Cisco 642-637
642-637 Securing Networks with Cisco Routers and
Switches (SECURE) v1.0
Practice Test Version 3.0
QUESTION NO: 1
QUESTION NO: 2
Refer to the exhibit. Given the partial output of the debug command, what can be determined?
A. There is no ID payload in the packet, as indicated by the message ID = 0.
B. The peer has not matched any offered profiles.
C. This is an IKE quick mode negotiation.
D. This is normal output of a successful Phase 1 IKE exchange.
Answer: B
QUESTION NO: 3 DRAG DROP
Answer:
Cisco 642-637: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 2
Explanation:
Existing lists of LAN switches
Existing user credentials
Existing addressing scheme
Existing transport protocols used in the environment
QUESTION NO: 4
Refer to the exhibit. Which two Cisco IOS WebVPN features are enabled with the partial
configuration shown? (Choose two.)
A. The end-user Cisco AnyConnect VPN software will remain installed on the end system.
B. If the Cisco AnyConnect VPN software fails to install on the end-user PC, the end user cannot
use other modes.
C. Client based full tunnel access has been enabled.
D. Traffic destined to the 10.0.0.0/8 network will not be tunneled and will be allowed access via a
split tunnel.
E. Clients will be assigned IP addresses in the 10.10.0.0/16 range.
Answer: A,C
QUESTION NO: 5
Which two of these are benefits of implementing a zone-based policy firewall in transparent mode?
(Choose two.)
A. Less firewall management is needed.
B. It can be easily introduced into an existing network.
C. IP readdressing is unnecessary.
D. It adds the ability to statefully inspect non-IP traffic.
E. It has less impact on data flows.
Answer: B,C
QUESTION NO: 6
When configuring a zone-based policy firewall, what will be the resulting action if you do not
specify any zone pairs for a possible pair of zones?
A. All sessions will pass through the zone without being inspected.
B. All sessions will be denied between these two zones by default.
C. All sessions will have to pass through the router "self zone" for inspection before being allowed
to pass to the destination zone.
D. This configuration statelessly allows packets to be delivered to the destination zone.
Answer: B
QUESTION NO: 7
Refer to the exhibit. What can be determined from the output of this show command?
A. The IPsec connection is in an idle state.
B. The IKE association is in the process of being set up.
C. The IKE status is authenticated.
D. The ISAKMP state is waiting for quick mode status to authenticate before IPsec parameters are
passed between peers.
E. IKE Quick Mode is in the idle state, indicating a problem with IKE phase 1.
Answer: C
QUESTION NO: 8 DRAG DROP
Answer:
Explanation:
Delete IPsec security association -> clear crypto sa
Verify cryptographic configurations and show SA lifetimes -> show crypto map
Verify the IPsec protection policy settings -> show crypto ipsec transform-set
Verify current IPsec settings in use by the SAs -> show crypto ipsec sa
Clear active IKE connections -> clear crypto isakmp
QUESTION NO: 9
You are running Cisco IOS IPS software on your edge router. A new threat has become an issue.
The Cisco IOS IPS software has a signature that can address the new threat, but you previously
retired the signature. You decide to unretire that signature to regain the desired protection level.
How should you act on your decision?
A. Retired signatures are not present in the router's memory. You will need to download a new
signature package to regain the retired signature.
B. You should re-enable the signature and start inspecting traffic for signs of the new threat.
C. Unretiring a signature will cause the router to recompile the signature database, which can
temporarily affect performance.
D. You cannot unretire a signature. To avoid a disruption in traffic flow, it's best to create a custom
signature until you can download a new signature package and reload the router.
Answer: C
QUESTION NO: 10
Which statement best describes inside policy based NAT?
A. Policy NAT rules are those that determine which addresses need to be translated per the
enterprise security policy
B. Policy NAT consists of policy rules based on outside sources attempting to communicate with
inside endpoints.
C. These rules use source addresses as the decision for translation policies.
D. These rules are sensitive to all communicating endpoints.
Answer: A
QUESTION NO: 11
Refer to the exhibit. What can be determined about the IPS category configuration shown?
A. All categories are disabled.
B. All categories are retired.
C. After all other categories were disabled, a custom category named "os ios" was created.
D. Only attacks on the Cisco IOS system result in preventative actions.
Answer: D
QUESTION NO: 12
When Cisco IOS IPS is configured to use SDEE for event notification, how are events managed?
A. They are stored in the router's event store and will allow authenticated remote systems to pull
events from the event store.
B. All events are immediately sent to the remote SDEE server.
C. Events are sent via syslog over a secure SSL/TLS communications channel.
D. When the event store reaches its maximum configured number of event notifications, the stored
events are sent via SDEE to a remote authenticated server and a new event store is created.
Answer: A
QUESTION NO: 13
Which two of these will match a regular expression with the following configuration parameters?
[a-zA-Z][0-9][a-z] (Choose two.)
A. Q3h
B. B4Mn
C. aaB132AA
D. c7lm
E. BBpjnrIT
Answer: A,D
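Added illustration for Question 13 (Python written for this page; it is not part of the original practice test). The reason both A and D match is that IOS applies a regular expression as a substring search: the four-character string c7lm matches on its c7l substring, while B4Mn fails because M is uppercase. The helper below checks the five options both unanchored (how IOS evaluates the pattern) and anchored with ^...$ (whole-string match); the candidate list is simply the question's answer options.

```python
import re

# The pattern from the question. IOS evaluates it the way re.search() does:
# it matches anywhere inside the string, so length and surrounding
# characters do not matter.
PATTERN = r"[a-zA-Z][0-9][a-z]"

# Constructed candidate list: the five answer options from the question.
CANDIDATES = ["Q3h", "B4Mn", "aaB132AA", "c7lm", "BBpjnrIT"]


def matching_strings(pattern, candidates, anchored=False):
    """Return the candidates that match `pattern`.

    anchored=False: substring match (re.search), which is how an unanchored
                    IOS regular expression behaves.
    anchored=True : the whole string must match (re.fullmatch), equivalent
                    to wrapping the pattern in ^...$.
    """
    regex = re.compile(pattern)
    if anchored:
        return [s for s in candidates if regex.fullmatch(s)]
    return [s for s in candidates if regex.search(s)]


if __name__ == "__main__":
    print("unanchored:", matching_strings(PATTERN, CANDIDATES))
    print("anchored:  ", matching_strings(PATTERN, CANDIDATES, anchored=True))
```

Unanchored, the function returns Q3h and c7lm (the keyed answers); anchored, only Q3h survives. When you write regex-based signatures or class-map match statements, decide explicitly whether you want substring or whole-field semantics and anchor accordingly.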
QUESTION NO: 14
Which of these is a configurable Cisco IOS feature that triggers notifications if an attack attempts
to exhaust critical router resources and if preventative controls have been bypassed or are not
working correctly?
A. Control Plane Protection
B. Management Plane Protection
C. CPU and memory thresholding
D. SNMPv3
Answer: C
QUESTION NO: 15
Which Cisco IOS IPS feature allows to you remove one or more actions from all active signatures
based on the attacker and/or target address criteria, as well as the event risk rating criteria?
A. signature event action filters
B. signature event action overrides
C. signature attack severity rating
D. signature event risk rating
Answer: A
QUESTION NO: 16
You are troubleshooting reported connectivity issues from remote users who are accessing
corporate headquarters via an IPsec VPN connection. What should be your first step in
troubleshooting these issues?
A. issue a show crypto isakmp policy command to verify matching policies of the tunnel endpoints
B. ping the tunnel endpoint
C. run a traceroute to verify the tunnel path
D. debug the connection process and look for any error messages in tunnel establishment
Answer: B
QUESTION NO: 17
Which of these is correct regarding the configuration of virtual-access interfaces?
A. They cannot be saved to the startup configuration.
B. You must use static routes inside the tunnels.
C. DVTI interfaces should be assigned a unique IP address range.
D. The Virtual-Access 1 interface must be enabled in an up/up state administratively
Answer: A
QUESTION NO: 18
Refer to the exhibit. The INSIDE zone has been configured and assigned to two separate router
interfaces. All other zones and interfaces have been properly configured. Given the configuration
example shown, what can be determined?
A. Hosts in the INSIDE zone, with addresses in the 10.10.10.0/24 network, can access any host in
the 10.10.10.0/24 network using the SSH protocol.
B. If a host in the INSIDE zone attempts to communicate via SSH with another host on a different
interface within the INSIDE zone, communications must pass through the router self zone using
the INTRAZONE policy.
C. This is an illegal configuration. You cannot have the same source and destination zones.
D. This policy configuration is not needed; traffic within the same zone is allowed to pass by
default.
Answer: D
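Added worked example for Questions 6 and 18 (Python written for this page; not code from the practice test or from Cisco). It parses a constructed partial IOS zone-based firewall configuration and reports, for every ordered pair of zones, whether traffic is dropped because no zone-pair exists (Question 6), dropped because the zone-pair has no service-policy attached, or governed by a policy-map. It also lists interfaces that share a zone, whose mutual traffic passes with no policy at all (Question 18), interfaces that belong to no zone, and whether the self zone is still at its default. The configuration, zone names and interface names are all constructed for the example, and the parser understands only the directives that appear in it.

```python
import re
from itertools import permutations

# Constructed sample: a partial IOS zone-based firewall configuration written
# for this example; it is not one of the practice test's exhibits. It has two
# interfaces in INSIDE, a zone-pair (DMZ-OUT) with no service-policy, no pair
# at all sourced from OUTSIDE, and an interface (Gi0/4) that is in no zone.
SAMPLE_CONFIG = """\
zone security INSIDE
zone security OUTSIDE
zone security DMZ
policy-map type inspect IN-TO-OUT
 class class-default
  inspect
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT
zone-pair security IN-DMZ source INSIDE destination DMZ
 service-policy type inspect IN-TO-OUT
zone-pair security DMZ-OUT source DMZ destination OUTSIDE
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security INSIDE
interface GigabitEthernet0/2
 zone-member security OUTSIDE
interface GigabitEthernet0/3
 zone-member security DMZ
interface GigabitEthernet0/4
 description unzoned management link
"""

ZONE_RE = re.compile(r"^zone security (\S+)$")
PAIR_RE = re.compile(r"^zone-pair security \S+ source (\S+) destination (\S+)$")
POLICY_RE = re.compile(r"^\s+service-policy type inspect (\S+)$")
INTF_RE = re.compile(r"^interface (\S+)$")
MEMBER_RE = re.compile(r"^\s+zone-member security (\S+)$")
_ABSENT = object()  # sentinel: no zone-pair configured for this direction


def parse_zbf(config):
    """Return (zones, pairs, members) from running-config text.

    zones: set of zone names, always including the implicit "self" zone.
    pairs: {(src, dst): policy-map name, or None if the pair has no policy}.
    members: {interface: zone name, or None if the interface is in no zone}.
    Only the directives used in SAMPLE_CONFIG are understood.
    """
    zones, pairs, members = {"self"}, {}, {}
    current_pair = current_intf = None
    for line in config.splitlines():
        line = line.rstrip()
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            current_pair = current_intf = None  # a new top-level stanza
            if m := ZONE_RE.match(line):
                zones.add(m.group(1))
            elif m := PAIR_RE.match(line):
                current_pair = (m.group(1), m.group(2))
                pairs[current_pair] = None
            elif m := INTF_RE.match(line):
                current_intf = m.group(1)
                members[current_intf] = None
        elif (m := POLICY_RE.match(line)) and current_pair is not None:
            pairs[current_pair] = m.group(1)
        elif (m := MEMBER_RE.match(line)) and current_intf is not None:
            members[current_intf] = m.group(1)
    return zones, pairs, members


def audit_zbf(config):
    """Report what the firewall does with traffic between every pair of zones."""
    zones, pairs, members = parse_zbf(config)
    user_zones = sorted(zones - {"self"})
    pair_status = {}
    for src, dst in permutations(user_zones, 2):
        policy = pairs.get((src, dst), _ABSENT)
        if policy is _ABSENT:  # Question 6: no zone-pair means all sessions are denied
            pair_status[(src, dst)] = "dropped: no zone-pair defined"
        elif policy is None:   # a zone-pair with no service-policy also drops
            pair_status[(src, dst)] = "dropped: zone-pair has no service-policy"
        else:
            pair_status[(src, dst)] = "governed by policy-map " + policy
    # The self zone stays open until a zone-pair names it as source or destination.
    self_pairs = sorted(p for p in pairs if "self" in p)
    self_zone = ("restricted by zone-pair(s): " + ", ".join("%s->%s" % p for p in self_pairs)
                 if self_pairs else "allowed by default (no zone-pair references self)")
    # An interface in no zone cannot exchange traffic with any zone member.
    unzoned = sorted(i for i, z in members.items() if z is None)
    # Question 18: interfaces in the same zone pass traffic without any policy.
    by_zone = {}
    for intf, zone in members.items():
        if zone is not None:
            by_zone.setdefault(zone, []).append(intf)
    intrazone = {z: sorted(i) for z, i in by_zone.items() if len(i) > 1}
    return {"pair_status": pair_status, "self_zone": self_zone,
            "unzoned_interfaces": unzoned, "intrazone_allowed": intrazone}


if __name__ == "__main__":
    for (src, dst), verdict in sorted(audit_zbf(SAMPLE_CONFIG)["pair_status"].items()):
        print("%-7s -> %-7s %s" % (src, dst, verdict))
```

On the sample, INSIDE->OUTSIDE and INSIDE->DMZ are governed by IN-TO-OUT, DMZ->OUTSIDE is dropped because its zone-pair carries no service-policy, and the remaining three directions are dropped because no zone-pair exists. The OUTSIDE->INSIDE verdict is what you want for unsolicited inbound connections: return traffic for sessions inspected by IN-TO-OUT is admitted by the stateful inspection itself, so no reverse pair is needed. Later IOS releases also let you define a zone-pair whose source and destination are the same zone to restrict intrazone traffic; without one, the default of passing intrazone traffic applies, which is the point of Question 18.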
QUESTION NO: 19
Which action does the command private-vlan association 100,200 take?
A. configures VLANs 100 and 200 and associates them as a community
B. associates VLANs 100 and 200 with the primary VLAN
C. creates two private VLANs with the designation of VLAN 100 and VLAN 200
D. assigns VLANs 100 and 200 as an association of private VLANs
Answer: B
QUESTION NO: 20
Which of these allows you to add event actions globally based on the risk rating of each event,
without having to configure each signature individually?
A. event action summarization
B. event action filter
C. event action override
D. signature event action processor
Answer: C
QUESTION NO: 21
When using Cisco Easy VPN, what are the three options for entering an XAUTH username and
password for establishing a VPN connection from the Cisco Easy VPN remote router? (Choose
three.)
A. using an external AAA server
B. entering the information via the router crypto ipsec client ezvpn connect CLI command in
privileged EXEC mode
C. using the router local user database
D. entering the information from the PC via a browser
E. storing the XAUTH credentials in the router configuration file
Answer: B,C,E
QUESTION NO: 22
Which of these is true regarding tunnel configuration when deploying a Cisco ISR as a DMVPN
hub router?
A. Only one tunnel can be created per tunnel source interface.
B. Only one tunnel can be created and should be associated with a loopback interface for dynamic
redundancy
C. The GRE tunnel key is used to encrypt the traffic going through the tunnel through the hub.
D. You can run multiple parallel DMVPNs on the hub router, but each tunnel requires a unique
tunnel key.
Answer: D
QUESTION NO: 23
Given the Cisco IOS command crypto key generate rsa label MY_KEYS modulus 2048, which
additional command keyword should be added if you would like to use these keys on another
router or have the ability to back them up to another device?
A. redundancy
B. exportable
C. on:USB smart-token
D. usage-keys
Answer: B
QUESTION NO: 24
Which two types of deployments can be implemented for a zone-based policy firewall? (Choose
two.)
A. routed mode
B. interzone mode
C. fail open mode
D. transparent mode
E. inspection mode
Answer: A,D
QUESTION NO: 25 DRAG DROP
Answer:
Explanation:
Dropping application layer protocol units that do not conform to the protocol standard.
An application-aware method of filtering that works on OSI layers 3 and 4.
Filtering inside the protocol and its related content
QUESTION NO: 26
What is the result of configuring the command dot1x system-auth-control on a Cisco Catalyst
switch?
A. enables the switch to operate as the 802.1X supplicant
B. globally enables 802.1X on the switch
C. globally enables 802.1X and defines ports as 802.1X-capable
D. places the configuration sub-mode into dot1x-auth mode, in which you can identify the
authentication server parameters
Answer: B
QUESTION NO: 27
Which information is displayed when you enter the Cisco IOS command show epm session?
A. Enforcement Policy Module sessions
B. External Proxy Mappings, per authenticated sessions
C. Encrypted Policy Management sessions
D. Enhanced Protected Mode sessions
Answer: A
QUESTION NO: 28
Refer to the exhibit. Based on the partial configuration shown, which additional configuration
parameter is needed under the GET VPN group member GDOI configuration?
A. key server IP address
B. local priority
C. mapping of the IPsec profile to the IPsec SA
D. mapping of the IPsec transform set to the GDOI group
Answer: A
QUESTION NO: 29
Refer to the exhibit. Given the partial configuration shown, which two statements are correct?
(Choose two.)
A. The tunnel will use the routing protocol configured for GigabitEthernet 1/1 for all tunnel
communication with the peer.
B. The IP route statement to reach the remote network behind the DMVPN peer is incorrect, it
should be ip route 192.168.2.0 255.255.255.0 tunnel 0.
C. This is an example of a static point-to-point VTI tunnel.
D. The tunnel will use esp-sha-hmac encryption in ESP tunnel mode.
E. The tunnel will use 128-bit AES encryption in ESP tunnel mode.
Answer: C,E
QUESTION NO: 30
You are troubleshooting a Cisco Easy VPN installation that is experiencing session establishment
problems. You have verified that matching IKE and IPsec policies exist on both peers. The remote
client has also successfully entered authentication credentials. What is the next step to take in
troubleshooting this problem?
A. verify that the router is not denying traffic from the tunnel
B. verify that the router is able to assign an IP address to the client
C. examine routing tables
D. issue a ping from the client to the router to verify reachability
Answer: B
QUESTION NO: 31
Which of these is a result of using the same routing protocol process for routing outside and inside
the VPN tunnel?
A. This will provide for routing-protocol-based failover redundancy.
B. Spoke routers will be able to dynamically learn routes to peer networks.
C. This will allow VPN-encapsulated packets to be routed out the correct physical interface used to
reach the remote peer.
D. The tunnel will constantly flap.
Answer: D
QUESTION NO: 32 DRAG DROP
Answer:
Explanation:
VLAN Assignment
Time-based access
Endpoint posture assessment
QUESTION NO: 33
Refer to the exhibit. What can be determined from the output of this show command?
A. The switch port interface is enabled and operating as a community port.
B. The interface is acting as an isolated switch port operating in VLAN 1.
C. The interface is configured for Private VLAN Edge.
D. The switch port interface is not a trusted port.
Answer: D
QUESTION NO: 34
You are troubleshooting a problem related to IPsec connectivity issues. You see that there is no
ISAKMP security association established between peers. You debug the connection process and
see an error message of 1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0. What
does this message indicate?
A. This indicates a policy mismatch.
B. This indicates that the offered attributes did not contain a payload.
C. IKE has failed initial attempts and will resend policy offerings to the peer router.
D. The time stamp of the message shows that it is one day old. This could indicate a possible
mismatch of system clocks and invalidate the connection attempt.
Answer: A
QUESTION NO: 35
Refer to the exhibit. Given the output shown, what can be determined?
A. An attacker has sent a spoofed DHCP address.
B. An attacker has sent a spoofed ARP response that violates a static mapping.
C. The MAC address has matched a deny rule within the ACL.
D. This is an invalid proxy ARP packet, as indicated by the 0000.0000.0000 MAC address on the
destination.
Answer: C
QUESTION NO: 36
Which command will enable a SCEP interface when you are configuring a Cisco router to be a
certificate server?
A. scep enable (under interface configuration mode)
B. crypto pki scep enable
C. grant auto
D. ip http server
Answer: D
QUESTION NO: 37
When 802.1X is implemented, how do the client (supplicant) and authenticator communicate?
A. RADIUS
B. TACACS+
C. MAB
D. EAPOL
Answer: D
QUESTION NO: 38
Refer to the exhibit. Assuming that all other supporting configurations are correct, what can be
determined from the partial IP admission configuration shown?
A. The router will forward authentication requests to an AAA server for authentication and
authorization.
B. The local user password is thl3F4ftvA.
C. The router will intercept incoming HTTP sessions on interface G0/0 for authentication.
D. The SUPERUSER's privilege level is being restricted.
E. The attribute type supplicant-group "SUPERUSER" configuration can be used to match criteria
in the "inspect" class-map type using the match access-group option.
Answer: C
QUESTION NO: 39
Which of these is an implementation guideline when deploying the IP Source Guard feature in an
environment with multiple switches?
A. Do not configure IP Source Guard on interswitch links.
B. Configure PACLs for DHCP-addressed end devices.
C. IP Source Guard must be configured in the trunk subconfiguration mode to work on interswitch
links.
D. Configure static IP Source Guard mapping for all access ports.
Answer: A
QUESTION NO: 40 DRAG DROP
Answer:
Explanation:
Dynamic Inside NAT
Dynamic Inside PAT
Static Inside NAT
Static Inside PAT
QUESTION NO: 41
What does the command errdisable recovery cause arp-inspection interval 300 provide for?
A. It will disable a port when the ARP rate limit of 300 packets per second is received and wait a
configured interval time before placing the port back in normal operation.
B. It will inspect for ARP-disabled ports every 300 seconds.
C. It will recover a disabled port and limit ARP traffic to 300 packets per second to avoid potential
ARP attacks from reoccurring.
D. It will recover a disabled port due to an ARP inspection condition in 5 minutes.
Answer: D
QUESTION NO: 42
You have configured Management Plane Protection on an interface on a Cisco router. What is the
resulting action on implementing MPP?
A. Inspection of protected management interfaces is automatically configured to ensure that
management protocols comply with standards.
B. The router gives preference to the configured management interface. If that interface becomes
unavailable, management protocols will be allowed on alternate interfaces.
C. Along with normal user data traffic, management traffic is also allowed only on the protected
interface.
D. Only management protocols are allowed on the protected interface.
Answer: C
QUESTION NO: 43 DRAG DROP
Answer:
Explanation:
Use static access ports
Disable DTP
Avoid trunk native VLAN on access ports
QUESTION NO: 44
Refer to the exhibit. What can be determined from the configuration shown?
A. The community SNMP string is SNMP-MGMT-VIEW.
B. All interfaces will be included in the SNMP GETs.
C. This SNMP group will only allow read access to interface MIBs.
D. The SNMP server group is using 128-bit SHA authentication.
Answer: C
QUESTION NO: 45
When enabling the Cisco IOS IPS feature, which step should you perform to prevent rogue
signature updates from being installed on the router?
A. configure authentication and authorization for maintaining signature updates
B. install a known RSA public key that correlates to a private key used by Cisco
C. manually import signature updates from Cisco to a secure server, and then transfer files from
the secure server to the router
D. use the SDEE protocol for all signature updates from a known secure management station
Answer: B
QUESTION NO: 46
A user has requested a connection to an external website. After initiating the connection, a
message appears in the user's browser stating that access to the requested website has been
denied by the company usage policy. What is the most likely reason for this message to appear?
A. An antivirus software program has blocked the session request due to potential malicious
content.
B. The network has been configured with a URL filtering service.
C. The network has been configured for 802.1X authentication and the user has failed to
authenticate
D. The user's configured policy access level does not contain proper permissions
Answer: B
QUESTION NO: 47
Refer to the exhibit. Given the partial configuration shown, what can be determined?
A. This is an example of a dynamic policy PAT rule.
B. This is an example of a static policy NAT rule.
C. Addresses in the 10.10.30.0 network will be exempt from translation when destined for the
10.100.100.0 network.
D. The extended access list provides for one-to-one translation mapping of the 10.10.30.0 network
to the 10.100.100.0 network
Answer: A
QUESTION NO: 48
When is it most appropriate to choose IPS functionality based on Cisco IOS software?
A. when traffic rates are low and a complete signature is not required
B. when accelerated, integrated performance is required using hardware ASIC-based IPS
inspections
C. when integrated policy virtualization is required
D. when promiscuous inspection meets security requirements
Answer: A
QUESTION NO: 49
When performing NAT, which of these is a limitation you need to account for?
A. exhaustion of port number translations
B. embedded IP addresses
C. security payload identifiers
D. inability to provide mutual connectivity to networks with overlapping address spaces
Answer: B
QUESTION NO: 50 DRAG DROP
Answer:
Explanation:
Routing Protocol Filtering
BPDU Guard
VTP Authentication
Routing Protocol Authentication
QUESTION NO: 51
You have enabled Cisco IOS IPS on a router in your network. However, you are not seeing
expected events on your monitoring system (such as Cisco IME). On the router, you see events
being captured. What is the next step in troubleshooting the problem?
A. verify that syslog is configured to send events to the correct server
B. verify SDEE communications
C. verify event action rules
D. verify that the IPS license is valid
Answer: B
QUESTION NO: 52
Which two of these are features of control plane security on a Cisco ISR? (Choose two.)
A. CoPP
B. RBAC
C. AAA
D. CPPr
E. uRPF
F. FPM
Answer: A,D
QUESTION NO: 53
Which two of these are potential results of an attacker performing a DHCP server spoofing attack?
(Choose two.)
A. DHCP snooping
B. DoS
C. confidentiality breach
D. spoofed MAC addresses
E. switch ports being converted to an untrusted state
Answer: B,C
QUESTION NO: 54
When Cisco IOS IPS signatures are being tuned, how is the Target Value Rating assigned?
A. It is calculated from the Event Risk Rating.
B. It is calculated from a combination of the Attack Severity Rating and Signature Fidelity Rating
C. It is manually set by the administrator.
D. It is set based upon SEAP functions.
Answer: C
QUESTION NO: 55
Which of these should you do before configuring IP Source Guard on a Cisco Catalyst switch?
A. enable NTP for event correlation
B. enable IP routing authentication
C. configure an access list with exempt DHCP-initiated IP address ranges
D. turn DHCP snooping on at least 24 hours in advance
Answer: D
QUESTION NO: 56
What action will the parameter-map type ooo global command enable?
A. globally initiates tuning of the router's TCP normalizer parameters for out-of-order packets
B. globally classifies type ooo packets within the parameter map and subsequent policy map
C. enables a parameter map named ooo
D. configures a global parameter map for traffic destined to the router itself
Answer: A
QUESTION NO: 57 DRAG DROP
Answer:
Explanation:
Port ACLs
Port Security
VLAN ACLs
Private VLANs
QUESTION NO: 58 HOTSPOT
Answer:
QUESTION NO: 59 HOTSPOT
Answer:
QUESTION NO: 60 HOTSPOT
Answer:
QUESTION NO: 61 HOTSPOT
Answer:
QUESTION NO: 62 HOTSPOT
Answer:
QUESTION NO: 63
Which protocol is EAP encapsulated in for communications between the authenticator and the
authentication server?
A. EAP-MD5
B. IPsec
C. EAPOL
D. RADIUS
Answer: D
QUESTION NO: 64
You are loading a basic IPS signature package onto a Cisco router. After a period of time, you see
this message:
%IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 275013 ms. What do you expect
happened during downloading and compilation of the files?
A. The files were successfully copied with an elapsed time of 275013 ms. The router will continue
with extraction and compilation of the signature database.
B. The signature engines were compiled, but there is no indication that the actual signatures were
compiled.
C. The compilation failed for some of the signature engines. There are 16 engines, but only 6 were
completed according to the %IPS-6 message.
D. The files were compiled without error.
Answer: D
QUESTION NO: 65
Refer to the exhibit. Given the configuration shown, which of these statements is correct?
A. An external service is providing URL filtering via a subscription service.
B. All HTTP traffic to websites with the name "Gambling" included in the URL will be reset.
C. A service policy on the zone pair needs to be configured in the opposite direction or all return
HTTP traffic will be blocked by policy.
D. The URL filter policy has been configured in a fail-closed scenario.
Answer: A
QUESTION NO: 66 DRAG DROP
Answer:
Explanation:
Spoke-to-hub GRE and IPSec tunnels are created
NHRP mappings are created.
All spoke traffic is forwarded to the hub.
QUESTION NO: 67
Refer to the exhibit. Which two of these are most likely to have caused the issue with NHRP, given
this output of the show command? (Choose two.)
A. There was a network ID mismatch.
B. The spoke router has not yet sent a request via Tunnel0.
C. The spoke router received a malformed NHRP packet.
D. There was an authentication key mismatch.
E. The registration request was expecting a return request ID of 1201, but received an ID of 120.
Answer: A,D
QUESTION NO: 68 DRAG DROP
Answer:
Explanation:
Event action filter
Event action override
Target value rating
QUESTION NO: 69
You have configured a guest VLAN using 802.1X on a Cisco Catalyst switch. A client incapable of
using 802.1X has accessed the port and has been assigned to the guest VLAN. What happens
when a client capable of using 802.1X joins the network on the same port?
A. The client capable of using 802.1X is allowed access and proper security policies are applied to
the client.
B. EAPOL packets will not be allowed on the guest VLAN and the access attempt will fail.
C. The port is put into the unauthorized state in the user-configured access VLAN, and
authentication is restarted.
D. This is considered a security breach by the authentication server and all users on the access
port will be placed into the restricted VLAN.
Answer: C
QUESTION NO: 70
Refer to the exhibit. What can be determined from the information shown?
A. The user has been restricted to privilege level 1.
B. The standard access list should be reconfigured as an extended access list to allow desired
user permissions
C. RBAC has been configured with restricted views.
D. IP access list DMZ_ACL has not yet been configured with proper permissions.
Answer: C
QUESTION NO: 71
Refer to the exhibit. Assuming that all other supporting configurations are correct, what can be
determined from the partial IP admission configuration shown?
A. The router will forward authentication requests to an AAA server for authentication and
authorization.
B. The user maint3nanc3 will have complete CLI command access once authenticated.
C. After a period of 20 minutes, the user will again be required to provide authentication
credentials.
D. The authentication proxy will fail, because the router's HTTP server has not been enabled.
E. All traffic entering interface G0/1 will be intercepted for authentication, but only Telnet traffic will
be authorized.
Answer: C
QUESTION NO: 72
What will the authentication event fail retry 0 action authorize vlan 300 command accomplish?
A. assigns clients that fail 802.1X authentication into the restricted VLAN 300
B. assigns clients to VLAN 300 and attempts reauthorization
C. assigns a client to the guest VLAN 300 if it does not receive a response from the client to its
EAPOL request/identity frame
D. locks out a user who fails an 802.1X authentication and does not allow the user to try to gain
network access again for 300 seconds
Answer: A
QUESTION NO: 73 DRAG DROP
Answer:
Explanation:
Application Layer Inspections
Payload Minimization
Protocol Minimization
Protocol Verification