Ver : 05.19.09
642-825
QUESTION 1
When configuring the Cisco VPN Client with transparent tunneling, what is true about the IPSec
over TCP option?
Answer: C
QUESTION 2
Refer to the exhibit.
MPLS must be enabled on all routers in the MPLS domain that consists of Cisco routers and
equipment of other vendors. What MPLS distribution protocol(s) should be used on router R2
Fast Ethernet interface Fa0/0 so that the Label Information Base (LIB) table is populated across
the MPLS domain?
Answer: C
QUESTION 3
Which two statements about common network attacks are true? (Choose two.)
A. Access attacks can consist of password attacks, trust exploitation, port redirection, and man-in-the-middle
attacks.
B. Access attacks can consist of password attacks, ping sweeps, port scans, and man-in-the-middle attacks.
C. Access attacks can consist of packet sniffers, ping sweeps, port scans, and man-in-the-middle attacks.
D. Reconnaissance attacks can consist of password attacks, trust exploitation, port redirection
and Internet information queries.
E. Reconnaissance attacks can consist of packet sniffers, port scans, ping sweeps, and Internet
information queries.
F. Reconnaissance attacks can consist of ping sweeps, port scans, man-in-middle attacks and
Internet information queries.
Answer: A, E
QUESTION 4
Which two statements about worms, viruses, or Trojan horses are true? (Choose two.)
Answer: C, E
QUESTION 5
Which two statements about management protocols are true? (Choose two.)
A. Syslog version 2 or above should be used because it provides encryption of the syslog
messages.
B. NTP version 3 or above should be used because these versions support a cryptographic
authentication mechanism between peers.
C. SNMP version 3 is recommended since it provides authentication and encryption services for
management packets.
D. SSH, SSL and Telnet are recommended protocols to remotely manage infrastructure devices.
E. TFTP authentication (username and password) is sent in an encrypted format, and no
additional encryption is required.
Answer: B, C
QUESTION 6
Which two statements about the Cisco Autosecure feature are true? (Choose two.)
Answer: C, E
QUESTION 7
Which three statements are correct about MPLS-based VPNs? (Choose three.)
A. Route Targets (RTs) are attributes attached to a VPNv4 BGP route to indicate its VPN
membership.
B. Scalability becomes challenging for a very large, fully meshed deployment.
C. Authentication is done using a digital certificate or pre-shared key.
D. A VPN client is required for client-initiated deployments.
E. A VPN client is not required for users to interact with the network.
F. An MPLS-based VPN is highly scalable because no site-to-site peering is required.
Answer: A, E, F
QUESTION 8
Which IPsec mode will encrypt a GRE tunnel to provide multiprotocol support and reduced
overhead?
A. 3DES
B. multipoint GRE
C. tunnel
D. transport
Answer: D
QUESTION 9
Which two statements are true about broadband cable (HFC) systems? (Choose two.)
Answer: B, D
QUESTION 10
Refer to the exhibit.
Which two statements about the AAA configuration are true? (Choose two.)
A. A good security practice is to have the none parameter configured as the final method used to
ensure that no other authentication method will be used.
B. If a TACACS+ server is not available, then a user connecting via the console port would not
be able to gain access since no other authentication method has been defined.
C. If a TACACS+ server is not available, then the user Bob could be able to enter privileged
mode as long as the proper enable password is entered.
D. The aaa new-model command forces the router to override every other authentication method
previously configured for the router lines.
E. To increase security, group radius should be used instead of group tacacs+.
F. Two authentication options are prescribed by the displayed aaa authentication command.
Answer: D, F
QUESTION 11
Which two statements are correct about mitigating attacks by the use of access control lists
(ACLs)? (Choose two.)
A. Extended ACLs on routers should always be placed as close to the destination as possible.
B. Each ACL that is created ends with an implicit permit all statement.
C. Ensure that earlier statements in the ACL do not negate any statements that are found later in
the list.
D. Denied packets should be logged by an ACL that traps informational (level 6) messages.
E. IP packets that contain the source address of any internal hosts or networks inbound to a
private network should be permitted.
F. More specific ACL statements should be placed earlier in the ACL.
Answer: D, F
QUESTION 12
Refer to the exhibit.
Answer: C
QUESTION 13
Which three configuration steps must be taken to connect a DSL ATM interface to a service
provider? (Choose three.)
A. Enable VPDN.
B. Configure PPPoE on the VPDN group.
C. Configure the ATM PVC.
D. Assign a VPDN group name.
E. Configure a dialer interface.
F. Configure the correct PPP encapsulation on the ATM virtual circuit.
Answer: C, E, F
QUESTION 14
When configuring the Cisco software VPN client on a PC, which values need to be entered to
complete the setup when pre-shared key authentication is used?
Answer: A
QUESTION 15
What is one benefit of AutoSecure?
Answer: C
QUESTION 16
Which two steps must be taken for SSH to be implemented on a router? (Choose two.)
A. Ensure that the Cisco IOS Firewall feature set is installed on the devices.
B. Ensure that the target routers are configured for AAA either locally or through a database
C. Ensure that each router is using the correct domain name for the network
D. Ensure that an ACL is configured on the VTY lines to block Telnet access
Answer: B, C
QUESTION 17
What is meant by the attack classification of "false positive" on a Cisco IPS device?
Answer: A
QUESTION 18
Which statement is true about signature-based intrusion detection?
Answer: B
QUESTION 19
What are three objectives that the no ip inspect command achieves? (Choose three.)
Answer: A, E, F
QUESTION 20
When packets in a session match a signature, what are three actions that the Cisco IOS Firewall
IPS can take? (Choose three.)
Answer: D, E, F
QUESTION 21
Refer to the exhibit.
SDM has added the commands in the exhibit to the router's configuration. What are the three
objectives that these commands accomplish? (Choose three.)
Answer: C, E, F
QUESTION 22
Which three MPLS statements are true? (Choose three.)
Answer: A, D, F
QUESTION 23
Refer to the exhibit.
The configuration in the exhibit is found on an Internet service provider (ISP) Multiprotocol Label
Switching (MPLS) network. What is its purpose?
Answer: D
QUESTION 24
Which three features are benefits of using GRE tunnels in conjunction with IPsec for building
site-to-site VPNs? (Choose three.)
Answer: A, B, D
QUESTION 25
What are the four main steps in configuring an IPsec site-to-site VPN tunnel on Cisco routers?
(Choose four.)
Answer: A, B, D, E
QUESTION 26
Which statement is true about an IPsec/GRE tunnel?
A. The GRE tunnel source and destination addresses are specified within the IPsec transform
set.
B. An IPsec/GRE tunnel must use IPsec tunnel mode.
C. GRE encapsulation occurs before the IPsec encryption process.
D. Crypto map ACL is not needed to match which traffic will be protected.
Answer: C
QUESTION 27
Which feature is an accurate description of the Diffie-Hellman (DH) exchange between two IPsec
peers?
A. allows the two peers to communicate the pre-shared secret key to each other during IKE
phase 1
B. allows the two peers to communicate its digital certificate to each other during IKE phase 1
C. allows the two peers to jointly establish a shared secret key over an insecure
communications channel
D. allows the two peers to negotiate its IPsec transforms during IKE phase 2
E. allows the two peers to authenticate each other over an insecure communications channel
Answer: C
QUESTION 28
Which three modulation signaling standards are used in broadband cable technology? (Choose
three.)
A. S-Video
B. PAL
C. NTSC
D. SECAM
E. FDM
F. FEC
Answer: B, C, D
QUESTION 29
Which statement is true about the default operation of frame-mode MPLS?
A. LSRs must wait to get the next-hop label from their downstream neighbors before propagating
information
B. LSRs will only propagate label mappings to their neighbors by request.
C. Labels are sequentially generated for neighbors.
Answer: D
QUESTION 30
What technique can help to counter a reconnaissance attack?
Answer: A
QUESTION 31
Which can be used to mitigate Trojan horse attacks?
Answer: A
QUESTION 32
How can application layer attacks be mitigated?
Answer: A
QUESTION 33
What does the dsl operating-mode auto command configure on a Cisco router?
A. It configures a Cisco router to automatically detect the proper modulation method to use when
connecting an ATM interface
B. It configures a Cisco router to automatically detect the proper encapsulation method to use
when connecting an ATM interface
C. It configures a Cisco router to automatically detect the proper DSL type (ADSL, IDSL, HDSL,
VDSL) to use when connecting an ATM interface
D. It configures a Cisco router to automatically detect the proper authentication method to use
Answer: A
QUESTION 34
Refer to the exhibit.
Which three statements describe the steps that are required to configure an IPsec site-to-site
VPN using a GRE tunnel? (Choose three.)
A. The command access-list 110 permit gre must be configured to specify which traffic will be
encrypted.
B. The command access-list 110 permit ip must be configured to specify which hosts can use the
tunnel.
C. The tunnel destination 172.17.63.18 command must be configured on the Tunnel0 interface.
D. The tunnel mode gre command must be configured on the Tunnel0 interface.
E. The tunnel source Ethernet1 command must be configured on the Tunnel0 interface
F. The tunnel source Tunnel0 command must be configured on the Tunnel0 interface.
Answer: A, C, E
QUESTION 35
Which three IPsec VPN statements are true? (Choose three.)
Answer: A, B, F
QUESTION 36
Which three statements are true about Cisco IOS Firewall? (Choose three.)
Answer: A, B, E
QUESTION 37
Which two statements are true about the configuration of the Cisco IOS Firewall using the SDM?
(Choose two.)
A. Cisco IOS Firewall features may be configured by choosing the Additional Tasks wizard.
B. Firewall policies can be viewed from the Home screen of the SDM.
C. To simplify the Firewall configuration task, the SDM provides Basic Firewall, Intermediate
Firewall, and Advanced Firewall wizards.
D. The Basic Firewall Configuration wizard applies default access rules to the inside (trusted),
outside (untrusted) and DMZ interfaces
E. The Advanced Firewall Configuration wizard applies access rules to the inside (trusted),
outside (untrusted) and DMZ interfaces.
Answer: B, E
QUESTION 38
Refer to the exhibit.
A site-to-site VPN connection has been configured using SDM. What option can aid in the
configuration of the VPN on the peer router?
Answer: A
QUESTION 39
What should a security administrator who uses SDM consider when configuring the firewall on an
interface that is used in a VPN connection?
A. The firewall must permit traffic going out of the local interface only.
B. The firewall must permit traffic to a VPN concentrator only.
C. The firewall must permit encrypted traffic between the local and remote VPN peers.
D. The firewall cannot be configured in conjunction with a VPN.
Answer: C
QUESTION 40
Refer to the exhibit.
A GRE tunnel has been configured between the R1 headquarters router and the R2 branch site
router. Why are users at the branch site unable to access the corporate intranet?
A. The source IP address of the GRE tunnel must be different from the IP address of interface
S0/0 on router R1.
B. The destination IP address of the GRE tunnel must be different from the IP address of the
interface S0/1 on router R2.
C. The IP address of the interface tunnel1 must be the same as the IP address of the interface
S0/0 on router R1.
D. The interface S0/0 on router R1 must be enabled with the no shutdown command.
E. The GRE tunnel must be configured with the encapsulation ppp command.
Answer: D
QUESTION 41
Refer to the exhibit.
What is missing in the configuration of both IPSec peers concerning the IPSec/GRE
configuration?
Answer: C
QUESTION 42
Which three statements are correct about a GRE over IPsec VPN tunnel configuration on Cisco
IOS routers? (Choose three.)
Answer: A, C, D
QUESTION 43
Which two statements about Cisco Easy VPN are true? (Choose two.)
A. An IOS router, a PIX firewall or a VPN client can operate as an Easy VPN terminal point.
B. A VPN client can also be configured to operate as an Easy VPN server.
C. Easy VPN does not support split tunnels.
D. Easy VPN tunnel endpoint addresses can be the virtual IP address of an HSRP configuration.
E. Easy VPN is only appropriate for smaller deployments.
Answer: A, D
QUESTION 44
Refer to the exhibit.
Which two statements are true about the information that is shown from the Cisco VPN screens?
(Choose two.)
A. The 10.10.32.32 network entry in the Route Details screen represents the IP address of the
server end of the encrypted tunnel.
B. The 10.10.32.32 network entry in the Route Details screen represents an IP address that will
be accessed without traversing the VPN.
C. Selecting Enable Transparent Tunneling on the connection entry on the right allows Local
LAN Routes to be available on the Route Details on the left screen.
D. Selecting IPSec over TCP on the connection entry on the right allows Local LAN Routes to be
available on the Route Details on the left screen.
E. Selecting Allow Local LAN Access on the connection entry on the right allows Local LAN
Routes to be available on the Route Details on the left screen.
Answer: B, E
QUESTION 45
Refer to the exhibit.
Which statement is true about the configuration of split tunnels using SDM?
A. Any protected subnets that are entered represent subnets at the end user's site that will be
accessed without going through the encrypted tunnel.
B. Any protected subnets that are entered represent subnets at the end user's site that will be
accessed through the encrypted tunnel.
C. Any protected subnets that are entered represent subnets at the VPN server site that will be
accessed without going through the encrypted tunnel.
D. Any protected subnets that are entered represent subnets at the VPN server site that will be
accessed through the encrypted tunnel.
Answer: D
QUESTION 46
What is the function of the MPLS data plane?
A. The data plane exchanges Layer 3 routing information using OSPF, EIGRP, IS-IS, and BGP
protocols.
B. The data plane exchanges labels using the label exchange protocols TDP, LDP, BGP, and
RSVP.
C. The data plane uses the Forwarding Information Base (FIB) to forward packets based on the
routing information.
D. The data plane uses Label Forwarding Information Base (LFIB) to forward packets based on
the labels.
Answer: D
QUESTION 47
Which two statements about packet sniffers or packet sniffing are true? (Choose two.)
A. A packet sniffer requires the use of a network adapter card in nonpromiscuous mode to
capture all network packets that are sent across a LAN.
B. Packet sniffers can only work in a switched Ethernet environment.
C. To reduce the risk of packet sniffing, cryptographic protocols such as Secure Shell Protocol
(SSH) and Secure Sockets Layer (SSL) should be used.
D. To reduce the risk of packet sniffing, strong authentication, such as one time passwords,
should be used.
E. To reduce the risk of packet sniffing, traffic rate limiting and RFC 2827 filtering should be
used.
Answer: C, D
QUESTION 48
Which two network attack statements are true? (Choose two.)
A. Access attacks can consist of password attacks, trust exploitation, port redirection, and man-in-the-middle
attacks.
B. Access attacks can consist of UDP and TCP SYN flooding, ICMP echo-request floods, and
ICMP directed broadcasts.
C. DoS attacks can be reduced through the use of access control configuration, encryption, and
RFC 2827 filtering.
D. DoS attacks can consist of IP spoofing and DDoS attacks.
E. IP spoofing can be reduced through the use of policy-based routing.
F. IP spoofing exploits known vulnerabilities in authentication services, FTP services, and web
services to gain entry to web accounts, confidential databases, and other sensitive
information.
Answer: A, D
QUESTION 49
Which three statements are true about Cisco Intrusion Detection System (IDS) and Cisco
Intrusion Prevention System (IPS) functions? (Choose three.)
A. Only IDS systems provide real-time monitoring that includes packet capture and analysis of
network packets.
B. Both IDS and IPS systems provide real-time monitoring that involves packet capture and
analysis of network packets.
C. The signatures on the IDS devices are configured manually whereas the signature on the IPS
devices are configured automatically.
D. IDS can detect misuse, abuse, and unauthorized access to networked resources but can only
respond after an attack is detected.
E. IPS can detect misuse, abuse, and unauthorized access to networked resources and respond
before network security can be compromised.
F. IDS can deny malicious traffic from the inside network whereas IPS can deny malicious traffic
from outside the network.
Answer: B, D, E
QUESTION 50
What are the four steps, in their correct order, to mitigate a worm attack?
Answer: A
QUESTION 51
Which three benefits do IPsec VPNs provide? (Choose three.)
A. Origin authentication
B. Adaptive threat defense
C. Confidentiality
D. QoS
E. Data integrity
F. A fully-meshed topology with low overhead
Answer: A, C, E
QUESTION 52
Refer to the exhibit.
When you are using the Quick Setup option of the Site-to-Site VPN wizard on the SDM to
configure an IPsec VPN, which three settings can you configure? (Choose three.)
A. Peer identity
B. Crypto map
C. Pre-shared key
D. Transform set priority
E. Source interface and destination IP address
F. Encapsulation security payload
Answer: A, C, E
QUESTION 53
Which IPsec VPN term describes a policy contract that specifies how two peers will use IPsec
security services to protect network traffic?
B. Transform set
C. Authentication header
D. Security association
Answer: D
QUESTION 54
Refer to the exhibit.
Answer: C
QUESTION 55
If an edge Label Switch Router (LSR) is properly configured, which three combinations are
possible? (Choose three.)
A. A received IP packet is forwarded based on the IP destination address and the packet is sent
as an IP packet.
B. An IP destination exists in the IP forwarding table. A received labeled packet is dropped
because the label is not found in the LFIB table.
C. There is an MPLS label-switched path toward the destination. A received IP packet is dropped
because the destination is not found in the IP forwarding table.
D. A received IP packet is forwarded based on the IP destination address and the packet is sent
as a labeled packet.
E. A received labeled IP packet is forwarded based upon both the label and the IP address.
F. A received labeled packet is forwarded based on the label. After the label is swapped, the
newly labeled packet is sent.
Answer: A, D, F
QUESTION 56
Which three techniques should be used to secure management protocols? (Choose three.)
Answer: A, B, C
QUESTION 57
Which two management protocols provide security enhancements such as cryptographic
authentication and packet encryption of management traffic? (Choose two.)
A. NTP version 3
B. SNMP version 3
C. Syslog version 3
D. Telnet version 3
E. TFTP version 3
Answer: A, B
QUESTION 58
Refer to the exhibit.
SDM has been used to configure IPS on the router. While reviewing the Secure Device Event
Exchange (SDEE) error messages, you noticed that SDM failed to load a signature definition file
(SDF) from the specified URL locations. Which other location, if enabled, could the SDF be
loaded from?
Answer: B
QUESTION 59
Refer to the exhibit.
What is one of the objectives accomplished by the default startup configuration file created by the
SDM?
Answer: D
QUESTION 60
Refer to the exhibit.
A. Authentication Proxy
B. IOS firewall
C. Distributed time-based ACLs
D. Infrastructure protection ACLs
E. Turbo ACLs
F. Reflexive ACLs
Answer: B
QUESTION 61
Refer to the exhibit.
A. The configuration permits ICMP outbound traffic, denies ICMP inbound traffic, and permits
traffic that has been initiated from inside a router that has been synched with an NTP server.
B. The configuration permits ICMP inbound traffic, denies ICMP outbound traffic, and permits
traffic that has been initiated from inside a router that has been synched with an NTP server.
C. For the specified protocols, the configuration results in a timeout value of 3600 seconds for
authentication of encrypted traffic.
Actualtests.com - The Power of Knowing
Answer: E
QUESTION 62
Refer to the exhibit
A. TurboACLs
B. Reflexive ACLs
C. Authentication Proxy
D. IOS Firewall
E. Distributed Time-Based ACLs
F. Infrastructure Protection ACLs
Answer: D
QUESTION 63
Which firewall feature allows per-user policy to be downloaded dynamically to the router from a
TACACS+ or RADIUS server using AAA services?
Answer: C
QUESTION 64
Which statement describes Reverse Route Injection (RRI)?
A. A static route that points towards the Cisco Easy VPN server is created on the remote client.
B. A static route is created on the Cisco Easy VPN server for the internal IP address of each
VPN client.
C. A default route is injected into the route table of the remote client.
D. A default route is injected into the route table of the Cisco Easy VPN server.
Answer: B
QUESTION 65
Which two commands will start services that should be enabled for SDM operations? (Choose
two.)
A. ip http secure-server
B. ip http authentication local
C. service password-encryption
D. ip dhcp-client network-discovery
E. service tcp-small-servers
Answer: A, B
QUESTION 66
Which privilege level is required when configuring the SDM?
A. 0
B. 1
C. 8
D. 10
E. 12
F. 15
Answer: F
QUESTION 67
Which two actions will take place when One-Step Lockdown is implemented? (Choose two.)
Answer: B, C
QUESTION 68
Refer to the exhibit
What does the "Allow Local LAN Access" option enable a Cisco software VPN client to do?
Answer: D
QUESTION 69
Which two statements are true about Cisco IOS Firewall? (Choose two.)
Answer: B, D
QUESTION 70
Refer to the exhibit
Of the numbered items in the exhibit, which combination is required to implement only SSH?
A. 1, 3, 5, 6, 7, and 9
B. 5, 6, and 7
C. 5, 6, 7, and 9
D. 1, 4, 5, and 9
E. 2, 3, 5, and 9
Answer: D
QUESTION 71
Which statement is true about the super view of Role-Based CLI?
Answer: C
QUESTION 72
Which HFC cable network statement is true about the downstream data channel to the customer
and the upstream data channel to the service provider?
A. The downstream data path is assigned a 30 MHz channel and the upstream data path is
assigned a 1 MHz channel.
B. The downstream data path is assigned a fixed bandwidth channel and the upstream data path
uses a variable bandwidth channel.
C. Both upstream and downstream data paths are assigned in 6 MHz channels.
D. The upstream data path is assigned a channel in a higher frequency range than the
downstream path has.
Answer: C
QUESTION 73
Which statement about xDSL implementations is true?
A. All xDSL standards operate in higher frequencies than the POTS system and therefore can
coexist on the same media.
B. All xDSL standards operate in lower frequencies than the POTS system and can therefore
coexist on the same media.
C. The ADSL standard operates in higher frequencies than the POTS system and can therefore
coexist on the same media.
D. The HDSL standard operates in higher frequencies than the POTS system and can therefore
coexist on the same media.
E. Other than providing higher data rates, HDSL is identical to ADSL.
Answer: C
QUESTION 74
Which two statements about the Autosecure feature are true? (Choose two.)
Answer: A, B
QUESTION 75
Which statement is true about the global configuration command ntp server 198.133.219.25?
A. Entering the command ntp server 198.133.219.26 would replace the original command ntp
server 196.133.219.25.
B. The command configures the router to be the NTP time source for a peer located at IP
address 198.133.219.25.
C. The command configures the router to provide the date and clock setting for a host located at
IP address 198.133.219.25.
D. The command configures the router to synchronize with an NTP time source located at IP
address 198.133.219.25.
Answer: D
QUESTION 76
Which statement is true about a router configured with the ntp trusted-key 10 command?
A. This router only synchronizes to a system that uses this key in its NTP packets.
B. The IOS will not permit '10' as an argument to the ntp trusted-key command.
C. This command enables DES encryption of NTP packets.
D. This router will join an NTP multicast group where all routers share the same trusted key.
Answer: A
QUESTION 77
Which statement about the aaa authentication enable default group radius enable command is
true?
A. If the radius server returns an error the enable password will be used.
B. If the radius server returns a 'failed' message, the enable password will be used.
C. The command login authentication group will associate the AAA authentication to a specified
interface.
D. If the group database is unavailable, the radius server will be used.
Answer: A
QUESTION 78
Which command sequence is an example of a correctly configured AAA configuration that uses
the local database?
Answer: A
QUESTION 79
Refer to the exhibit
Based on the partial configuration, which two statements are true? (Choose two.)
A. If configured, the enable password could also be used to log into the console port.
B. The local parameter is missing at the end of each aaa authentication LOCAL-AUTH
command.
C. The command aaa authentication default should be issued for each line instead of the login
authentication LOCAL_AUTH command.
D. This is an example of a self-contained AAA configuration using the local database.
E. To make the configuration more secure, the none parameter should be added to the end of
the aaa authentication login LOCAL_AUTH local command.
F. To successfully establish a Telnet session with RTA, a user can enter the username Bob and
password cisco.
Answer: D, F
QUESTION 80
Refer to the exhibit.
A network administrator wishes to mitigate network threats. Given that purpose, which two
statements about the IOS firewall configuration that is revealed by the output are true?
A. The command ip inspect FIREWALL_ACL out must be applied on interface FastEthernet 0/0.
B. The command ip inspect FIREWALL_ACL out must be applied on interface FastEthernet 0/1.
C. The command ip access-group FIREWALL_ACL in must be applied on interface FastEthernet
0/0.
D. The command ip access-group FIREWALL_ACL in must be applied on interface FastEthernet
0/1.
E. The configuration excerpt is an example of a CBAC list.
F. The configuration excerpt is an example of a reflexive ACL.
Answer: B, E
QUESTION 81
In an MPLS VPN implementation, how are overlapping customer prefixes propagated?
Answer: D
QUESTION 82
Refer to the exhibit
On the basis of the information presented, which configuration change would correct the Secure
Shell (SSH) problem?
A. Configure router RTA with the ip domain name domain-name global configuration command.
B. Configure router RTA with the crypto key generate rsa general-keys modulus modulus-number
global configuration command.
C. Configure router RTA with the crypto key generate rsa usage-keys modulus modulus-number
global configuration command.
D. Configure router RTA with the transport input ssh vty line configuration command.
E. Configure router RTA with the no transport input telnet vty line configuration command.
Answer: D
QUESTION 83
When configuring a site-to-site IPsec VPN tunnel, which configuration must be the exact reverse
of the other IPsec peer?
Answer: B
QUESTION 84
Refer to the exhibit.
A user is unable to initiate an SSH session with RTA. To help troubleshoot the problem, RTA has
been configured as indicated in the exhibit. However, a second attempt to initiate an SSH
connection to RTA fails to generate debug information on the Syslog server. What configuration
change would display the debug information on the Syslog server?
A. Router RTA should be configured with the debug ip packet EXEC command.
B. Router RTA must be configured with the correct Syslog IP address.
C. Router RTA must be configured with the logging buffered informational global configuration
command.
D. Router RTA must be configured with the logging monitor debugging global configuration
command.
E. Router RTA must be configured with the logging trap debugging global configuration
command.
Answer: E
QUESTION 85
When you are using the SDM to configure a GRE tunnel over IPsec, which two parameters are
required when defining the tunnel interface information? (Choose two.)
Answer: B, D
QUESTION 86
Refer to the exhibit.
Routers RTB and RTC have established LDP neighbor sessions. Troubleshooting discovered that
labels are being distributed between the two routers but no label swapping information is in the
LFIB. What is the most likely cause of this problem?
Answer: B
QUESTION 87
Refer to the exhibit.
All routers participate in the MPLS domain. An ISP propagates the routing information for network
10.10.10.0/24 from R3 to R1. However, router R3 summarizes the routing information to
10.10.0.0/16. How will the routes be propagated through the MPLS domain?
A. R3, using LDP, will advertise labels for both networks, and the information will be propagated
throughout the MPLS domain.
B. R3 will label the summary route using a pop label. The route will then be propagated through
the rest of the MPLS domain. R3 will label the 10.10.10.0/24 network and forward to R2
where the network will be dropped.
C. R3 will label the 10.10.10.0/24 network using a pop label which will be propagated through
the rest of the MPLS domain. R3 will label the summary route and forward to R2 where the
network will be dropped.
D. None of the networks will be labeled and propagated through the MPLS domain because
aggregation breaks the MPLS domain.
Answer: B
QUESTION 88
Refer to the exhibit.
MPLS and LDP are enabled on routers RTB and RTC and all interfaces are enabled. However,
the routers will not establish an LDP neighbor session. Troubleshooting has revealed that there is
forwarding information in the FIB table, but there is no forwarding information in the LFIB table.
Which issue would cause this problem?
Answer: D
QUESTION 89
What can be configured to provide resiliency when using SDM to configure a site-to-site GRE
over IPsec VPN tunnel?
A. HSRP
B. Stateful IPsec failover
C. A backup GRE over IPsec tunnel
D. Load balancing using two GRE over IPsec tunnels
E. Redundant dynamic crypto maps
Answer: C
QUESTION 90
Refer to the exhibit and the partial configuration on a DSL router.
The DSL Router is connected to a service provider using a PPPoE session over a DSL line. The
FTP traffic, generated from inside the network 10.92.1.0/24, fails to reach the PPPoE Server.
What should be configured on the DSL Router to fix the problem?
A. The ip mtu command with a bytes argument set greater than 1500 needs to be configured for
the Dialer 1 interface.
B. The ip mtu command with a bytes argument set lower than 1500 needs to be configured for
the Dialer 1 interface.
C. The ip mtu command with a bytes argument set greater than 1500 needs to be configured
for the ATM0 interface
D. The ip mtu command with a bytes argument set lower than 1500 needs to be configured for
the ATM0 interface.
Answer: B
QUESTION 91
Refer to the exhibit.
Answer: B
QUESTION 92
Which three routing protocols can be configured when configuring a site-to-site GRE over IPsec
tunnel using SDM? (Choose three.)
A. BGP
B. RIP
C. IGRP
D. EIGRP
E. OSPF
F. IS-IS
Answer: B, D, E
QUESTION 93
When configuring an IPsec VPN to backup a WAN connection, what can be configured to
influence the EIGRP routing process to select the primary WAN link over the backup IPsec
tunnel?
Answer: D
QUESTION 94
Which high availability option uses the concept of a virtual IP address to ensure that the default IP
gateway for an IPsec site-to-site tunnel is always reachable?
Answer: C
QUESTION 95
What are three features in the SDM that role-based access provides? (Choose three.)
A. provides configuration wizards for all routing protocols (like RIP, OSPF, EIGRP, BGP, IS-IS)
B. provides to end customers Multiservice switching platforms (MSSPs) with a graphical,
read-only view of the customer premises equipment (CPE) services
C. provides advanced troubleshooting using debug output analysis
D. provides secure access to the SDM user interface and Telnet interface specific to the profile
of each administrator
E. provides logical separation of the router between different router administrators and users
F. provides dynamic update of new R3 signatures for administrator, firewall administrator, easy
VPN client, and read-only users
Answer: B, D, E
QUESTION 96
Refer to the exhibit
What two types of attacks does the IOS firewall configuration prevent? (Choose two.)
A. Java applets
B. SYN flood
C. Trojan horse
D. DDOS
E. packet sniffers
Answer: B, D
QUESTION 97
Refer to the exhibit
A. EZ VPN
B. IOS Firewall
C. AutoSecure
D. IOS IPS
E. AAA
F. TACACS+
Answer: C
QUESTION 98
Which two statements are true about the Easy VPN Server configuration that is shown? (Choose
two).
Answer: B, C
QUESTION 99
What are the four fields in an MPLS label? (Choose four.)
A. version
B. experimental
C. label
D. protocol
E. TTL
F. bottom-of-stack indicator
Answer: B, C, E, F
QUESTION 100
Which global configuration mode command will configure a Cisco router as an authoritative NTP
server?
A. ntp broadcast
B. ntp peer
C. ntp server
D. ntp master
Answer: D
QUESTION 101
Refer to the exhibit
SDM has been used to configure the locations from which the signature definition file (SDF) will
be loaded. What will happen if the SDF files in flash are not available at startup?
D. All traffic will be inspected by the pre-built signatures bundled in the attack-drop.sdf file.
Answer: A
QUESTION 102
Which statement is true about convergence in an MPLS network?
A. MPLS convergence will take place at the same time as the routing protocol convergence.
B. MPLS convergence will take place after the routing protocol convergence.
C. MPLS convergence will take place before the routing protocol convergence.
D. MPLS must be reconfigured after the routing protocol convergence.
Answer: B
QUESTION 103
Refer to the exhibit
Which statement is true about the output of the show crypto engine connections active
command?
A. The device that is shown has not established a VPN connection with a peer.
B. No sub interfaces are involved in VPN connections.
C. All three interfaces are active and are encrypting and decrypting traffic.
D. The state of "set" indicates that the connection is configured but not connected to a peer.
Answer: C
QUESTION 104
Which two protocols can be used to prevent a reconnaissance attack? (Choose two.)
A. SSH
B. Telnet
C. IPsec
D. NTP
E. SNMP
Answer: A, C
QUESTION 105
What is a possible way to prevent a worm attack on a host PC?
A. Enable SSH.
B. Enable encryption.
C. Implement TACACS+.
D. Keep the operating system current with the latest patches.
Answer: D
QUESTION 106
Which procedure is recommended to protect SNMP from application layer attacks?
Answer: A
QUESTION 107
Refer to the exhibit
A. Inbound packets to request a TCP session with the 10.10.10.0/24 network are allowed.
B. TCP responses from the outside network for TCP connections that originated on the inside
network are allowed.
C. TCP responses from the inside network for TCP connections that originated on the outside
network are denied.
D. Any inbound packet with the SYN flag set to be routed is permitted.
Answer: B
QUESTION 108
Which two statements are true about the Cisco IOS Firewall set? (Choose two.)
Answer: A, D
QUESTION 109
Which statement is true about the SDM Basic Firewall wizard?
A. The wizard applies predefined rules to protect the private and DMZ networks.
B. The wizard can configure multiple DMZ interfaces for outside users.
C. The wizard permits the creation of a custom application security policy.
D. The wizard configures one outside interface and one or more inside interfaces.
Answer: D
QUESTION 110
Which three statements about frame-mode MPLS are true? (Choose three.)
A. MPLS has three distinct components consisting of the data plane, the forwarding plane, and
the control plane.
B. The control plane is a simple label-based forwarding engine that is independent of the type of
routing protocol or label exchange protocol.
C. The CEF FIB table contains information about outgoing interfaces and their corresponding
Layer 2 header.
D. The MPLS data plane takes care of forwarding based on either destination addresses or
labels.
E. To exchange labels, the control plane requires protocols such as Tag Distribution Protocol
(TDP) or MPLS Label Distribution Protocol (LDP).
F. Whenever a router receives a packet that should be CEF-switched, but the destination is not
in the FIB, the packet is dropped.
Answer: D, E, F
QUESTION 111
Which three statements about the Cisco Easy VPN feature are true? (Choose three.)
A. If the VPN server is configured for Xauth, the VPN client waits for a username / password
challenge.
B. The Cisco Easy VPN feature only supports transform sets that provide authentication and
encryption.
C. The VPN client initiates aggressive mode (AAA) if a pre-shared key is used for authentication
during the IKE phase 1 process.
D. The VPN client verifies a server username/password challenge by using a AAA authentication
server that supports TACACS+ or RADIUS.
E. The VPN server can only be enabled on Cisco PIX Firewalls and Cisco VPN 3000 series
concentrators.
F. When connecting with a VPN client, the VPN server must be configured for ISAKMP group 1,
2 or 5.
Answer: A, B, C
QUESTION 112
Which two statements are true about the use of SDM to configure the Cisco Easy VPN feature on
a router? (Choose two.)
A. An Easy VPN connection is a connection that is configured between two Easy VPN clients.
B. The Easy VPN server address must be configured when configuring the SDM Easy VPN
Server wizard.
C. The SDM Easy VPN Server wizard displays a summary of the configuration before applying
the VPN configuration.
D. The SDM Easy VPN Server wizard can be used to configure a GRE over IPSec site-to-site
VPN or a dynamic multipoint VPN (DMVPN).
E. The SDM Easy VPN Server wizard can be used to configure user XAuth authentication locally
on the router or externally with a RADIUS server.
F. The SDM Easy VPN Server wizard recommends using the Quick setup feature when
configuring a dynamic multipoint VPN.
Answer: C, E
QUESTION 113
Which three statements are true when configuring Cisco IOS Firewall features using the SDM?
(Choose three.)
A. A custom application security policy can be configured in the Advanced Firewall Security
Configuration dialog box.
B. An optional DMZ interface can be specified in the Advanced Firewall Interface Configuration
dialog box.
C. Custom application policies for e-mail, instant messaging, HTTP, and peer-to-peer services
can be created using the Intermediate Firewall wizard.
D. Only the outside (untrusted) interface is specified in the Basic Firewall Interface Configuration
dialog box.
E. The outside interface that SDM can be launched from is configured in the Configuring Firewall
for Remote Access dialog box.
F. The SDM provides a basic, intermediate, and advanced firewall wizard.
Answer: A, B, E
QUESTION 114
Which device is responsible for attaching a VPN label to a packet traversing an MPLS network?
Answer: B
QUESTION 115
Refer to the exhibit.
Given the partial tunnel configuration that is shown, which tunneling encapsulation is set?
A. GRE
B. GRE multipoint
C. cayman
D. DVMRP
Answer: A
QUESTION 116
Which three statements about IOS Firewall configurations are true? (Choose three.)
A. The IP inspection rule can be applied in the inbound direction on the secured interface.
B. The IP inspection rule can be applied in the outbound direction on the unsecured interface.
C. The ACL applied in the outbound direction on the unsecured interface should be an extended
ACL.
D. The ACL applied in the inbound direction on the unsecured interface should be an extended
ACL.
E. For temporary openings to be created dynamically by Cisco IOS Firewall, the access-list for
the returning traffic must be a standard ACL.
F. For temporary openings to be created dynamically by Cisco IOS Firewall, the IP inspection
rule must be applied to the secured interface.
Answer: A, B, D
QUESTION 117
Which statement describes the Authentication Proxy feature?
A. All traffic is permitted from the inbound to the outbound interface upon successful
authentication of the user.
B. A specific access profile is retrieved from a TACACS+ or RADIUS server and applied to an
IOS Firewall based on user provided credentials.
C. Prior to responding to a proxy ARP, the router will prompt the user for a login and password
which are authenticated based on the configured AAA policy.
D. The proxy server capabilities of the IOS Firewall are enabled upon successful authentication
of the user.
Answer: B
QUESTION 118
Which two statements about an IDS are true? (Choose two.)
Answer: B, D
QUESTION 119
Which statement is true about the SDM IPS Policies wizard?
A. In order to configure the IPS, the wizard requires that customized signature files be created.
B. The IPS Policies wizard only allows the use of default signatures which cannot be modified.
C. The IPS Policies wizard can be used to modify, delete, or disable signatures that have been
deployed on the router.
D. When initially enabling the IPS Policies wizard, SDM automatically checks and downloads
updates of default signatures available from CCO (cisco.com).
E. The wizard verifies whether the command is correct but does not verify available router
resources before the signatures are deployed to the router.
Answer: C
QUESTION 120
Which statement is correct about Security Device Event Exchange (SDEE) messages?
D. SDEE specifies the IPS/IDS message exchange format between an IPS/IDS device and the
IPS management/monitoring station.
E. For SDEE messages to be viewed, the show ip ips all or show logging commands must be
given first.
Answer: D
QUESTION 121
Refer to the exhibit
What are the ramifications of Fail Closed being enabled under Engine Options?
A. The router will drop all packets that arrive on the affected interface.
B. If the IPS engine is unable to scan data, the router will drop all packets.
C. If the IPS detects any malicious traffic, it will cause the affected interface to close any open
TCP connections.
D. The IPS engine is enabled to scan data and drop packets depending upon the signature of
the flow.
Answer: B
QUESTION 122
A router interface is configured with an inbound access control list and an inspection rule. How
will an inbound packet on this interface be processed?
A. The packet is processed by the inbound ACL. If the packet is dropped by the ACL, it is
processed by the inspection rule.
B. The packet is processed by the inbound ACL. If the packet is not dropped by the ACL, it is
processed by the inspection rule.
C. The packet is processed by the inspection rule. If the packet matches the inspection rule, the
inbound ACL is invoked.
D. The packet is processed by the inspection rule. If the packet does not match the inspection
rule, the inbound ACL is invoked.
Answer: B
QUESTION 123
Refer to the exhibit.
Assume that a signature can identify an IP address as the source of an attack. Which action
would automatically create an ACL that denies all traffic from an attacking IP address?
A. alarm
B. drop
C. reset
D. denyFlowInline
E. denyAttackerInline
F. deny-connection-inline
Answer: E
QUESTION 124
A site requires support for skinny and H.323 voice protocols. How is this configured on an IOS
firewall using the SDM?
A. The Basic Firewall wizard is executed and the High Security Application policy is selected.
B. The Advanced Firewall wizard is executed and a custom Application Security policy is
selected in place of the default Application Security policies.
C. The Application Security tab is used to create a policy with voice support before the Firewall
wizard is run.
D. The Application Security tab is used to modify the SDM_High policy to add voice support prior
to the Firewall wizard being run.
Answer: B
QUESTION 125
Refer to the exhibit.
The Basic Firewall wizard has been used to configure a router. What is the purpose of the
highlighted access list statement?
A. to prevent spoofing by blocking traffic entering interface Fa0/0 with a source address in the
same subnet as interface VLAN10
B. to prevent spoofing by blocking traffic entering Fa0/0 with a source address in the RFC 1916
private address space
C. to establish a DMZ by preventing traffic from interface VLAN10 being sent out interface
Fa0/0
D. to establish a DMZ by preventing traffic from interface Fa0/0 being sent out interface
VLAN10
Answer: A
QUESTION 126
When establishing a VPN connection from the Cisco software VPN client to an Easy VPN server
router using pre-shared key authentication, what is entered in the configuration GUI of the Cisco
software VPN client to identify the group profile that is associated with this VPN client?
A. group name
B. client name
C. distinguished name
D. organizational unit
Answer: A
QUESTION 127
Refer to the exhibit.
An IOS firewall has been configured to support skinny and H.323. Voice traffic is not passing
through the firewall as expected. What needs to be corrected in this configuration?
Answer: C
QUESTION 128
During the Easy VPN Remote connection process, which phase involves pushing the IP address,
Domain Name System (DNS), and split tunnel attributes to the client?
A. mode configuration
B. the VPN client establishment of an ISAKMP SA
C. IPsec quick mode completion of the connection
D. VPN client initiation of the IKE phase 1 process
Answer: A
QUESTION 129
When entering the Group Authentication information while configuring the Cisco VPN Client on a
PC, what information is entered in the "Name" field?
Answer: C
QUESTION 130
Drag each Cisco Easy VPN connection process on the left to its step on the right.
Answer:
QUESTION 131
When configuring the Cisco VPN Client, what action is required prior to installing Mutual Group
Authentication?
Answer: B
QUESTION 132
This item contains several questions that you must answer. You can view these questions by
clicking on the Questions button to the left. Changing questions can be accomplished by clicking
the numbers to the left of each question. In order to complete the questions, you will need to refer
to the SDM and the topology, neither of which is currently visible. To gain access to either the
topology or the SDM, click on the button to left side of the screen that corresponds to the section
you wish to access. When you have finished viewing the topology or the SDM, you can return to
your questions by clicking on the Questions button to the left. Off Shore Industries is a large
worldwide sailing charter. The company has recently upgraded its Internet connectivity. As a
recent addition to the network engineering team, you have been tasked with documenting the
active Firewall configurations on the Annapolis router using the Cisco Router and Security Device
Manager (SDM) utility. Using the SDM output from Firewall and ACL Tasks under the Configure
tab, answer the following questions:
Which statement is true? (We can't offer correct answers for this question, hope you can help us,
and send your suggestions to supportCompany.com, it is greatly appreciated.)
Answer: C
QUESTION 133
This item contains several questions that you must answer. You can view these questions by
clicking on the Questions button to the left. Changing questions can be accomplished by clicking
the numbers to the left of each question. In order to complete the questions, you will need to refer
to the SDM and the topology, neither of which is currently visible.
To gain access to either the topology or the SDM, click on the button to left side of the screen that
corresponds to the section you wish to access. When you have finished viewing the topology or
the SDM, you can return to your questions by clicking on the Questions button to the left.
Off Shore Industries is a large worldwide sailing charter. The company has recently upgraded its
Internet connectivity. As a recent addition to the network engineering team, you have been tasked
with documenting the active Firewall configurations on the Annapolis router using the Cisco
Router and Security Device Manager (SDM) utility. Using the SDM output from Firewall and ACL
Tasks under the Configure tab, answer the following questions:
Which two statements would be true for a permissible incoming TCP packet on an untrusted
interface in this configuration? (Choose two.)
(We can't offer correct answers for this question, hope you can help us, and send your
suggestions to supportCompany.com, it is greatly appreciated.)
Answer: C, E
QUESTION 134
This item contains several questions that you must answer. You can view these questions by
clicking on the Questions button to the left. Changing questions can be accomplished by clicking
the numbers to the left of each question. In order to complete the questions, you will need to refer
to the SDM and the topology, neither of which is currently visible.
To gain access to either the topology or the SDM, click on the button to left side of the screen that
corresponds to the section you wish to access. When you have finished viewing the topology or
the SDM, you can return to your questions by clicking on the Questions button to the left.
Off Shore Industries is a large worldwide sailing charter. The company has recently upgraded its
Internet connectivity. As a recent addition to the network engineering team, you have been tasked
with documenting the active Firewall configurations on the Annapolis router using the Cisco
Router and Security Device Manager (SDM) utility. Using the SDM output from Firewall and ACL
Tasks under the Configure tab, answer the following questions:
Which two statements would specify a permissible incoming TCP packet on a trusted interface in
this configuration? (Choose two.)
(We can't offer correct answers for this question, hope you can help us, and send your
suggestions to supportCompany.com, it is greatly appreciated.)
Answer: A, C
QUESTION 135
This item contains several questions that you must answer. You can view these questions by
clicking on the Questions button to the left. Changing questions can be accomplished by clicking
the numbers to the left of each question. In order to complete the questions, you will need to refer
to the SDM and the topology, neither of which is currently visible.
To gain access to either the topology or the SDM, click on the button to left side of the screen that
corresponds to the section you wish to access. When you have finished viewing the topology or
the SDM, you can return to your questions by clicking on the Questions button to the left.
Which defined peer IP address and local subnet belong to Crete? (Choose two.)
(We can't offer correct answers for this question, hope you can help us, and send your
suggestions to supportCompany.com, it is greatly appreciated.)
Answer:
QUESTION 136
This item contains several questions that you must answer. You can view these questions by
clicking on the Questions button to the left. Changing questions can be accomplished by clicking
the numbers to the left of each question. In order to complete the questions, you will need to refer
to the SDM and the topology, neither of which is currently visible.
To gain access to either the topology or the SDM, click on the button to left side of the screen that
corresponds to the section you wish to access. When you have finished viewing the topology or
the SDM, you can return to your questions by clicking on the Questions button to the left.
Which IPSec rule is used for the Onlympia branch and what does it define? (Choose two.)
(We can't offer correct answers for this question, hope you can help us, and send your
suggestions to supportCompany.com, it is greatly appreciated.)
A. 102
B. 116
C. 127
D. IP traffic sourced from 10.10.10.0/24 destined to 10.5.15.0/24 will use the VPN.
E. IP traffic sourced from 10.10.10.0/24 destined to 10.8.28.0/24 will use the VPN.
F. IP traffic sourced from 10.10.10.0/24 destined to 10.5.33.0/24 will use the VPN.
Answer:
QUESTION 137
This item contains several questions that you must answer. You can view these questions by
clicking on the Questions button to the left. Changing questions can be accomplished by clicking
the numbers to the left of each question. In order to complete the questions, you will need to refer
Which algorithm as defined by the transform set is used for providing data confidentiality when
connected to Tyre?
(We can't offer correct answers for this question, hope you can help us, and send your
suggestions to supportCompany.com, it is greatly appreciated.)
A. ESP-3DES-SHA
B. ESP-3DES-SHA1
C. ESP-3DES-SHA2
D. ESP-3DES
E. ESP-SHA-HMAC
Answer:
QUESTION 138
This item contains several questions that you must answer. You can view these questions by
clicking on the Questions button to the left. Changing questions can be accomplished by clicking
the numbers to the left of each question. In order to complete the questions, you will need to refer
Which peer authentication method and which IPSEC mode is used to connect to the branch
locations? (Choose two.)
(We can't offer correct answers for this question, hope you can help us, and send your
suggestions to supportCompany.com, it is greatly appreciated.)
A. Digital Certificate
B. Pre-Shared Key
C. Transport Mode
D. Tunnel Mode
E. GRE/IPSEC Transport Mode
F. GRE/IPSEC Tunnel Mode
Answer: Pending.
QUESTION 139
What are two steps that must be taken when mitigating a worm attack? (Choose two.)
Answer: A, D
QUESTION 140
What is a reason for implementing MPLS in a network?
Answer: B
QUESTION 141
What are three features of the Cisco IOS Firewall feature set? (Choose three.)
Answer: B, C, F
QUESTION 142
Which two mechanisms can be used to detect IPsec GRE tunnel failures? (Choose two).
Answer: A, E
QUESTION 143
Which two statements are true about broadband cable (HFC) systems? (Choose two.)
Answer: B, D
QUESTION 144
What are three configurable parameters when editing signatures in Security Device Manager
(SDM)? (Choose three.)
A. AlarmSeverity
B. AlarmKeepalive
C. AlarmTraits
D. EventMedia
E. EventAlarm
F. EventAction
Answer: A, C, F
QUESTION 145
Which two statements about common network attacks are true? (Choose two.)
A. Access attacks can consist of password attacks, trust exploitation, port redirection, and
man-in-the-middle attacks.
B. Access attacks can consist of password attacks, ping sweeps, port scans, and
man-in-the-middle attacks.
C. Access attacks can consist of packet sniffers, ping sweeps, port scans, and
man-in-the-middle attacks.
D. Reconnaissance attacks can consist of password attacks, trust exploitation, port redirection
and Internet information queries.
E. Reconnaissance attacks can consist of packet sniffers, port scans, ping sweeps, and Internet
information queries.
F. Reconnaissance attacks can consist of ping sweeps, port scans, man-in-middle attacks and
Internet information queries.
Answer: A, E
QUESTION 146
Which form of DSL technology is typically used as a replacement for T1 lines?
A. VDSL
B. HDSL
C. ADSL
D. SDSL
E. G.SHDSL
F. IDSL
Answer: B
QUESTION 147
Which three statements are true when configuring Cisco IOS Firewall features using the SDM?
(Choose three.)
A. A custom application security policy can be configured in the Advanced Firewall Security
Configuration dialog box.
B. An optional DMZ interface can be specified in the Advanced Firewall Interface Configuration
dialog box.
C. Custom application policies for e-mail, instant messaging, HTTP, and peer-to-peer services
can be created using the Intermediate Firewall wizard.
D. Only the outside (untrusted) interface is specified in the Basic Firewall Interface Configuration
dialog box.
E. The outside interface that SDM can be launched from is configured in the Configuring
Firewall for Remote Access dialog box.
F. The SDM provides a basic, intermediate, and advanced firewall wizard.
Answer: A, B, E
QUESTION 148
Which three statements about frame-mode MPLS are true? (Choose three.)
A. MPLS has three distinct components consisting of the data plane, the forwarding plane, and
the control plane.
B. The control plane is a simple label-based forwarding engine that is independent of the type of
routing protocol or label exchange protocol.
C. The CEF FIB table contains information about outgoing interfaces and their corresponding
Layer 2 header.
D. The MPLS data plane takes care of forwarding based on either destination addresses or
labels.
E. To exchange labels, the control plane requires protocols such as Tag Distribution Protocol
(TDP) or MPLS Label Distribution Protocol (LDP).
F. Whenever a router receives a packet that should be CEF-switched, but the destination is not in
the FIB, the packet is dropped.
Answer: D, E, F
QUESTION 149
What are the four fields in an MPLS label? (Choose four.)
A. Version
B. Experimental
C. Label
D. Protocol
E. TTL
F. Bottom-of-stack indicator
Answer: B, C, E, F
QUESTION 150
Which statement is true when ICMP echo and echo-reply are disabled on edge devices?
Answer: D
QUESTION 151
Which statement is true about a worm attack?
Answer: B
QUESTION 152
Which two network attack statements are true? (Choose two.)
A. Access attacks can consist of password attacks, trust exploitation, port redirection, and
man-in-the-middle attacks.
B. Access attacks can consist of UDP and TCP SYN flooding, ICMP echo-request floods, and
ICMP directed broadcasts.
C. DoS attacks can be reduced through the use of access control configuration, encryption, and
RFC 2827 filtering.
D. DoS attacks can consist of IP spoofing and DDoS attacks.
E. IP spoofing can be reduced through the use of policy-based routing.
F. IP spoofing exploits known vulnerabilities in authentication services, FTP services, and web
services to gain entry to web accounts, confidential databases, and other sensitive
information.
Answer: A, D
QUESTION 153
Which two statements are correct about mitigating attacks by the use of access control lists
(ACLs)? (Choose two.)
A. Extended ACLs on routers should always be placed as close to the destination as possible.
B. Each ACL that is created ends with an implicit permit all statement.
C. Ensure that earlier statements in the ACL do not negate any statements that are found later
in the list.
D. Denied packets should be logged by an ACL that traps informational (level 6) messages.
E. IP packets that contain the source address of any internal hosts or networks inbound to a
private network should be permitted.
F. More specific ACL statements should be placed earlier in the ACL.
Answer: D, F
QUESTION 154
Which two Network Time Protocol (NTP) statements are true? (Choose two.)
Answer: B, C
QUESTION 155
Which statement is true about the SDM Basic Firewall wizard?
A. The wizard applies predefined rules to protect the private and DMZ networks.
B. The wizard can configure multiple DMZ interfaces for outside users.
C. The wizard permits the creation of a custom application security policy.
D. The wizard configures one outside interface and one or more inside interfaces.
Answer: D
QUESTION 156
Which two statements are true about the configuration of the Cisco IOS Firewall using the SDM?
(Choose two.)
A. Cisco IOS Firewall features may be configured by choosing the Additional Tasks wizard.
B. Firewall policies can be viewed from the Home screen of the SDM.
C. To simplify the Firewall configuration task, the SDM provides Basic Firewall, Intermediate
Firewall, and Advanced Firewall wizards.
D. The Basic Firewall Configuration wizard applies default access rules to the inside (trusted),
outside (untrusted) and DMZ interfaces.
E. The Advanced Firewall Configuration wizard applies access rules to the inside (trusted),
outside (untrusted) and DMZ interfaces.
Answer: B, E
QUESTION 157
How can virus and Trojan horse attacks be mitigated?
Answer: D
QUESTION 158
What are three objectives that the no ip inspect command achieves? (Choose three.)
Answer: A, E, F
QUESTION 159
What is required when configuring IOS Firewall using the CLI?
Answer: E
QUESTION 160
Which two statements about packet sniffers or packet sniffing are true? (Choose two.)
A. A packet sniffer requires the use of a network adapter card in nonpromiscuous mode to
capture all network packets that are sent across a LAN.
B. Packet sniffers can only work in a switched Ethernet environment.
C. To reduce the risk of packet sniffing, cryptographic protocols such as Secure Shell
Protocol (SSH) and Secure Sockets Layer (SSL) should be used.
D. To reduce the risk of packet sniffing, strong authentication, such as one time passwords,
should be used.
E. To reduce the risk of packet sniffing, traffic rate limiting and RFC 2827 filtering should be
used.
Answer: C, D
QUESTION 161
Which statement is true about the management protocols?
Answer: C
QUESTION 162
Which statement about an IPS is true?
Answer: A
QUESTION 163
When configuring the Cisco VPN Client, what action is required prior to installing Mutual Group
Authentication?
Answer: B
QUESTION 164
For what purpose does SDM use Security Device Event Exchange (SDEE)?
Answer: B
QUESTION 165
Which three statements are true about Cisco Intrusion Detection System (IDS) and Cisco
Intrusion Prevention System (IPS) functions? (Choose three.)
A. Only IDS systems provide real-time monitoring that includes packet capture and analysis of
network packets.
B. Both IDS and IPS systems provide real-time monitoring that involves packet capture and
analysis of network packets.
C. The signatures on the IDS devices are configured manually whereas the signature on the IPS
devices are configured automatically.
D. IDS can detect misuse, abuse, and unauthorized access to networked resources but can only
respond after an attack is detected.
E. IPS can detect misuse, abuse, and unauthorized access to networked resources and
respond before network security can be compromised.
F. IDS can deny malicious traffic from the inside network whereas IPS can deny malicious traffic
from outside the network.
Answer: B, D, E
QUESTION 166
What phrase best describes a Handler in a distributed denial of service (DDoS) attack?
Answer: C
QUESTION 167
Which PPPoA configuration statement is true?
A. The dsl operating-mode auto command is required if the default mode has been changed.
B. The encapsulation ppp command is required.
C. The ip mtu 1492 command must be applied on the dialer interface.
Answer: A
QUESTION 168
What is a recommended practice for secure configuration management?
Answer: B
QUESTION 169
Which three statements about hybrid fiber-coaxial (HFC) networks are true? (Choose three.)
Answer: D, E, F
QUESTION 170
Which two active response capabilities can be configured on an intrusion detection system (IDS)
in response to malicious traffic detection? (Choose two.)
A. The initiation of dynamic access lists on the IDS to prevent further malicious traffic
B. The configuration of network devices to prevent malicious traffic from passing through
C. The shutdown of ports on intermediary devices
D. The transmission of a TCP reset to the offending end host
E. The invoking of SNMP-sourced controls
Answer: B, D
QUESTION 171
Which IPsec VPN backup technology statement is true?
A. Each Hot Standby Routing Protocol (HSRP) standby group has two well-known MAC
addresses and a virtual IP address.
B. Reverse Route Injection (RRI) is configured at the remote site to inject the central site
networks.
C. The crypto isakmp keepalive command is used to configure the Stateful Switchover (SSO)
protocol.
D. The crypto isakmp keepalive command is used to configure stateless failover.
E. The reverse-route command should be applied directly to the outside interface.
Answer: D
QUESTION 172
Which two statements describe the functions and operations of IDS and IPS systems? (Choose
two.)
Answer: B, F
QUESTION 173
Which three DSL technologies support an analog POTS channel and utilize the entire bandwidth
of the copper to carry data? (Choose three.)
A. ADSL
B. IDSL
C. SDSL
D. RADSL
E. VDSL
Answer: A, D, E
QUESTION 174
What actions can be performed by the Cisco IOS IPS when suspicious activity is detected?
(Choose four.)
F. Deny traffic from the source IP address associated with the connection
Answer: A, C, D, F
QUESTION 175
What are the four steps that occur with an IPsec VPN setup?
Answer: C
QUESTION 176
What is a recommended practice for secure configuration management?
Answer: B
QUESTION 177
Which statement is true about a worm attack?
A. server application.
Answer: B
QUESTION 178
Which two statements are true about the troubleshooting of VPN connectivity on a Cisco router?
(Choose two.)
A. SDM can be used to provide statistical output that is related to IPsec SAs.
B. The debug crypto isakmp command output displays detailed IKE phase 1 and phase 2
negotiation processes.
C. SDM can be used to perform advanced troubleshooting.
D. Knowledge of Cisco IOS CLI commands is required.
E. The Monitor Tunnel Operation page in SDM is the primary tool for troubleshooting VPN
connectivity.
Answer: B, D
QUESTION 179
Which action can be taken by Cisco IOS IPS when a packet matches a signature pattern?
Answer: A
QUESTION 180
Which statement about the aaa authentication enable default group radius enable command is
true?
A. If the radius server returns an error, the enable password will be used.
B. If the radius server returns a 'failed' message, the enable password will be used.
C. The command login authentication group will associate the AAA authentication to a specified
interface.
D. If the group database is unavailable, the radius server will be used.
Answer: A
QUESTION 181
Which three DSL technologies support an analog POTS channel and utilize the entire bandwidth
A. ADSL
B. IDSL
C. SDSL
D. RADSL
E. VDSL
Answer: A, D, E
QUESTION 182
Which two statements are correct about mitigating attacks by the use of access control lists
(ACLs)? (Choose two.)
A. Extended ACLs on routers should always be placed as close to the destination as possible.
B. Each ACL that is created ends with an implicit permit all statement.
C. Ensure that earlier statements in the ACL do not negate any statements that are found later
in the list.
D. Denied packets should be logged by an ACL that traps informational (level 6) messages.
E. IP packets that contain the source address of any internal hosts or networks inbound to a
private network should be permitted.
F. More specific ACL statements should be placed earlier in the ACL.
Answer: D, F
QUESTION 183
If an edge Label Switch Router (LSR) is properly configured, which three combinations are
possible? (Choose three.)
A. A received IP packet is forwarded based on the IP destination address and the packet is sent
as an IP packet.
B. An IP destination exists in the IP forwarding table. A received labeled packet is dropped
because the label is not found in the LFIB table.
C. There is an MPLS label-switched path toward the destination. A received IP packet is
dropped because the destination is not found in the IP forwarding table.
D. A received IP packet is forwarded based on the IP destination address and the packet is sent
as a labeled packet.
E. A received labeled IP packet is forwarded based upon both the label and the IP address.
F. A received labeled packet is forwarded based on the label. After the label is swapped, the
newly labeled packet is sent.
Answer: A, D, F
QUESTION 184
What three features does Cisco Security Device Manager (SDM) offer? (Choose three.)
A. Smart wizards and advanced configuration support for NAC policy features
B. Single-step mitigation of Distributed Denial of Service (DDoS) attacks
C. One-step router lockdown
D. Security auditing capability based upon CERT recommendations
E. Multi-layered defense against social engineering
F. Single-step deployment of basic and advanced policy settings
Answer: A, C, F
QUESTION 185
What are the four steps that occur with an IPsec VPN setup?
Answer: C
QUESTION 186
Which form of DSL technology is typically used as a replacement for T1 lines?
A. VDSL
B. HDSL
C. ADSL
D. SDSL
E. G.SHDSL
F. IDSL
Answer: B
QUESTION 187
Which three categories of signatures can a Cisco IPS microengine identify? (Choose three.)
A. DDoS signatures
B. Strong signatures
C. Exploit signatures
D. Numeric signatures
E. Spoofing signatures
F. Connection signatures
Answer: A, C, F
QUESTION 188
What are two principles to follow when configuring ACLs with IOS Firewall? (Choose two.)
A. Prevent traffic that will be inspected by IOS Firewall from leaving the network through the
firewall.
B. Configure extended ACLs to prevent IOS Firewall return traffic from entering the network
through the firewall.
C. Configure an ACL to deny traffic from the protected networks to the unprotected networks.
D. Permit broadcast messages with a source address of 255.255.255.255.
E. Allow traffic that will be inspected by IOS Firewall to leave the network through the firewall.
Answer: B, E
QUESTION 189
With MPLS, what is the function of the protocol ID (PID) in a Layer 2 header?
Answer: B
QUESTION 190
Which statement identifies a limitation in the way Cisco IOS Firewall tracks UDP connections
versus TCP connections?
Answer: E
QUESTION 191
What are three methods of network reconnaissance? (Choose three.)
A. IP spoofing
B. One-time password
C. Dictionary attack
D. Packet sniffer
E. Ping sweep
F. Port scan
Answer: D, E, F
QUESTION 192
What are three options for viewing Security Device Event Exchange (SDEE) messages in
Security Device Manager (SDM)? (Choose three.)
Answer: A, C, E
QUESTION 193
Which IOS command would display IPS default values that may not be displayed using the show
running-config command?
Answer: A
QUESTION 194
Which statement describes the Authentication Proxy feature?
A. All traffic is permitted from the inbound to the outbound interface upon successful
authentication of the user.
B. A specific access profile is retrieved from a TACACS+ or RADIUS server and applied to an
IOS Firewall based on user provided credentials.
C. Prior to responding to a proxy ARP, the router will prompt the user for a login and password
which are authenticated based on the configured AAA policy.
D. The proxy server capabilities of the IOS Firewall are enabled upon successful authentication
of the user.
Answer: B
QUESTION 195
Which two actions will take place when One-Step Lockdown is implemented? (Choose two.)
Answer: B, C
QUESTION 196
What are the two main features of Cisco IOS Firewall? (Choose two.)
A. TACACS+
B. AAA
C. Cisco Secure Access Control Server
D. Intrusion Prevention System
E. Authentication Proxy
Answer: D, E
QUESTION 197
Which two statements about an IDS are true? (Choose two.)
Answer: B, D
QUESTION 198
Which statement is true about the management protocols?
Answer: C
QUESTION 199
What are two ways to mitigate IP spoofing attacks? (Choose two.)
Answer: B, C
QUESTION 200
What technology must be enabled as a prerequisite to running MPLS on a Cisco router?
A. Process switching
B. Routing-table driven switching
C. Cache driven switching
D. CEF switching
E. Fast switching
Answer: D
QUESTION 201
Which two statements are true about signatures in a Cisco IOS IPS? (Choose two.)
Answer: B, E
QUESTION 202
Which two statements are true about broadband cable (HFC) systems? (Choose two.)
E. A function of the cable modem termination system is to convert the digital data stream from
the end user host into a modulated RF signal for transmission onto the cable system.
Answer: B, D
QUESTION 203
Which two network attack statements are true? (Choose two.)
A. Access attacks can consist of password attacks, trust exploitation, port redirection, and
man-in-the-middle attacks.
B. Access attacks can consist of UDP and TCP SYN flooding, ICMP echo-request floods, and
ICMP directed broadcasts.
C. DoS attacks can be reduced through the use of access control configuration, encryption, and
RFC 2827 filtering.
D. DoS attacks can consist of IP spoofing and DDoS attacks.
E. IP spoofing can be reduced through the use of policy-based routing.
F. IP spoofing exploits known vulnerabilities in authentication services, FTP services, and web
services to gain entry to web accounts, confidential databases, and other sensitive
information.
Answer: A, D
QUESTION 204
Which two statements about the AutoSecure feature are true? (Choose two.)
Answer: A, B
QUESTION 205
What two proactive preventive actions are taken by an intrusion prevention system (IPS) when
malicious traffic is detected? (Choose two.)
Answer: C, E
QUESTION 206
Which three MPLS statements are true? (Choose three.)
Answer: A, D, F
QUESTION 207
Which three statements are correct about MPLS-based VPNs? (Choose three.)
A. Route Targets (RTs) are attributes attached to a VPNv4 BGP route to indicate its VPN
membership.
B. Scalability becomes challenging for a very large, fully meshed deployment.
C. Authentication is done using a digital certificate or pre-shared key.
D. A VPN client is required for client-initiated deployments.
E. A VPN client is not required for users to interact with the network.
F. An MPLS-based VPN is highly scalable because no site-to-site peering is required.
Answer: A, E, F
QUESTION 208
When configuring backup IPsec VPNs with Cisco IOS Release 12.2(8)T or later, what are the
default parameters?
A. Cisco IOS keepalives are sent every 10 seconds if there is no traffic to send.
B. Dead peer detection (DPD) hello messages are sent every 10 seconds if there is no traffic to
send.
C. Cisco IOS keepalives are sent every 10 seconds if the router has traffic to send.
D. DPD hello messages are sent every 10 seconds if the router has traffic to send.
Answer: D
QUESTION 209
Which two statements about common network attacks are true? (Choose two.)
A. Access attacks can consist of password attacks, trust exploitation, port redirection, and
man-in-the-middle attacks.
B. Access attacks can consist of password attacks, ping sweeps, port scans, and
man-in-the-middle attacks.
C. Access attacks can consist of packet sniffers, ping sweeps, port scans, and
man-in-the-middle attacks.
D. Reconnaissance attacks can consist of password attacks, trust exploitation, port redirection
and Internet information queries.
E. Reconnaissance attacks can consist of packet sniffers, port scans, ping sweeps, and Internet
information queries.
F. Reconnaissance attacks can consist of ping sweeps, port scans, man-in-middle attacks and
Internet information queries.
Answer: A, E
QUESTION 210
Which two mechanisms can be used to detect IPsec GRE tunnel failures? (Choose two).
Answer: A,
QUESTION 211
How can virus and Trojan horse attacks be mitigated?
Answer: D
QUESTION 212
Which two statements are true about the use of SDM to configure the Cisco Easy VPN feature on
a router? (Choose two.)
A. An Easy VPN connection is a connection that is configured between two Easy VPN clients.
B. The Easy VPN server address must be configured when configuring the SDM Easy VPN
Server wizard.
C. The SDM Easy VPN Server wizard displays a summary of the configuration before applying
the VPN configuration.
D. The SDM Easy VPN Server wizard can be used to configure a GRE over IPSec site-to-site
Answer: C, E
QUESTION 213
A site requires support for skinny and H.323 voice protocols. How is this configured on an IOS
firewall using the SDM?
A. The Basic Firewall wizard is executed and the High Security Application policy is selected.
B. The Advanced Firewall wizard is executed and a custom Application Security policy is
selected in place of the default Application Security policies.
C. The Application Security tab is used to create a policy with voice support before the Firewall
wizard is run.
D. The Application Security tab is used to modify the SDM_High policy to add voice support
prior to the Firewall wizard being run.
Answer: B
QUESTION 214
What are two steps that must be taken when mitigating a worm attack? (Choose two.)
Answer: A, D
QUESTION 215
Which two statements about packet sniffers or packet sniffing are true? (Choose two.)
A. A packet sniffer requires the use of a network adapter card in nonpromiscuous mode to
capture all network packets that are sent across a LAN.
B. Packet sniffers can only work in a switched Ethernet environment.
C. To reduce the risk of packet sniffing, cryptographic protocols such as Secure Shell Protocol
(SSH) and Secure Sockets Layer (SSL) should be used.
D. To reduce the risk of packet sniffing, strong authentication, such as one time passwords,
should be used.
E. To reduce the risk of packet sniffing, traffic rate limiting and RFC 2827 filtering should be
used.
Answer: C, D
QUESTION 216
Which two statements about Cisco Easy VPN are true? (Choose two.)
A. An IOS router, a PIX firewall or a VPN client can operate as an Easy VPN terminal point.
B. A VPN client can also be configured to operate as an Easy VPN server.
C. Easy VPN does not support split tunnels.
D. Easy VPN tunnel endpoint addresses can be the virtual IP address of an HSRP configuration.
E. Easy VPN is only appropriate for smaller deployments.
Answer: A, D
QUESTION 217
When you are using the SDM to configure a GRE tunnel over IPsec, which two parameters are
required when defining the tunnel interface information? (Choose two.)
Answer: B, D
QUESTION 218
Which two statements about the Security Device Manager (SDM) Intrusion Prevention System
(IPS) Rule wizard are true? (Choose two.)
A. By default, the Use Built-In Signatures (as backup) checkbox is not selected.
B. Changes to the IPS rules can be made using the Configure IPS tab.
C. Changes to the IPS rules can be made using the Edit Firewall Policy/ACL tab.
D. Once all interfaces have rules applied to them, you can re-initiate the IPS Rule wizard to
make changes.
E. Once all interfaces have rules applied to them, you cannot re-initiate the IPS Rule wizard to
make changes.
F. When using the wizard for the first time, you will be prompted to enable the Security Device
Event Exchange (SDEE).
Answer: D, F
QUESTION 219
At what size should the MTU on LAN interfaces be set in the implementation of MPLS VPNs with
traffic engineering?
A. 1512 bytes
B. 1516 bytes
C. 1520 bytes
D. 1524 bytes
E. 1528 bytes
F. 1532 bytes
Answer: A
QUESTION 220
Which two devices serve as the main endpoint components in a DSL data service network?
(Choose two.)
A. SOHO workstation
B. ATU-R
C. ATU-C
D. POTS splitter
E. CO switch
Answer: B,
QUESTION 221
Which three protocols are available for local redundancy in a backup VPN scenario? (Choose
three.)
A. VRRP
B. A routing protocol
C. RSVP
D. HSRP
E. Proxy ARP
F. GLBP
Answer: A, D, F
QUESTION 222
Which PPPoE configuration statement is true?
A. A PVC must be created before the pppoe enable command on the Ethernet interface is
entered.
B. The dsl operating-mode auto command is required.
C. The encapsulation ppp command must be applied on the Ethernet interface.
D. The ip mtu 1492 command must be applied on the dialer interface.
E. The ip mtu 1496 command must be applied on the Ethernet interface.
F. When the pppoe enable command is applied on the Ethernet interface, a PVC will be
created.
Answer: D
QUESTION 223
The Cisco SOHO 77 ADSL router provides an affordable, secure, multiuser digital subscriber line
(DSL) access solution to small office/home office customers while reducing deployment and
operational costs for service providers. Refer to the exhibit, which shows a PPPoA diagram and
partial SOHO77 configuration. Which command needs to be applied to the SOHO77 to complete
the configuration?
Answer: A
QUESTION 224
Which three are methods of network reconnaissance? (Choose three.)
A. Packet sniffer
B. Ping Sweep
C. Dictionary attack
D. Port scan
Answer: A, B, D
QUESTION 225
Which two steps must be taken when mitigating a worm attack? (Choose two.)
Answer: A, C
QUESTION 226
IPsec VPN is a widely acknowledged solution for enterprise networks. Which three IPsec VPN
statements are true? (Choose three.)
Answer: A, C, D
QUESTION 227
Study this exhibit carefully.
What information can be derived from the SDM firewall configuration displayed?
A. Access-list 101 was configured for the trusted interface, and access-list 100 was configured for
the untrusted interface.
B. Access-list 100 was configured for the trusted interface, and access-list 101 was configured for
the untrusted interface.
C. Access-list 100 was configured for the inbound direction, and access-list 101 was configured
for the outbound direction on the trusted interface.
D. Access-list 100 was configured for the inbound direction, and access-list 101 was configured
for the outbound direction on the untrusted interface.
Answer: A
QUESTION 228
You work as a network technician at Company.com. Study the exhibit carefully. What type of
security solution will be provided for the inside network?
A. The router will intercept the traceroute messages. It will validate the connection requests
before forwarding the packets to the inside network.
B. The router will reply to the TCP connection requests. If the three-way handshake completes
successfully, the router will establish a TCP connection between itself and the server.
C. The TCP traffic that matches the ACL will be allowed to pass through the router and create a
TCP connection with the server.
D. The TCP connection that matches the defined ACL will be reset by the router if the connection
does not complete the three-way handshake within the defined time period.
Answer: B
QUESTION 229
Authentication is the process of determining if a user or identity is who they claim to be. Refer to
the exhibit. Which statement about the authentication process is correct?
Answer: A
QUESTION 230
Which description is correct about the Authentication Proxy feature?
Answer: B
QUESTION 231
You are a network technician at Company.com. Study the exhibit carefully. What does the "26" in
the first two hop outputs indicate?
Answer: B
QUESTION 232
Authentication is the process of determining whether someone or something is, in fact, who or
what it is declared to be. On the basis of the exhibit, which two statements correctly describe the
authentication method used to authenticate users who want privileged access into P4S-R1?
(Choose two.)
A. All users will be authenticated using the RADIUS server. If the RADIUS server is unavailable,
the authentication process stops and no other authentication method is attempted.
B. All users will be authenticated using the RADIUS server. If the RADIUS server is unavailable,
the router will attempt to authenticate the user using its local database.
C. All users will be authenticated using the RADIUS server. If the user authentication fails, the
router will attempt to authenticate the user using its local database.
D. All users will be authenticated using the RADIUS server. If the user authentication fails, the
authentication process stops and no other authentication method is attempted.
Answer: B, D
QUESTION 233
Split tunneling allows you to configure specific network routes that are downloaded to the client.
Refer to the exhibit. Which statement is true about the configuration of split tunnels using SDM?
A. Any protected subnets that are entered represent subnets at the VPN server site that will be
accessed without going through the encrypted tunnel.
B. Any protected subnets that are entered represent subnets at the end user's site that will be
accessed through the encrypted tunnel.
C. Any protected subnets that are entered represent subnets at the end user's site that will be
accessed without going through the encrypted tunnel.
D. Any protected subnets that are entered represent subnets at the VPN server site that will be
accessed through the encrypted tunnel.
Answer: D
Actualtests.com - The Power of Knowing
642-825
QUESTION 234
You work as a network engineer at Company.com. Study the exhibit carefully. Based on the
presented information, which configuration was completed on the router CPE?
Answer: A
QUESTION 235
You work as a network technician. Refer to the exhibit. Which description is correct about the
partial MPLS configuration that is shown?
A. The route-target both 100:2 command sets import and export route-targets for vrf2.
B. The route-target both 100:2 command changes a VPNv4 route to an IPv4 route.
C. The route-target import 100:1 command sets import route-targets routes specified by the route
map.
D. The route-target import 100:1 command sets import route-targets for vrf2 that override the
other route-target configuration.
Answer: A
QUESTION 236
As a network technician, study the exhibit below carefully. FastEthernet0/0 has been assigned a
network address of 200.0.1.2/24 and no ACL has been applied to that interface. Serial0/0/0 has
been assigned a network address of 200.0.0.1/30. Assuming that there are no network-related
problems, which ping will be successful?
Answer: B
QUESTION 237
Which method to identify malicious traffic involves looking for a fixed sequence of bytes in a
single packet or in predefined content?
A. Policy-based
B. Anomaly-based
C. Signature-based
D. Honeypot-based
Answer: C
QUESTION 238
Of the following options, which three DSL technologies support an analog POTS channel and
use the entire bandwidth of the copper to carry data? (Choose three.)
A. ADSL
B. IDSL
C. VDSL
D. RADSL
Answer: A, C, D
QUESTION 239
DSL is a family of technologies that provide digital data transmission over the wires of a local
telephone network. Which form of DSL technology is typically used as a replacement for T1
lines?
A. ADSL
B. HDSL
C. VDSL
D. SDSL
Answer: B
QUESTION 240
Refer to the exhibit. Based on the presented information, which description is correct?
A. The IOS firewall has allowed an HTTP session between two devices.
B. A TCP session that started between 192.168.1.116 and 192.168.101.115 caused dynamic
ACL entries to be created.
C. A UDP session that started between 192.168.1.116 and 192.168.101.115 caused dynamic
ACL entries to be created.
D. Telnet is the only protocol allowed through this IOS firewall configuration.
Answer: B
QUESTION 241
Study the exhibit carefully.
Based on the partial configuration, which two descriptions are correct? (Choose two.)
Answer: A, F
QUESTION 242
You work as a network engineer. Study the exhibit carefully. Which Cisco feature
generated the configuration?
A. TACACS+
B. IOS Firewall
C. AutoSecure
D. IOS IPS
Answer: C
QUESTION 243
You work as a network engineer. Study the exhibit carefully. Which order correctly identifies the
steps to provision a cable modem to connect to a headend as defined by the DOCSIS standard?
A. A, D, C, G, E, F, B
B. A, D, E, G, C, F, B
C. C, D, F, G, E, A, B
D. C, D, F, G, A, E, B
E. F, D, C, G, A, E, B
Answer: E
QUESTION 244
Drag and drop the Cisco IOS commands that would be used to configure the dialer interface
portion of a PPPoE client implementation where the client is facing the internet and private IP
addressing is used on the internal network.
Answer:
QUESTION 245
Study the exhibit carefully. According to the information that is provided, which two statements are
correct? (Choose two.)
Answer: A, D
QUESTION 246
You are a network engineer. Study the exhibit carefully. Router Company-R is unable to establish
an ADSL connection with its provider. Which action would correct this problem?
Answer: D
QUESTION 247
The exhibit below shows a PPPoA diagram and partial SOHO77 configuration. Which command
needs to be applied to the SOHO77 to accomplish the configuration?
Answer: C
QUESTION 248
The Companay network technician has configured an access list on the Companay-R router. Please
study the exhibit carefully. What function does the access list serve?
A. It allows TCP traffic from any destination to reach the 16.1.1.0/24 network if the request
originated from the inside network and has a port number greater than 1024.
B. It allows TCP traffic from the 16.1.1.0/24 network to reach any destination if the request
originated from the Internet and has a port number less than 1024.
C. It allows TCP traffic from any destination to reach the 16.1.1.0/24 network if the request
originated from the Internet.
D. It allows TCP traffic from any destination to reach the 16.1.1.0/24 network if the request
originated from the inside network.
Answer: D
QUESTION 249
Study the exhibit carefully. What is the name given to the security zone occupied by
the public web server?
A. ALG
B. Extended proxy network
C. Multiple DMZs
D. DMZ
Answer: D
QUESTION 250
Study the exhibit carefully.
Which description is true about the results of clicking the OK button in the Security Device
Manager (SDM) Add a Signature Location window?
A. SDM will respond with a message asking for the URL that points to the 256MB.sdf file.
B. Cisco IOS IPS will choose to load the 256MB.sdf only if the Built-in Signatures (as backup)
check box is unchecked.
C. If Cisco IOS IPS fails to load the 256MB.sdf, it will load the built-in signatures provided the
Built-in Signatures (as backup) check box is checked.
D. Cisco IOS IPS will choose to load the 256MB.sdf and then also add the Cisco IOS built-in
signatures.
Answer: C
QUESTION 251
Authentication is the act of establishing or confirming something (or someone) as authentic, that
is, that claims made by or about the thing are true. Refer to the exhibit. Which two statements are
true about the authentication method used to authenticate users who want privileged access into
Companay-R? (Choose two.)
A. All users will be authenticated using the RADIUS server. If the user authentication fails, the
authentication process stops and no other authentication method is attempted.
B. All users will be authenticated using the RADIUS server. If the user authentication fails, the
router will attempt to authenticate the user using its local database.
C. All users will be authenticated using the RADIUS server. If the RADIUS server is unavailable,
the authentication process stops and no other authentication method is attempted.
D. All users will be authenticated using the RADIUS server. If the RADIUS server is unavailable,
the router will attempt to authenticate the user using its local database.
Answer: A, D
QUESTION 252
Refer to the exhibit.
Configure Router Companay-R ACL 150 to mitigate against a range of common threats. Based
on the information shown in the exhibit, which statement is correct?
A. The ip access-group 150 command should have been applied to interface FastEthernet 0/0 in
an outbound direction.
B. Interface Fa0/0 and interface Fa0/1 should have been configured with the IP addresses
10.1.1.1 and 10.2.1.1, respectively.
C. The ip access-group 150 command should have been applied to interface FastEthernet 0/0 in
an inbound direction.
D. ACL 150 will mitigate common threats.
Answer: D
QUESTION 253
You are a network technician. Study the exhibit carefully. Which description is correct about the
interface S1/0 on router Companay1?
Answer: D
QUESTION 254
You work as a network technician at Companay.com. Study the exhibit carefully.
The configuration has been applied to router Companay-R to mitigate the threat of certain types
of ICMP-based attacks. However, the configuration is incorrect. Based on the information in the
exhibit, which configuration option would correctly configure router Companay-R?
A. ACL 112 should have been applied to interface Fa0/0 in an inbound direction.
B. ACL 112 should have been applied to interface Fa0/1 in an outbound direction.
C. The last statement of ACL 112 should have been access-list 112 deny icmp any 10.1.1.0
0.0.0.255.
D. The last statement of ACL 112 should have been access-list 112 deny icmp any 10.2.1.0
0.0.0.255.
E. The first three statements of ACL 112 should have permitted the ICMP traffic and the last
statement should deny the identified traffic.
F. The last statement of ACL 112 should have been access-list 112 permit icmp any 10.2.1.0
0.0.0.255.
Answer: F
QUESTION 255
A Companay network administrator is troubleshooting an ADSL connection. For which OSI layer
is the ping atm interface command useful for probing problems?
A. Layer 1
B. Layer 2
C. Layer 3
D. Layer 4
Answer: B
QUESTION 256
Study the exhibit carefully.
Routers P4S-A and P4S-B are customer routers. Routers P4S-1, P4S-2, P4S-3, and P4S-4 are
provider routers. The routers are operating with various IOS versions. Which frame mode MPLS
configuration statement is true?
A. Before MPLS is enabled, the ip cef command is only required on routers P4S-1 and P4S-4.
B. After MPLS is enabled, the ip cef command is only required on routers P4S-1 and P4S-4.
C. Before MPLS is enabled, the ip cef command is only required on the Ethernet 0 interfaces of
routers P4S-1 and P4S-4.
D. After MPLS is enabled, the ip cef command is only required on the Ethernet 0 interfaces of
routers P4S-1 and P4S-4.
E. Before MPLS is enabled, the ip cef command must be applied to all provider routers.
Answer: E
QUESTION 257
You are a network engineer at Company.com. Refer to the exhibit. The SDM IPS Policies wizard is
displaying the Select Interfaces window. Which procedure is best for applying IPS rules to
interfaces?
A. Apply the IPS rules in the outbound direction on interfaces where incoming malicious traffic is
likely.
B. Apply the rules in the inbound direction on interfaces where outgoing malicious traffic is likely.
C. Apply the IPS rules in the inbound direction on interfaces where incoming malicious traffic is
likely.
D. Apply the IPS rules in the outbound direction on interfaces where outgoing malicious traffic is
likely.
Answer: C
QUESTION 258
As the Company network technician, in order to prevent a DoS TCP SYN attack from a spoofed
source into the internal network, you need to configure an ACL on the Company-R router, based on
the exhibit below. Which ACL configuration will accomplish this?
A. Company-R (config)# access-list 120 deny icmp any any echo log
Company-R (config)# access-list 120 deny icmp any any redirect log
Company-R (config)# access-list 120 permit icmp any 10.0.0.0 0.0.0.255
Company-R (config)# interface Serial0/0
Company-R (config-if)# ip access-group 120 in
B. Company-R(config)# access-list 120 deny udp 10.0.0.0 0.0.255.255 host 255.255.255.255 eq 512
Company-R (config)# interface Serial0/0
Company-R (config-if)# ip access-group 120 in
C. Company-R (config)# access-list 120 deny ip any host 10.0.0.255 log
Company-R (config)# access-list 120 permit ip any 10.0.0.0 0.0.0.255 log
Company-R (config)# interface Serial0/0
Company-R (config-if)# ip access-group 120 in
D. Company-R (config)# access-list 120 permit tcp any 172.16.10.0 0.0.0.255 established
Company-R (config)# access-list 120 deny ip any any log
Company-R (config)# interface FastEthernet0/0
Company-R (config-if)# ip access-group 120 in
Answer: D
QUESTION 259
You are a network technician at Company.com. Examine the exhibit carefully. When editing the
Invalid DHCP Packet signature using Security Device Manager (SDM), which additional
severity levels can be chosen? (Choose three.)
A. Low
B. Urgent
C. High
D. Informational
Answer: A, C, D
QUESTION 260
After studying the exhibit, which description is true about Security Device Event
Exchange (SDEE)?
Answer: A
QUESTION 261
Look at the following statements. Which two actions can be taken by a Cisco IOS Firewall when
the threshold for the number of half-opened TCP sessions is exceeded? (Choose two.)
A. It can send a reset message to the endpoints of the oldest half-opened session.
B. It can send a reset message to the endpoints of the newest half-opened session.
C. It can send a reset message to the endpoints of a random half-opened session.
D. It can block all SYN packets temporarily for the duration configured by the threshold value.
Answer: A, D
QUESTION 262
Which Cisco IOS Firewall Feature Set allows a per-user policy to be downloaded dynamically to a
router from a TACACS+ or RADIUS server using AAA services?
B. Reflexive ACLs
C. Authentication Proxy
D. Lock-and-Key (dynamic ACLs)
Answer: C
QUESTION 263
Examine the exhibit below carefully, then answer the following question: which network threat
would the configuration in the exhibit mitigate?
Answer: A
QUESTION 264
Part of the Company network topology is shown below. According to the exhibit information, which
two statements about the Network Time Protocol (NTP) are correct? (Choose two.)
Answer: A, B
QUESTION 265
The output of the show crypto isakmp sa command is shown below. Based on this information, which
two options are correct? (Choose two.)
Answer: A, E
QUESTION 266
Based on the exhibit below, which of the configuration tasks will let you quickly deploy default
signatures?
Answer: D
QUESTION 267
You are a network technician. Which Cisco SDM feature expedites
the deployment of the default IPS settings and provides configuration steps for interface and
traffic flow selection, SDF location, and signature deployment?
Answer: C
QUESTION 268
On the basis of this exhibit, which three tasks can be configured by use of the IPS Policies
wizard via the Cisco Security Device Manager (SDM)? (Choose three.)
Answer: B, C, D
QUESTION 269
Refer to the exhibit.
Which two descriptions of the SDF Locations window of the IPS Rule wizard are correct?
(Choose two.)
A. The Use Built-In Signatures (as backup) check box is selected by default.
B. The Autosave feature automatically saves the SDF alarms if the router crashes.
C. The Autosave feature is automatically enabled for the default built-in signature file.
D. If all specified SDF locations fail to load, the signature file that is named default.sdf will be
loaded.
E. The name of the built-in signature file is default.sdf.
F. An HTTP SDF file location can be specified by clicking the Add button.
Answer: A, F
QUESTION 270
You work as a technician for Company.com and are responsible for the Company network.
You have configured MPLS on all routers in the domain. Study the exhibit carefully. In
order for P4S-2 and P4S-3 to forward frames between them with label headers, what additional
configuration will be required on devices that are attached to the LAN segment?
A. No additional configuration is required. Frames with larger MTU size will be automatically
fragmented and forwarded on all LAN segments.
B. Increase the maximum MTU requirements on all router interfaces that are attached to the LAN
segment.
C. Decrease the maximum MTU requirements on all router interfaces that are attached to the
LAN segment.
D. No additional configuration is required. Interface MTU size will be automatically adjusted to
accommodate the larger size frames.
Answer: B
QUESTION 271
Drag the correct statements about MPLS-based VPN on the left to the boxes on the right. (Not all
statements will be used.)
Answer:
QUESTION 272
Study the exhibit carefully.
Which type of security solution will be provided for the inside network?
A. The ACL will block all ICMP echo requests coming from an external host.
B. The ACL will allow TCP connections into the inside network, but will reset the connections in
case of a TCP SYN attack.
C. The ACL will filter all packets whose TCP headers have the SYN flag set.
D. The ACL will prevent router P4S-R from forwarding broadcast traffic to the inside LAN network.
Answer: C
QUESTION 273
You are a network engineer at Company.com. Refer to the exhibit. Which description is correct
about the two-interface Cisco IOS firewall configuration?
A. Blocks all incoming traffic except ICMP unreachable 'packet-too-big' messages that support
MTU Path Discovery
B. Inspects the inbound packets on the fa0/0 interface and automatically allows the
corresponding return traffic
C. Permits all TCP, UDP, and ICMP traffic when the three types of traffic are initiated from
outside the network
D. Blocks all ICMP unreachable 'packet-too-big' messages from reaching the inside network
Answer: A
QUESTION 274
The output of the debug aaa authentication command is shown below. Based on the information,
which statement is true about the authentication process?
A. A user attempted to log in to the router via the tty51 port and tried to access the user mode
(privilege level 1) using the named list ADMIN. The user's access was permitted.
B. A user attempted to log in to the router via the tty51 port and tried to access the user mode
(privilege level 1) using the default list for authentication against the local user database.
The user's access was permitted.
C. A user attempted to log in to the router via the tty51 port and tried to access the user mode
(privilege level 1) using the default list for authentication against the local user database.
The user's access was denied.
D. A user attempted to log in to the router via the tty51 port and tried to access the user mode
(privilege level 1) using named list ADMIN. The user's access was denied.
Answer: D
QUESTION 275
Which two statements correctly describe the transmission of signals over a cable network?
(Choose two.)
A. Downstream signals travel from the cable operator to the subscriber and use frequencies in
the range of 5 to 42 MHz.
B. Upstream signals travel from the subscriber to the cable operator and use frequencies in the
range of 5 to 42 MHz.
C. Upstream signals travel from the subscriber to the cable operator and use frequencies in the
range of 50 to 860 MHz.
D. Downstream signals travel from the cable operator to the subscriber and use frequencies in
the range of 50 to 860 MHz.
Answer: B, D
QUESTION 276
You work as a network engineer. Look at the following statements. Which three of these would be
classified as access attacks? (Choose three.)
A. Ping sweeps
B. Port scans
C. Trust exploitation
D. Port redirection
E. Man-in-the-middle attacks
Answer: C, D, E
QUESTION 277
Why is the ping between the P4S-HQ router and the 192.168.1.193 interface on the P4S-Branch2
router failing?
Answer: B
QUESTION 278
What is preventing a successful ping between the P4S-HQ router and the 192.168.1.10 interface
on the P4S-Branch3 router?
Answer: E
QUESTION 279
What is preventing the P4S-HQ router and the P4S-Branch1 router from establishing an EIGRP
neighbor relationship?
A. When running EIGRP over GRE tunnels, you must manually configure the neighbor address
using the eigrp neighbor ipaddress command.
B. The tunnel destination address is incorrect on the P4S-HQ router. It should be 10.2.1.1 to
match the interface address of the P4S-Branch1 router.
C. The tunnel source is incorrect on the P4S-Branch1 router. It should be serial 2/0.
D. The default route is missing from the P4S-Branch1 router.
Answer: A
QUESTION 280
What is the reason that tunnel 5 on the P4S-HQ router is down while its companion tunnel on the
P4S-Branch5 router is up?
Answer: C
QUESTION 281
What is preventing the 192.168.1.150 network from showing up in the P4S-HQ router's routing
table?
Answer: B
QUESTION 282
Which description is correct in terms of this exhibit?
Answer: A
QUESTION 283
Which two devices are used as the main endpoint components in a DSL data service network?
(Choose two.)
A. POTS splitter
B. ATU-C
C. ATU-R
D. SOHO workstation
Answer: B, C
QUESTION 284
Study the exhibit carefully. In the SDM Site-to-Site VPN wizard, what are three requirements that
are accessed by the Add button? (Choose three.)
A. IKE lifetime
B. IPsec proposal priority
C. Keyed-hash message authentication code
D. IPsec authentication method
E. Diffie-Hellman group
Answer: A, C, E
QUESTION 285
As a network engineer, can you tell me which four outbound ICMP message types would
normally be permitted? (Choose four.)
A. Time exceeded
B. Echo reply
C. Echo
D. Parameter problem
E. Packet too big
F. Source quench
Answer: C, D, E, F
QUESTION 286
Study the exhibit below carefully.
Based on the information in the exhibit, which two statements are true? (Choose two.)
A. The Edit IPS window is currently displaying the Global Settings information.
B. The Edit IPS window is currently displaying the signatures in Details view.
C. Any traffic matching signature 1107 will generate an alarm, reset the connection, and be
dropped.
D. Signature 1102 has been triggered because of matching traffic.
E. Signature 1102 has been modified, but the changes have not been applied to the router.
Answer: B, E
QUESTION 287
Refer to the exhibit.
On the basis of the partial output that is shown in the exhibit, which two statements are correct?
(Choose two.)
Answer: C, E
QUESTION 288
Part of the Company WAN is shown below. Study the exhibit carefully. Based on the
presented information, which statement is correct?
D. ACL 109 is designed to allow packets with the ACK flag set to enter the router.
Answer: D
QUESTION 289
You work as a network engineer at Company.com. Refer to the exhibit. Why does the
third hop have only one label?
A. MPLS is not enabled on that link, so only the VPN label is needed.
B. MPLS is not enabled on that link, so only the LSP label is needed.
C. The PHP process on that link has removed the VPN label, leaving only the LSP label.
D. That link is directly connected to the customer, so only the VPN label is needed.
E. The PHP process on that link has removed the LSP label, leaving only the VPN label.
Answer: E
QUESTION 290
Drag each IPsec protocol description above to the correct protocol type below. (Not
all descriptions will be used.) Drag and drop question: drag each item to its proper location.
Answer:
QUESTION 291
Drag and drop each management protocol above to the correct category below.
Answer:
QUESTION 292
You work as a network engineer at Company.com. Refer to the exhibit. The SDM IPS Policies
wizard is displaying the Select Interfaces window. Which procedure correctly describes the
application of IPS rules to interfaces?
A. Apply the IPS rules both in the inbound and outbound direction on all interfaces.
B. Apply the rules in the inbound direction on interfaces where outgoing malicious traffic is likely.
C. Apply the IPS rules in the inbound direction on interfaces where incoming malicious traffic is
likely.
D. Apply the IPS rules in the outbound direction on interfaces where outgoing malicious traffic is
likely.
Answer: C
QUESTION 293
Which two options about the Data-over-Cable Service Interface Specifications are correct?
(Choose two.)
Answer: A, C
QUESTION 294
Drag and drop each function above to the hybrid fiber-coaxial architecture component that
it describes below.
QUESTION 295
What is an MPLS forwarding equivalence class?
Answer: B
QUESTION 296
The Network Time Protocol (NTP) is widely used to synchronize a computer to Internet time
servers or other sources, such as a radio or satellite receiver or telephone modem service. If you
want to authenticate the NTP associations with other systems for security purposes, which key
type algorithm or algorithms are supported?
A. MD5 only
B. MD7 only
C. Plain text and MD5
D. Plain text and MD7
Answer: A
QUESTION 297
Drag the DSL technologies on the left to their maximum (down/up) data rate values below.
Answer:
QUESTION 298
Drag the DSL local loop topic on the left to the correct descriptions on the right.
Answer:
QUESTION 299
You are a network technician at Company.com. Study the exhibit carefully. The configured access
list is being used in conjunction with an IPsec VPN. Which traffic will be passed through the
IPsec VPN?
Answer: B
QUESTION 300
Drag the IOS commands from the left that would be used to implement a GRE tunnel using the
10.1.1.0.30 network on interface serial 0/0 to the correct target area on the right.
Answer:
QUESTION 301
Identify the recommended steps for worm attack mitigation by dragging and dropping them into
the target area in the correct order.
Answer:
QUESTION 302
Study the exhibit carefully.
On the basis of the configuration, what will happen to the IPSec VPN between the Remote router
and the Head-End router with IP address 172.31.1.100 if no dead-peer detection hello
messages are received for 20 seconds?
A. The IPSec VPN will transition to a peering relationship with the Head-End router at
172.31.1.200, with a down-time determined by the time required to tear-down and build the
peerings.
B. The IPSec VPN will terminate but will rebuild with the same peer because 3 hello messages
have not yet been missed.
C. The IPSec VPN will not be affected.
D. The IPSec VPN will transition with no down-time to a peering relationship with the Head-End
router at 172.31.1.200.
Answer: C
QUESTION 303
Based on the exhibit below, which one of these options is the ACL in this configuration
used to mitigate?
Answer: D
QUESTION 304
Company is a small export company. This firm has an existing enterprise network that is made up
exclusively of routers that are using EIGRP as the IGP. Its network is up and operating normally.
As part of its network expansion, Company has decided to connect to the Internet through a
broadband cable ISP. Your task is to enable this connection by use of the information below.
Connection Encapsulation: PPP
Connection Type: PPPoE client
Connection Authentication: None
Connection MTU: 1492 bytes
Address: Dynamically assigned by the ISP
Outbound Interface: E0/0
You will know that the connection has been successfully enabled when you can ping the
simulated Internet address of 172.16.1.1
Note: Routing to the ISP: Manually configured default route
P4S-R# show ip route
....
Gateway of last resort is not set
192.168.1.0/27 is subnetted, 7 subnets
C 192.168.1.0 is directly connected, Ethernet0/1
D 192.168.1.32 [90/307200] via 192.168.1.2, 00:02:16,Ethernet0/1
D 192.168.1.64 [90/307200] via 192.168.1.2, 00:02:17,Ethernet0/1
D 192.168.1.96 [90/307200] via 192.168.1.2, 00:02:17,Ethernet0/1
D 192.168.1.128 [90/307200] via 192.168.1.3, 00:02:17,Ethernet0/1
D 192.168.1.192 [90/307200] via 192.168.1.3, 00:02:17,Ethernet0/1
D 192.168.1.224 [90/307200] via 192.168.1.3, 00:02:17,Ethernet0/1
P4S-R# show run
....
no service password-encryption
!
hostname P4S-R
!
boot-start-marker
boot-end-marker
!
no aaa new-model
resource policy
clock timezone PST 0
ip subnet-zero
no ip dhcp use vrf connected
!
interface Ethernet0/0
description link to cable modem
no ip address
shutdown
!
interface Ethernet0/1
description link to corporate nework
ip address 192.168.1.1 255.255.255.224
!
interface Ethernet0/2
no ip address
!
interface Ethernet0/3
no ip address
shutdown
!
router eigrp 1
network 192.168.1.0
auto-summary
!
line con 0
line vty 0 15
end
A. Configuration sequence:
P4S-R(config)#int e0/0
P4S-R(config-if)#pppoe enable
P4S-R(config-if)#pppoe-client dial-pool-number 1
P4S-R(config-if)#no sh
P4S-R(config-if)#exit
P4S-R(config)#vpdn enable
P4S-R(config)#vpdn-group 1
P4S-R(config-vpdn)#request-dialin
P4S-R(config-vpdn-req-in)#protocol pppoe
P4S-R(config-vpdn-req-in)#exit
P4S-R(config-vpdn)#exit
P4S-R(config)#dialer-list 1 protocol ip permit
P4S-R(config)#int dialer 1
P4S-R(config-if)#encapsulation ppp
P4S-R(config-if)#ip address negotiated
P4S-R(config-if)#dialer pool 1
P4S-R(config-if)#dialer-group 1
P4S-R(config-if)#ip mtu 1492
P4S-R(config-if)#exit
Answer: A
QUESTION 305
This exhibit is about a firewall implementation. Inside users should be permitted to browse the
Internet. However, users have indicated that all attempts fail. As a result of troubleshooting, you
have determined that the issue is related to the firewall implementation. What corrective action
should you take?
Answer: C
QUESTION 306
Study the exhibit carefully.
Which statement best describes this Cisco IOS Firewall configuration?
Answer: C
QUESTION 307
Which statement is correct in terms of the exhibit?
Answer: A
QUESTION 308
You are a network technician at Company.com. Study the exhibit carefully. Which type of attack
does the ACL prevent the internal user from successfully launching?
Answer: D
QUESTION 309
Drag and drop each xDSL type above to the appropriate xDSL description below.
Answer:
QUESTION 310
Match each xDSL type above to the most appropriate implementation below.
Answer:
QUESTION 311
Drag each element of the Cisco IOS Firewall Feature Set above and drop it onto its
description below.
Answer:
QUESTION 312
Drag the protocols that are used to distribute MPLS labels from above to the target area
below. (Not all options will be used.)
Answer:
QUESTION 313
As a network engineer, do you know which three techniques should be used to secure
management protocols? (Choose three.)
Answer: A, B, C
QUESTION 314
Study the exhibit carefully.
The Cisco IOS IPsec High Availability (IPsec HA) Enhancements feature provides an
infrastructure for reliable and secure networks to provide transparent availability of the VPN
gateways, that is, Cisco IOS Software-based routers. What are the two options that are used to
provide High Availability IPsec? (Choose two.)
A. HSRP
B. Dual Router Mode (DRM) IPsec
C. IPsec Backup Peerings
D. RRI
Answer: A, D
Case Study #1
Scenario:
This item involves some questions that you need to answer. You can click on the Questions
button to the left to view these questions. Change questions by clicking the numbers to the left of
each question. In order to finish the questions, you will need to refer to the SDM and the topology,
neither of which is currently visible. In order to gain access to either the topology or the SDM,
click on the button on the left side of the screen that corresponds to the section you wish to access.
When you have completed viewing the topology or the SDM, you can return to your questions by
clicking on the Questions button to the left.
Cruising Industries is a large worldwide diving charter.
Recently, this firm has upgraded its Internet connectivity. As a new network technician, you have
been tasked with documenting the active Firewall configurations on the P4S-R router using the
Cisco Router and Security Device Manager (SDM) utility. Using the SDM output from Firewall and
ACL Tasks under the Configure tab, answer the following questions:
Topology:
QUESTION 315
Which option is correct?
Answer: C
QUESTION 316
Which two statements best describe a permissible incoming TCP packet on an untrusted
interface in this configuration? (Choose two.)
Answer: C, E
QUESTION 317
Which two statements would specify a permissible incoming TCP packet on a trusted interface in this
configuration? (Choose two.)
Answer: A, C