642 825 PDF

Exam : 642-825
Title : Implementing Secure Converged Wide

Area Networks
Ver : 05.19.09
642-825
QUESTION 1
When configuring the Cisco VPN Client with transparent tunneling, what is true about the IPSec
over TCP option?
A. The port number is negotiated automatically.

B. Clients will have access to the secured tunnel and local resources.
C. The port number must match the configuration on the secure gateway.
D. Packets are encapsulated using Protocol 50 (Encapsulating Security Payload, or ESP).
Answer: C
QUESTION 2
Refer to the exhibit.
MPLS must be enabled on all routers in the MPLS domain that consists of Cisco routers and
equipment of other vendors. What MPLS distribution protocol(s) should be used on router R2
Fast Ethernet interface Fa0/0 so that the Label Information Base (LIB) table is populated across
the MPLS domain?
A. Only LDP should be enabled on Fa0/0 interface.
Actualtests.com - The Power of Knowing

642-825
B. Only TDP should be enabled on Fa0/0 interface.

C. Both distribution protocols LDP and TDP should be enabled on the Fa0/0 interface.
D. MPLS cannot be enabled in a domain consisting of Cisco and non-Cisco devices.
Answer: C
QUESTION 3
Which two statements about common network attacks are true? (Choose two.)
A. Access attacks can consist of password attacks, trust exploitation, port redirection, and man-in-the- middle
attacks.
B. Access attacks can consist of password attacks, ping sweeps, port scans, and man-in-the- middle attacks.
C. Access attacks can consist of packet sniffers, ping sweeps, port scans, and man-in-the- middle attacks.
D. Reconnaissance attacks can consist of password attacks, trust exploitation, port redirection
and Internet information queries.
E. Reconnaissance attacks can consist of packet sniffers, port scans, ping sweeps, and Internet
information queries.
F. Reconnaissance attacks can consist of ping sweeps, port scans, man-in-middle attacks and
Internet information queries.
Answer: A, E
QUESTION 4
Which two statements about worms, viruses, or Trojan horses are true? (Choose two.)
A. A Trojan horse has three components: an enabling vulnerability, a propagation mechanism,

and a payload.
B. A Trojan horse virus propagates itself by infecting other programs on the same computer.
C. A virus cannot spread to a new computer without human assistance.
D. A virus has three components: an enabling vulnerability, a propagation mechanism, and a
payload.
E. A worm can spread itself automatically from one computer to the next over an unprotected
network.
F. A worm is a program that appears desirable but actually contains something harmful.
Answer: C, E
QUESTION 5
Which two statements about management protocols are true? (Choose two.)
A. Syslog version 2 or above should be used because it provides encryption of the syslog
messages.
B. NTP version 3 or above should be used because these versions support a cryptographic
authentication mechanism between peers.
C. SNMP version 3 is recommended since it provides authentication and encryption services for
management packets.

642-825
D. SSH, SSL and Telnet are recommended protocols to remotely manage infrastructure devices.
E. TFTP authentication (username and password) is sent in an encrypted format, and no
additional encryption is required.
Answer: B, C
QUESTION 6
Which two statements about the Cisco Autosecure feature are true? (Choose two.)
A. All passwords entered during the Autosecure configuration must be a minimum of 8

characters in length.
B. Cisco 123 would be a valid password for both the enable password and the enable secret
commands.
C. The auto secure command can be used to secure the router login as well as the NTP and
SSH protocols.
D. For an interactive full session of AutoSecure, the auto secure login command should be used.
E. If the SSH server was configured, the 1024 bit RSA keys are generated after the auto secure
command is enabled.
Answer: C, E
QUESTION 7
Which three statements are correct about MPLS-based VPNs? (Choose three.)
A. Route Targets (RTs) are attributes attached to a VPNv4 BGP route to indicate its VPN
membership.
B. Scalability becomes challenging for a very large, fully meshed deployment.
C. Authentication is done using a digital certificate or pre-shared key.
D. A VPN client is required for client-iniated deployments.
E. A VPN client is not required for users to interact with the network.
F- An MPLS-based VPN is highly scalable because no site-to-site peering is required.
Answer: A, E, F
QUESTION 8
Which IPsec mode will encrypt a GRE tunnel to provide multiprotocol support and reduced
overhead?
A. 3DES
B. multipoint GRE
C. tunnel
D. transport
Answer: D

642-825
QUESTION 9
Which two statements are true about broadband cable (HFC) systems? (Choose two.)
A. Cable modems only operate at Layer 1 of the OSI model.

B. Cable modems operate at Layers 1 and 2 of the OSI model.
C. Cable modems operate at Layers 1, 2, and 3 of the OSI model.
D. A function of the cable modem termination system (CMTS) is to convert the modulated signal
from the cable modem into a digital signal.
F. A function of the cable modem termination system is to convert the digital data stream from
the end user host into a modulated RF signal for transmission onto the cable system.
Answer: B, D
QUESTION 10
Which two statements about the AAA configuration are true? (Choose two.)
A. A good security practice is to have the none parameter configured as the final method used to
ensure that no other authentication method will be used.
B. If a TACACS+ server is not available, then a user connecting via the console port would not
be able to gain access since no other authentication method has been defined.
C. If a TACACS+ server is not available. then the user Bob could be able to enter privileged
mode as long as the proper enable password is entered.
D. The aaa new-model command forces the router to override every other authentication method
previously configured for the router lines.
E. To increase security, group radius should be used instead of group tacacs+.
F. Two authentication options are prescribed by the displayed aaa authentication command.
Answer: D, F
QUESTION 11
Which two statements are correct about mitigating attacks by the use of access control lists
(ACLs)? (Choose two.)
A. Extended ACLs on routers should always be placed as close to the destination as possible.
B. Each ACL that is created ends with an implicit permit all statement.
C. Ensure that earlier statements in the ACL do not negate any statements that are found later in
the list.
D. Denied packets should be logged by an ACL that traps informational (level 6) messages.
E. IP packets that contain the source address of any internal hosts or networks inbound to a
private network should be permitted.
F. More specific ACL statements should be placed earlier in the ACL.

642-825
Answer: D, F
QUESTION 12
What is needed to complete the PPPoA configuration?
A. A static route to the ISP needs to be configured.

B. The VPDN group needs to be created.
C. The ATM PVC needs to be configured.
D. PPP0E encapsulation needs to be configured on the ATM interface.
E. PAP authentication needs to be configured.
Answer: C

642-825
QUESTION 13
Which three configuration steps must be taken to connect a DSL ATM interface to a service
provider? (Choose three.)
A. Enable VPDN.
B. Configure PPP0E on the VPDN group.
C. Configure the ATM PVC.
D. Assign a VPDN group name.
E. Configure a dialer interface.
F. Configure the correct PPP encapsulation on the ATM virtual circuit.
Answer: C, E, F
QUESTION 14
When configuring the Cisco software VPN client on a PC, which values need to be entered to
complete the setup when pre-shared key authentication is used?
A. IP address of server, groupname, and password

B. IP address of server, groupname and password, and default gateway
C. IP address of server, groupname and password, default gateway, and DNS servers
D. IP address of server, groupname and password, default gateway, DNS servers, and local IP
address
Answer: A
QUESTION 15
What is one benefit of AutoSecure?
A. By default, all passwords are encrypted with level 7 encryption.

B. By default, a password is enabled on all ports.
C. Command line questions are created that automate the configuration of security features.
D. A multiuser logon screen is created with different privileges assigned to each member.
Answer: C
QUESTION 16
Which two steps must be taken for SSH to be implemented on a router? (Choose two.)
A. Ensure that the Cisco lOS Firewall feature set is installed on the devices.
B. Ensure that the target routers are configured for MA either locally or through a database
C. Ensure that each router is using the correct domain name for the network
D. Ensure that an ACL is configured on the VTY lines to block Telnet access
Answer: B, C

642-825
QUESTION 17
What is meant by the attack classification of "false positive" on a Cisco IPS device?
A. A signature is fired for nonmalicious traffic, benign activity.

B. A signature is not fired when offending traffic is detected.
C. A signature is correctly fired when offending traffic is detected and an alarm is generated.
D. A signature is not fired when non-offending traffic is captured and analyzed.
Answer: A
QUESTION 18
Which statement is true about signature-based intrusion detection?
A. It performs analysis that is based on a predefined network security policy.

B. It performs analysis that is based on known intrusive activities by matching predefined
patterns in network traffic.
C. It performs analysis that is based on anomalies in packets or packet sequences. It also
verifies anomalies in traffic behavior.
D. It performs analysis by intercepting the procedural calls to the operating system kernel.
Answer: B
QUESTION 19
What are three objectives that the no ip inspect command achieves? (Choose three.)
A. removes the entire CBAC configuration

B. removes all associated static ACLs
C. turns off the automatic audit feature in SDM
D. denies HTTP and Java applets to the inside interface but permits this traffic to the DMZ
E. resets all global timeouts and thresholds to the defaults
F. deletes all existing sessions
Answer: A, E, F
QUESTION 20
When packets in a session match a signature, what are three actions that the Cisco lOS Firewall
IPS can take? (Choose three.)
A. notify a centralized management interface of a false positive

B. remove the virus or worm from the packets
C. use the signature micro-engine to prevent a CAM Table Overflow Attack
D. reset the connection
E. drop the packets
F. send an alarm to a syslog server
Answer: D, E, F

642-825
QUESTION 21
SDM has added the commands in the exhibit to the router's configuration. What are the three
objectives that these commands accomplish? (Choose three.)
A. forces the user to authenticate twice to prevent man-in-the-middle attacks

B. inspects SSH packets across all enabled interfaces every 60 seconds
C. specifies SSH for remote management access
D. prevents Telnet access to the device unless it is from the SDM workstation
E. sets the SSH timeout value to 60 seconds, a value that causes incomplete SSH connections
to shut down after 60 seconds
F. sets the maximum number of unsuccessful SSH login attempts to two before locking access
to the router
Answer: C, E, F
QUESTION 22
Which three MPLS statements are true? (Choose three.)
A. Cisco Express Forwarding (CEF) must be enabled as a prerequisite to running MPLS on a

Cisco router.
B. Frame-mode MPLS inserts a 32-bit label between the Layer 3 and Layer 4 headers.
C. MPLS is designed for use with frame-based Layer 2 encapsulation protocols such as Frame
Relay, but is not supported by ATM because of ATM fixed-length cells.
D. OSPF, EIGRP, IS-IS, RIP, and SGP can be used in the control plane.
E. The control plane is responsible for forwarding packets.
F. The two major components of MPLS include the control plane and the data plane.
Answer: A, D, F
QUESTION 23

642-825
The configuration in the exhibit is found on an Internet service provider (ISP) Multiprotocol Label
Switching (MPLS) network. What is its purpose?
A. to prevent man-in-the-middle attacks

B. to use OBAC to shut down Distributed Denial of Service attacks
C. to use IPS to protect against session-replay attacks
D. to prevent customers from running TDP with the ISP routers
E. to prevent customers from running LDP with the ISP routers
F. to prevent other ISPs from running LDP with the ISP routers
Answer: D
QUESTION 24
Which three features are benefits of using GRE tunnels in conjunction with lPsec for building siteto-
site VPNs? (Choose three.)
A. Allows dynamic routing over the tunnel

B. Supports multi-protocol (non-IP) traffic over the tunnel
C. Reduces IPsec headers overhead since tunnel mode is used
D. Simplifies the ACL used in the crypto map
E. Uses Virtual Tunnel Interface (VTI) to simplify the IPsec VPN configuration
Answer: A, B, D
QUESTION 25
What are the four main steps in configuring an IPsec site-to-site VPN tunnel on Cisco routers?
(Choose four.)
A. Define the ISAKMP policy.

B. Define the IPsec transform set.
C. Define the pre-shared key used in the DH (Diffie-Hellman) exchange.
D. Create a crypto access list to define which traffic should be sent through the tunnel.
E. Create a crypto map and apply it to the outgoing interface of the VPN device.
F. Configure dynamic routing over the IPsec tunnel interface.
Answer: A, B, D, E

642-825
QUESTION 26
Which statement is true about an IPsec/GRE tunnel?
A. The GRE tunnel source and destination addresses are specified within the IPsec transform
set.
B. An IPsec/GRE tunnel must use IPsec tunnel mode.
C. GRE encapsulation occurs before the IPsec encryption process.
D. Crypto map ACL is not needed to match which traffic will be protected.
Answer: C
QUESTION 27
Which feature is an accurate description of the Diffie-Hellman (DH) exchange between two IPsec
peers?
A. allows the two peers to communicate the pre-shared secret key to each other during IKE
phase 1
B. allows the two peers to communicate its digital certificate to each other during IKE phase 1
C. allows the two peers to jointly establish a shared secret key over an insecure
communications channel
D. allows the two peers to negotiate its IPsec transforms during IKE phase 2
E. allows the two peers to authenticate each other over an insecure communications channel
Answer: C
QUESTION 28
Which three modulation signaling standards are used in broadband cable technology? (Choose
three.)
A. S-Video
B. PAL
C. NTSC
D. SECAM
E. FDM
F. FEC
Answer: B, C, D
QUESTION 29
Which statement is true about the default operation of frame-mode MPLS?
A. LSRs must wait to get the next-hop label from their downstream neighbors before propagating
information
B. LSRs will only propagate label mappings to their neighbors by request.
C. Labels are sequentially generated for neighbors.

642-825
D. Interfaces can share the same labels.
Answer: D
QUESTION 30
What technique can help to counter a reconnaissance attack?
A. Implement a switched infrastructure.

B. Disable accounts after a specific number of unsuccessful logins.
C. Disable port redirection.
D. Configure RFC 2827 filtering.
Answer: A
QUESTION 31
Which can be used to mitigate Trojan horse attacks?
A. the use or an antivirus software

B. the disabling of port redirection
C. RFC 2827 filtering
D. implementation of traffic rate limiting
F. implementing anti-Dos features
Answer: A
QUESTION 32
How can application layer attacks be mitigated?
A. Install the latest patches.

B. Implement RFC 2827 filtering.
C. Implement traffic rate limiting.
D. Implement Anti-Dos features.
E. Disable port redirection.
Answer: A
QUESTION 33
What does the dsl operating-mode auto command configure on a Cisco router?
A. It configures a Cisco router to automatically detect the proper modulation method to use when
connecting an ATM interface
B. It configures a Cisco router to automatically detect the proper encapsulation method to use
when connecting an ATM interface
C. It configures a Cisco router to automatically detect the proper DSL type (ADSL, IDSL, HDSL,
VDSL) to use when connecting an ATM interface
D. It configures a Cisco router to automatically detect the proper authentication method to use

642-825
when connecting an ATM interface
Answer: A
QUESTION 34
Which three statements describe the steps that are required to configure an IPsec site-to-site
VPN using a GRE tunnel? (Choose three.)
A. The command access-list 110 permit gre must be configured to specify which traffic will be
encrypted.
B. The command access-list 110 permit ip must be configured to specify which hosts can use the
tunnel.
C. The tunnel destination 172.17.63.18 command must be configured on the Tunnel0 interface.
D. The tunnel mode gre command must be configured on the Tunnel0 interface.
E. The tunnel source Ethernet1 command must be configured on the Tunnel0 interface
F. The tunnel source Tunnel0 command must be configured on the Tunnel0 interface.
Answer: A, C, E

642-825
QUESTION 35
Which three IPsec VPN statements are true? (Choose three.)
A. IKE keepalives are unidirectional and sent every ten seconds.

B. IKE uses the Diffie-Hellman algorithm to generate symmetrical keys to be used by IPsec
peers.
C. IPsec uses the Encapsulating Security Protocol (ESP) or the Authentication Header (AH)
protocol for exchanging keys.
D. Main mode is the method used for the IKE phase two security association negotiations.
E. Quick mode is the method used for the IKE phase one security association negotiations.
F. To establish IKE SA, main mode utilizes six packets while aggressive mode utilizes only three
packets.
Answer: A, B, F
QUESTION 36
Which three statements are true about Cisco lOS Firewall? (Choose three.)
A. It can be configured to block Java traffic.

B. It can be configured to detect and prevent SYN-flooding denial-of-service (DoS) network
attacks
C. It can only examine network layer and transport layer information.
D. It can only examine transport layer and application layer information.
E. The inspection rules can be used to set timeout values for specified protocols.
F. The ip inspect cbac-name command must be configured in global configuration mode.
Answer: A, B, E
QUESTION 37
Which two statements are true about the configuration of the Cisco IOS Firewall using the SDM?
(Choose two.)
A. Cisco IOS Firewall features may be configured by choosing the Additional Tasks wizard.
B. Firewall policies can be viewed from the Home screen of the SDM.
C. To simplify the Firewall configuration task, the SDM provides Basic Firewall, Intermediate
Firewall, and Advanced Firewall wizards.
D. The Basic Firewall Configuration wizard applies default access rules to the inside (trusted),
outside (untrusted) and DMZ interfaces
E. The Advanced Firewall Configuration wizard applies access rules to the inside (trusted),
outside (untrusted) and DMZ interfaces.
Answer: B, E
QUESTION 38

642-825
A site-to-site VPN connection has been configured using SDM. What option can aid in the
configuration of the VPN on the peer router?
A. the Generate Mirror option on the VPN Edit tab

B. the Monitor Mode option on the VPN Status tab
C. the VPN Components option on the VPN tab
D. the IPSec Policies from the VPN Components tab
Answer: A
QUESTION 39
What should a security administrator who uses SDM consider when configuring the firewall on an
interface that is used in a VPN connection?

642-825
A. The firewall must permit traffic going out of the local interface only.
B. The firewall must permit traffic to a VPN concentrator only.
C. The firewall must permit encrypted traffic between the local and remote VPN peers.
D. The firewall cannot be configured in conjunction with a VPN.
Answer: C
QUESTION 40
A GRE tunnel has been configured between the R1 headquarters router and the R2 branch site
router. Why are users at the branch site unable to access the corporate intranet?
A. The source IP address of the GRE tunnel must be different from the IP address of interface
S0/0 on router R1.
B. The destination IP address of the GRE tunnel must be different from the IP address of the
interface S0/1 on router R2.
C. The IP address of the interface tunnel1 must be the same as the IP address of the interface
SO/0 on router R1.

642-825
D. The interface 50/0 on router R1 must be enabled with the no shutdown command.
The GRE tunnel must be configured with the encapsulation ppp command.
Answer: D
QUESTION 41
What is missing in the configuration of both IPSec peers concerning the IPSec/GRE
configuration?
A. crypto map vpnmap2 on the Ethernet1 interface

B. access-list 110 on both peers to permit ISAKMP and IPsec traffic between 172.16.175.75 and
172.17.63.18
C. access-list 110 on both peers to encrypt GRE traffic between 172.16.175.75 and
172.17.63.18
D. mode tunnel under the crypto ipsec transform-set trans2
E. mode transport under the crypto ipsec transform-set trans2
F. DH group configuration under the crypto ipsec transform-set trans2
Answer: C

642-825
QUESTION 42
Which three statements are correct about a GRE over IPsec VPN tunnel configuration on Cisco
lOS routers? (Choose three.)
A. The crypto map must be applied on the physical interface.

B. The crypto map must be applied on the tunnel interface.
C. A dynamic routing protocol can be configured to run over the tunnel interface.
D. A crypto ACL will dictate the GRE traffic to be encrypted between the two IPsec peers.
E. A crypto ACL will dictate the ISAKMP and IPsec traffic to be encrypted between the two IPsec
peers.
F. Crypto maps must specify the use of IPsec transport mode.
Answer: A, C, D
QUESTION 43
Which two statements about Cisco Easy VPN are true? (Choose two.)
A. An lOS router, a PIX firewall or a VPN client can operate as an Easy VPN terminal point.
B. A VPN client can also be configured to operate as an Easy VPN server.
C. Easy VPN does not support split tunnels.
D. Easy VPN tunnel endpoint addresses can be the virtual IP address of an HSRP configuration.
E. Easy VPN is only appropriate for smaller deployments.
Answer: A, D
QUESTION 44
Which two statements are true about the information that is shown from the Cisco VPN screens?
(Choose two.)

642-825
A. The 10.10.32.32 network entry in the Route Details screen represents the lP address of the
server end of the encrypted tunnel.
B. The 10.10.32.32 network entry in the Route Details screen represents an IP address that will
be accessed without traversing the VPN.
C. Selecting Enable Transparent Tunneling on the connection entry on the right allows Local
LAN Routes to be available on the Route Details on the left screen.
D. Selecting IPSec over TCP on the connection entry on the right allows Local LAN Routes to be
available on the Route Details on the left screen.
E. Selecting Allow Local LAN Access on the connection entry on the right allows Local LAN
Routes to be available on the Route Details on the left screen.
Answer: B, E
QUESTION 45
Which statement is true about the configuration of split tunnels using SDM?
A. Any protected subnets that are entered represent subnets at the end user's site that will be
accessed without going through the encrypted tunnel.
B. Any protected subnets that are entered represent subnets at the end user's site that will be
accessed through the encrypted tunnel.
C. Any protected subnets that are entered represent subnets at the VPN server site that will be

642-825
D. Any protected subnets that are entered represent subnets at the VPN server site that will be
Answer: D
QUESTION 46
What is the function of the MPLS data plane?
A. The data plane exchanges Layer 3 routing information using OSPF, EIGRP, IS-IS, and BGP
protocols.
B. The data plane exchanges labels using the label exchange protocols TDP, LDP, BGP. and
RSVP.
C. The data plane uses the Forwarding Information Base (FIB) to forward packets based on the
routing information.
D. The data plane uses Label Forwarding Information Base (LFIB) to forwards packets based on
the labels.
Answer: D
QUESTION 47
Which two statements about packet sniffers or packet sniffing are true? (Choose two.)
A. A packet sniffer requires the use of a network adapter card in no promiscuous mode to
capture all network packets that are sent across a LAN.
B. Packet sniffers can only work in a switched Ethernet environment.
C. To reduce the risk of packet sniffing, cryptographic protocols such as Secure Shell Protocol
(SSH) and Secure Sockets Layer (SSL) should be used.
D. To reduce the risk of packet sniffing, strong authentication, such as one time passwords,
should be used.
E. To reduce the risk of packet sniffing, traffic rate limiting and RFC 2827 filtering should be
used.
Answer: C, D
QUESTION 48
Which two network attack statements are true? (Choose two.)
A. Access attacks can consist of password attacks, trust exploitation, port redirection, and man- in-the-middle
attacks.
B. Access attacks can consist of UDP and TCP SYN flooding, ICMP echo-request floods, and
ICMP directed broadcasts.
C. DoS attacks can be reduced through the use of access control configuration, encryption, and
RFC 2827 filtering.
D. DoS attacks can consist of IP spoofing and DDoS attacks.
E. IP spoofing can be reduced through the use of policy-based routing.
F. IP spoofing exploits known vulnerabilities in authentication services, FTP services, and web

642-825
services to gain entry to web accounts, confidential databases, and other sensitive
information.
Answer: A, D
QUESTION 49
Which three statements are true about Cisco Intrusion Detection System (IDS) and Cisco
Intrusion Prevention System (IPS) functions? (Choose three.)
A. Only IDS systems provide real-time monitoring that includes packet capture and analysis of
network packets.
B. Both IDS and IPS systems provide real-time monitoring that involves packet capture and
analysis of network packets.
C. The signatures on the IDS devices are configured manually whereas the signature on the IPS
devices are configured automatically.
D. IDS can detect misuse, abuse, and unauthorized access to networked resources but can only
respond after an attack is detected.
E. IPS can detect misuse, abuse, and unauthorized access to networked resources and respond
before network security can be compromised.
F. IDS can deny malicious traffic from the inside network whereas IPS can deny malicious traffic
from outside the network.
Answer: B, D, E
QUESTION 50
What are the four steps, in their correct order, to mitigate a worm attack?
A. contain, inoculate, quarantine, and treat

B. inoculate, contain, quarantine, and treat
C. quarantine, contain, inoculate, and treat
D. preparation, identification, traceback, and postmortem
E. preparation, classification, reaction, and treat
F. identification, inoculation, postmortem, and reaction
Answer: A
QUESTION 51
Which three benefits does IPsec VPNs provide? (Choose three.)
A. Origin authentication
B. Adaptive threat defense
C. Confidentiality
D. Qos
E. Data integrity
F. A fully-meshed topology with low overhead

642-825
Answer: A, C, E
QUESTION 52
When you are using the Quick Setup option of the Site-to-Site VPN wizard on the SDM to
configure an IPsec VPN, which three settings can you configure? (Choose three.)
A. Peer identity
B. Crypto map
C. Pre-shared key
D. Transform set priority
E. Source interface and destination IP address
F. Encapsulation security payload
Answer: A, C, E
QUESTION 53
Which IPsec VPN term describes a policy contract that specifies how two peers will use IPsec
security services to protect network traffic?
A. Encapsulation security payload

642-825
B. Transform set
C. Authentication header
D. Security association
Answer: D
QUESTION 54
What command generates the pictured output?
A. Show crypto ipsec transform-set

B. Debug crypto ipsec
C. Show crypto ipsec sa
D. Show crypto map
Answer: C
QUESTION 55
If an edge Label Switch Router (LSR) is properly configured, which three combinations are
possible? (Choose three.)
A. A received lP packet is forwarded based on the lP destination address and the packet is sent

642-825
as an lP packet.
B. An lP destination exists in the IP forwarding table. A received labeled packet is dropped
because the label is not found in the LFIB table.
C. There is an MPLS label-switched path toward the destination. A received IP packet is dropped
because the destination is not found in the IP forwarding table.
D. A received IP packet is forwarded based on the IP destination address and the packet is sent
as a labeled packet.
E. A received labeled IP packet is forwarded based upon both the label and the IP address.
F. A received labeled packet is forwarded based on the label. Alter the label is swapped, the
newly labeled packet is sent.
Answer: A, D, F
QUESTION 56
Which three techniques should be used to secure management protocols? (Choose three.)
A. Configure SNMP with only read-only community strings.

B. Encrypt TFTP and syslog traffic in an IPSec tunnel.
C. Implement RFC 2827 filtering at the perimeter router when allowing syslog access from
devices on the outside of a firewall.
D. Synchronize the NTP master clock with an Internet atomic clock.
E. Use SNMP version 2.
F. Use TFTP version 3 or above because these versions support a cryptographic authentication
mechanism between peers.
Answer: A, B, C
QUESTION 57
Which two management protocols provide security enhancements such as cryptographic
authentication and packet encryption of management traffic? (Choose two.)
A. NTP version 3
B. SNMP version 3
C. Syslog version3
D. Telnet version 3
E. TFTP version 3
Answer: A, B
QUESTION 58

642-825
SDM has been used to configure IPS on the router. While reviewing the Secure Device Event
Exchange (SDEE) error messages, you noticed that SDM failed to load a signature definition file
(SDF) from the specified URL locations. Which other location, if enabled, could the SDF be
loaded from?
A. The RAM of a router

B. The flash memory of a router
C. The startup configuration file of a router
D. The running configuration file of a router
E. The RAM of a PC
Answer: B
QUESTION 59

642-825
What is one of the objectives accomplished by the default startup configuration file created by the
SDM?
A. Blocks both Telnet and SSH

B. Prevents the router from ever being used as an HTTP server
C. Encrypts all HTTP traffic to prevent man-in-the-middle attacks
D. Enables local logging to support the log monitoring function
E. Requires access authentication by a TACACS+ server
Answer: D
QUESTION 60

642-825
What is the exhibited configuration an example of?
A. Authentication Proxy
B. lOS firewall
C. Distributed time-based ACLs
D. Infrastructure protection ACLs
E. Turbo ACLs
F. Reflexive ACLs
Answer: B
QUESTION 61
What does the configuration accomplish?
A. The configuration permits ICMP outbound traffic, denies ICMP inbound traffic, and permits
traffic that has been initiated from inside a router that has been synched with an NTP server.
B. The configuration permits ICMP inbound traffic, denies ICMP outbound traffic, and permits
traffic that has been initiated from inside a router that has been synched with an NTP server.
C. For the specified protocols, the configuration results in a timeout value of 3600 seconds for
authentication of encrypted traffic.
642-825
D. The configuration uses NTP synchronization to implement time-based ACLs.

E. The configuration creates temporary openings in the access lists of the firewall. These
openings time out alter the specified period of inactivity.
F. The configuration creates temporary openings in the access lists of the firewall. These
openings have an absolute timeout value.
Answer: E
QUESTION 62
Refer to the exhibit
What type of security configuration is being verified?
A. TurboACLs
B. Reflexive ACLs
C. Authentication Proxy
D. lOS Firewall
E. Distributed Time-Based ACLs
F. Infrastructure Protection ACLs
Answer: D
QUESTION 63
Which firewall feature allows per-user policy to be downloaded dynamically to the router from a
TACACS+ or RADIUS server using AAA services?
A. Intrusion Prevention System

B. Reflexive ACLs
D. Lock-and-Key (dynamic ACLs)
E. Port-to-Application Mapping (RAM)
Answer: C
QUESTION 64
Which statement describes Reverse Route Injection (RRI)?
A. A static route that points towards the Cisco Easy VPN server is created on the remote client.
B. A static route is created on the Cisco Easy VPN server for the internal IP address of each
VPN client.
C. A default route is injected into the route table of the remote client.
D. A default route is injected into the route table of the Cisco Easy VPN server.
Answer: B

642-825
QUESTION 65
Which two commands will start services that should be enabled for SDM operations? (Choose
two.)
A. ip http secure-server
B. ip http authentication local
C. service password-encryption
D. ip dhcp-client network-discovery
E. service tcp-small-servers
Answer: A, B
QUESTION 66
Which privilege level is required when configuring the SDM?
A. 0
B. 1
C. 8
D. 10
E. 12
F. 15
Answer: F
QUESTION 67
Which two actions will take place when One-Step Lockdown is implemented? (Choose two.)
A. CDP will be enabled.

B. A banner will be set.
C. Logging will be enabled.
D. Security passwords will be required to be a minimum of 8 characters.
E. Telnet settings will be disabled.
Answer: B, C
QUESTION 68

642-825
What does the "Allow Local LAN Access" option enable a Cisco software VPN client to do?
A. allows remote connections tram trusted clients to access local resources

B. allows secured remote clients to access local LAN resources through the VPN connection
C. allows local traffic from trusted resources to pass through the VPN connection
D. allows a user to access the resources on the local LAN when connected through a secure
gateway to a central-site VPN device
Answer: D
QUESTION 69
Which two statements are true about Cisco lOS Firewall? (Choose two.)
A. It enhances security for TCP applications only.

B. It enhances security for TCP and UDP applications.
C. It enhances security for UDP applications only.
D. It is implemented as a per-application process.
F. It is implemented as a per-destination process.
Answer: B, D

642-825
QUESTION 70
Of the numbered items in the exhibit, which combination is required to implement only SSH?
A. 1, 3, 5, 6, 7, and 9
B. 5, 6, and 7
C. 5, 6, 7, and 9
D. 1, 4, 5, and 9
E. 2, 3, 5, and 9
Answer: D
QUESTION 71
Which statement is true about the super view of Role-Based CLI?
A. A CLI view cannot be shared by multiple super views.

B. Any user with level 15 privileges can create or modify views and super views.
C. Commands cannot be directly configured for a super view.
D. The maximum number of CLI views which can exist is limited only by the amount of flash
available.
Answer: C
QUESTION 72
Which HFC cable network statement is true about the downstream data channel to the customer
and the upstream data channel to the service provider?

642-825
A. The downstream data path is assigned a 30 MHz channel and the upstream data path is
assigned a 1 MHz channel.
B. The downstream data path is assigned a fixed bandwidth channel and the upstream data path
uses a variable bandwidth channel.
C. Both upstream and downstream data paths are assigned in 6 MHz channels.
D. The upstream data path is assigned a channel in a higher frequency range than the
downstream path has.
Answer: C
QUESTION 73
Which statement about xDSL implementations is true?
A. All xDSL standards operate in higher frequencies than the POTS system and therefore can
coexist on the same media.
B. All xDSL standards operate in lower frequencies than the POTS system and can therefore
C. The ADSL standard operates in higher frequencies than the POTS system and can therefore
D. The HDSL standard operates in higher frequencies than the POTS system and can therefore
E. Other than providing higher data rates, HDSL is identical to ADSL.
Answer: C
QUESTION 74
Which two statements about the Autosecure feature are true? (Choose two.)
A. Auto Secure automatically disables the CDP feature.

B. If you enable AutoSecure, the minimum length of the login and enable passwords is set to 6
characters.
C. The auto secure full command automatically configures the management and forwarding
planes without any user interaction.
D. To enable AutoSecure, the auto secure global configuration command must be used.
E. Once AutoSecure has been configured, the user can launch the SDM Web interface to
perform a security audit.
Answer: A, B
QUESTION 75
Which statement is true about the global configuration command ntp server 198.133.219.25?
A. Entering the command ntp server 198.133.219.26 would replace the original command ntp
server 196.133.219.25.
B. The command configures the router to be the NTP time source for a peer located at IP

642-825
address 198.133.219.25.
C. The command configures the router to provide the date and clock setting for a host located at
IP address 198.133.219.25.
D. The command configures the router to synchronize with an NTP time source located at IP
address 198.133.219.25.
Answer: D
QUESTION 76
Which statement is true about a router configured with the ntp trusted-key 10 command?
A. This router only synchronizes to a system that uses this key in its NTP packets.
B. The lOS will not permit '10' as an argument to the ntp trusted-key command.
C. This command enables DES encryption of NTP packets.
D. This router will join an NTP multicast group where all routers share the same trusted key.
Answer: A
QUESTION 77
Which statement about the aaa authentication enable default group radius enable command is
true?"
A. lf the radius server returns an error the enable password will be used.
B. It the radius server returns a 'failed' message, the enable password will be used.
C. The command login authentication group will associate the AAA authentication to a specified
interface.
D. If the group database is unavailable, the radius server will be used.
Answer: A
QUESTION 78
Which command sequence is an example of a correctly configured AAA configuration that uses
the local database?
A. RTA(config)# username Bob password cisco

RTA(config)# aaa new-model
RTA(config)# aaa authentication login LOCAL_AUTH local
RTA(config)# line con 0
RTA(config-line)# login authentication LOCAL_AUTH
B. RTA(config)# username Bob password cisco
RTA(config)# aaa new-model
RTA(config)# aaa authentication login LOCAL_AUTH local
RTA(config-line)# login authentication default
C. RTA(config)# aaa new-model
RTA(config)# tacacs-server host 10.1.1.10

642-825
RTA(config)# tacacs-server key cisco 123

RTA(config)# aaa authentication login LOCAL_AUTH group tacacs+
RTA(config-line)# login authentication default
D. RTA(config)# aaa new-model
RTA(config)#tacacs-server host 10.1.1.10
RTA(config)# tacacs-server key cisco 123
RTA(config)# aaa authentication login LOCAL_AUTH group tacacs+
RTA(config-line)# login authentication LOCAL AUTH
Answer: A
QUESTION 79
Based on the partial configuration, which two statements are true? (Choose two.)
A. If configured, the enable password could also be used to log into the console port.
B. The local parameter is missing at the end of each aaa authentication LOCAL-AUTH
command.
C. The command aaa authentication default should be issued for each line instead of the login
authentication LOCAL_AUTH command.
B. This is an example of a self-contained AAA configuration using the local database.
E. To make the configuration more secure, the none parameter should be added to the end of
the aaa authentication login LOCAL_AUTH local command.
F. To successfully establish a Telnet session with RTA, a user can enter the username Bob and
password cisco.
Answer: D, F
QUESTION 80

642-825
A network administrator wishes to mitigate network threats. Given that purpose, which two
statements about the lOS firewall configuration that is revealed by the output are true?
A. The command ip inspect FIREWALL_ACL out must be applied on interface FastEthernet 0/0.
B. The command ip inspect FIREWALL_ACL out must be applied on interface FastEthernet 0/1.
C. The command ip access-group FIREWALL_ACL in must be applied on interface FastEthernet
0/0.
D. The command ip access-group FIREWALL_ACL in must be applied on interface FastEthernet
0/1.
E. The configuration excerpt is an example of a CBAC list.
F. The configuration excerpt is an example of a reflexive ACL.
Answer: B, E
QUESTION 81
In an MPLS VPN implementation, how are overlapping customer prefixes propagated?
A. A separate instance of the core lGP is used for each customer.

B. Separate BGP sessions are established between each customer edge LSR.
C. Because customers have their own unique LSPs, address space is kept separate.
D. A route target is attached to each customer prefix.
E. Because customers have their own interfaces, distributed CEFs keep the forwarding tables
separate.
Answer: D

642-825
QUESTION 82
On the basis of the information presented, which configuration change would correct the Secure
Shell (SSH) problem?
A. Configure router RTA with the ip domain name domain-name global configuration command.
B. Configure router RTA with the crypto key generate rsa general-keys modulus modulus- number
global configuration command.
C. Configure router RTA with the crypto key generate rsa usage-keys modulus modulus-number
global configuration command.
D. Configure router RTA with the transport input ssh vty line configuration command.
E. Configure router RTA with the no transport input telnet vty line configuration command.
Answer: D
QUESTION 83
When configuring a site-to-site IPsec VPN tunnel, which configuration must be the exact reverse
of the other IPsec peer?
A. the IPsec transform

B. the crypto ACL
C. the ISAKMP policy
D. the pre-shared key
E. the crypto map
Answer: B
QUESTION 84

642-825
A user is unable to initiate an SSH session with RTA. To help troubleshoot the problem, RTA has
been configured as indicated in the exhibit. However, a second attempt to initiate an SSH
connection to RTA fails to generate debug information on the Syslog server. What configuration
change would display the debug information on the Syslog server?
A. Router RTA should be configured with the debug ip packet EXEC command.
B. Router RTA must be configured with the correct Syslog IP address.
C. Router RTA must be configured with the logging buffered informational global configuration
command.
D. Router RTA must be configured with the logging monitor debugging global configuration
command.
E. Router RTA must be configured with the logging trap debugging global configuration
command.
Answer: E
QUESTION 85
When you are using the SDM to configure a GRE tunnel over IPsec, which two parameters are
required when defining the tunnel interface information? (Choose two.)
A. MTU size of the GRE tunnel interface

B. GRE tunnel source interface or IP address, and tunnel destination IP address
C. IPSEC mode (tunnel or transport)
D. GRE tunnel interface IP address
E. crypto ACL number

642-825
Answer: B, D
QUESTION 86
Routers RTB and RTC have established LDP neighbor sessions. Troubleshooting discovered that
labels are being distributed between the two routers but no label swapping information is in the
LEIB. What is the most likely cause of this problem?
A. The IGP is summarizing the address space.

B. IP CEF has not been enabled on both routers RTB and RTC.
C. BGP neighbor sessions have not been configured on both routers.
D. LDP has been enabled on one router and TDP has been enabled on the other.
E. LDP is using the loopback address as the LDP ID and the loopback address is not in the
routing table.
Answer: B
QUESTION 87
All routers participate in the MPLS domain. An ISP propagates the routing information for network
10.10.10.0/24 from R3 to R1. However, router R3 summarizes the routing information to
10.10.0.0/16. How will the routes be propagated through the MPLS domain?
A. R3, using LDP, will advertise labels for both networks, and the information will be propagated
throughout the MPLS domain.
B. R3 will label the summary route using a pop label. The route will then be propagated through

642-825
the rest of the MPLS domain. R3 will label the 10.10.10.0/24 network and forward to R2
where the network will be dropped.
C. R3 will label the 10.10.10.0/24 network using a pop label which will be propagated through
the rest of the MPLS domain. R3 will label the summary route and forward to R2 where the
network will be dropped.
D. None of the networks will be labeled and propagated through the MPLS domain because
aggregation breaks the MPLS domain.
Answer: B
QUESTION 88
MPLS and LDP are enabled on routers RTB and RTC and all interfaces are enabled. However,
the routers will not establish an LDP neighbor session. Troubleshooting has revealed that there is
forwarding information in the FIB table, but there is no forwarding information in the LFIB table.
Which issue would cause this problem?
A. IP CEF is not enabled on one or both of the routers.

B. MPLS has been enabled on the interface but has not been enabled globally on one or both of
the routers.
C. BGP neighbor sessions have not been configured on one or both of the routers.
D. One or both of the routers are using the loopback address as the LDP ID and the loopback is
not being advertised by the IGP.
Answer: D
QUESTION 89
What can be configured to provide resiliency when using SDM to configure a site-to-site GRE
over IPsec VPN tunnel?
A. HSRP
B. Stateful IPsec failover
C. A backup GRE over IPsec tunnel
D. Load balancing using two GRE over IPsec tunnels
E. Redundant dynamic crypto maps

642-825
Answer: C
QUESTION 90
Refer to the exhibit and the partial configuration on a DSL router.
The DSL Router is connected to a service provider using a PPPoE session over a DSL line. The

642-825
FTP traffic. generated from inside the network 10.92.1.0/24. fails to reach the PPP0E Server.
What should be configured on the DSL Router to fix the problem?
A. The ip mtu command with a bytes argument set greater than 1500 needs to be configured for
the Dialer 1 interface.
B. The ip mtu command with a bytes argument set lower than 1500 needs to be configured for
the Dialer 1 interface.
C. The ip mtu command with a bytes argument set greater than 1500 needs to be configured
for the ATM0 interface
D. The ip mtu command with a bytes argument set lower than 1500 needs to be configured for
the ATM0 interface.
Answer: B
QUESTION 91
On the basis of the command output, which statement is true?
A. The value 32 is a local label ID.

B. Traffic associated with local label 26 will be forwarded to an interface that is not associated
with label switching.
C. Traffic associated with local label 30 will have a next hop of 10.250.0.97/32.
D. Traffic associated with local label 29 will be forwarded to an interface that is not associated

642-825
with label switching.
Answer: B
QUESTION 92
Which three routing protocols can be configured when configuring a site-to-site GRE over IPsec
tunnel using SDM? (Choose three.)
A. BGP
B. RIP
C. IGRP
D. EIGRP
E. OSPF
F. IS-IS
Answer: B, D, E
QUESTION 93
When configuring an IPsec VPN to backup a WAN connection, what can be configured to
influence the EIGRP routing process to select the primary WAN link over the backup lPsec
tunnel?
A. Configure a lower clock rate value on the tunnel interface.

B. Configure a longer FIGRP hello interval on the tunnel interface.
C. Configure a higher bandwidth value on the tunnel interface.
D. Configure a longer delay value on the tunnel interface.
E. Configure the EIGRP variance to 1.
F. Configure the FIGRP variance to 2.
Answer: D
QUESTION 94
Which high availability option uses the concept of a virtual IP address to ensure that the default IP
gateway for an IPsec site-to-site tunnel is always reachable?
A. Backup IPsec peer

B. Reverse Route Injection (RRI)
C. HSRP
D. Dynamic Crypto Map
E. GRE over IPsec
Answer: C
QUESTION 95
What are three features in the SDM that role-based access provides? (Choose three.)

642-825
A. provides configuration wizards for all routing protocols (like RIP, OSPF, EIGRP, SGP, IS-IS)
B. provides to end customers Multiservice switching platforms (MSSPs) with a graphical, read-
only view of the customer premises equipment (CPE) services
C. provides advanced troubleshooting using debug output analysis
D. provides secure access to the SDM user interface and Telnet interface specific to the profile
of each administrator
E. provides logical separation of the router between different router administrators and users
F. provides dynamic update of new R3 signatures for administrator, firewall administrator, easy
VPN client, and read-only users
Answer: B, D, E
QUESTION 96
What two types of attacks does the lOS firewall configuration prevent? (Choose two.)
A. Java applets
B. SYN flood
C. Trojan horse
D. DDOS
E. packet sniffers
Answer: B, D
QUESTION 97

642-825
What Cisco feature generated the configuration?
A. EZ VPN
B. lOS Firewall
C. AutoSecure
D. IOS IPS
E. AAA
F. TACACS+
Answer: C
QUESTION 98
Which two statements are true about the Easy VPN Server configuration that is shown? (Choose
two).

642-825
A. Digital Certificate is used to authenticate the remote VPN client.

B. To connect, the remote VPN client will use a groupname of "test."
C. The remote VPN client will be assigned an internal IP address from the SDM_POOL_1 IP
address pool.
D. Split tunneling is enabled where traffic that matches ACL 100 will not be encrypted.
E. Split tunneling is disabled because no protected subnets have been defined.
Answer: B, C
QUESTION 99
What are the tour fields in an MPLS label? (Choose tour.)
A. version
B. experimental
C. label
D. protocol
E. TTL
F. bottom-of-stack indicator
Answer: B, C, E, F

642-825
QUESTION 100
Which global configuration mode command will configure a Cisco router as an authoritative NTP
server?
A. ntp broadcast
B. ntp peer
C. ntp server
D. ntp master
Answer: D
QUESTION 101
SDM has been used to configure the locations from which the signature definition file (SDF) will
be loaded. What will happen if the SDF files in flash are not available at startup?
A. All traffic will flow uninspected or will be dropped.

B. All traffic will be marked as uninspected and will be checked after the signature file is loaded.
C. All traffic will be inspected by the built-in signatures bundled with Cisco lOS Software.

642-825
D. All traffic will be inspected by the pre-built signatures bundled in the attack-drop.sdf file.
Answer: A
QUESTION 102
Which statement is true about convergence in an MPLS network?
A. MPLS convergence will take place at the same time as the routing protocol convergence.
B. MPLS convergence will take place after the routing protocol convergence.
C. MPLS convergence will take place before the routing protocol convergence.
D. MPLS must be reconfigured after the routing protocol convergence.
Answer: B
QUESTION 103
Which statement is true about the output of the show crypto engine connections active
command?
A. The device that is shown has not established a VPN connection with a peer.
B. No sub interfaces are involved in VPN connections.
C. All three interfaces are active and are encrypting and decrypting traffic.
D. The state of "set" indicates that the connection is configured but not connected to a peer.
Answer: C
QUESTION 104
Which two protocols can be used to prevent a reconnaissance attack? (Choose two.)
A. SSH
B. Telnet
C. IPsec
D. NTP
E. SNMP
Answer: A, C
QUESTION 105
What is a possible way to prevent a worm attack on a host PC?

642-825
A. Enable SSH.
B. Enable encryption.
C. Implement TACACS+.
D. Keep the operating system current with the latest patches.
Answer: D
QUESTION 106
Which procedure is recommended to protect SNMP from application layer attacks?

B. Implement RFC 2827 filtering.
C. Use SNMP version 2.
D. Create an access list on the SNMP server.
Answer: A
QUESTION 107
What is the result of the ACL configuration that is displayed?
A. Inbound packets to request a TCP session with the 10.10.10.0/24 network are allowed.
B. TCP responses from the outside network for TCP connections that originated on the inside
network are allowed.
C. TCP responses from the inside network for TCP connections that originated on the outside
network are denied.
D. Any inbound packet with the SYN flag set to be routed is permitted.
Answer: B

642-825
QUESTION 108
Which two statements are true about the Cisco lOS Firewall set? (Choose two.)
A. protects against denial of service (DoS) attacks

B. An ACL entry is statically created and added to the existing, permanent ACL.
C. Traffic originating within the router is not inspected.
D. Temporary ACL entries are created and persist for the duration of the communication session.
Answer: A, D
QUESTION 109
Which statement is true about the SDM Basic Firewall wizard?
A. The wizard applies predefined rules to protect the private and DMZ networks.
B. The wizard can configure multiple DMZ interfaces for outside users.
C. The wizard permits the creation of a custom application security policy.
D. The wizard configures one outside interface and one or more inside interfaces.
Answer: D
QUESTION 110
Which three statements about frame-mode MPLS are true? (Choose three.)
A. MPLS has three distinct components consisting of the data plane, the forwarding plane, and
the control plane.
B. The control plane is a simple label-based forwarding engine that is independent of the type of
routing protocol or label exchange protocol.
C. The CEF FIB table contains information about outgoing interfaces and their corresponding
Layer 2 header.
D. The MPLS data plane takes care of forwarding based on either destination addresses or
labels.
E. To exchange labels, the control plane requires protocols such as Tag Distribution Protocol
(TDP) or MPLS Label Distribution Protocol (LDP).
F. Whenever a router receives a packet that should be CEF-switched, but the destination is not
in the FIB, the packet is dropped.
Answer: D, E, F
QUESTION 111
Which three statements about the Cisco Easy VPN feature are true? (Choose three.)
A. It the VPN server is configured for Xauth, the VPN client waits for a username / password
challenge.
B. The Cisco Easy VPN feature only supports transform sets that provide authentication and
encryption.

642-825
C. The VPN client initiates aggressive mode (AAA) if a pre-shared key is used for authentication
during the IKE phase 1 process.
D. The VPN client verifies a server username/password challenge by using a AAA authentication
server that supports TACACS+ or RADIUS.
E. The VPN server can only be enabled on Cisco PIX Firewalls and Cisco VPN 3000 series
concentrators.
F. When connecting with a VPN client, the VPN server must be configured for ISAKMP group 1.
2 or 5.
Answer: A, B, C
QUESTION 112
Which two statements are true about the use of SDM to configure the Cisco Easy VPN feature on
a router? (Choose two.)
A. An Easy VPN connection is a connection that is configured between two Easy VPN clients.
B. The Easy VPN server address must be configured when configuring the SDM Easy VPN
Server wizard.
C. The SDM Easy VPN Sewer wizard displays a summary of the configuration before applying
the VPN configuration.
D. The SDM Easy VPN Sewer wizard can be used to configure a GRE over IPSec site-to-site
VPN or a dynamic multipoint VPN (DMVPN).
E. The SDM Easy VPN Sewer wizard can be used to configure user XAuth authentication locally
on the router or externally with a RADIUS sewer.
F. The SDM Easy VPN Server wizard recommends using the Quick setup feature when
configuring a dynamic multipoint VPN.
Answer: C, E
QUESTION 113
Which three statements are true when configuring Cisco 103 Firewall features using the SDM?
(Choose three.)
A. A custom application security policy can be configured in the Advanced Firewall Security
Configuration dialog box.
B. An optional DMZ interface can be specified in the Advanced Firewall Interface Configuration
dialog box.
C. Custom application policies for e-mail, instant messaging, HTTP, and peer-to-peer services
can be created using the Intermediate Firewall wizard.
D. Only the outside (untrusted) interface is specified in the Basic Firewall Interface Configuration
dialog box.
E. The outside interface that SDM can be launched from is configured in the Configuring Firewall
for Remote Access dialog box.
F- The SDM provides a basic, intermediate, and advanced firewall wizard.
Answer: A, B, E

642-825
QUESTION 114
Which device is responsible for attaching a VPN label to a packet traversing an MPLS network?
A. the provider (P) router

B. the provider edge (PE) router
C. the customer edge (CE) router
D. the customer (C) router
Answer: B
QUESTION 115
Given the partial tunnel configuration that is shown, which tunneling encapsulation is set?
A. GRE
B. GRE multipoint
C. cayman
D. DVMRP
Answer: A
QUESTION 116
Which three statements about lOS Firewall configurations are true? (Choose three.)
A. The IP inspection rule can be applied in the inbound direction on the secured interface.
B. The IP inspection rule can be applied in the outbound direction on the unsecured interface.
C. The ACL applied in the outbound direction on the unsecured interface should be an extended
ACL.
D. The ACL applied in the inbound direction on the unsecured interface should be an extended
ACL.
E. For temporary openings to be created dynamically by Cisco lOS Firewall, the access-list for
the returning traffic must be a standard ACL.
F. For temporary openings to be created dynamically by Cisco lOS Firewall, the IP inspection
rule must be applied to the secured interface.
Answer: A, B, D

642-825
QUESTION 117
Which statement describes the Authentication Proxy feature?
A. All traffic is permitted from the inbound to the outbound interface upon successful
authentication of the user.
B. A specific access profile is retrieved from a TACACS+ or RADIUS server and applied to an
lOS Firewall based on user provided credentials.
C. Prior to responding to a proxy APP, the router will prompt the user for a login and password
which are authenticated based on the configured AAA policy.
D. The proxy server capabilities of the lOS Firewall are enabled upon successful authentication
of the user.
Answer: B
QUESTION 118
Which two statements about an IDS are true? (Choose two.)
A. The IDS is in the traffic path.

B. The IDS can send TCP resets to the source device.
C. The IDS can send TCP resets to the destination device.
D. The IDS listens promiscuously to all traffic on the network.
E. Default operation is for the IDS to discard malicious traffic.
Answer: B, D
QUESTION 119
Which statement is true about the SDM IPS Policies wizard?
A. In order to configure the lPS, the wizard requires that customized signature files be created.
B. The lPS Policies wizard only allows the use of default signatures which cannot be modified.
C. The lPS Policies wizard can be used to modify, delete, or disable signatures that have been
deployed on the router.
D. When initially enabling the IPS Policies wizard, SDM automatically checks and downloads
updates of default signatures available from CCO (cisco.com).
E. The wizard verifies whether the command is correct but does not verify available router
resources before the signatures are deployed to the router.
Answer: C
QUESTION 120
Which statement is correct about Security Device Event Exchange (SDEE) messages?
A. SDEE messages can be viewed in real time using SDM.

B. SDEE messages displayed at the SDM window cannot be filtered.
C. SDFE messages are the SDM version of syslog messages.

642-825
D. SDEE specifies the IPS/IDS message exchange format between an IPS/IDS device and IPS
the management/monitoring station.
E. For SDEE messages to be viewed, the show ip ips all or show logging commands must be
given first.
Answer: D
QUESTION 121
What are the ramifications of Fail Closed being enabled under Engine Options?
A. The router will drop all packets that arrive on the affected interface.
B. If the IPS engine is unable to scan data, the router will drop all packets.
C. If the IPS detects any malicious traffic, it will cause the affected interlace to close any open
TCP connections.
D. The IPS engine is enabled to scan data and drop packets depending upon the signature of
the flow.
Answer: B
QUESTION 122
A router interface is configured with an inbound access control list and an inspection rule. How
will an inbound packet on this interface be processed?
A. The packet is processed by the inbound ACL. If the packet is dropped by the ACL, it is
processed by the inspection rule.

642-825
B. The packet is processed by the inbound ACL. If the packet is not dropped by the ACL, it is
processed by the inspection rule.
C. The packet is processed by the inspection rule. If the packet matches the inspection rule, the
inbound ACL is invoked.
D. The packet is processed by the inspection rule. If the packet does not match the inspection
rule, the inbound ACL is invoked.
Answer: B
QUESTION 123
Assume that a signature can identity an IP address as the source of an attack. Which action
would automatically create an ACL that denies all traffic from an attacking IP address?
A. alarm
B. drop
C. reset
D. deny Flow ln line
E. denyAttackerlnline
F. deny-connection-inline
Answer: E
QUESTION 124
A site requires support for skinny and H.323 voice protocols. How is this configured on an lOS
firewall using the SDM?
A. The Basic Firewall wizard is executed and the High Security Application policy is selected.
B. The Advanced Firewall wizard is executed and a custom Application Security policy is
selected in place of the default Application Security policies.
C. The Application Security tab is used to create a policy with voice support before the Firewall
wizard is run.
D. The Application Security tab is used to modify the SDM_High policy to add voice support prior
to the Firewall wizard being run.

642-825
Answer: B
QUESTION 125
The Basic Firewall wizard has been used to configure a router. What is the purpose of the
highlighted access list statement?
A. to prevent spoofing by blocking traffic entering interface Fa0/0 with a source address in the
same subnet as interface VLAN10
B. to prevent spoofing by blocking traffic entering Fa0/0 with a source address in the RFC 1916
private address space
C. to establish a DMZ by preventing traffic from interface VLAN10 being sent out interface
Fa0/0
D. to establish a DMZ by preventing traffic from interface Fa0/0 being sent out interface VLAN1
0
Answer: A
QUESTION 126
When establishing a VPN connection from the Cisco software VPN client to an Easy VPN server
router using pre-shared key authentication, what is entered in the configuration GUI of the Cisco
software VPN client to identify the group profile that is associated with this VPN client?
A. group name
B. client name
C. distinguished name
D. organizational unit

642-825
Answer: A
QUESTION 127
An lOS firewall has been configured to support skinny and H.323. Voice traffic is not passing
through the firewall as expected. What needs to be corrected in this configuration?
A. Access list 100 needs to permit skinny and H.323.

B. Access list 101 needs to permit skinny and H.323.
C. The ip inspect Voice in command on interface FastEthernet 0/1 should be applied in the
outbound direction.
D. The ip inspect Voice out command should be applied to interface FastEthernet 0/0.
Answer: C
QUESTION 128
During the Easy VPN Remote connection process, which phase involves pushing the IP address,
Domain Name System (DNS), and split tunnel attributes to the client?

642-825
A. mode configuration
B. the VPN client establishment of an ISAKMP SA
C. IPsec quick mode completion of the connection
D. VPN client initiation of the IKE phase 1 process
Answer: A
QUESTION 129
When entering the Group Authentication information while configuring the Cisco VPN Client on a
PC, what information is entered in the "Name" field?
A. login name of the user (such as "jsmith")

B. client name of the device (such as "jsmith-laptop")
C. IPsec group information (such as "Engineering")
D. the group pre-shared secret (such as "CiNl1iNFTW")
E. host name of the remote VPN device (such as "vpna.cisco.com")
Answer: C
QUESTION 130
Drag each Cisco Easy VPN connection process on the left to its step on the right.
Answer:

642-825
QUESTION 131
When configuring the Cisco VPN Client, what action is required prior to installing Mutual Group
Authentication?
A. Transparent tunneling must be enabled.

B. A valid root certificate must be installed.
C. A group pre-shared secret must be properly configured.
D. The option to "Allow Local LAN Access" must be selected.
Answer: B
QUESTION 132
This item contains several questions that you must answer. You can view these questions by
clicking on the Questions button to the left. Changing questions can be accomplished by clicking
the numbers to the left of each question. In order to complete the questions, you will need to refer
to the SDM and the topology, neither of which is currently visible. To gain access to either the
topology or the SDM, click on the button to left side of the screen that corresponds to the section
you wish to access. When you have finished viewing the topology or the SDM, you can return to
your questions by clicking on the Questions button to the left. Off Shore Industries is a large
worldwide sailing charter. The company has recently upgraded its Internet connectivity. As a
recent addition to the network engineering team, you have been tasked with documenting the
active Firewall configurations on the Annapolis router using the Cisco Router and Security Device
Manager (SDM) utility. Using the SDM output from Firewall and ACL Tasks under the Configure
tab, answer the following questions:

642-825

642-825

642-825

642-825

642-825

642-825

642-825
Which statement is true? (We can't offer correct answers for this question, hope you can help us,
and send your suggestions to supportCompany.com, it is greatly appreciated.)
A. Both FastEthernet 0/0 and Serial 0/0/0 are trusted interface

B. Both FastEthernet 0/0 and Serial 0/0/0 are untrusted interfaces.
C. FastEthernet 0/0 is a trusted interface and Serial 0/0/0 is an untrusted interface.
D. FastEthernet 0/0 is an untrusted interface and Serial 0/0/0 is a trusted interface.
Answer: C
QUESTION 133
to the SDM and the topology, neither of which is currently visible.
To gain access to either the topology or the SDM, click on the button to left side of the screen that
corresponds to the section you wish to access. When you have finished viewing the topology or
the SDM, you can return to your questions by clicking on the Questions button to the left.
Off Shore Industries is a large worldwide sailing charter. The company has recently upgraded its
Internet connectivity. As a recent addition to the network engineering team, you have been tasked
with documenting the active Firewall configurations on the Annapolis router using the Cisco
Router and Security Device Manager (SDM) utility. Using the 3SM output from Firewall and ACL
Tasks under the Configure tab, answer the following questions:

642-825

642-825

642-825

642-825

642-825

642-825

642-825
Which two statements would be true for a permissible incoming TCP packet on an untrusted
Interface in the this configuration? (Choose two.)
(We can't offer correct answers for this question, hope you can help us, and send your
suggestions to supportCompany.com, it is greatly appreciated.)
A. The packedt has a source address of 10.79.233.186

B. The packet has a source address of 172.16.81.108
C. The packet has a source address of 198.133.219.135
D. The session originated from an untrusted interface
E. The session originated from a trusted Interface
F. The application is not specified within the inspection rule SDM_LOW.
Answer: C, E
QUESTION 134
corresponds to the section you wish to access. When you have finished viewing the topology or
the SDM, you can return to your questions by clicking on the Questions button to the left.
Off Shore Industries is a large worldwide sailing charter. The company has recently upgraded its
Internet connectivity. As a recent addition to the network engineering team, you have been tasked

642-825
with documenting the active Firewall configurations on the Annapolis router using the Cisco
Router and Security Device Manager (SDM) utility. Using the SDM output from Firewall and ACL
Tasks under the Configure tab, answer the following questions:

642-825

642-825

642-825

642-825

642-825

642-825
Which two statements would specify a permissible incoming TCP packet on a trusted interface in
this configuration? (Choose two.)
A. The packet has a source address of 10.79.233.107

C. The packet has a source address of 198.133.21940
D. The destination address is not specified within the inspection rule SDM_LOW.
E. The destination address is specified within the inspection rule SDM_LOW.
Answer: A, C
QUESTION 135
corresponds to the section you wish to access. When you have finished viewing the topology the
SDM, you can return to your questions by clicking on the Questions button to the left.

642-825

642-825

642-825

642-825

642-825

642-825

642-825

642-825

642-825

642-825

642-825

642-825

642-825
Which defined peer IP address and local subnet belong to Crete? (Choose two.)
A. peer address 192.168.55.159

B. peer address 192.168.77.120
C. peer address 192.168.167.85
D. subnet 10.5.15.0/24
E. subnet 10.8.28.0/24
F. subnet 10.5.33.0/24
Answer:
QUESTION 136

642-825

642-825

642-825

642-825

642-825

642-825

642-825

642-825

642-825

642-825

642-825

642-825

642-825

642-825
Which IPSec rule is used for the Onlympia branch and what does it define? (Choose two.)
suggestions to supportCompany .com, it is greatly appreciated.)
A. 102
B. 116
C. 127
D. IP traffic sourced from 10.10.10.0/24 destined to 10.5.15.0/24 will use the VPN.
E. IP traffic sourced from 10.10.10.0/24 destined to 10.8.28.0/24 will use the VPN.
F. IP traffic sourced from 10.10.10.0/24 destined to 10.5.33.0/24 will use the VPN.
Answer:
QUESTION 137

642-825


642-825

642-825

642-825

642-825

642-825

642-825

642-825

642-825

642-825

642-825

642-825

642-825

642-825
Which algorithm as defined by the transform set is used for providing data confidentiality when
connected to Tyre?
suggestions to supportCompany .com, it is greatly appreciated.)
A. ESP-3DES-SHA
B. ESP-3DES-SHA1
C. ESP-3DES-SHA2
D. ESP-3DES
E. ESP-SHA-HMAC
Answer:
QUESTION 138

642-825


642-825

642-825

642-825

642-825

642-825

642-825

642-825

642-825

642-825

642-825

642-825

642-825

642-825
Which peer authentication method and which IPSEC mode is used to connect to the branch
locations? (Choose two.)
suggestions to supportCompanycom, it is greatly appreciated)
A. Digital Certificate
B. Pre-Shared Key
C. Transport Mode
D. Tunnel Mode
E. GRE/IPSEC Transport Mode
F. GRE/IPSEC Tunnel Mode
Answer: Pending.
QUESTION 139
What are two steps that must be taken when mitigating a worm attack? (Choose two.)

642-825
A. Inoculate systems by applying update patches.

B. Limit traffic rate.
C. Apply authentication.
D. Quarantine infected machines.
E. Enable anti-spoof measures
Answer: A, D
QUESTION 140
What is a reason for implementing MPLS in a network?
A. MPLS eliminates the need of an IGP in the core.

B. MPLS reduces the required number of BGP-enabled devices in the core.
C. Reduces routing table lookup since only the MPLS core routers perform routing table lookups.
D. MPLS eliminates the need for fully meshed connections between BGP enabled devices.
Answer: B
QUESTION 141
What are three features of the Cisco IOS Firewall feature set? (Choose three.)
A. Network-based application recognition (NBAR)

B. Authentication proxy
C. Stateful packet filtering
D. AAA services
E. Proxy server
F. IPS
Answer: B, C, F
QUESTION 142
Which two mechanisms can be used to detect IPsec GRE tunnel failures? (Choose two).
A. Dead Peer Detection (DPD)

B. CDP
C. isakmp keepalives
D. GRE keepalive mechanism
E. The hello mechanism of the routing protocol across the IPsec tunnel
Answer: A, E
QUESTION 143

642-825

E. A function of the cable modem termination system is to convert the digital data stream from
Answer: B, D
QUESTION 144
What are three configurable parameters when editing signatures in Security Device Manager
(SDM)? (Choose three.)
A. AlarmSeverity
B. AlarmKeepalive
C. AlarmTraits
D. EventMedia
E. EventAlarm
F. EventAction
Answer: A, C, F
QUESTION 145
A. Access attacks can consist of password attacks, trust exploitation, port redirection, and manin-
the-middle attacks.
B. Access attacks can consist of password attacks, ping sweeps, port scans, and man-in-themiddle
attacks.
C. Access attacks can consist of packet sniffers, ping sweeps, port scans, and man-in-themiddle
attacks.
Answer: A, E
QUESTION 146
Which form of DSL technology is typically used as a replacement for T1 lines?
A. VDSL
B. HDSL
C. ADSL

642-825
D. SDSL
E. G.SHDSL
F. IDSL
Answer: B
QUESTION 147
Which three statements are true when configuring Cisco IOS Firewall features using the SDM?
(Choose three.)
A. A custom application security policy can be configured in the Advanced Firewall Security
Configuration dialog box.
B. An optional DMZ interface can be specified in the Advanced Firewall Interface Configuration
dialog box.
C. Custom application policies for e-mail, instant messaging, HTTP, and peer-to-peer services
can be created using the Intermediate Firewall wizard.
D. Only the outside (untrusted) interface is specified in the Basic Firewall Interface Configuration
dialog box.
E. The outside interface that SDM can be launched from is configured in the Configuring
Firewall for Remote Access dialog box.
F. The SDM provides a basic, intermediate, and advanced firewall wizard.
Answer: A, B, E
QUESTION 148
Which three statements about frame-mode MPLS are true? (Choose three.)
A. MPLS has three distinct components consisting of the data plane, the forwarding plane, and
the control plane.
B. The control plane is a simple label-based forwarding engine that is independent of the type of
routing protocol or label exchange protocol.
C. The CEF FIB table contains information about outgoing interfaces and their corresponding
Layer 2 header.
D. The MPLS data plane takes care of forwarding based on either destination addresses or
labels.
E. To exchange labels, the control plane requires protocols such as Tag Distribution Protocol
(TDP) or MPLS Label Distribution Protocol (LDP).
F. Whenever a router receives a packet that should be CEF-switched, but the destination is not in
the FIB, the packet is dropped.
Answer: D, E, F
QUESTION 149
What are the four fields in an MPLS label? (Choose four.)
A. Version

642-825
B. Experimental
C. Label
D. Protocol
E. TTL
F. Bottom-of-stack indicator
Answer: B, C, E, F
QUESTION 150
Which statement is true when ICMP echo and echo-reply are disabled on edge devices?
A. Pings are allowed only to specific devices.

B. CDP information is not exchanged.
C. Port scans can no longer be run.
D. Some network diagnostic data is lost.
E. Wireless devices need to be physically connected to the edge device.
F. OSPF routing needs the command ip ospf network non-broadcast enabled.
Answer: D
QUESTION 151
Which statement is true about a worm attack?
A. Human interaction is required to facilitate the spread.

B. The worm executes arbitrary code and installs copies of itself in the memory of the infected
computer.
C. Extremely large volumes of requests are sent over a network or over the Internet.
D. Data or commands are injected into an existing stream of data. That stream is passed
between a client and server application.
Answer: B
QUESTION 152
the-middle attacks.
RFC 2827 filtering.
information.

642-825
Answer: A,D
QUESTION 153
C. Ensure that earlier statements in the ACL do not negate any statements that are found later
in the list.
Answer: D, F
QUESTION 154
Which two Network Time Protocol (NTP) statements are true? (Choose two.)
A. A stratum 0 time server is required for NTP operation.

B. NTP is enabled on all interfaces by default, and all interfaces receive NTP packets.
C. NTP operates on IP networks using User Datagram Protocol (UDP) port 123.
D. The ntp server global configuration is used to configure the NTP master clock to which other
peers synchronize themselves.
E. The show ntp status command displays detailed association information of all NTP peers.
F. Whenever possible, configure NTP version 5 because it automatically provides authentication
and encryption services.
Answer: B, C
QUESTION 155
Which statement is true about the SDM Basic Firewall wizard?
A. The wizard applies predefined rules to protect the private and DMZ networks.
B. The wizard can configure multiple DMZ interfaces for outside users.
C. The wizard permits the creation of a custom application security policy.
D. The wizard configures one outside interface and one or more inside interfaces.
Answer: D
QUESTION 156
Which two statements are true about the configuration of the Cisco IOS Firewall using the SDM?
(Choose two.)

642-825
A. Cisco IOS Firewall features may be configured by choosing the Additional Tasks wizard.
B. Firewall policies can be viewed from the Home screen of the SDM.
C. To simplify the Firewall configuration task, the SDM provides Basic Firewall, Intermediate
Firewall, and Advanced Firewall wizards.
D. The Basic Firewall Configuration wizard applies default access rules to the inside (trusted),
E. The Advanced Firewall Configuration wizard applies access rules to the inside (trusted),
Answer: B, E
QUESTION 157
How can virus and Trojan horse attacks be mitigated?
A. Disable port scan.

B. Deny echo replies on all edge routes.
C. Implement RFC 2827 filtering.
D. Use antivirus software.
E. Enable trust levels.
Answer: D
QUESTION 158
What are three objectives that the no ip inspect command achieves? (Choose three.)
A. Removes the entire CBAC configuration

B. Removes all associated static ACLs
C. Turns off the automatic audit feature in SDM
D. Denies HTTP and Java applets to the inside interface but permits this traffic to the DMZ
E. Resets all global timeouts and thresholds to the defaults
F. Deletes all existing sessions
Answer: A, E, F
QUESTION 159
What is required when configuring IOS Firewall using the CLI?
A. IOS IPS enabled on the untrusted interface

B. NBAR enabled to perform protocol discovery and deep packet inspection
C. Route-map to define the trusted outgoing traffic
D. Route-map to define the application inspection rules
E. An inbound extended ACL applied to the untrusted interface
Answer: E

642-825
QUESTION 160
A. A packet sniffer requires the use of a network adapter card in nonpromiscuous mode to
C. To reduce the risk of packet sniffing, cryptographic protocols such as Secure Shell
Protocol(SSH) and Secure Sockets Layer (SSL) should be used.
should be used.
used.
Answer: C, D
QUESTION 161
Which statement is true about the management protocols?
A. TFTP data is sent encrypted.

B. Syslog data is sent encrypted between the server and device.
C. SNMP v1/v2 can be compromised because the community string information for
authentication is sent in clear text.
D. NTP v.3 does not support a cryptographic authentication mechanism between peers.
Answer: C
QUESTION 162
Which statement about an IPS is true?
A. The IPS is in the traffic path.

B. Only one active interface is required.
C. Full benefit of an IPS will not be realized unless deployed in conjunction with an IDS.
D. When malicious traffic is detected, the IPS will only send an alert to a management station.
Answer: A
QUESTION 163
When configuring the Cisco VPN Client, what action is required prior to installing Mutual Group
Authentication?
A. Transparent tunneling must be enabled.

B. A valid root certificate must be installed.
C. A group pre-shared secret must be properly configured.
D. The option to "Allow Local LAN Access" must be selected.
Answer: B

642-825
QUESTION 164
For what purpose does SDM use Security Device Event Exchange (SDEE)?
A. To extract relevant SNMP information

B. To pull event logs from the router
C. To perform application-level accounting
D. To provide a keepalive mechanism
Answer: B
QUESTION 165
Which three statements are true about Cisco Intrusion Detection System (IDS) and Cisco
Intrusion Prevention System (IPS) functions? (Choose three.)
A. Only IDS systems provide real-time monitoring that includes packet capture and analysis of
network packets.
B. Both IDS and IPS systems provide real-time monitoring that involves packet capture and
analysis of network packets.
C. The signatures on the IDS devices are configured manually whereas the signature on the IPS
devices are configured automatically.
D. IDS can detect misuse, abuse, and unauthorized access to networked resources but can only
respond after an attack is detected.
E. IPS can detect misuse, abuse, and unauthorized access to networked resources and
respond before network security can be compromised.
F. IDS can deny malicious traffic from the inside network whereas IPS can deny malicious traffic
from outside the network.
Answer: B, D, E
QUESTION 166
What phrase best describes a Handler in a distributed denial of service (DDoS) attack?
A. Person who launches the attack

B. Host that generates a stream of packets that is directed toward the intended victim
C. Host running the attacker program
D. Host being attacked
Answer: C
QUESTION 167
Which PPPoA configuration statement is true?
A. The dsl operating-mode auto command is required if the default mode has been changed.
B. The encapsulation ppp command is required.
C. The ip mtu 1492 command must be applied on the dialer interface.

642-825
D. The ip mtu 1496 command must be applied on the dialer interface.

E. The ip mtu 1492 command must be applied on the Ethernet interface.
F. The ip mtu 1496 command must be applied on the Ethernet interface.
Answer: A
QUESTION 168
What is a recommended practice for secure configuration management?

B. Use SSH or SSL.
C. Deny echo replies on all edge routers.
D. Enable trust levels.
E. Use secure Telnet.
Answer: B
QUESTION 169
Which three statements about hybrid fiber-coaxial (HFC) networks are true? (Choose three.)
A. A tap produces a significantly larger output signal.

B. An amplifier divides the input RF signal power to provide subscriber drop connections.
C. Baseband sends multiple pieces of data simultaneously to increase the effective rate of
transmission.
D. Downstream is the direction of an RF signal transmission (TV channels and data) from the
source (headend) to the destination (subscribers).
E. The term CATV refers to residential cable systems.
F. Upstream is the direction from subscribers to the headend.
Answer: D, E, F
QUESTION 170
Which two active response capabilities can be configured on an intrusion detection system (IDS)
in response to malicious traffic detection? (Choose two.)
A. The initiation of dynamic access lists on the IDS to prevent further malicious traffic
B. The configuration of network devices to prevent malicious traffic from passing through
C. The shutdown of ports on intermediary devices
D. The transmission of a TCP reset to the offending end host
E. The invoking of SNMP-sourced controls
Answer: B, D
QUESTION 171
Which IPsec VPN backup technology statement is true?

642-825
A. Each Hot Standby Routing Protocol (HSRP) standby group has two well-known MAC
addresses and a virtual IP address.
B. Reverse Route Injection (RRI) is configured on at the remote site to inject the central site
networks.
C. The crypto isakmp keepalive command is used to configure the Stateful Switchover (SSO)
protocol.
D. The crypto isakmp keepalive command is used to configure stateless failover.
E. The reverse-route command should be applied directly to the outside interface.
Answer: D
QUESTION 172
Which two statements describe the functions and operations of IDS and IPS systems? (Choose
two.)
A. A network administrator entering a wrong password would generate a true-negative alarm.

B. A false positive alarm is generated when an IDS/IPS signature is correctly identified.
C. An IDS is significantly more advanced over IPS because of its ability to prevent network
attacks.
D. Cisco IDS works inline and stops attacks before they enter the network.
E. Cisco IPS taps the network traffic and responds after an attack.
F. Profile-based intrusion detection is also known as "anomaly detection".
Answer: B, F
QUESTION 173
Which three DSL technologies support an analog POTS channel and utilize the entire bandwidth
of the copper to carry data? (Choose three.)
A. ADSL
B. IDSL
C. SDSL
D. RADSL
E. VDSL
Answer: A, D, E
QUESTION 174
What actions can be performed by the Cisco IOS IPS when suspicious a tivity is detected?
(Choose four.)
A. Send an alarm to a syslog server or a centralized management interface

B. Initiate antivirus software to clean the packet
C. Drop the packet
D. Reset the connection
E. Request packet to be resent

642-825
F. Deny traffic from the source IP address associated with the connection
Answer: A, C, D, F
QUESTION 175
What are the four steps that occur with an IPsec VPN setup?
A. Step 1: Interesting traffic initiates the IPsec process.
A. Step 2: AH authenticates IPsec peers and negotiates IKE SAs.

B. Step 3: AH negotiates IPsec SA settings and sets up matching IPsec SAs in the peers.
C. Step 4: Data is securely transferred between IPsec peers.
B. Step 1: Interesting traffic initiates the IPsec process.
D. Step 2: ESP authenticates IPsec peers and negotiates IKE SAs.
E. Step 3: ESP negotiates IPsec SA settings and sets up matching IPsec SAs in the peers.
F. Step 4: Data is securely transferred between IPsec peers.
C. Step 1: Interesting traffic initiates the IPsec process.
G. Step 2: IKE authenticates IPsec peers and negotiates IKE SAs.
H. Step 3: IKE negotiates IPsec SA settings and sets up matching IPsec SAs in the peers.
I. Step 4: Data is securely transferred between IPsec peers.
D. Step 1: Interesting traffic initiates the IPsec process.
J. Step 2: IKE negotiates IPsec SA settings and sets up matching IPsec SAs in the peers.
K. Step 3: IKE authenticates IPsec peers and negotiates IKE SAs.
L. Step 4: Data is securely transferred between IPsec peers.
Answer: C
QUESTION 176
What is a recommended practice for secure configuration management?

B. Use SSH or SSL.
C. Deny echo replies on all edge routers.
D. Enable trust levels.
E. Use secure Telnet.
Answer: B
QUESTION 177
Which statement is true about a worm attack?
A. Human interaction is required to facilitate the spread.

B. The worm executes arbitrary code and installs copies of itself in the memory of the infected
computer.
C. Extremely large volumes of requests are sent over a network or over the Internet.
D. Data or commands are injected into an existing stream of data. That stream is passed

642-825
between a client and
A. server application.
Answer: B
QUESTION 178
Which two statements are true about the troubleshooting of VPN connectivity on a Cisco router?
(Choose two.)
A. SDM can be used to provide statistical output that is related to IPsec SAs.
B. The debug crypto isakmp command output displays detailed IKE phase 1 and phase 2
negotiation processes.
C. SDM can be used to perform advance troubleshooting.
D. Knowledge of Cisco IOS CLI commands is required.
E. The Monitor Tunnel Operation page in SDM is the primary tool for troubleshooting VPN
connectivity.
Answer: B, D
QUESTION 179
Which action can be taken by Cisco IOS IPS when a packet matches a signature pattern?
A. Drop the packet

B. Reset the UDP connection
C. Block all traffic from the destination address for a specified amount of time
D. Perform a reverse path verification to determine if the source of the malicious packet was
spoofed
E. Forward the malicious packet to a centralized NMS where further analysis can be taken
Answer: A
QUESTION 180
Which statement about the aaa authentication enable default group radius enable command is
true?
A. If the radius server returns an error, the enable password will be used.
B. If the radius server returns a 'failed' message, the enable password will be used.
C. The command login authentication group will associate the AAA authentication to a specified
interface.
D. If the group database is unavailable, the radius server will be used.
Answer: A
QUESTION 181
Which three DSL technologies support an analog POTS channel and utilize the entire bandwidth

642-825
of the copper to carry data? (Choose three.)
A. ADSL
B. IDSL
C. SDSL
D. RADSL
E. VDSL
Answer: A, D, E
QUESTION 182
C. Ensure that earlier statements in the ACL do not negate any statements that are found later
in the list.
Answer: D, F
QUESTION 183
If an edge Label Switch Router (LSR) is properly configured, which three combinations are
possible? (Choose three.)
A. A received IP packet is forwarded based on the IP destination address and the packet is sent
as an IP packet.
B. An IP destination exists in the IP forwarding table. A received labeled packet is dropped
because the label is not found in the LFIB table.
C. There is an MPLS label-switched path toward the destination. A received IP packet is
dropped because the destination is not found in the IP forwarding table.
D. A received IP packet is forwarded based on the IP destination address and the packet is sent
as a labeled packet.
E. A received labeled IP packet is forwarded based upon both the label and the IP address.
F. A received labeled packet is forwarded based on the label. After the label is swapped, the
newly labeled packet is sent.
Answer: A, D, F
QUESTION 184
What three features does Cisco Security Device Manager (SDM) offer? (Choose three.)

642-825
A. Smart wizards and advanced configuration support for NAC policy features
B. Single-step mitigation of Distributed Denial of Service (DDoS) attacks
C. One-step router lockdown
D. Security auditing capability based upon CERT recommendations
E. Multi-layered defense against social engineering
F. Single-step deployment of basic and advanced policy settings
Answer: A, C, F
QUESTION 185
What are the four steps that occur with an IPsec VPN setup?
A. Step 1: Interesting traffic initiates the IPsec process.

A. Step 2: AH authenticates IPsec peers and negotiates IKE SAs.
B. Step 3: AH negotiates IPsec SA settings and sets up matching IPsec SAs in the peers.
C. Step 4: Data is securely transferred between IPsec peers.
B. Step 1: Interesting traffic initiates the IPsec process.
D. Step 2: ESP authenticates IPsec peers and negotiates IKE SAs.
E. Step 3: ESP negotiates IPsec SA settings and sets up matching IPsec SAs in the peers.
F. Step 4: Data is securely transferred between IPsec peers.
C. Step 1: Interesting traffic initiates the IPsec process.
G. Step 2: IKE authenticates IPsec peers and negotiates IKE SAs.
H. Step 3: IKE negotiates IPsec SA settings and sets up matching IPsec SAs in the peers.
I. Step 4: Data is securely transferred between IPsec peers.
D. Step 1: Interesting traffic initiates the IPsec process.
J. Step 2: IKE negotiates IPsec SA settings and sets up matching IPsec SAs in the peers.
K. Step 3: IKE authenticates IPsec peers and negotiates IKE SAs.
L. Step 4: Data is securely transferred between IPsec peers.
Answer: C
QUESTION 186
Which form of DSL technology is typically used as a replacement for T1 lines?
A. VDSL
B. HDSL
C. ADSL
D. SDSL
E. G.SHDSL
F. IDSL
Answer: B
QUESTION 187
Which three categories of signatures can a Cisco IPS microengine identify? (Choose three.)

642-825
A. DDoS signatures
B. Strong signatures
C. Exploit signatures
D. Numeric signatures
E. Spoofing signatures
F. Connection signatures
Answer: A, C, F
QUESTION 188
What are two principles to follow when configuring ACLs with IOS Firewall? (Choose two.)
A. Prevent traffic that will be inspected by IOS Firewall from leaving the network through the
firewall.
B. Configure extended ACLs to prevent IOS Firewall return traffic from entering the network
through the firewall.
C. Configure an ACL to deny traffic from the protected networks to the unprotected networks.
D. Permit broadcast messages with a source address of 255.255.255.255.
E. Allow traffic that will be inspected by IOS Firewall to leave the network through the firewall.
Answer: B, E
QUESTION 189
With MPLS, what is the function of the protocol ID (PID) in a Layer 2 header?
A. It specifies that the bottom-of-stack bit immediately follows.

B. It specifies that the payload starts with a label and is followed by an IP header.
C. It specifies that the receiving router use the top label only.
D. It specifies how many labels immediately follow.
Answer: B
QUESTION 190
Which statement identifies a limitation in the way Cisco IOS Firewall tracks UDP connections
versus TCP connections?
A. It cannot track the source IP.

B. It cannot track the source port.
C. It cannot track the destination IP.
D. It cannot track the destination port.
E. It cannot track sequence numbers and flags.
F. It cannot track multicast or broadcast packets.
Answer: E

642-825
QUESTION 191
What are three methods of network reconnaissance? (Choose three.)
A. IP spoofing
B. One-time password
C. Dictionary attack
D. Packet sniffer
E. Ping sweep
F. Port scan
Answer: D, E, F
QUESTION 192
What are three options for viewing Security Device Event Exchange (SDEE) messages in
Security Device Manager (SDM)? (Choose three.)
A. To view SDEE status messages

B. To view SDEE keepalive messages
C. To view all SDEE messages
D. To view SDEE statistics
E. To view SDEE alerts
F. To view SDEE actions
Answer: A, C, E
QUESTION 193
Which IOS command would display IPS default values that may not be displayed using the show
running-config command?
A. Show ip ips configuration

B. Show ip ips interface
C. Show ip ips statistics
D. Show ip ips session
Answer: A
QUESTION 194
Which statement describes the Authentication Proxy feature?
A. All traffic is permitted from the inbound to the outbound interface upon successful
authentication of the user.
B. A specific access profile is retrieved from a TACACS+ or RADIUS server and applied to an
IOS Firewall based on user provided credentials.
C. Prior to responding to a proxy ARP, the router will prompt the user for a login and password
D. The proxy server capabilities of the IOS Firewall are enabled upon successful authentication

642-825
of the user.
Answer: B
QUESTION 195
Which two actions will take place when One-Step Lockdown is implemented? (Choose two.)
A. CDP will be enabled.

B. A banner will be set.
C. Logging will be enabled.
D. Security passwords will be required to be a minimum of 8 characters.
E. Telnet settings will be disabled.
Answer: B, C
QUESTION 196
What are the two main features of Cisco IOS Firewall? (Choose two.)
A. TACACS+
B. AAA
C. Cisco Secure Access Control Server
D. Intrusion Prevention System
E. Authentication Proxy
Answer: D, E
QUESTION 197
Which two statements about an IDS are true? (Choose two.)
A. The IDS is in the traffic path.

B. The IDS can send TCP resets to the source device.
C. The IDS can send TCP resets to the destination device.
D. The IDS listens promiscuously to all traffic on the network.
E. Default operation is for the IDS to discard malicious traffic.
Answer: B, D
QUESTION 198
Which statement is true about the management protocols?
A. TFTP data is sent encrypted.

B. Syslog data is sent encrypted between the server and device.
C. SNMP v1/v2 can be compromised because the community string information for
authentication is sent in clear text.
D. NTP v.3 does not support a cryptographic authentication mechanism between peers.

642-825
Answer: C
QUESTION 199
What are two ways to mitigate IP spoofing attacks? (Choose two.)
A. Disable ICMP echo.

B. Use RFC 3704 filtering (formerly know as RFC 2827).
C. Use encryption.
D. Configure trust levels.
E. Use NBAR.
F. Use MPLS.
Answer: B, C
QUESTION 200
What technology must be enabled as a prerequisite to running MPLS on a Cisco router?
A. Process switching
B. Routing-table driven switching
C. Cache driven switching
D. CEF switching
E. Fast switching
Answer: D
QUESTION 201
Which two statements are true about signatures in a Cisco IOS IPS? (Choose two.)
A. The action of a signature can be enabled on a per-TCP-session basis.

B. Common signatures are hard-coded into the IOS image.
C. IOS IPS signatures are propagated with the SDEE protocol.
D. IOS IPS signatures are stored in the startup config of the router.
E. Selection of an SDF file should be based on the amount of RAM memory available on the
router.
Answer: B, E
QUESTION 202


642-825
E. A function of the cable modem termination system is to convert the digital data stream from
Answer: B, D
QUESTION 203
the-middle attacks.
RFC 2827 filtering.
information.
Answer: A, D
QUESTION 204
Which two statements about the AutoSecure feature are true? (Choose two.)
A. AutoSecure automatically disables the CDP feature.

B. If you enable AutoSecure, the minimum length of the login and enable passwords is set to 6
characters.
C. The auto secure full command automatically configures the management and forwarding
planes without any user interaction.
D. To enable AutoSecure, the auto secure global configuration command must be used.
E. Once AutoSecure has been configured, the user can launch the SDM Web interface to
perform a security audit.
Answer: A, B
QUESTION 205
What two proactive preventive actions are taken by an intrusion prevention system (IPS) when
malicious traffic is detected? (Choose two.)
A. The IPS shuts down intermediary ports.

B. The IPS invokes SNMP-enabled controls.
C. The IPS sends an alert to the management station.
D. The IPS enables a dynamic access list.
E. The IPS denies malicious traffic.

642-825
Answer: C, E
QUESTION 206
Which three MPLS statements are true? (Choose three.)
A. Cisco Express Forwarding (CEF) must be enabled as a prerequisite to running MPLS on a

Cisco router.
B. Frame-mode MPLS inserts a 32-bit label between the Layer 3 and Layer 4 headers.
C. MPLS is designed for use with frame-based Layer 2 encapsulation protocols such as Frame
Relay, but is not supported by ATM because of ATM fixed-length cells.
D. OSPF, EIGRP, IS-IS, RIP, and BGP can be used in the control plane.
E. The control plane is responsible for forwarding packets.
F. The two major components of MPLS include the control plane and the data plane.
Answer: A, D, F
QUESTION 207
Which three statements are correct about MPLS-based VPNs? (Choose three.)
A. Route Targets (RTs) are attributes attached to a VPNv4 BGP route to indicate its VPN
membership.
B. Scalability becomes challenging for a very large, fully meshed deployment.
C. Authentication is done using a digital certificate or pre-shared key.
D. A VPN client is required for client-initiated deployments.
E. A VPN client is not required for users to interact with the network.
F. An MPLS-based VPN is highly scalable because no site-to-site peering is required.
Answer: A, E, F
QUESTION 208
When configuring backup IPsec VPNs with Cisco IOS Release 12.2(8)T or later, what are the
default parameters?
A. Cisco IOS keepalives are sent every 10 seconds if there is no traffic to send.
B. Dead peer detection (DPD) hello messages are sent every 10 seconds if there is no traffic to
send.
C. Cisco IOS keepalives are sent every 10 seconds if the router has traffic to send.
D. DPD hello messages are sent every 10 seconds if the router has traffic to send.
Answer: D
QUESTION 209

642-825
the-middle attacks.
B. Access attacks can consist of password attacks, ping sweeps, port scans, and man-in-themiddle
attacks.
C. Access attacks can consist of packet sniffers, ping sweeps, port scans, and man-in-themiddle
attacks.
Answer: A, E
QUESTION 210
Which two mechanisms can be used to detect IPsec GRE tunnel failures? (Choose two).
A. Dead Peer Detection (DPD)

B. CDP
C. Isakmp keepalives
D. GRE keepalive mechanism
E. The hello mechanism of the routing protocol across the IPsec tunnel
Answer: A,
QUESTION 211
How can virus and Trojan horse attacks be mitigated?

B. Deny echo replies on all edge routes.
C. Implement RFC 2827 filtering.
D. Use antivirus software.
E. Enable trust levels.
Answer: D
QUESTION 212
Which two statements are true about the use of SDM to configure the Cisco Easy VPN feature on
a router? (Choose two.)
A. An Easy VPN connection is a connection that is configured between two Easy VPN clients.
B. The Easy VPN server address must be configured when configuring the SDM Easy VPN
Server wizard.
C. The SDM Easy VPN Server wizard displays a summary of the configuration before applying
the VPN configuration.
D. The SDM Easy VPN Server wizard can be used to configure a GRE over IPSec site-to-site

642-825
VPN or a dynamic multipoint VPN (DMVPN).

E. The SDM Easy VPN Server wizard can be used to configure user XAuth authentication
locally on the router or externally with a RADIUS server.
F. The SDM Easy VPN Server wizard recommends using the Quick setup feature when
configuring a dynamic multipoint VPN.
Answer: C, E
QUESTION 213
A site requires support for skinny and H.323 voice protocols. How is this configured on an IOS
firewall using the SDM?
A. The Basic Firewall wizard is executed and the High Security Application policy is selected.
B. The Advanced Firewall wizard is executed and a custom Application Security policy is
selected in place of the default Application Security policies.
C. The Application Security tab is used to create a policy with voice support before the Firewall
wizard is run.
D. The Application Security tab is used to modify the SDM_High policy to add voice support
prior to the Firewall wizard being run.
Answer: B
QUESTION 214
What are two steps that must be taken when mitigating a worm attack? (Choose two.)

C. Apply authentication.
D. Quarantine infected machines.
E. Enable anti-spoof measures
Answer: A, D
QUESTION 215
A. A packet sniffer requires the use of a network adapter card in nonpromiscuous mode to
C. To reduce the risk of packet sniffing, cryptographic protocols such as Secure Shell Protocol
(SSH) and Secure Sockets Layer (SSL) should be used.
should be used.
used.

642-825
Answer: C, D
QUESTION 216
Which two statements about Cisco Easy VPN are true? (Choose two.)
A. An IOS router, a PIX firewall or a VPN client can operate as an Easy VPN terminal point.
B. A VPN client can also be configured to operate as an Easy VPN server.
C. Easy VPN does not support split tunnels.
D. Easy VPN tunnel endpoint addresses can be the virtual IP address of an HSRP configuration.
E. Easy VPN is only appropriate for smaller deployments.
Answer: A, D
QUESTION 217
When you are using the SDM to configure a GRE tunnel over IPsec, which two parameters are
required when defining the tunnel interface information? (Choose two.)
A. MTU size of the GRE tunnel interface

B. GRE tunnel source interface or IP address, and tunnel destination IP address
C. IPSEC mode (tunnel or transport)
D. GRE tunnel interface IP address
E. crypto ACL number
Answer: B, D
QUESTION 218
Which two statements about the Security Device Manager (SDM) Intrusion Prevention System
(IPS) Rule wizard are true? (Choose two.)
A. By default, the Use Built-In Signatures (as backup) checkbox is not selected.
B. Changes to the IPS rules can be made using the Configure IPS tab.
C. Changes to the IPS rules can be made using the Edit Firewall Policy/ACL tab.
D. Once all interfaces have rules applied to them, you can re-initiate the IPS Rule wizard to
make changes.
E. Once all interfaces have rules applied to them, you cannot re-initiate the IPS Rule wizard to
make changes.
F. When using the wizard for the first time, you will be prompted to enable the Security Device
Event Exchange (SDEE).
Answer: D, F
QUESTION 219
At what size should the MTU on LAN interfaces be set in the implementation of MPLS VPNs with
traffic engineering?

642-825
A. 1512 bytes
B. 1516 bytes
C. 1520 bytes
D. 1524 bytes
E. 1528 bytes
F. 1532 bytes
Answer: A
QUESTION 220
Which two devices serve as the main endpoint components in a DSL data service network?
(Choose two.)
A. SOHO workstation
B. ATU-R
C. ATU-C
D. POTS splitter
E. CO switch
Answer: B,
QUESTION 221
Which three protocols are available for local redundancy in a backup VPN scenario? (Choose
three.)
A. VRRP
B. A routing protocol
C. RSVP
D. HSRP
E. Proxy ARP
F. GLBP
Answer: A, D, F
QUESTION 222
Which PPPoE configuration statement is true?
A. A PVC must be created before the pppoe enable command on the Ethernet interface is
entered.
B. The dsl operating-mode auto command is required.
C. The encapsulation ppp command must be applied on the Ethernet interface.
D. The ip mtu 1492 command must be applied on the dialer interface.
E. The ip mtu 1496 command must be applied on the Ethernet interface.
F. When the pppoe enable command is applied on the Ethernet interface, a PVC will be
created.

642-825
Answer: D
QUESTION 223
The Cisco SOHO 77 ADSL router provides an affordable, secure, multiuser digital subscriber line
(DSL) access solution to small office/home office customers while reducing deployment and
operational costs for service providers. Refer to the exhibit, which shows a PPPoA diagram and
partial SOHO77 configuration. Which command needs to be applied to the SOHO77 to complete
the configuration?
A. Encapsulation aal5mux ppp dialer applied to the PVC

B. Encapsulation aal5ciscoppp applied to the PVC
C. Encapsulation aal5mux ppp dialer applied to the ATM0 interface
D. Encapsulation aal5ciscoppp applied to the ATM0 interface
Answer: A
QUESTION 224
Which three methods are of network reconnaissance? (Choose three.)
A. Packet sniffer

642-825
B. Ping Sweep
C. Dictionary attack
D. Port scan
Answer: A, B, D
QUESTION 225
Which two steps must be taken when mitigating a worm attack? (Choose two.)

C. Quarantine infected machines.
D. Apply authentication.
Answer: A, C
QUESTION 226
IPSec VPN is a widely-acknowledged solution for enterprise network. Which three IPsec VPN
statements are true? (Choose three.)
A. IKE keepalives are unidirectional and sent every ten seconds.

B. IPsec uses the Encapsulating Security Protocol (ESP) or the Authentication Header (AH)
protocol for exchanging keys.
C. To establish IKE SA, main mode utilizes six packets while aggressive mode utilizes only three
packets
D. IKE uses the Diffie-Hellman algorithm to generate symmetrical keys to be used by IPsec
peers.
Answer: A, C, D
QUESTION 227
Study this exhibit carefully.
What information can be derived from the SDM firewall configuration displayed?

642-825
A. Access-list 101 was configured for the trusted interface, and access-list 100 was configured for
the untrusted interface.
B. Access-list 100 was configured for the trusted interface, and access-list 101 was configured for
the untrusted interface.
C. Access-list 100 was configured for the inbound direction, and access-list 101 was configured
for the outbound direction on the trusted interface.
D. Access-list 100 was configured for the inbound direction, and access-list 101 was configured
for the outbound direction on the untrusted interface.
Answer: A
QUESTION 228
You work as a network technician at Company.com,study the exhibit carefully. What type of
security solution will be provided for the inside network?

642-825
A. The router will intercept the traceroute messages. It will validate the connection requests
before forwarding the packets to the inside network.
B. The router will reply to the TCP connection requests. If the three-way handshake completes
successfully, the router will establish a TCP connection between itself and the server.
C. The TCP traffic that matches the ACL will be allowed to pass through the router and create a
TCP connection with the server.
D. The TCP connection that matches the defined ACL will be reset by the router if the connection
does not complete the three-way handshake within the defined time period.
Answer: B
QUESTION 229
Authentication is the process of determining if a user or identity is who they claim to be. Refer to
the exhibit. Which statement about the authentication process is correct?

642-825
A. The LIST1 list will disable authentication on the console port.

B. All login requests will be authenticated using the group tacacs+ method.
C. The default login authentication will automatically be applied to all login connections.
D. Because no method list is specified, the LIST1 list will not authenticate anyone on the console
port.
Answer: A
QUESTION 230
Which description is correct about the Authentication Proxy feature?
A. All traffic is permitted from

the inbound to the outbound interface upon successful authentication of the user. B.
A Specific access profile is retrieved from a TACACS+ or RADIUS server and applied to an IOS
Firewall based on user provided credentials.
C. Prior to responding to a proxy ARP, the router will prompt the user for a login and password
D. The proxy server capabilities of the IOS Firewall are enabled upon successful authentication of
the user.
Answer: B
QUESTION 231
You are a network technician at Company.com,study the exhibit carefully. What does the "26" in
the first two hop outputs indicate?

642-825
A. The IPv4 label for the forwarding router

B. The IPv4 label for the destination network
C. The IPv4 label for the destination router
D. The outer label used to determine the next hop
Answer: B
QUESTION 232
Authentication is the process of determining whether someone or something is, in fact, who or
what it is declared to be. On the basis of the exhibit. Which two statements correctly describe the
authentication method used to authenticate users who want privileged access into P4S-R1?
(Choose two.)
A. All users will be authenticated using the RADIUS server. If the RADIUS server is unavailable,
the authentication process stops and no other authentication method is attempted.

642-825
B. All users will be authenticated using the RADIUS server. If the RADIUS server is unavailable,
the router will attempt to authenticate the user using its local database.
C. All users will be authenticated using the RADIUS server. If the user authentication fails, the
router will attempt to authenticate the user using its local database.
D. All users will be authenticated using the RADIUS server. If the user authentication fails, the
authentication process stops and no other authentication method is attempted.
Answer: B, D
QUESTION 233
Split tunneling allows you to configure specific network routes that are downloaded to the client.
Refer to the exhibit. Which statement is true about the configuration of split tunnels using SDM?
A. Any protected subnets that are entered represent subnets at the VPN server site that will be
B. Any protected subnets that are entered represent subnets at the end user's site that will be
C. Any protected subnets that are entered represent subnets at the end user's site that will be
D. Any protected subnets that are entered represent subnets at the VPN server site that will be
Answer: D
642-825
QUESTION 234
You work as a network engineer at Company.com, study the exhibit carefully. Based on the
presented information, which configuration was completed on the router CPE?
A. CPE(config)# ip nat inside source list 101 interface Dialer0 overload

CPE(config)# access-list 101 permit ip 10.0.0.0 0.255.255.255 any
B. CPE(config)# ip nat inside source list 101 interface Dialer0
C. CPE(config)# ip nat inside source list 101 interface Ethernet 0/0
D. CPE(config)# ip nat inside source list 101 interface Ethernet 0/0 overload
Answer: A
QUESTION 235
You work as a network technician, refer to the exhibit. Which description is correct about the
partial MPLS configuration that is shown?
A. The route-target both 100:2 command sets import and export route-targets for vrf2.
B. The route-target both 100:2 command changes a VPNv4 route to a IPv4 route.
C. The route-target import 100:1 command sets import route-targets routes specified by the route
map.
D. The route-target import 100:1 command sets import route-targets for vrf2 that override the
other route-target configuration.
Answer: A

642-825
QUESTION 236
As a network technician , study this exhibit below carefully. FastEthernet0/0 has been destined a
network address of 200.0.1.2/24 and no ACL has been applied to that interface. Serial0/0/0 has
been assigned a network address of 200.0.0.1/30. Assuming that there are no network-related
problems, which ping will be successful?
A. From 200.0.0.2 to 200.0.0.1

B. From 200.0.0.1 to 200.0.0.2
C. From 200.0.0.2 to 200.0.1.1
D. From 200.0.0.2 to 200.0.1.2
Answer: B
QUESTION 237
Which method to identify malicious traffic involves looking for a fixed sequence of bytes in a
single packet or in predefined content?
A. Policy-based
B. Anomaly-based
C. Signature-based
D. Honeypot-based

642-825
Answer: C
QUESTION 238
For the following options,which three DSL technologies support an analog POTS channel and
use the entire bandwidth of the copper to carry data? (Choose three.)
A. ADSL
B. IDSL
C. VDSL
D. RADSL
Answer: A, C, D
QUESTION 239
DSL is a family of technologies that provide digital data transmission over the wires of a local
telephone network. Which form of DSL technology is typically used as a replacement for T1
lines?
A. ADSL
B. HDSL
C. VDSL
D. SDSL
Answer: B
QUESTION 240
Refer to the exhibit. Based on the presented information , which description is correct?

642-825
A. The IOS firewall has allowed an HTTP session between two devices.
B. A TCP session that started between 192.168.1.116 and 192.168.101.115 caused dynamic
ACL entries to be created.
C. A UDP session that started between 192.168.1.116 and 192.168.101.115 caused dynamic
ACL entries to be created.
D. Telnet is the only protocol allowed through this IOS firewall configuration.
Answer: B
QUESTION 241
Study the exhibit carefully.
Based on the partial configuration, which two descriptions are correct? (Choose two.)

642-825
A. A CBAC inspection rule is configured on router RTA.

B. On interface Fa0/0, the ip inspect statement should be incoming.
C. A QoS policy has been applied on interfaces Serial 0/0 and FastEthernet 0/1.
D. Interface Fa0/0 should be the inside interface and interface Fa0/1 should be the outside
interface.
E. A named ACL called SDM_LOW is configured on router RTA.
F. The interface commands ip inspect SDM_LOW in allow CBAC to monitor multiple protocols.
Answer: A, F
QUESTION 242
You work as a network engineer, study the exhibit carefully. Do you know which Cisco feature
generated the configuration?\

642-825
A. TACACS+
B. IOS Firewall
C. AutoSecure
D. IOS IPS
Answer: C
QUESTION 243
You work as a network engineer, study the exhibit carefully. Which order correctly identifies the
steps to provision a cable modem to connect to a headend as defined by the DOCSIS standard?

642-825
A. A, D, C, G, E, F, B
B. A, D, E, G, C, F, B
C. C, D, F, G, E, A, B
D. C, D, F, G, A, E, B
E. F, D, C, G, A, E, B
Answer: E
QUESTION 244
Drag and drop the Cisco IOS commands that would be used to configure the dialer Interface
portion of a PPPoE client implementation where the client is facing the internet and private IP
addressing is used on the internal network.

642-825
Answer:
QUESTION 245
Study the exhibit carefully, according to the information that is provided, which two statements are
correct? (Choose two.)

642-825
A. An IPS policy can be edited by choosing the Edit button.

B. Right-clicking on an interface will display a shortcut menu with options to edit an action or to
set severity levels.
C. The Edit IPS window is currently in Global Settings view.
D. The Edit IPS window is currently in IPS Policies view.
Answer: A, D
QUESTION 246
You are a network engineer, study the exhibit carefully. Router Company-R is unable to establish
an ADSL connection with its provider. Which action would correct this problem?
A. On the Dialer0 interface, add the pppoe enable command.

B. On the Dialer0 interface, add the ip mtu 1496 command.
C. On the ATM0/0 interface, add the pppoe-client dial-pool-number 1 command.

642-825
D. On the ATM0/0 interface, add the dialer pool-member 1 command.
Answer: D
QUESTION 247
The exhibit below shows a PPPoA diagram and partial SOHO77 configuration. Which command
needs to be applied to the SOHO77 to accomplish the configuration?
A. Encapsulation aal5snap applied to the PVC.

B. Encapsulation aal5ciscoppp applied to the PVC
C. Encapsulation aal5mux ppp dialer applied to the PVC
D. Encapsulation aal5mux ppp dialer applied to the ATM0 interface
Answer: C
QUESTION 248
The Companay network technician have configured access list on Companay-R router. Please
study the exhibit carefully. What function the access list serves?

642-825
A. It allows TCP traffic from any destination to reach the 16.1.1.0/24 network if the request
originated from the inside network and has a port number greater than 1024.
B. It allows TCP traffic from the 16.1.1.0/24 network to reach any destination if the request
originated from the Internet and has a port number less than 1024.
C. It allows TCP traffic from any destination to reach the 16.1.1.0/24 network if the request
originated from the Internet.
D. It allows TCP traffic from any destination to reach the 16.1.1.0/24 network if the request
originated from the inside network.
Answer: D
QUESTION 249
Study the exhibit carefully, then tell me what is the name given to the security zone occupied by
the public web server?

642-825
A. ALG
B. Extended proxy network
C. multiple DMZs
D. DMZ
Answer: D
QUESTION 250
Which description is true about the results of clicking the OK button in the Security Device
Manager (SDM) Add a Signature Location window?
A. SDM will respond with a message asking for the URL that points to the 256MB.sdf file.
B. Cisco IOS IPS will choose to load the 256MB.sdf only if the Built-in Signatures (as backup)
check box is unchecked.
C. If Cisco IOS IPS fails to load the 256MB.sdf, it will load the built-in signatures provided the
Built-in Signatures (as backup) check box is checked.
D. Cisco IOS IPS will choose to load the 256MB.sdf and then also add the Cisco IOS built-in
signatures.
Answer: C
QUESTION 251
Authentication is the act of establishing or confirming something (or someone) as authentic, that
is, that claims made by or about the thing are true. Refer to the exhibit. Which two statements are
true about the authentication method used to authenticate users who want privileged access into
Companay-R? (Choose two.)

642-825
A. All users will be authenticated using the RADIUS server. If the user authentication fails, the
authentication process stops and no other authentication method is attempted.
B. All users will be authenticated using the RADIUS server. If the user authentication fails, the
router will attempt to authenticate the user using its local database.
C. All users will be authenticated using the RADIUS server. If the RADIUS server is unavailable,
the authentication process stops and no other authentication method is attempted.
D. All users will be authenticated using the RADIUS server. If the RADIUS server is unavailable,
the router will attempt to authenticate the user using its local database.
Answer: A, D
QUESTION 252
Configure Router Companay-R ACL 150 to mitigate against a range of common threats. Based
on the information shown in the exhibit, which statement is correct?

642-825
A. The ip access-group 150 command should have been applied to interface FastEthernet 0/0 in
an outbound direction.
B. Interface Fa0/0 and interface Fa0/1 should have been configured with the IP addresses
10.1.1.1 and 10.2.1.1, respectively.
C. The ip access-group 150 command should have been applied to interface FastEthernet 0/0 in
an inbound direction.
D. ACL 150 will mitigate common threats.
Answer: D
QUESTION 253
You are a network technician, study the exhibit carefully. Which description is correct about the
interface S1/0 on router Companay1?
A. IP label switching has been disabled on this interface.

642-825
B. Labeled packets can be sent over an interface.

C. MPLS Layer 2 negotiations have occurred.
D. None of the MPLS protocols have been configured on the interface.
Answer: D
QUESTION 254
You work as a network technician at Companay.com, study the exhibit carefully.
The configuration has been applied to router Companay-R to mitigate the threat of certain types
of ICMP-based attacks. However, the configuration is incorrect. Base on the information in the
exhibit, which configuration option would correctly configure router Companay-R?
A. ACL 112 should have been applied to interface Fa0/0 in an inbound direction.
B. ACL 112 should have been applied to interface Fa0/1 in an outbound direction.
C. The last statement of ACL 112 should have been access-list 112 deny icmp any 10.1.1.0
0.0.0.255.
D. The last statement of ACL 112 should have been access-list 112 deny icmp any 10.2.1.0
0.0.0.255.
E. The first three statements of ACL 112 should have permitted the ICMP traffic and the last
statement should deny the identified traffic.
F. The last statement of ACL 112 should have been access-list 112 permit icmp any 10.2.1.0
0.0.0.255.
Answer: F
QUESTION 255
A Companay network administrator is troubleshooting an ADSL connection. For which OSI layer
is the ping atm interface command useful for probing problems?
A. Layer 1
B. Layer 2
642-825
C. Layer 3
D. Layer 4
Answer: B
QUESTION 256
Routers P4S-A and P4S-B are customer routers. Routers P4S-1, P4S-2, P4S-3, and P4S-4 are
provider routers. The routers are operating with various IOS versions. Which frame mode MPLS
configuration statement is true?
A. Before MPLS is enabled, the ip cef command is only required on routers P4S-1 and P4S-4.
B. After MPLS is enabled, the ip cef command is only required on routers P4S-1 and P4S-4.
C. Before MPLS is enabled, the ip cef command is only required on the Ethernet 0 interfaces of
routers P4S-1 and P4S-4.
D. After MPLS is enabled, the ip cef command is only required on the Ethernet 0 interfaces of
routers P4S-1 and P4S-4.
E. Before MPLS is enabled, the ip cef command must be applied to all provider routers.
Answer: E
QUESTION 257
You are a network engineer at Company.com ,refer to the exhibit. The DM IPS Policies wizard is
displaying the Select Interfaces window. Which procedure is best for pplying IPS rules to
interfaces?

642-825
A. Apply the IPS rules in the outbound direction on interfaces where incoming malicious traffic is
likely.
B. Apply the rules in the inbound direction on interfaces where outgoing malicious traffic is likely.
C. Apply the IPS rules in the inbound direction on interfaces where incoming malicious traffic is
likely.
D. Apply the IPS rules in the outbound direction on interfaces where outgoing malicious traffic is
likely.
Answer: C
QUESTION 258
As the Company network technician ,in order to prevent a Dos TCP SYN ttack from a spoofed
source into the internal network, you need to configure ACL on the Company-R router, based on
the exhibit below. Which ACL configuration will realize the plan?
A. Company-R (config)# access-list 120 deny icmp any any echo log
Company-R (config)# access-list 120 deny icmp any any redirect log
Company-R (config)# access-list 120 permit icmp any 10.0.0.0 0.0.0.255
Company-R (config)# interface Serial0/0
Company-R (config-if)# ip access-group 120 in
B. Company-R(config)# access-list 120 deny udp 10.0.0.0 0.0.255.255
host 255.255.255.255 eq 512
C. Company-R (config)# access-list 120 deny ip any host 10.0.0.255 log
Company-R (config)# access-list 120 permit ip any 10.0.0.0 0.0.0.255 log
D. Company-R (config)# access-list 120 permit tcp any 172.16.10.0 0.0.0.255 established
Company-R (config)# access-list 120 deny ip any any log
Company-R (config)# interface FastEthernet0/0
Answer: D
QUESTION 259
You are a network technician at Company.com , examine the exhibit carefully. When editing the

642-825
Invalid DHCP Packet signature by use of security device manager (SDM), which additional
severity levels can be chosen? (Choose three.)
A. Low
B. Urgent
C. High
D. Informational
Answer: A, C, D
QUESTION 260
After study the exhibit, can you tell me which description is true about Security Device Event
Exchange (SDEE)?

642-825
A. It is an application level communications protocol that is used to exchange IPS messages

between IPS clients and servers.
B. It is a process for ensuring IPS communication between the SDM-enabled devices.
C. It is a suite of protocols for ensuring IPS communication between the SDM-enabled devices.
D. It is an OSI level-7 protocol, and it is used to exchange IPS messages between IPS agents.
Answer: A
QUESTION 261
Look at the following statements. Which two actions can be taken by a Cisco IOS Firewall when
the threshold for the number of half-opened TCP sessions is exceeded? (Choose two.)
A. It can send a reset message to the endpoints of the oldest half-opened session.
B. It can send a reset message to the endpoints of the newest half-opened session.
C. It can send a reset message to the endpoints of a random half-opened session.
D. It can block all SYN packets temporarily for the duration configured by the threshold value
Answer: A, D
QUESTION 262
Which Cisco IOS Firewall Feature Set allows a per-user policy to be downloaded dynamically to a
router from a TACACS+ or RADIUS server using AAA services?
A. Intrusion Prevention System

642-825
B. Reflexive ACLs
D. Lock-and-Key (dynamic ACLs)
Answer: C
QUESTION 263
Examine the exhibit below carefully, then answer the following question: which network threat
would the configuration in the exhibit mitigate?
A. DoS ping attacks

B. DoS TCP SYN attack
C. IP address spoofing attack - inbound
D. IP address spoofing attack - outbound
Answer: A
QUESTION 264
Part of Company network topology is shown below, according to the exhibit information, which
two statements about the Network Time Protocol (NTP) are correct? (Choose two.)

642-825
A. Router Company-B will adjust for eastern daylight savings time.

B. To enable authentication, the ntp authenticate command is required on routers Company-B
and Company-A.
C. Only NTP time requests are allowed from the host with IP address 10.1.1.1.
D. To enable NTP, the ntp master command must be configured on routers Company-B and
Company-A.
Answer: A, B
QUESTION 265
The out of the show cryto isakmp as command is shown below, based on this information, Which
two options are correct? (Choose two.)
A. QM_idle indicates an active IKE SA.

B. QM_idle indicates an active IPsec SA.
C. QM_idle indicates an inactive IKE SA.
D. The settings of the current SAs are displayed.
E. All current security associations (SA) are displayed.
Answer: A, E
QUESTION 266
Based on the exhibit below. Which of the configuration tasks will make you quickly deploy default

642-825
signatures?
A. Firewall and ACLs

B. Security audit
C. Routing
D. Intrusion prevention
Answer: D
QUESTION 267
You are a network technician, for the following statements. Which Cisco SDM feature expedites
the deployment of the default IPS settings and provides configuration steps for interface and
traffic flow selection, SDF location, and signature deployment?
A. IPS Edit menu

B. IPS Command wizard
C. IPS Policies wizard
D. IPS Signature wizard
Answer: C
QUESTION 268
On the basis of this exhibit. Which three tasks can be configured by use of the IPS Policies
wizard via the Cisco Security Device Manager(SDM)? (Choose three.)

642-825
A. The configuration of an IP address and the enabling of the interface

B. The location of the signature definition file (SDF) to be used by the router
C. The selection of the interface to apply the IPS rule
D. The selection of the traffic flow direction that should be inspected by the IPS rules
Answer: B, C, D
QUESTION 269
In terms of the exhibit.
Which two descriptions about the SDF Locations window of the IPS Rule wizard are correct?
(Choose two.)

642-825
A. The Use Built-In Signatures (as backup) check box is selected by default.
B. The Autosave feature automatically saves the SDF alarms if the router crashes.
C. The Autosave feature is automatically enabled for the default built-in signature file.
D. If all specified SDF locations fail to load, the signature file that is named default.sdf will be
loaded.
E. The name of the built-in signature file is default.sdf.
F. An HTTP SDF file location can be specified by clicking the Add button.
Answer: A, F
QUESTION 270
You work as a technician for Company.com and responsible the Company network.
You have configured MPLS on all routers in the domain. Please study the exhibit carefully, in
order for P4S-2 and P4S-3 to forward frames between them with label headers, what additional
configuration will be required on devices that are attached to the LAN segment?

642-825
A. No additional configuration is required. Frames with larger MTU size will be automatically
fragmented and forwarded on all LAN segments.
B. Increase the maximum MTU requirements on all router interfaces that are attached to the LAN
segment.
C. Decrease the maximum MTU requirements on all router interfaces that are attached to the
LAN segment.
D. No additional configuration is required. Interface MTU size will be automatically adjusted to
accommodate the larger size frames.
Answer: B
QUESTION 271
Drag the correct statements about MPLS-based VPN on the left to the boxes on the right .(Not all
statements will be used)

642-825
Answer:
QUESTION 272
Which type of security solution will be provided for the inside network?

642-825
A. The ACL will block all ICMP echo requests coming from an external host.
B. The ACL will allow TCP connections into the inside network, but will reset the connections in
case of a TCP SYN attack.
C. The ACL will filter all packets whose TCP headers have the SYN flag set.
D. The ACL will prevent router P4S-R from forwarding broadcast traffic to the inside LAN network.
Answer: C
QUESTION 273
You are a network engineer at Company.com,refer to the exhibit. Which description is correct
about the two-interface Cisco IOS firewall configuration?

642-825
A. Blocks all incoming traffic except ICMP unreachable 'packet-too-big' messages that support
MTU Path Discovery
B. Inspects the inbound packets on the fa0/0 interface and automatically allows the
corresponding return traffic
C. Permits all TCP, UDP, and ICMP traffic when the three types of traffic are initiated from
outside the network
D. Blocks all ICMP unreachable 'packet-too-big' messages from reaching the inside network
Answer: A
QUESTION 274
The out of the debug aaa authentication command is shown below. Based on the information,
which statement is true about the authentication process?
A. A user attempted to log in to the router via the tty51 port and tried to access the user mode
(privilege level
1) using the named list ADMIN. The user's access was permitted.
B. A user attempted to log in to the router via the tty51 port and tried to access the user mode

642-825
(privilege level
1) using the default list for authentication against the local user database. The user's access was
permitted.
C. A user attempted to log in to the router via the tty51 port and tried to access the user mode
(privilege level
1) using the default list for authentication against the local user database. The user's access was
denied.
D. A user attempted to log in to the router via the tty51 port and tried to access the user mode
(privilege level
1) using named list ADMIN. The user's access was denied.
Answer: D
QUESTION 275
Which two statements correctly describe the transmission of signals over a cable network?
(Choose two.)
A. Downstream signals travel from the cable operator to the subscriber and use frequencies in
the range of 5 to 42 MHz.
B. Upstream signals travel from the subscriber to the cable operator and use frequencies in the
range of 5 to 42 MHz.
C. Upstream signals travel from the subscriber to the cable operator and use frequencies in the
range of 50 to 860 MHz.
D. Downstream signals travel from the cable operator to the subscriber and use frequencies in
the range of 50 to 860 MHz.
Answer: B, D
QUESTION 276
You work as a network engineer, Look at the following statements. Which three of these would be
classified as access attacks? (Choose three.)
A. Ping sweeps
B. Port scans
C. Trust exploitation
D. Port redirection
E. Man-in-the-middle attacks
Answer: C, D, E
QUESTION 277
Why is the ping between the P4S-HQ router and the 192.168.1.193 interface on the P4S-Branch2
router failing?

642-825
A. The default route is missing from the P4S-Branch2 router.

B. When running EIGRP over GRE tunnels, you must manually configure the neighbor address
using the eigrp neighbor ipaddress command.
C. The tunnel numbers for the tunnel between the P4S-HQ router and the P4S-Branch2 router do
not match.
D. The tunnel source is incorrect on the P4S-Branch2 router. It should be serial 2/0.
Answer: B
QUESTION 278
What is preventing a successful ping between the P4S-HQ router and the 192.168.1.10 interface
on the P4S-Branch3 router?

B. The tunnel interface numbers for the tunnel between the P4S-HQ router and the P4S-Branch3
router do not match.
C. The tunnel source is incorrect on the P4S-Branch3 router. It should be serial 2/0.
D. The IP address on the tunnel interface for the P4S-Branch3 router has wrong IP mask. It
should be 255.255.255.252.
E. The network statement under router EIGRP on the P4S-Branch3 router is incorrect. It should
be network 192.168.2.0.0.0.0.255.
Answer: E

642-825
QUESTION 279
What is preventing the P4S-HQ router and the P4S-Branch1 router from establishing an EIGRP
neighbor relationship?
A. When running EIGRP over GRE tunnels, you must manually configure the neighbor address
B. The tunnel destination address is incorrect on the P4S-HQ router. It should be 10.2.1.1 to
match the interface address of the P4S-Branch1 router.
C. The tunnel source is incorrect on the P4S-Branch1 router. It should be serial 2/0.
D. The default route is missing from the P4S-Branch1 router.
Answer: A
QUESTION 280
What is the reason that tunnel 5 on the P4S-HQ router down while its companion tunnel on the
P4S-Branch5 router is up?
A. The IP address on the tunnel interface on P4S-Branch5 is incorrect. It shoud be 192.168.1.16

255.255.255.252.
B. The tunnel source for tunnel 5 is incorrect on the P4S-HQ router. It should be serial 2/0.
C. The tunnel numbers for tunnel between the P4S-HQ router and the P4S-Branch5 router do not
match.
D. The tunnel destination address for tunnel 5 is incorrect on the P4S-HQ router. It should be
10.2.5.1 to match the interface address of the P4S-Branch5 router.
Answer: C
QUESTION 281
What is preventing the 192.168.1.150 network from showing up in the P4S-HQ router's routing
table?

B. The IP address on the E0/0 interface for the P4S-Branch4 router has the wrong IP mask. It
should be 255.255.255.252
C. The network statement under router EIGRP on the P4S-Branch4 router is incorrect. It should
be network 192.168.1.0.0.0.255.
D. When running EIGRP over GRE tunnels, you must manually configure the neighbor address
Answer: B
QUESTION 282
Which description is correct in terms of this exhibit?

642-825
A. A PPPoE session is established.

B. A PPPoE session is rejected because of the per-MAC session limit.
C. The MAC address of the remote router is 0001.c9f0.0c1c.
D. The CPE router is configured as a PPPoE client over an Ethernet interface.
Answer: A
QUESTION 283
Which two devices are used as the main endpoint components in a DSL data service network?
(Choose two.)
A. POTS splitter
B. ATU-C
C. ATU-R
D. SOHO workstation
Answer: B, C
QUESTION 284
Study the exhibit carefully. In the SDM Site-to-Site VPN wizard, what are three requirements that
are accessed by the Add button? (Choose three.)

642-825
A. IKE lifetime
B. IPsec proposal priority
C. Keyed-hash message authentication code
D. IPsec authentication method
E. Diffie-Hellman group
Answer: A, C, E
QUESTION 285
As a network engineer, can you tell me which four outbound ICMP message types would
normally be permitted? (Choose four.)
A. Time exceeded
B. Echo reply
C. Echo
D. Parameter problem
E. Packet too big
F. Source quench
Answer: C, D, E, F
QUESTION 286
Study the exhibit below carefully.
Based on the information in the exhibit, which two statements are true? (Choose two.)

642-825
A. The Edit IPS window is currently displaying the Global Settings information.
B. The Edit IPS window is currently displaying the signatures in Details view.
C. Any traffic matching signature 1107 will generate an alarm, reset the connection, and be
dropped.
D. Signature 1102 has been triggered because of matching traffic.
E. Signature 1102 has been modified, but the changes have not been applied to the router.
Answer: B, E
QUESTION 287
On the basis of the partial output that is shown in the exhibit, which two statements are correct?
(Choose two.)

642-825
A. The output is the result of the debug ppp negotiation command.

B. The output is the result of the debug pppoe events command.
C. This is the CPE router.
D. The ISP router initiated the connection to the CPE router.
E. The output is the result of the debug ppp authentication command.
Answer: C, E
QUESTION 288
Part of the Company WAN is shown below, please study the exhibit carefully. Based on the
presented information, which statement is correct?
A. ACL 109 is designed to prevent outbound IP address spoofing attacks.

B. ACL 109 is designed to prevent any inbound packets with the ACK flag set from entering the
router.
C. ACL 109 is designed to prevent any inbound packets with the SYN flag set from entering the
router.

642-825
D. ACL 109 is designed to allow packets with the ACK flag set to enter the router.
Answer: D
QUESTION 289
You work as a network engineer at Company.com, refer to the exhibit. What is the reason for the
third hop that only has one label?
A. MPLS is not enabled on that link, so only the VPN label is needed.
B. MPLS is not enabled on that link, so only the LSP label is needed.
C. The PHP process on that link has removed the VPN label, leaving only the LSP label.
D. That link is directly connected to the customer, so only the VPN label is needed.
E. The PHP process on that link has removed the LSP label, leaving only the VPN label.
Answer: E
QUESTION 290
Drag the IPsec protocol description from the above to the correct protocol type on the below.(Not
all descriptions will be used) Drag and Drop question, drag each item to its proper location.\

642-825
Answer:
QUESTION 291
Drag and drop each management protocol on the above to the correct category on the below.
Answer:

642-825
QUESTION 292
You work as a network engineer at Company.com, refer to the exhibit. The SDM IPS Policies
wizard is displaying the Select Interfaces window. Which procedure correctly describes the
application of IPS rules to interfaces?
A. Apply the IPS rules both in the inbound and outbound direction on all interfaces.
B. Apply the rules in the inbound direction on interfaces where outgoing malicious traffic is likely.
C. Apply the IPS rules in the inbound direction on interfaces where incoming malicious traffic is
likely.
D. Apply the IPS rules in the outbound direction on interfaces where outgoing malicious traffic is
likely.
Answer: C
QUESTION 293
Which two options about the Data-over-Cable Service Interface Specifications are correct?
(Choose two.)

642-825
A. Euro-DOCSIS requires the European cable channels to conform to PAL-based standards,

whereas DOCSIS requires the North American cable channels to conform to the NTSC
standard.
B. DOCSIS defines a set of frequency allocation bands that are common to both U.S. and
European cable systems
C. DOCSIS is an international standard developed by CableLabs.
D. DOCSIS defines cable operations at Layer 1, Layer 2, and Layer 3 of the OSI model.
Answer: A, C
QUESTION 294
Drag and drop each function on the above to the hybrid fiber-coaxial architecture component that
it describes on the below.
QUESTION 295
What is an MPLS forwarding equivalence class?
A. A set of source networks forwarded to the same egress router

B. A set of destination networks forwarded to the same egress router
C. A set of destination networks forwarded from the same ingress router
D. A set of source networks forwarded from the same ingress router
Answer: B
642-825
QUESTION 296
The Network Time Protocol (NTP) is widely used to synchronize a computer to Internet time
servers or other sources, such as a radio or satellite receiver or telephone modem service. If you
want to authenticate the NTP associations with other systems for security purposes, which key
type algorithm or algorithms are supported?
A. MD5 only
B. MD7 only
C. Plain text and MD5
D. Plain text and MD7
Answer: A
QUESTION 297
Drag the DSL technologies on the left to their maximum(down/up) data rate values on the below.
Answer:

642-825
QUESTION 298
Drag the DSL local loop topic on the left to the correct descriptions on the right.
Answer:

642-825
QUESTION 299
You are a network technician at Company.com, study the exhibit carefully. The configured access
list is being used in conjunction with an IPsec VPN. Which traffic will be passed through the
IPSec VPN?
A. A TFTP file transfer from host 10.1.1.25 to server 10.1.2.1

B. Telnet traffic from host 10.1.1.1 to host 10.1.2.1
C. A ping from host 10.1.1.1 to host 10.1.2.1
D. A routing update from a router on the 10.1.1.0 network to a router on network 10.1.2.1

642-825
Answer: B
QUESTION 300
Drag the IOS commands from the left that would be used to implement a GRE tunnel using the
10.1.1.0.30 network on interface serial 0/0 to the correct target area on the right.
Answer:

642-825
QUESTION 301
Identify the recommended steps for worm attack mitigation by dragging and dropping them into
the target area in the correct order.
Answer:
642-825
QUESTION 302
On the basis of the configuration, what will happen to the IPSec VPN between the Remote router
and the Head-End router with IP address 172.31.1.100 if receiving no dead-peer detection hello
messages for 20 seconds?
A. The IPSec VPN will transition to a peering relationship with the Head-End router at
172.31.1.200, with a down-time determined by the time required to tear-down and build the
peerings.
B. The IPSec VPN will terminate but will rebuild with the same peer because 3 hello messages
have not yet been missed.
C. The IPSec VPN will not be affected.
D. The IPSec VPN will transition with no down-time to a peering relationship with the Head-End
router at 172.31.1.200.

642-825
Answer: C
QUESTION 303
Based on the exhibit below.
Which one of these options is the ACL used to mitigate in this configuration?
A. ICMP message attacks

B. DOS smurf attacks
C. Traceroute message attacks
D. IP address spoofing attacks
Answer: D
QUESTION 304
Company is a small export company .This firm has an existing enterprise network that is made up
exclusively of routers that are using EIGRP as the IGP. Its network is up and operating normally.
As part of its network expansion, Company has decided to connect to the internet by a broadband
cable ISP. Your task is to enable this connection by use of the information below.
Connection Encapsulation: PPP
Connection Type: PPPoE client
Connection Authentication: None
Connection MTU: 1492 bytes
Address: Dynamically assigned by the ISP
Outbound Interface: E0/0
You will know that the connection has been successfully enabled when you can ping the
simulated
Internet address of 172.16.1.1
Note: Routing to the ISP: Manually configured default route
P4S-R# show ip route

642-825
....
Gateway of last resort is not set
192.168.1.0/27 is subnetted, 7 subnets
C 192.168.1.0 is directly connected, Ethernet0/1
D 192.168.1.32 [90/307200] via 192.168.1.2, 00:02:16,Ethernet0/1
D 192.168.1.64 [90/307200] via 192.168.1.2, 00:02:17,Ethernet0/1
D 192.168.1.96 [90/307200] via 192.168.1.2, 00:02:17,Ethernet0/1
D 192.168.1.128 [90/307200] via 192.168.1.3, 00:02:17,Ethernet0/1
D 192.168.1.192 [90/307200] via 192.168.1.3, 00:02:17,Ethernet0/1
D 192.168.1.224 [90/307200] via 192.168.1.3, 00:02:17,Ethernet0/1
P4S-R# show run
....
no service password-encryption
!
hostname P4S-R
!
boot-start-marker
boot-end-marker
!
no aaa new-model
resource policy
clock timezone PST 0
ip subnet-zero
no ip dhcp use vrf connected
www.examways.com
!
interface Ethernet0/0
description link to cable modem
no ip address
shutdown
!
description link to corporate nework
ip address 192.168.1.1 255.255.255.224
!
no ip address
!
no ip address
shutdown
!
router eigrp 1
network 192.168.1.0
auto-summary
!

642-825
line con 0
line vty 0 15
end
A. Configuration sequence:
P4S-R(config)#int e0/0
P4S-R(config-if)#pppoe enable
P4S-R(config-if)#pppoe-client dial-pool-number 1
P4S-R(config-if)#no sh
P4S-R(config-if)#exit
P4S-R(config)#vpdn enable
P4S-R(config)#vpdn-group 1
P4S-R(config-vpdn)#request-dialin
P4S-R(config-vpdn-req-in)#protocol pppoe
P4S-R(config-vpdn-req-in)#exit
P4S-R(config-vpdn)#exit
P4S-R(config)#dialer-list 1 protocol ip permit
P4S-R(config)#int dialer 1
P4S-R(config-if)#encapsulation ppp
P4S-R(config-if)#ip address negotiated
P4S-R(config-if)#dialer pool 1
P4S-R(config-if)#dialer-group 1
P4S-R(config-if)#ip mtu 1492
P4S-R(config-if)#exit
Answer: A
QUESTION 305
This exhibit is about firewall implementation, inside users should be permitted to browse the
Internet. However, users have indicated that all attempts fail. As a result of troubleshooting, you
have determined that the issue is related to the firewall implementation. What corrective action
should you take?

642-825
A. Add the global command line ip inspect name OUTSIDE www.

B. Add the global command line ip inspect name INSIDE www.
C. Add the ACL command line permit tcp any any eq 80 to INSIDEACL.
D. Change the access group on Fa0/0 from the inbound direction to the outbound direction.
Answer: C
QUESTION 306
Which statement best describes this Cisco IOS Firewall configuration?

642-825
A. OUTSIDEACL permits outbound HTTP sessions; OUTSIDEACL is applied to the inside

interface in the inbound direction.
B. INSIDEACL permits inbound SMTP and HTTP; INSIDEACL is applied to the outside interface
in the inbound direction.
C. Outside hosts are allowed to initiate sessions with the SMTP server (200.1.2.1) and HTTP
server (200.1.2.2) located in the enterprise DMZ.
D. The inspection rules include the generic TCP inspection and are applied to outbound
connections on the inside interface and to inbound sessions on the outside interface
Answer: C
QUESTION 307
Which statement is correct in terms of the exhibit?

642-825
A. The router failed to train or successfully initialize because of a Layer 1 issue.

B. The router failed to train or successfully initialize because of a PPP negotiation issue.
C. The router cannot activate the line because the ISP has not provided the requested IP
address.
D. The router cannot activate the line because of a Layer 2 authentication issue.
Answer: A
QUESTION 308
You are a network technician at Company.com, study the exhibit carefully. Which type of attack
does the ACL prevent the internal user from successfully launching?
A. TCP SYN DOS attacks

B. DOS smurf attack
C. Traceroute message attacks
D. IP address spoofing attack
Answer: D
QUESTION 309
Drag and drop the xDSL type on the above to the appropriate xDSL description on the below.

642-825
Answer:
QUESTION 310
Match the xDSL type on the above to the most appropriate implementation on the below.

642-825
Answer:
QUESTION 311
Drag each element of the Cisco IOS Firewall Feature Set from the above and drop onto its
description on the below.

642-825
Answer:
QUESTION 312
Drag the protocols that are used to distribute MPLS labels from the above to the target area on
the below.(Not all options will be used)

642-825
Answer:
QUESTION 313
As a network engineer, do you know which three techniques should be used to secure
management protocols? (Choose three.)

B. Encrypt TFTP and syslog traffic in an IPSec tunnel.
C. Implement RFC 3704 filtering at the perimeter router when allowing syslog access from
devices on the outside of a firewall.
D. Use SNMP version 2.
Answer: A, B, C
QUESTION 314
The Cisco IOS? IPsec High Availability (IPsec HA) Enhancements feature provides an
infrastructure for reliable and secure networks to provide transparent availability of the VPN
gateways---that is, Cisco IOS Software-based routers. What are the two options that are used to
provide High Availability IPsec? (Choose two.)

642-825
A. HSRP
B. Dual Router Mode (DRM) IPsec
C. IPsec Backup Peerings
D. RRI
Answer: A, D
Case Study#1
Scenerio:
This item involves some questions that you need to answer. You can click on the Questions
button to the left to view these question. Change questions by clicking the numbers to the left of
each question. In order to finish the questions, you will need to refer to the SDM and the topology,
neither of which is currently visible. In order to gain access to either the topology or the SDM,
click on the button to left side of the screen that corresponds to the section you wish to access.
When you have completed viewing the topology or the SDM, you can return to your questions by
clicking on the Questions button to the left. Cruising industries is a large worldwide diving charter.
Recently, this firm has upgraded its internet connectivity. As a new network technician, you have
been tasked with documenting the active Firewall configurations on the P4S-R router using the
Cisco Router and Security Device Manager (SDM) utility. Using the SDM output from Firewall and
ACL Tasks under the Configure tab, answer the following questions:
Topology:

642-825
Case Study# 1 (Questions 3)
QUESTION 315
Which option is Correct?
A. Both FastEthernet 0/0 and Serial 0/0/0 are trusted interface.

B. Both FastEthernet 0/0 and Serial 0/0/0 are untrusted interface.
C. FastEthernet 0/0 is a trusted interface and Serial 0/0/0 is an untrusted interface.
D. FastEthernet 0/0 is an untrusted interface and Serial 0/0/0 is a trusted interface.
Answer: C

642-825
QUESTION 316
Which two statements best describe a permissible incoming TCP packet on an untrusted
interface in this configuration?(Choose two)

C. The session originated from a trusted interface.
D. The application is not specified within the inspection rule SDM_LOW.
E. The packet has a source address of 198.133.219.144
Answer: C, E
QUESTION 317
Which two statements would specify a permissible incoming TCP packet a trusted interface in this
configuration?(choose two)

C. The packet has a source address of 198.133.219.16
D. The destination address is not specified within the inspection rule SDM_LOW.
E. The destination address is specified within the inspection rule SDM_LOW.
Answer: A, C

642 825 PDF

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

642 825 PDF

Uploaded by

Copyright:

Available Formats

Exam : 642-825

Title : Implementing Secure Converged Wide

A. The port number is negotiated automatically.

A. Only LDP should be enabled on Fa0/0 interface.

Actualtests.com - The Power of Knowing

B. Only TDP should be enabled on Fa0/0 interface.

A. A Trojan horse has three components: an enabling vulnerability, a propagation mechanism,

Actualtests.com - The Power of Knowing

A. All passwords entered during the Autosecure configuration must be a minimum of 8

Actualtests.com - The Power of Knowing

A. Cable modems only operate at Layer 1 of the OSI model.

Actualtests.com - The Power of Knowing

What is needed to complete the PPPoA configuration?

A. A static route to the ISP needs to be configured.

Actualtests.com - The Power of Knowing

A. IP address of server, groupname, and password

A. By default, all passwords are encrypted with level 7 encryption.

Actualtests.com - The Power of Knowing

A. A signature is fired for nonmalicious traffic, benign activity.

A. It performs analysis that is based on a predefined network security policy.

A. removes the entire CBAC configuration

A. notify a centralized management interface of a false positive

Actualtests.com - The Power of Knowing

A. forces the user to authenticate twice to prevent man-in-the-middle attacks

A. Cisco Express Forwarding (CEF) must be enabled as a prerequisite to running MPLS on a

Actualtests.com - The Power of Knowing

A. to prevent man-in-the-middle attacks

A. Allows dynamic routing over the tunnel

A. Define the ISAKMP policy.

Actualtests.com - The Power of Knowing

Actualtests.com - The Power of Knowing

D. Interfaces can share the same labels.

A. Implement a switched infrastructure.

A. the use or an antivirus software

A. Install the latest patches.

Actualtests.com - The Power of Knowing

when connecting an ATM interface

Actualtests.com - The Power of Knowing

A. IKE keepalives are unidirectional and sent every ten seconds.

A. It can be configured to block Java traffic.

Actualtests.com - The Power of Knowing

A. the Generate Mirror option on the VPN Edit tab

Actualtests.com - The Power of Knowing

Actualtests.com - The Power of Knowing

A. crypto map vpnmap2 on the Ethernet1 interface

Actualtests.com - The Power of Knowing

A. The crypto map must be applied on the physical interface.

Actualtests.com - The Power of Knowing

Actualtests.com - The Power of Knowing

Actualtests.com - The Power of Knowing

A. contain, inoculate, quarantine, and treat

Actualtests.com - The Power of Knowing

A. Encapsulation security payload

Actualtests.com - The Power of Knowing

What command generates the pictured output?

A. Show crypto ipsec transform-set

Actualtests.com - The Power of Knowing

A. Configure SNMP with only read-only community strings.

Actualtests.com - The Power of Knowing

A. The RAM of a router

Actualtests.com - The Power of Knowing

A. Blocks both Telnet and SSH