Published on February 26, 2014
642-637 Securing Networks with Cisco Routers and Switches (SECURE v1.0) Cisco

Question: 1
Refer to the exhibit. Given the partial output of the debug command, what can be determined?
A. There is no ID payload in the packet, as indicated by the message ID = 0.
B. The peer has not matched any offered profiles.
C. This is an IKE quick mode negotiation.
D. This is normal output of a successful Phase 1 IKE exchange.
Answer: D
Explanation:
Reference: Verify a Successful Phase 1 Exchange
The debug crypto isakmp debugging command will display the “SA has been authenticated” debug message after the IKE Phase 1 peering is successful.

Question: 2
DRAG DROP
Answer:
Explanation:
Reference: Page 113 of the CCNP Secure guide
Gathering Input Parameters
Because 802.1X authentication requires several technologies to work together, up-front planning helps ensure the success of the deployment.
Part of this planning involves gathering important input information:
• Determine the list of LAN switches that currently allow unauthorized users full access to the network. Use this list to determine which of these devices should be configured with 802.1X and the feature availability on the switches.
• Determine what authentication database (such as Windows AD) is being used for user credentials. This allows you to determine whether you can leverage the same one and make the 802.1X deployment transparent to your users.
• Determine the types of clients being used on the network (platform and operating systems). This is required to choose a compatible supplicant and to configure it appropriately.
• Determine the software distribution mechanism in use by the organization. This will affect provisioning and supporting the supplicant on current and future client workstations.
• Determine whether the network path between the supplicant and the authentication server is trusted. A trusted network path allows an anonymous EAP-FAST implementation, whereas a nontrusted network path requires separate EAP-FAST credentials.

Question: 3
Refer to the exhibit.
Which two Cisco IOS WebVPN features are enabled with the partial configuration shown? (Choose two.)
A. The end-user Cisco AnyConnect VPN software will remain installed on the end system.
B. If the Cisco AnyConnect VPN software fails to install on the end-user PC, the end user cannot use other modes.
C. Client based full tunnel access has been enabled.
D. Traffic destined to the 10.0.0.0/8 network will not be tunneled and will be allowed access via a split tunnel.
E. Clients will be assigned IP addresses in the 10.10.0.0/16 range.
Answer: A, C

Question: 4
Which two of these are benefits of implementing a zone-based policy firewall in transparent mode? (Choose two.)
A. Less firewall management is needed.
B. It can be easily introduced into an existing network.
C. IP readdressing is unnecessary.
D. It adds the ability to statefully inspect non-IP traffic.
E. It has less impact on data flows.
Answer: B, C

Question: 5
When configuring a zone-based policy firewall, what will be the resulting action if you do not specify any zone pairs for a possible pair of zones?
A. All sessions will pass through the zone without being inspected.
B. All sessions will be denied between these two zones by default.
C. All sessions will have to pass through the router "self zone" for inspection before being allowed to pass to the destination zone.
D. This configuration statelessly allows packets to be delivered to the destination zone.
Answer: B
Explanation:
Reference: Zone Pair Configuration
The configuration of the zone pair is important because its configuration dictates the direction in which traffic is allowed to flow. As stated previously, a zone pair is unidirectional and is the part of the configuration that controls traffic between zones; this is referred to as interzone. If no zone pair is defined, traffic will not flow between zones.

Question: 6
Refer to the exhibit. What can be determined from the output of this show command?
A. The IPsec connection is in an idle state.
B. The IKE association is in the process of being set up.
C. The IKE status is authenticated.
D. The ISAKMP state is waiting for quick mode status to authenticate before IPsec parameters are passed between peers
E. IKE Quick Mode is in the idle state, indicating a problem with IKE phase 1.
Answer: C
Explanation:
Reference: Verify Local IKE Sessions
Use the show crypto isakmp sa command to display the current IKE Security Associations (SA) on the local router. The QM_IDLE status indicates successful establishment of the IKE SA, meaning that the ISAKMP process is idle after having successfully negotiated and established SAs. Example 15-5 shows the output of the show crypto isakmp sa command.

Question: 7
DRAG DROP
Answer:
Explanation:
Reference: Verify cryptographic configs
router# show crypto isakmp policy
Protection suite priority 15
    encryption algorithm: DES - Data Encryption Standard (56 bit keys)
    hash algorithm: Message Digest 5
    authentication method: Rivest-Shamir-Adleman Signature
    Diffie-Hellman Group: #2 (1024 bit)
    lifetime: 5000 seconds, no volume limit
Protection suite priority 20
    encryption algorithm: DES - Data Encryption Standard (56 bit keys)
    hash algorithm: Secure Hash Standard
    authentication method: preshared Ke

Question: 8
You are running Cisco IOS IPS software on your edge router. A new threat has become an issue. The Cisco IOS IPS software has a signature that can address the new threat, but you previously retired the signature. You decide to unretire that signature to regain the desired protection level. How should you act on your decision?
A. Retired signatures are not present in the router's memory. You will need to download a new signature package to regain the retired signature.
B. You should re-enable the signature and start inspecting traffic for signs of the new threat.
C. Unretiring a signature will cause the router to recompile the signature database, which can temporarily affect performance.
D. You cannot unretire a signature. To avoid a disruption in traffic flow, it's best to create a custom signature until you can download a new signature package and reload the router.
Answer: C
Explanation:
Reference: Some signatures can be retired. This signature is not present in the router’s memory. Unretiring a retired signature requires that the router recompile the signature database. This can temporarily affect performance and take a long time with a large signature database.

Question: 9
Which statement best describes inside policy based NAT?
A. Policy NAT rules are those that determine which addresses need to be translated per the enterprise security policy
B. Policy NAT consists of policy rules based on outside sources attempting to communicate with inside endpoints.
C. These rules use source addresses as the decision for translation policies.
D. These rules are sensitive to all communicating endpoints.
Answer: A

Question: 10
Refer to the exhibit. What can be determined about the IPS category configuration shown?
A. All categories are disabled.
B. All categories are retired.
C. After all other categories were disabled, a custom category named "os ios" was created
D. Only attacks on the Cisco IOS system result in preventative actions.
Answer: D
Explanation:
Reference: This configuration task is completed by entering the signature category configuration mode using the ip ips signature-category command. See Example 13-3 for the relevant configuration. First, retire and disable all signatures because only the desired signatures will be enabled. This is achieved using the category all command. Then, use the retired true and enabled false commands to disable and retire all signatures by default. Next, enable all signatures that are designed to prevent attacks against Cisco IOS Software devices and assign a preventative action to them. Enter the category that comprises these signatures using the category os ios command and enable them by using the retired false and enabled true commands. Use the event-action produce-alert deny-packet-inline command to enable these signatures to generate an alert and drop the offending packets when they trigger.