com/pass4sure/exam-detail/400-251 QUESTION: 193 Which two of the following ICMP types and code should be allowed in a firewall to enable traceroute?

More information

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM This lab has been updated for use on NETLAB+ Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet Interfaces.

More information

VRF Aware Cisco IOS Firewall

VRF Aware Cisco IOS Firewall VRF Aware Cisco IOS Firewall VRF Aware Cisco IOS Firewall applies Cisco IOS Firewall functionality to VRF (Virtual Routing and Forwarding) interfaces when the firewall is configured on a service provider

More information

DPX8000 Series Deep Service Switching Gateway User Configuration Guide Firewall Service Board Module v1.0

DPX8000 Series Deep Service Switching Gateway User Configuration Guide Firewall Service Board Module v1.0 DPX8000 Series Deep Service Switching Gateway User Configuration Guide Firewall Service Board Module v1.0 i Hangzhou DPtech Technologies Co., Ltd. provides full- range technical support. If you need any

More information

Exam : Title : Security Solutions for Systems Engineers. Version : Demo

Exam : Title : Security Solutions for Systems Engineers. Version : Demo Exam : 642-566 Title : Security Solutions for Systems Engineers Version : Demo 1. Which one of the following elements is essential to perform events analysis and correlation? A. implementation of a centralized

More information

Identity Firewall. About the Identity Firewall

Identity Firewall. About the Identity Firewall This chapter describes how to configure the ASA for the. About the, on page 1 Guidelines for the, on page 7 Prerequisites for the, on page 9 Configure the, on page 10 Monitoring the, on page 16 History

More information

1.1 Configuring HQ Router as Remote Access Group VPN Server

1.1 Configuring HQ Router as Remote Access Group VPN Server Notes: 1.1 Configuring HQ Router as Remote Access Group VPN Server Step 1 Enable AAA model for local and remote access authentication. AAA will prompt extended authentication for remote access group VPN

More information

Sample excerpt. Virtual Private Networks. Contents

Sample excerpt. Virtual Private Networks. Contents Contents Overview...................................................... 7-3.................................................... 7-5 Overview of...................................... 7-5 IPsec Headers...........................................

More information

Configuring Cache Services Using the Web Cache Communication Protocol

Configuring Cache Services Using the Web Cache Communication Protocol Configuring Cache Services Using the Web Cache Communication Protocol Finding Feature Information, page 1 Prerequisites for WCCP, page 1 Restrictions for WCCP, page 2 Information About WCCP, page 3 How

More information

Cisco ASA 5500 LAB Guide

Cisco ASA 5500 LAB Guide INGRAM MICRO Cisco ASA 5500 LAB Guide Ingram Micro 4/1/2009 The following LAB Guide will provide you with the basic steps involved in performing some fundamental configurations on a Cisco ASA 5500 series

More information

New Features for ASA Version 9.0(2)

New Features for ASA Version 9.0(2) FIREWALL Features New Features for ASA Version 9.0(2) Cisco Adaptive Security Appliance (ASA) Software Release 9.0 is the latest release of the software that powers the Cisco ASA family. The same core

More information

Chapter 10 - Configure ASA Basic Settings and Firewall using ASDM

Chapter 10 - Configure ASA Basic Settings and Firewall using ASDM Chapter 10 - Configure ASA Basic Settings and Firewall using ASDM This lab has been updated for use on NETLAB+ Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet interfaces.

More information

AccessEnforcer Version 4.0 Features List

AccessEnforcer Version 4.0 Features List AccessEnforcer Version 4.0 Features List AccessEnforcer UTM Firewall is the simple way to secure and manage your small business network. You can choose from six hardware models, each designed to protect

More information

The IINS acronym to this exam will remain but the title will change slightly, removing IOS from the title, making the new title.

The IINS acronym to this exam will remain but the title will change slightly, removing IOS from the title, making the new title. I n t r o d u c t i o n The CCNA Security IINS exam topics have been refreshed from version 2.0 to version 3.0. This document will highlight exam topic changes between the current 640-554 IINS exam and

More information

Platform Settings for Firepower Threat Defense

Platform Settings for Firepower Threat Defense Platform settings for devices configure a range of unrelated features whose values you might want to share among several devices. Even if you want different settings per device, you must create a shared

More information

Lab Configure Cisco IOS Firewall CBAC on a Cisco Router

Lab Configure Cisco IOS Firewall CBAC on a Cisco Router Lab 3.8.3 Configure Cisco IOS Firewall CBAC on a Cisco Router Objective Scenario Topology Estimated Time: 35 minutes Number of Team Members: Two teams with four students per team In this lab, students

More information

I N D E X. Numerics. 3DES (triple Data Encryption Standard), 199

I N D E X. Numerics. 3DES (triple Data Encryption Standard), 199 I N D E X Numerics A 3DES (triple Data Encryption Standard), 199 AAA (Authentication, Authorization, and Accounting), 111 114, 236 configuring, 114, 144 145 CSACS, 116 122 floodguard, 168 169 servers,

More information

Configuring IPsec and ISAKMP

Configuring IPsec and ISAKMP CHAPTER 61 This chapter describes how to configure the IPsec and ISAKMP standards to build Virtual Private Networks. It includes the following sections: Tunneling Overview, page 61-1 IPsec Overview, page

More information

DYNAMIC MULTIPOINT VPN SPOKE TO SPOKE DIRECT TUNNELING

DYNAMIC MULTIPOINT VPN SPOKE TO SPOKE DIRECT TUNNELING DYNAMIC MULTIPOINT VPN SPOKE TO SPOKE DIRECT TUNNELING NOVEMBER 2004 1 Direct Spoke To Spoke Tunnels Initially, spoke to spoke traffic can only travel via the hub In DMVPN, spokes can send packets directly

More information

Cisco Virtual Office High-Scalability Design

Cisco Virtual Office High-Scalability Design Solution Overview Cisco Virtual Office High-Scalability Design Contents Scope of Document... 2 Introduction... 2 Platforms and Images... 2 Design A... 3 1. Configure the ACE Module... 3 2. Configure the

More information

HC-711 Q&As. HCNA-CBSN (Constructing Basic Security Network) - CHS. Pass Huawei HC-711 Exam with 100% Guarantee

HC-711 Q&As. HCNA-CBSN (Constructing Basic Security Network) - CHS. Pass Huawei HC-711 Exam with 100% Guarantee HC-711 Q&As HCNA-CBSN (Constructing Basic Security Network) - CHS Pass Huawei HC-711 Exam with 100% Guarantee Free Download Real Questions & Answers PDF and VCE file from: 100% Passing Guarantee 100% Money

More information

Configuring FlexVPN Spoke to Spoke

Configuring FlexVPN Spoke to Spoke Last Published Date: March 28, 2014 The FlexVPN Spoke to Spoke feature enables a FlexVPN client to establish a direct crypto tunnel with another FlexVPN client leveraging virtual tunnel interfaces (VTI),

More information

Configuring Web-Based Authentication

Configuring Web-Based Authentication The Web-Based Authentication feature, also known as web authentication proxy, authenticates end users on host systems that do not run the IEEE 802.1x supplicant. Finding Feature Information, on page 1

More information

Overview of the IPsec Features

Overview of the IPsec Features CHAPTER 2 This chapter provides an overview of the IPsec features of the VSPA. This chapter includes the following sections: Overview of Basic IPsec and IKE Configuration Concepts, page 2-1 Configuring

More information

Cisco Certified Network Associate ( )

Cisco Certified Network Associate ( ) Cisco Certified Network Associate (200-125) Exam Description: The Cisco Certified Network Associate (CCNA) Routing and Switching composite exam (200-125) is a 90-minute, 50 60 question assessment that

More information

examcollection.premium.exam.68q. Exam code: Exam name: Troubleshooting and Maintaining Cisco IP Networks (TSHOOT) Version 15.

examcollection.premium.exam.68q. Exam code: Exam name: Troubleshooting and Maintaining Cisco IP Networks (TSHOOT) Version 15. 300-135.examcollection.premium.exam.68q Number: 300-135 Passing Score: 800 Time Limit: 120 min File Version: 15.0 / Exam code: 300-135 Exam name: Troubleshooting and Maintaining Cisco IP Networks (TSHOOT)

More information

Cisco IPS AIM Deployment, Benefits, and Capabilities

Cisco IPS AIM Deployment, Benefits, and Capabilities Cisco IPS AIM Abstract The Cisco IPS Advanced Integration Module (AIM) for Cisco modular integrated services routers integrates a high-performance, feature-rich intrusion prevention system (IPS) into the

More information

Access Rules. Controlling Network Access

Access Rules. Controlling Network Access This chapter describes how to control network access through or to the ASA using access rules. You use access rules to control network access in both routed and transparent firewall modes. In transparent

More information

clear ip access-list counters

clear ip access-list counters clear ip access-list counters clear ip access-list counters To clear IP access list counters, use the clear ip access-list counters command in privileged EXEC mode. clear ip access-list counters [access-list-number

More information

Index. Numerics 3DES (triple data encryption standard), 21

Index. Numerics 3DES (triple data encryption standard), 21 Index Numerics 3DES (triple data encryption standard), 21 A B aggressive mode negotiation, 89 90 AH (Authentication Headers), 6, 57 58 alternatives to IPsec VPN HA, stateful, 257 260 stateless, 242 HSRP,

More information

Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions

Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions To ensure Cisco ISE is able to interoperate with network switches and functions from Cisco ISE are successful across

More information

CertifyMe. CertifyMe

CertifyMe. CertifyMe CertifyMe Number: 642-618 Passing Score: 825 Time Limit: 120 min File Version: 9.0 http://www.gratisexam.com/ CertifyMe 642-618 Sections 1. Section1 (1-10) 2. Section2 (11-20) 3. Section3 (21-30) 4. Section4

More information

Information about Network Security with ACLs

Information about Network Security with ACLs This chapter describes how to configure network security on the switch by using access control lists (ACLs), which in commands and tables are also referred to as access lists. Finding Feature Information,

More information

Easy VPN Configuration Guide, Cisco IOS Release 15S

Easy VPN Configuration Guide, Cisco IOS Release 15S Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION

More information

Cisco 5921 Embedded Services Router

Cisco 5921 Embedded Services Router Data Sheet Cisco 5921 Embedded Services Router The Cisco 5921 Embedded Services Router (ESR) is a Cisco IOS software router application. It is designed to operate on small, low-power, Linux-based platforms

More information

ASA Access Control. Section 3

ASA Access Control. Section 3 [ 39 ] CCNP Security Firewall 642-617 Quick Reference Section 3 ASA Access Control Now that you have connectivity to the ASA and have configured basic networking settings on the ASA, you can start to look

More information

Managing Site-to-Site VPNs

Managing Site-to-Site VPNs CHAPTER 21 A virtual private network (VPN) consists of multiple remote peers transmitting private data securely to one another over an unsecured network, such as the Internet. Site-to-site VPNs use tunnels

More information

IT Exam Training online / Bootcamp

IT Exam Training online / Bootcamp DumpCollection IT Exam Training online / Bootcamp http://www.dumpcollection.com PDF and Testing Engine, study and practice Exam : 210-260 Title : Implementing Cisco Network Security Vendor : Cisco Version

More information

ITdumpsFree. Get free valid exam dumps and pass your exam test with confidence

ITdumpsFree.  Get free valid exam dumps and pass your exam test with confidence ITdumpsFree http://www.itdumpsfree.com Get free valid exam dumps and pass your exam test with confidence Exam : 640-554 Title : Implementing Cisco IOS Network Security (IINS v2.0) Vendor : Cisco Version

More information

(SECUR) TestKing's Securing Cisco IOS Networks

(SECUR) TestKing's Securing Cisco IOS Networks 642-501 (SECUR) TestKing's Securing Cisco IOS Networks Version 16.0 Important Note, Please Read Carefully Study Tips This product will provide you questions and answers along with detailed explanations

More information

Teacher s Reference Manual

Teacher s Reference Manual UNIVERSITY OF MUMBAI Teacher s Reference Manual Subject: Security in Computing Practical with effect from the academic year 2018 2019 Practical 1: Packet Tracer - Configure Cisco Routers for Syslog, NTP,

More information

Configuring a VPN Using Easy VPN and an IPSec Tunnel, page 1

Configuring a VPN Using Easy VPN and an IPSec Tunnel, page 1 Configuring a VPN Using Easy VPN and an IPSec Tunnel This chapter provides an overview of the creation of Virtual Private Networks (VPNs) that can be configured on the Cisco 819, Cisco 860, and Cisco 880

More information

CCNA Routing and Switching (NI )

CCNA Routing and Switching (NI ) CCNA Routing and Switching (NI400+401) 150 Hours ` Outline The Cisco Certified Network Associate (CCNA) Routing and Switching composite exam (200-125) is a 90-minute, 50 60 question assessment that is

More information

Actual4Test. Actual4test - actual test exam dumps-pass for IT exams

Actual4Test.   Actual4test - actual test exam dumps-pass for IT exams Actual4Test http://www.actual4test.com Actual4test - actual test exam dumps-pass for IT exams Exam : 200-125 Title : CCNA Cisco Certified Network Associate CCNA (v3.0) Vendor : Cisco Version : DEMO Get

More information

Gigabit SSL VPN Security Router

Gigabit SSL VPN Security Router As Internet becomes essential for business, the crucial solution to prevent your Internet connection from failure is to have more than one connection. PLANET is the ideal to help the SMBs increase the

More information

S.No. CCIE Security Written Exam Topics v4.0 Part I Infrastructure, Connectivity, Communications, Network Security

S.No. CCIE Security Written Exam Topics v4.0 Part I Infrastructure, Connectivity, Communications, Network Security S.No. CCIE Security Written Exam Topics v4.0 Part I Infrastructure, Connectivity, Communications, Network Security 1 Network Addressing Basics 2 OSI Layers 3 TCP/UDP/IP Protocols 4 LAN Switching (e.g.

More information

v Number: Passing Score: 800 Time Limit: 120 min File Version: 12.39

v Number: Passing Score: 800 Time Limit: 120 min File Version: 12.39 642-618.v12.39 Number: 642-618 Passing Score: 800 Time Limit: 120 min File Version: 12.39 http://www.gratisexam.com/ Copyright @2006-2011 Lead2pass.com, All Rights Reserved. Vendor: Cisco Exam Code: 642-618

More information

Cisco Virtual Office: Layered Security Features

Cisco Virtual Office: Layered Security Features Cisco Virtual Office: Layered Security Features This guide provides detailed design and implementation information relating to the different layered security features in the Cisco Virtual Office. Please

More information

Actualtests Q

Actualtests Q Actualtests.300-135 55Q Number: 300-135 Passing Score: 800 Time Limit: 120 min File Version: 5.4 http://www.gratisexam.com/ 300-135 Troubleshooting and Maintaining Cisco IP Networks (TSHOOT) Passed today

More information

CCNA Semester 2 labs. Labs for chapters 2 10

CCNA Semester 2 labs. Labs for chapters 2 10 CCNA Semester 2 labs Labs for chapters 2 10 2.2.2.5 Lab - Configuring IPv4 Static and Default Routes 2.3.2.4 Lab - Troubleshooting Static Routes 3.2.1.9 Lab - Configuring Basic RIPv2 5.2.2.9 Lab - Configuring

More information