Cisco 642-503 Real Questions Answers, First-hand Cisco 642-503 Practice Exam Online Store

100% Valid And Newest. Do not worry about your Cisco 642-503 exam! Just try Flydumps, the latest Cisco 642-503 exam dumps: the latest new version with all the officially added Cisco 642-503 questions and answers, a high pass rate, and money back.

QUESTION 45
When you implement 802.1x authentication on the ACS, which two configurations are performed under the ACS System Configuration? (Choose two.)
A. Users
B. Groups
C. Global Authentication Setup
D. RACs
E. Logging
F. NAPs

Correct Answer: CE Section: (none) Explanation
Explanation/Reference:
QUESTION 46
Which three of these statements are correct regarding DMVPN configuration? (Choose three.)
A. If running EIGRP over DMVPN, the hub router tunnel interface must have “next hop self” enabled: ip next-hop-self eigrp AS-Number
B. If running EIGRP over DMVPN, the hub router tunnel interface must have split horizon disabled: no ip split-horizon eigrp AS-Number
C. The spoke routers must be configured as the NHRP servers: ip nhrp nhs spoke-tunnel-ip-address
D. At the spoke routers, static NHRP mapping to the hub router is required: ip nhrp map hub-tunnel-ip-address hub-physical-ip-address
E. The GRE tunnel mode must be set to point-to-point mode: tunnel mode gre point-to-point
F. The GRE tunnel must be associated with an IPsec profile: tunnel protection ipsec profile profile-name

Correct Answer: BDF Section: (none) Explanation
Explanation/Reference:
QUESTION 47
Refer to the exhibit. What will result from this zone-based firewall configuration?

A. All traffic from the private zone to the public zone will be dropped.
B. All traffic from the private zone to the public zone will be permitted but not inspected.
C. All traffic from the private zone to the public zone will be permitted and inspected.
D. All traffic from the public zone to the private zone will be permitted but not inspected.
E. Only HTTP and DNS traffic from the private zone to the public zone will be permitted and inspected.
F. Only HTTP and DNS traffic from the public zone to the private zone will be permitted and inspected.

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 48
Drop

A.
B.
C.
D.

Correct Answer: Section: (none) Explanation
Explanation/Reference:
QUESTION 49

A.

B.
C.
D.

Correct Answer: Section: (none) Explanation
Explanation/Reference:
QUESTION 50
When you add NADs as AAA clients in the ACS, which three parameters are configured for each AAA client? (Choose three.)
A. the NAD IP address
B. the AAA server IP address
C. the EAP type
D. the shared secret key
E. the AAA protocol to use for communications with the NADs
F. the UDP ports to use for communications with the NADs

Correct Answer: ADE Section: (none) Explanation
Explanation/Reference:
QUESTION 51
Which two statements are true regarding classic Cisco IOS Firewall configurations? (Choose two.)
A. You can apply the IP inspection rule in the inbound direction on the trusted interface.
B. You can apply the IP inspection rule in the outbound direction on the untrusted interface.
C. For temporary openings to be created dynamically by Cisco IOS Firewall, the access list for the returning traffic must be a standard ACL.
D. For temporary openings to be created dynamically by Cisco IOS Firewall, you must apply the IP inspection rule to the trusted interface.
E. For temporary openings to be created dynamically by Cisco IOS Firewall, the inbound access list on the trusted interface must be an extended ACL.

Correct Answer: AB Section: (none) Explanation
Explanation/Reference:
QUESTION 52
Refer to the exhibit. Which two configuration commands are used to apply an inspect policy map for traffic traversing from the E0 or E1 interface to the S3 interface? (Choose two.)

A. zone-pair security test source Z1 destination Z2
B. interface E0
C. policy-map myfwpolicy class class-default inspect
D. ip inspect myfwpolicy out
E. ip inspect myfwpolicy in
F. service-policy type inspect myfwpolicy

Correct Answer: AF Section: (none) Explanation
Explanation/Reference:
QUESTION 53
When you implement Cisco IOS WebVPN on a Cisco router using a self-signed certificate, you notice that the router is not generating a self-signed certificate. What should you check to troubleshoot this issue?
A. Verify the ip http secure-server configuration.
B. Verify the ip http server configuration.
C. Verify that the WebVPN gateway is inservice.
D. Verify the AAA authentication configuration.
E. Verify the WebVPN group policy configuration.
F. Verify the WebVPN context configuration.

Correct Answer: C Section: (none) Explanation
Explanation/Reference:


QUESTION 46
Please study the exhibit carefully.
When you configure DHCP snooping, which ports should be configured as trusted?
A. port E only
B. port A only
C. ports B and C
D. ports A, B, C, and E
E. ports A, B, and C
F. ports B, C, and E

Correct Answer: E Section: (none) Explanation
Explanation/Reference:
Explanation: Understanding DHCP Snooping and Mitigating DHCP Attacks
DHCP snooping is a switch feature that determines which switch ports can respond to DHCP requests. To accomplish this configuration, you must configure a port as either trusted or untrusted. Untrusted ports can source requests only, whereas trusted ports can source DHCP replies. This will help you prevent the attack by controlling where the DHCP server is and the path that you expect DHCP replies to come from.
Reference: CCSP SNRS Quick Reference Sheets
QUESTION 47
Refer to the DMVPN topology diagram in the exhibit. Which two statements are correct? (Choose two.)

A. The hub router Certkiller 1 needs to have EIGRP split horizon disabled.
B. At the Certkiller 4 router, the next hop to reach the 192.168.0.0/24 network is 172.17.0.1.
C. The spoke routers Certkiller 2 and Certkiller 4 act as the NHRP servers for resolving the remote spoke physical interface IP address.
D. At the Certkiller 2, the next hop to reach the 192.168.1.0/24 network is 172.17.0.1.
E. Before a spoke-to-spoke tunnel can be built, the spoke router needs to send an NHRP query to the hub to resolve the remote spoke router physical interface IP address.
F. At the Certkiller 4, the next hop to reach the 192.168.2.0/24 network is 10.0.0.1.

Correct Answer: AE Section: (none) Explanation
Explanation/Reference:
Explanation: For spoke-to-spoke DMVPN networks, a unique challenge exists because the spokes cannot directly exchange information with one another, even though they are on the same logical subnet. This means that the hub router needs to advertise subnets from the other spokes on the same subnet. The IP routing rule known as split horizon prevents the hub from doing this:
SNRS_ROUTER(config-router)#interface tunnel 0
SNRS_ROUTER(config-if)#no ip split-horizon eigrp 1
Reference: CCSP SNRS Quick Reference Sheets
NHRP: A client and server protocol where the hub is the server and the spokes are the clients. The hub maintains an NHRP database of the public interface addresses of each spoke. Each spoke registers its real address when it boots and queries the NHRP database for real addresses of the destination spokes in order to build direct tunnels.
Reference: Cisco IOS Security Configuration Guide, Release 12.4
QUESTION 48
What does this command do?
Certkiller 3(config)# ip port-map user-1 port tcp 4001

A. enables the Cisco IOS Firewall to inspect TCP port 4001 as part of the ip inspect name xxx TCP inspection rule
B. enables NBAR to recognize a user-defined application on TCP port 4001
C. enables application firewall inspection on a user-defined application that is mapped to TCP port 4001
D. defines a user application in the PAM table where the user-defined application is called “user-1” and that application is mapped to TCP port 4001

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
User-Defined Port Mapping
Network services or applications that use non-standard ports require user-defined entries in the PAM table. For example, your network might run HTTP services on the non-standard port 8000 instead of on the system-defined default port (port 80). In this case, you can use PAM to map port 8000 with HTTP services. If HTTP services run on other ports, use PAM to create additional port mapping entries. After you define a port mapping, you can overwrite that entry at a later time by simply mapping that specific port with a different application.
Configuring PAM
To configure PAM, use the ip port-map command in global configuration mode:
QUESTION 49
Which two commands are used to only allow SSH traffic to the router Eth0 interface and deny other management traffic (BEEP, FTP, HTTP, HTTPS, SNMP, Telnet, TFTP) to the router interfaces? (Choose two.)
A. interface eth0
B. service-policy type port-filter input policy-name
C. control-plane host
D. line vty 0 5 transport input ssh
E. policy-map type port-filter policy-name
F. management-interface eth0 allow ssh

Correct Answer: CF Section: (none) Explanation
Explanation/Reference:
Explanation:
Prerequisites
IP Cisco Express Forwarding must be enabled before a management interface can be configured.
SUMMARY STEPS
1. enable
2. configure terminal
3. control-plane host
4. management-interface interface allow protocols
Configures an interface to be a management interface, which will accept management protocols, and specifies which management protocols are allowed.
interface: Name of the interface that you are designating as a management interface.
protocols: Management protocols you want to allow on the designated management interface: BEEP, FTP, HTTP, HTTPS, SSH (v1 and v2), SNMP (all versions), Telnet, TFTP.
QUESTION 50
When configuring ACS 4.0 Network Access Profiles (NAPs), which three things can be used to determine how an access request is classified and mapped to a profile? (Choose three.)
A. the protocol types
B. Network Access Filters (NAFs)
C. RADIUS VSAs
D. the authentication method
E. RADIUS Authorization Components (RACs)
F. advanced filtering

Correct Answer: ABF Section: (none) Explanation
Explanation/Reference:
Explanation: Defining User Access Requests
You use the Profile Setup Page to define how ACS classifies access requests. You can use one or all of the following classification methods: NAFs, Protocol Types, and Advanced Filtering. You use these three conditions to determine how ACS classifies an access request and maps it to a profile. The profile is selected when all the selected conditions match. For each condition, the value Any always matches the condition. For example, if you create a NAF for wireless and then select the Aironet Protocol type, only devices with the protocol types in the wireless NAF will be selected for filtering.
QUESTION 51
Please study the exhibit carefully. Why is auth-proxy not working?

A. The ip auth-proxy HQU interface configuration command is missing the in direction option.
B. The local username and password database is not configured.
C. AAA accounting is not enabled.
D. The aaa authorization command is not correct.
E. HTTPS is not enabled on the router.
F. The AAA authentication method-list is not configured.

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: Enable the AAA process on the router. Use the aaa authorization auth-proxy command to authorize traffic via the Authentication Proxy AAA server:
SNRS_ROUTER(config)#aaa new-model
SNRS_ROUTER(config)#aaa authentication login default group radius
SNRS_ROUTER(config)#aaa authorization auth-proxy default group radius
QUESTION 52
SIMULATION
Network topology exhibit
You work as a network technician at Certkiller .com. Certkiller .com has a server Certkiller A connected to their network infrastructure through a switch Certkiller A. Certkiller .com is using VLANs to improve security; nevertheless, you notice that there is a CAM table overflow attack in progress through port fa0/12. The attacker is spoofing MAC addresses through the Certkiller A switch. You are required to reconfigure the switch so that the attacker has no chance of overflowing the CAM table. If more than one MAC address is learned on a port, the port should shut down. The Certkiller A enable password is Certkiller.

A.
B.
C.
D.

Correct Answer: Section: (none) Explanation
Explanation/Reference:
Explanation:
Certkiller A# config t
Certkiller A(config)#interface fast0/12
Certkiller A(config-if)# switchport port-security
Certkiller A(config-if)# switchport port-security maximum 1
Certkiller A(config-if)# switchport port-security violation shutdown
Certkiller .com, Scenario
Network topology exhibit

Simulation output: *** Missing ***
You work as a network technician at Certkiller .com. Your boss, Miss Certkiller, has ordered you to troubleshoot a Certkiller branch network. You need to answer some questions regarding this network using the network topology and the output you retrieve from Cisco devices on the network.

Certkiller .com (4 Questions)

QUESTION 53
Where are the signatures being loaded from?
A. NVRAM
B. Flash
C. TFTP server
D. Built-in signatures
E. There are no signatures

Correct Answer: Section: (none) Explanation
Explanation/Reference:
QUESTION 54
Which interface is the rule applied to?
A. There is no rule.
B. Fa0/0
C. Fa0/1
D. Fa0/2
E. S0/0
F. S0/1
G. S0/2

Correct Answer: Section: (none) Explanation
Explanation/Reference:
QUESTION 55
How many signatures are loaded?
A. 0
B. 1
C. 81
D. 82
E. 83
F. 100
G. 1000
H. 10000
I. An infinite number

Correct Answer: Section: (none) Explanation
Explanation/Reference:
QUESTION 56
How many total inactive signatures are there?
A. 0
B. 1
C. 81
D. 82
E. 83
F. 100
G. 1000
H. 10000
I. An infinite number

Correct Answer: Section: (none) Explanation
Explanation/Reference:
QUESTION 57
A new Certkiller switch has been installed and you wish to secure it. Which Cisco Catalyst IOS command can be used to mitigate a CAM table overflow attack?
A. switch(config-if)# port-security maximum 1
B. switch(config)# switchport port-security
C. switch(config-if)# port-security
D. switch(config-if)# switchport port-security maximum 1
E. switch(config-if)# switchport access
F. switch(config-if)# access maximum 1

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
Enabling and Configuring Port Security:
Beginning in privileged EXEC mode, follow these steps to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port:
To ensure that only a single station’s MAC address is allowed on a given port, specify the value of the “switchport port-security maximum” command to 1. This will safeguard against CAM overflow attacks.
Reference: http://www.cisco.com/en/US/products/hw/switches/ps5206/products_configuration_guide_chapter09186a00801 c

QUESTION 58
SIMULATION
The following diagram displays a portion of the Certkiller network:
You work for the Certkiller .com, which has a server connected to their infrastructure through a switch named Houston. Although Certkiller .com uses VLANs for security, an attacker is trying to overflow the CAM table by sending out spoofed MAC addresses through a port on the same switch as the server. Your task is to configure the switch to protect the switch from a CAM table overflow attack. For purposes of this test, we will assume that the attacker is plugged into port Fa0/12. The topology is pictured in the exhibit. The enable password for the switch is Certkiller. The following passwords have been assigned to the Houston switch:
Console password: california
VTY lines 0-4 password: city
Enable password: Certkiller
Start the simulation by clicking on the host.
A.
B.
C.
D.

Correct Answer: Section: (none) Explanation
Explanation/Reference:
Explanation:
Switch1(config)# interface fastethernet0/12
Switch1(config-if)# switchport mode access
Switch1(config-if)# switchport port-security
Switch1(config-if)# switchport port-security maximum 1
Switch1(config-if)# end
Enabling and Configuring Port Security:
Beginning in privileged EXEC mode, follow these steps to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port:
To ensure that only a single station’s MAC address is allowed on a given port, specify the value of the “switchport port-security maximum” command to 1. This will safeguard against CAM overflow attacks.
Reference: http://www.cisco.com/en/US/products/hw/switches/ps5206/products_configuration_guide_chapter09186a00801 c

QUESTION 59
You want to increase the security of a newly installed switch. Which Cisco Catalyst IOS command is used to mitigate a MAC spoofing attack?
A. switch(config-if)# port-security mac-address 0000.ffff.aaaa
B. switch(config)# switchport port-security mac-address 0000.ffff.aaaa
C. switch(config-if)# switchport port-security mac-address 0000.ffff.aaaa
D. switch(config)# port-security mac-address 0000.ffff.aaaa
E. switch(config-if)# mac-address 0000.ffff.aaaa
F. switch(config)# security mac-address 0000.ffff.aaaa

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the workstations that are allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port.
If a port is configured as a secure port and the maximum number of secure MAC addresses is reached, when the MAC address of a workstation attempting to access the port is different from any of the identified secure MAC addresses, a security violation occurs. If a workstation with a secure MAC address that is configured or learned on one secure port attempts to access another secure port, a violation is flagged.
After you have set the maximum number of secure MAC addresses on a port, the secure addresses are included in an address table in one of these ways: You can configure all secure MAC addresses by using the switchport port-security mac-address mac_address interface configuration command. You can allow the port to dynamically configure secure MAC addresses with the MAC addresses of connected devices. You can configure a number of addresses and allow the rest to be dynamically configured.
Reference: http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a00800d a
Note: there is no ability to use “copy running-config startup-config” or “write memory”, so each solution should use the “end” command in config mode to save the current configuration.
QUESTION 60
The security administrator for Certkiller Inc. is working on defending the network against SYN flooding attacks. Which of the following are tools to protect the network from TCP SYN attacks?
A. Route authentication
B. Encryption
C. ACLs
D. TCP intercept
E. None of the above.

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: The TCP intercept feature implements software to protect TCP servers from TCP SYN-flooding attacks, which are a type of denial-of-service attack. A SYN-flooding attack occurs when a hacker floods a server with a barrage of requests for connection. Because these messages have unreachable return addresses, the connections cannot be established. The resulting volume of unresolved open connections eventually overwhelms the server and can cause it to deny service to valid requests, thereby preventing legitimate users from connecting to a web site, accessing e-mail, using FTP service, and so on.
The TCP intercept feature helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP intercept software intercepts TCP synchronization (SYN) packets from clients to servers that match an extended access list. The software establishes a connection with the client on behalf of the destination server, and if successful, establishes the connection with the server on behalf of the client and knits the two half-connections together transparently. Thus, connection attempts from unreachable hosts will never reach the server. The software continues to intercept and forward packets throughout the duration of the connection. The number of SYNs per second and the number of concurrent connections proxied depends on the platform, memory, processor, and other factors.
Reference: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800 c
QUESTION 61
Which of the following IOS commands will you advise the Certkiller trainee technician to use when setting the timeout for router terminal line?
A. exec-timeout minute [seconds]
B. line-timeout minute [seconds]
C. timeout console minute [seconds]
D. exec-time minutes [seconds]

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation: The exec timeout command prevents unauthorized users from misusing abandoned sessions (for instance if the network administrator went on vacation and left an enabled login session active on his desktop system). There is a trade-off here between security (shorter timeouts) and usability (longer timeouts). Check your local policies and operational needs to determine the best value. In most cases, this should be no more than 10 minutes. To configure the timeout values, perform the following steps:
router(config)# line INSTANCE
router(config-line)# exec-timeout $(EXEC_TIMEOUT)
router(config-line)# exit
Reference: http://www.cisco.com/warp/public/793/access_dial/comm_server.html
QUESTION 62
The Certkiller network is implementing IBNS. In a Cisco Identity-Based Networking Service (IBNS) implementation, the endpoint that is seeking network access is known as what?
A. Host
B. Authentication
C. PC
D. Authentication server
E. Client
F. Supplicant

Correct Answer: F Section: (none) Explanation
Explanation/Reference:
Explanation:
In IBNS, the supplicant is the end device that is seeking network access. The supplicant is a software component on the user workstation that answers a challenge from the authenticator. Supplicant functionality may also be implemented on network devices to authenticate to upstream devices.
Reference: Securing Networks with Cisco Routers and Switches (SNRS) Courseware Page 3-30.

QUESTION 63
A new IBNS system is being installed in the Certkiller network. The Cisco Identity-Based Networking Services (IBNS) solution is based on which two standard implementations? (Choose two.)
A. TACACS+
B. RADIUS
C. 802.11
D. 802.1x
E. 802.1q
F. IPSec

Correct Answer: BD Section: (none) Explanation
Explanation/Reference:
Explanation:
The Cisco IBNS solution is based on standard RADIUS and 802.1X implementations. It interoperates with all IETF authentication servers that comply with these two standards. Cisco has enhanced the Cisco Secure ACS to provide a tight integration across all Cisco switches.
Reference: Securing Networks with Cisco Routers and Switches (SNRS) Courseware Page 3-24.

QUESTION 64
You wish to configure 802.1X port control on your switch. Which three keywords are used with the dot1x port-control command? (Choose three.)
A. enable
B. force-authorized
C. force-unauthorized
D. authorized
E. unauthorized
F. auto

Correct Answer: BCF Section: (none) Explanation
Explanation/Reference:
Explanation:
To enable manual control of the authorization state on a port, use the “dot1x port-control” command. To return to the default setting, use the no form of this command.
dot1x port-control {auto | force-authorized | force-unauthorized}
no dot1x port-control {auto | force-authorized | force-unauthorized}
Syntax Description:
Reference: http://www.cisco.com/en/US/products/hw/switches/ps4324/products_command_reference_chapter09186a00803
QUESTION 65
The Certkiller network has rolled out an 802.1X based system. In an 802.1x implementation, the authenticator acts as a gateway to which device?
A. Host
B. Authenticator
C. PC
D. Authentication server
E. Client
F. Supplicant

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
The table below outlines the definitions for the authentication server and the authenticator:
Reference: http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008020
QUESTION 66
The Certkiller network is using an 802.1X implementation. In an 802.1x implementation, the supplicant directly connects to, and obtains network access permission through which device?
A. Host
B. Authenticator
C. PC
D. Authentication server
E. Client
F. Supplicant

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: In Identity Based Networking Services, the supplicant is the end device that is seeking network access. The supplicant is a software component on the user workstation that answers a challenge from the authenticator.
The authenticator is the entity at one end of a point-to-point LAN segment that enforces host authentication. The authenticator is independent of the actual authentication method and functions only as a pass-through for the authentication exchange. It communicates with the host, submits the information from the host to the authentication server, and authorizes the host when instructed to do so by the authentication server.
Reference: Securing Networks with Cisco Routers and Switches (SNRS) Courseware Page 3-30.
QUESTION 67
Which two are typical Layer 2 attacks? (Choose two.)
A. MAC spoofing
B. CAM table overflow
C. Route poisoning
D. DHCP Starvation
E. ARP Starvation
F. Spam
G. Worm Hole

Correct Answer: AB Section: (none) Explanation
Explanation/Reference:
Explanation: Layer 2 network attacks include all of the following: CAM Table Overflow, VLAN Hopping, Spanning-Tree Protocol Manipulation, MAC Spoofing Attack, Private VLAN Attacks, DHCP Starvation, Cisco Discovery Protocol, VLAN Trunking Protocol, IEEE 802.1x.
MAC Spoofing Attack: MAC spoofing attacks involve the use of a known MAC address of another host to attempt to make the target switch forward frames destined for the remote host to the network attacker. By sending a single frame with the other host’s source Ethernet address, the network attacker overwrites the CAM table entry so that the switch forwards packets destined for the host to the network attacker. Until the host sends traffic it will not receive any traffic. When the host sends out traffic, the CAM table entry is rewritten once more so that it moves back to the original port.
CAM Table Overflow: The CAM table in a switch contains information such as the MAC addresses available on a given physical port of a switch, as well as the associated VLAN parameters. When a Layer 2 switch receives a frame, the switch looks in the CAM table for the destination MAC address. If an entry exists for the MAC address in the CAM table, the switch forwards the frame to the port designated in the CAM table for that MAC address. If the MAC address does not exist in the CAM table, the switch forwards the frame out every port on the switch, effectively acting like a hub. If a response is seen, the switch updates the CAM table.
Reference: http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a00801
QUESTION 68
You want to increase the security levels at layer 2 within the Certkiller switched LAN. Which three are typical Layer 2 attack mitigation techniques? (Select three)
A. Switch security
B. Port security
C. ARP snooping
D. DHCP snooping
E. Port snooping
F. 802.1x authentication

Correct Answer: BDF Section: (none) Explanation
Explanation/Reference:
Explanation: Network Attack Mitigation: Use the port security commands to mitigate MAC-spoofing attacks. The port security command provides the capability to specify the MAC address of the system connected to a particular port. The command also provides the ability to specify an action to take if a port-security violation occurs. However, as with the CAM table-overflow attack mitigation, specifying a MAC address on every port is an unmanageable solution.
Hold-down timers in the interface configuration menu can be used to mitigate ARP spoofing attacks by setting the length of time an entry will stay in the ARP cache. However, hold-down timers by themselves are insufficient. Modification of the ARP cache expiration time on all end systems would be required as well as static ARP entries. Even in a small network this approach does not scale well. One solution would be to use private VLANs to help mitigate these network attacks.
Another solution that can be used to mitigate various ARP-based network exploits is the use of DHCP snooping along with Dynamic ARP Inspection (DAI). These Catalyst features validate ARP packets in a network and permit the interception, logging, and discarding of ARP packets with invalid MAC address to IP address bindings. DHCP Snooping provides security by filtering trusted DHCP messages and then using these messages to build and maintain a DHCP snooping binding table. DHCP Snooping considers DHCP messages originating from any user-facing port that is not a DHCP server port or an uplink to a DHCP server as untrusted. From a DHCP Snooping perspective these untrusted, user-facing ports should not send DHCP server type responses such as DHCPOffer, DHCPAck, or DHCPNak. Untrusted DHCP messages are messages received from outside the network or firewall.
The DHCP snooping binding table contains the MAC address, IP address, lease time, binding type, VLAN number, and interface information corresponding to the local untrusted interfaces of a switch; it does not contain information regarding hosts interconnected with a trusted interface. An untrusted interface is an interface configured to receive messages from outside the network or firewall. A trusted interface is an interface that is configured to receive only messages from within the network. The DHCP snooping binding table can contain both dynamic as well as static MAC address to IP address bindings.
Another effective mitigation strategy is to deploy 802.1x on access switches and wireless access points to ensure that all access to the network infrastructure requires authentication. Consider deploying PEAP for use with wireless LANs.
Reference: http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a00801
QUESTION 69
The Certkiller security administrator is in charge of creating a security policy for the company. Which two statements about the creation of a security policy are true? (Choose two)
A. It helps Chief Information Officers determine the return on investment of network security at Certkiller Inc.
B. It defines how to track down and prosecute policy offenders at Certkiller Inc.
C. It helps determine which vendor security equipment or software is better than others.
D. It clears the general security framework so you can implement network security at Certkiller Inc.
E. It provides a process to audit existing network security at Certkiller Inc.
F. It defines which behavior is and is not allowed at Certkiller Inc.

Correct Answer: EF Section: (none) Explanation
Explanation/Reference:
Explanation:
Reasons to create a network security policy:

1. Provides a process to audit existing network security
2. Provides a general security framework for implementing network security
3. Defines which behavior is and is not allowed
4. Often helps determine which tools and procedures are needed for the organization
5. Helps communicate consensus among a group of key decision-makers and defines responsibilities of users and administrators
6. Defines a process for handling network security incidents
7. Enables global security implementation and enforcement
8. Creates a basis for legal action if necessary

Reference: Managing Cisco Network Security, Cisco Press, page 43
QUESTION 70
The Certkiller routers have all been upgraded to a firewall feature set IOS. What are three main components of the Cisco IOS Firewall feature set? (Choose three)
A. Context-based Access Control
B. Port security
C. Authentication proxy
D. Authentication, authorization, and accounting
E. Intrusion Prevention System
F. Neighbor router authentication

Correct Answer: ACE Section: (none) Explanation
Explanation/Reference:
Explanation: The Cisco IOS Firewall feature set contains the following features:

Context-Based Access Control (CBAC): CBAC creates temporary openings in access lists at firewall interfaces. These openings are created when specified traffic exits your internal network through the firewall. The openings allow returning traffic (that would normally be blocked) and additional data channels to enter your internal network back through the firewall. The traffic is allowed back through the firewall only if it is part of the same session as the original traffic that triggered CBAC when exiting through the firewall.

Cisco IOS Intrusion Prevention System (IPS): The Cisco IOS IPS feature restructures the existing Cisco IOS Intrusion Detection System (IDS), allowing customers to choose to load the default, built-in signatures or to load a Signature Definition File (SDF) called attack-drop.sdf onto the router. The attack-drop.sdf file contains 118 high-fidelity IPS signatures, providing customers with the latest available detection of security threats.

Cisco IOS Firewall Authentication Proxy: Authentication proxy provides dynamic, per-user authentication and authorization, authenticating users against the industry-standard TACACS+ and RADIUS authentication protocols. Per-user authentication and authorization of connections provide more robust protection against network attacks.

Reference: http://www.cisco.com/en/US/products/ps5854/prod_configuration_guide09186a00802c9587.html
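The following router configuration shows the three IOS Firewall components from the explanation working together on a two-interface router. It is an added example, not taken from the original explanation or from the Cisco configuration guide it references. The interface names and addresses (FastEthernet0/0 inside at 10.0.1.1/24, FastEthernet0/1 outside at 192.0.2.1/24), the TACACS+ server 10.1.1.1 with key tacacskey, the inspection and ACL names, and the presence of attack-drop.sdf in flash are all assumptions.

```text
! Added example (not from the original page): CBAC, authentication proxy and
! IOS IPS on one router. Assumptions: Fa0/0 inside 10.0.1.1/24, Fa0/1 outside
! 192.0.2.1/24, TACACS+ server 10.1.1.1 / key tacacskey, attack-drop.sdf in flash.
!
! --- CBAC: stateful inspection of sessions that leave through the inside interface ---
ip inspect name FW-OUT tcp
ip inspect name FW-OUT udp
ip inspect name FW-OUT http
ip inspect name FW-OUT ftp
!
! The outside ACL denies everything; CBAC inserts temporary entries for return traffic
ip access-list extended OUTSIDE-IN
 deny   ip any any log
!
! --- Authentication proxy: per-user HTTP authentication against TACACS+ ---
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization auth-proxy default group tacacs+
tacacs-server host 10.1.1.1 key tacacskey
ip http server
ip http authentication aaa
ip auth-proxy name AUTH-PROXY http
!
! Before authenticating, inside hosts may only resolve names and reach the router's
! HTTP server (the login page); the per-user ACL downloaded from TACACS+ opens the rest
ip access-list extended INSIDE-IN
 permit udp any any eq domain
 permit tcp any host 10.0.1.1 eq www
 deny   ip any any
!
! --- IOS IPS: load the attack-drop.sdf signature file instead of the built-in set ---
ip ips sdf location flash:attack-drop.sdf
ip ips name MY-IPS
!
interface FastEthernet0/0
 description Inside (trusted)
 ip address 10.0.1.1 255.255.255.0
 ip access-group INSIDE-IN in
 ip inspect FW-OUT in
 ip auth-proxy AUTH-PROXY
!
interface FastEthernet0/1
 description Outside (untrusted)
 ip address 192.0.2.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip ips MY-IPS in
!
! Verification
! show ip inspect sessions
! show ip auth-proxy cache
! show ip ips configuration
```

Two things in this layout are easy to get wrong. The authentication proxy does nothing useful unless the interface it is applied to also carries an ACL that blocks traffic; the proxy's only effect is to add per-user entries to that ACL after a successful login, so the ACL must still permit HTTP to the router itself or users never see the login page. And `ip ips ... in` belongs on the interface where hostile traffic arrives, here the outside interface, not on the inside interface where CBAC watches outbound sessions.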

The Cisco 642-503 training is a vital way of becoming the best. This Cisco 642-503 certification has helped candidates to enhance their capabilities by providing a great learning platform so that they can polish their skills.

Cisco 642-502 Certification Braindumps, Best Cisco 642-502 Study Guide Book For Download

Where To Download New Free Cisco 642-502 VCE Exam Dumps? As we all know, the new Cisco 642-502 exam is difficult to pass, but if you get the valid Cisco 642-502 exam questions, you will pass the Cisco 642-502 exam easily. Nowadays, Flydumps has published the newest Cisco 642-502 exam dumps with free VCE test software and PDF dumps; by training with the Flydumps Cisco 642-502 questions, you will pass the exam easily!

QUESTION 45
Which ESP mode is used to provide end-to-end protection of message payloads between two hosts?
A. transport mode
B. encrypted mode
C. ESP mode
D. tunnel mode

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 46
Which three statements about Cisco Secure ACS are true? (Choose three.)
A. A NAS can access multiple Cisco Secure ACS for Windows servers.
B. Cisco Secure ACS for Windows servers can only log onto external servers.
C. The Cisco Secure ACS for Windows server supports only TACACS+.
D. Database replication is supported by the Cisco Secure ACS for Windows servers.
E. The service used for authentication and authorization on a Cisco Secure ACS for Windows server is called CSAdmin.
F. The Cisco Secure ACS for Windows servers uses the CSDBsynch service to manage the user and group accounts.

Correct Answer: ADF Section: (none) Explanation
Explanation/Reference:
QUESTION 47
After configuring multiple transform sets, where do you specify the transform sets?
A. ACL
B. ISAKMP policy
C. router interface
D. crypto map entry

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 48
Simulate question
This is the correct configuration:

Switch(config)#interface fastEthernet 0/12
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#end
Switch#copy running-config startup-config


Correct Answer: Section: (none) Explanation
Explanation/Reference:
QUESTION 49
What is the purpose of the ip ips sdf builtin command?
A. to load IPS on a router using the built-in signatures
B. to load IP on a router using the attack-drop signatures
C. to unload IPS built-in signatures
D. to delete the IPS built-in signatures
E. to load IPS on a router using the built-in micro-engine
F. to disable IPS on a router using the built-in micro-engine

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 50
In a Cisco Identity-Based Networking Services (IBNS) implementation, the endpoint that is seeking network access is known as what?
A. host
B. authenticator
C. PC
D. authentication server
E. client
F. supplicant

Correct Answer: F Section: (none) Explanation
Explanation/Reference:
QUESTION 51
Select the two issues to consider when implementing IOS Firewall IDS. (Choose two.)
A. memory usage
B. number of DMZs
C. signature coverage
D. number of router interfaces
E. signature length

Correct Answer: AC Section: (none) Explanation
Explanation/Reference:
QUESTION 52
Which three are typical Layer 2 attack mitigation techniques? (Choose three.)
A. switch security
B. port security
C. ARP snooping
D. DHCP snooping
E. port snooping
F. 802.1x authentication

Correct Answer: BDF Section: (none) Explanation
Explanation/Reference:
QUESTION 53
Choose the correct command to enable local authentication for the HTTP interface.
A. router# ip http authentication enable
B. router# http authentication local
C. router(config)# ip http authentication enable
D. router(config)# ip http authentication local
E. router(config)# ip http authentication enable local
F. router(config)# ip http authentication local enable

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 54
CBAC intelligently filters TCP and UDP packets based on which protocol-session information?
A. network layer
B. transport layer
C. data-link
D. application layer
E. presentation layer
F. session layer

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 55
In an 802.1x implementation, the supplicant directly connects to, and obtains network access permission through, which device?
A. host
B. authenticator
C. PC
D. authentication server
E. client
F. supplicant

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
QUESTION 56
Refer to the exhibit. Given the output of the show ip ips configuration command, how many signatures are active?
A. 0
B. 50
C. 83
D. 100
E. 183
F. 1107
Correct Answer: E Section: (none) Explanation

Explanation/Reference:
QUESTION 57
Refer to the exhibit. Given the output of the show crypto ipsec client ezvpn command, what do you determine?

A. The default domain is cisco.
B. The socket is up and ready for data.
C. The remote router address is 10.0.2.39.
D. The tunnel is up and SAs have been established.
E. The tunnel is terminated at a remote router called VPNGATE1.
F. All hosts connecting through this router will have the address of 10.0.2.39.

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 58
Refer to the output of a sh ip auth-proxy cache command below. Which port is being used by the client?
R2#sh ip auth-proxy cache
Authentication Proxy Cache
 Client Name aaauser, Client IP 10.0.2.12, Port 2636, timeout 5, Time Remaining 3, state ESTAB
A. 1645
B. 1646
C. 1812
D. 2636
E. 2640
F. 8080

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 59
Choose the two commands that are used to enable the router’s HTTP server for AAA. (Choose two.)
A. http server
B. ip http server
C. enable ip http server
D. http authentication aaa
E. http server authentication aaa
F. ip http authentication aaa

Correct Answer: BF Section: (none) Explanation
Explanation/Reference:
QUESTION 60
Which Easy VPN feature enables two IPSec peers to determine if the other is still “alive”?
A. Dead Peer Timeout
B. No Pulse Timer
C. Peer Death Monitor
D. Dead Peer Detection
E. Peer Heartbeat

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 61
Drag Drop question


Correct Answer: Section: (none) Explanation
Explanation/Reference:
QUESTION 62
What is the default idle time of an enabled IOS Firewall authentication proxy?
A. 5 seconds
B. 60 seconds
C. 5 minutes
D. 60 minutes

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 63
In an 802.1x implementation, the authenticator acts as a gateway to which device?
A. host
B. authenticator
C. PC
D. authentication server
E. client
F. supplicant

Correct Answer: D Section: (none) Explanation
Explanation/Reference:

The Cisco 642-502 certification can make you a competent person. It may enable a technician to know about the Cisco 642-502 configurations, get information about the Cisco 642-502 data center products and hardware, and gain knowledge about the Cisco 642-502 Unified Computing System.

New Updated Cisco 642-545 Exam Questions And Answers

Flydumps Cisco 642-545 exam questions and answers in PDF are prepared by our experts. Moreover, they are based on the recommended syllabus covering all the Cisco 642-545 exam objectives. You will find them to be very helpful and precise in the subject matter, since all the Cisco 642-545 exam content is regularly updated and has been checked for accuracy by our team of expert professionals.

Exam A
QUESTION 1
The Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS) is an appliance-based, all-inclusive solution that provides unmatched insight and control of your existing security deployment. Which three items are correct with regard to Cisco Security MARS rules? (Choose three.)
A. There are three types of rules.
B. Rules can be deleted.
C. Rules can be created using a query.
D. Rules trigger incidents.

Correct Answer: ACD Section: (none) Explanation
Explanation/Reference:
QUESTION 2
Which three are benefits of deploying Cisco Security MARS appliances using the global and local controller architecture? (Choose three.)
A. A global controller can provide a summary of all local controllers information (network topologies, incidents, queries, and reports results).
B. A global controller can provide a central point for creating rules and queries, which are applied simultaneously to multiple local controllers.
C. A global controller can correlate events from multiple local controllers to perform global sessionizations.
D. Users can seamlessly navigate to any local controller from the global controller GUI.

Correct Answer: ABD Section: (none) Explanation
Explanation/Reference:
QUESTION 3
Which item is the best practice to follow while restoring archived data to a Cisco Security MARS appliance?
A. Use Secure FTP to protect the data transfer.
B. Use “mode 5” restore from the Cisco Security MARS CLI to provide enhanced security during the data transfer.
C. Choose Admin > System Maintenance > Data Archiving on the Cisco Security MARS GUI to perform the restore operations on line.
D. To avoid problems, restore only to an identical or higher-end Cisco Security MARS appliance.

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 4
A Cisco Security MARS appliance can’t access certain devices through the default gateway. Troubleshooting has determined that this is a Cisco Security MARS configuration issue. Which additional Cisco Security MARS configuration will be required to correct this issue?
A. Use the Cisco Security MARS GUI to configure multiple default gateways
B. Use the Cisco Security MARS GUI or CLI to configure multiple default gateways
C. Use the Cisco Security MARS GUI or CLI to enable a dynamic routing protocol
D. Use the Cisco Security MARS CLI to add a static route

Correct Answer: Section: (none) Explanation
Explanation/Reference:
QUESTION 5
Which two options are available for handling false-positive events reported by the Cisco Security MARS appliance? (Choose two.)
A. mitigate at Layer 2
B. archive to NFS only
C. drop
D. log to the database only

Correct Answer: CD Section: (none) Explanation
Explanation/Reference:
QUESTION 6
What is the reporting IP address of the device while adding a device to the Cisco Security MARS appliance?
A. The source IP address that sends syslog information to the Cisco Security MARS appliance
B. The pre-NAT IP address of the device
C. The IP address that Cisco Security MARS uses to access the device via SNMP
D. The IP address that Cisco Security MARS uses to access the device via Telnet or SSH

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 7
Which statement best describes the case management feature of Cisco Security MARS?
A. It is used in conjunction with the Cisco Security MARS incident escalation feature for incident reporting
B. It is used to capture, combine and preserve user-selected Cisco Security MARS data within a specialized report
C. It is used to automatically collect and save information on incidents, sessions, queries and reports dynamically without user interventions
D. It is used to very quickly evaluate the state of the network

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
QUESTION 8
Which two configuration tasks are needed on the Cisco Security MARS for it to receive syslog messages relayed from a syslog relay server? (Choose two.)
A. Define the syslog relay collector.
B. Add the syslog relay server application to Cisco Security MARS as Generic Syslog Relay Any.
C. Define the syslog relay source list.
D. Add the reporting devices monitored by the syslog relay server to Cisco Security MARS.

Correct Answer: BD Section: (none) Explanation
Explanation/Reference:
QUESTION 9
Here is a question that you need to answer. You can click on the Question button to the left to view the question and click on the MARS GUI Screen button to the left to capture the MARS GUI screen in order to answer the question. While viewing the GUI screen capture, you can view the complete screen by use of the left/right scroll bar on the bottom of the GUI screen. Choose the correct answer from among the options. What actions will you take to configure the MARS appliance to send out an alert when the system rule fires according to the MARS GUI screen shown?

A. Click “Edit” to edit the “Operation” field of the rule, select the appropriate alert option(s), then apply.
B. Click on “None” in the “Action” field, select the appropriate alerts, then apply.
C. Click “Edit” to edit the “Reported User” field of the rule, select the appropriate alert option(s), then apply.
D. Click on “Active” in the “Status” field, select the appropriate alerts, then apply.

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
QUESTION 10
Which action enables the Cisco Security MARS appliance to ignore false-positive events by either dropping the events completely or by just logging them to the database?
A. Inactivating the rules
B. Creating system inspection rules using the drop operation
C. Deleting the false-positive events from the events management page
D. Creating drop rules

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 11
In order to enable the Cisco Security MARS appliance to perform mitigation, which two configuration options are correct? (Choose two.)
A. SNMP RW community string
B. A NetFlow device added in the Cisco Security MARS database
C. Telnet or SSH access type with SNMP RO community
D. SSL communications with the network devices

Correct Answer: AC Section: (none) Explanation
Explanation/Reference:
QUESTION 12
Which two alert actions can notify a user that a Cisco Security MARS rule has fired, and that an incident has been logged? (Choose two.)
A. syslog
B. Short Message Service
C. OPSEC-LEA (clear and encrypted)
D. XML notification

Correct Answer: BD Section: (none) Explanation
Explanation/Reference:
QUESTION 13
Which additional steps should you take after manually adding the BR-FW-1 device shown in the MARS GUI screen?
A. Click “Submit” to enable the device.
B. Click “Submit” to test access to the device. When access is successful, click “Activate” to activate the device.
C. Click “Activate” to activate the device, then click “Submit” to save the device configuration.
D. Click “Discover” to initiate manual discovery. When discovery is completed, click “Submit”, then “Activate.”

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 14
Which of the following alert actions can be transmitted to a user as notification that a Cisco Security MARS rule has fired and that an incident has been logged? (Choose two.)
A. Syslog
B. OPSEC-LEA (Clear and encrypted)
C. Short Message Service
D. XML notification

Correct Answer: CD Section: (none) Explanation
Explanation/Reference:
QUESTION 15
Which three items are true with regard to the Cisco Security MARS syslog forwarding feature for relaying the received syslog data to a syslog server? (Choose three.)
A. The configured collector is a designated host that receives a syslog message but the collector does not relay it to another host.
B. Cisco Security MARS can forward alert data to multiple collector IP addresses.
C. Syslog forwarding is disabled until you specify the collector and at least one source host.
D. The pnparser service should be running for the syslog forwarding feature to work.

Correct Answer: ACD Section: (none) Explanation
Explanation/Reference:
QUESTION 16
Which incident type is pushed from a local controller to a global controller?
A. Incidents on the local controller triggered by predefined system rules
B. Any incidents on the local controller
C. Incidents on the local controller triggered by local rules
D. True positive incidents on the local controller

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 17
Most SIM offerings are software based and designed to operate on standard hardware platforms; however, recently a wave of optimized appliances tuned for performance has entered the market. Which of the following options are the functions of SIMs?
A. Collect event data from reporting sources
B. Store data for analysis, reporting, and archiving
C. Correlate the data to show relationships
D. Present the data for analysis
E. Report on, alarm on, and/or notify about the data

Correct Answer: ABCDE Section: (none) Explanation
Explanation/Reference:
QUESTION 18
Which statement about the Cisco Security MARS maintenance procedure is true?
A. No new events can be logged when the Cisco Security MARS local database reaches its maximum storage capacity.
B. If the archive is generated with one release of software, then the restore has to be done with the same version of software.
C. Cisco Security MARS disk drives are not hot-swappable.
D. Cisco Security MARS audit logs can be exported to a centralized server for the consolidation and protection of the log data.

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
QUESTION 19
Study the exhibit carefully. Which icon can be chosen to generate the access rules information displayed toward the bottom of the screen?

A. Incident Vector icon
B. Security Manager Policy Table Lookup icon
C. ISR Device Manager Policy icon
D. Raw Events icon

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
QUESTION 20
A Global Controller is a master unit that allows for global management of one or more Local Controllers. Is this statement correct?
A. True
B. False

Correct Answer: A Section: (none) Explanation
Explanation/Reference:

Whenever Cisco candidates take a tour of sample questions for the Cisco 642-545 exam, they find their training to be matchless to a great extent. Passing the Cisco 642-545 on your own can be a difficult task, but with Cisco 642-545 preparation products, many candidates who appeared online passed Cisco 642-545 easily.

New Questions-100% Valid New Updated Questions for Cisco 642-504 Download

Do you not know how to choose the Cisco 642-504 exam dumps? Are you worried about the changed questions? Just try the new version of the Flydumps Cisco 642-504 exam dumps. All the new questions and answers were added to the new dumps; visit Flydumps.com to download Cisco 642-504 for free!

Exam A
QUESTION 1
Which two are technologies that secure the control plane of the Cisco router? (Choose two.)
A. Cisco IOS Flexible Packet Matching
B. uRPF
C. routing protocol authentication
D. CPPr
E. BPDU protection
F. role-based access control
Correct Answer: CD Section: (none) Explanation
Explanation/Reference:
QUESTION 2
What are the two category types associated with 5.x signature use in Cisco IOS IPS? (Choose two.)
A. basic
B. advanced
C. 128MB.sdf
D. 256MB.sdf
E. attack-drop
F. built-in
Correct Answer: AB Section: (none) Explanation
Explanation/Reference:
QUESTION 3
Refer to the exhibit.
Which optional AAA or RADIUS configuration command is used to support 802.1X guest VLAN functionality?
A. aaa authentication dot1x default group radius
B. aaa authorization network default group radius
C. aaa accounting dot1x default start-stop group radius
D. aaa accounting system default start-stop group radius
E. radius-server host 10.1.1.1 auth-port 1812 acct-port 1813
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
QUESTION 4
Which is an advantage of implementing the Cisco IOS Firewall feature?
A. provides self-contained end-user authentication capabilities
B. integrates multiprotocol routing with security policy enforcement
C. acts primarily as a dedicated firewall device
D. is easily deployed and managed by the Cisco Adaptive Security Device Manager
E. provides data leakage protection capabilities
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
QUESTION 5
Which three statements correctly describe the GET VPN policy management? (Choose three.)
A. A central policy is defined at the ACS (AAA) server.
B. A local policy is defined on each group member.
C. A global policy is defined on the key server, and it is distributed to the group members.
D. The key server and group member policy must match.
E. The group member appends the global policy to its local policy.
Correct Answer: BCE Section: (none) Explanation
Explanation/Reference:
QUESTION 6
The CPU and Memory Threshold Notifications of the Network Foundation Protection feature protect which router plane?
A. control plane
B. management plane
C. data plane
D. network plane
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
QUESTION 7
In DMVPN, the NHRP process allows which requirement to be met?
A. dynamic physical interface IP address at the spoke routers
B. high-availability DMVPN designs
C. dynamic spoke-to-spoke on-demand tunnels
D. dynamic routing over the DMVPN
E. dual DMVPN hub designs

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 8
Which is correct regarding the Management Plane Protection feature?
A. By default, Management Plane Protection is enabled on all interfaces.
B. Management Plane Protection provides for a default management interface.
C. Only SSH and SNMP management will be allowed on nondesignated management interfaces.
D. All incoming packets through the management interface are dropped except for those from the allowed management protocols.
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 9
What are the two enrollment options when using the SDM Certificate Enrollment wizard? (Choose two.)
A. SCEP
B. LDAP
C. OCSP
D. Cut-and-Paste/Import from PC
Correct Answer: AD Section: (none) Explanation
Explanation/Reference:
QUESTION 10
Refer to the exhibit.
Which two configuration commands are used to apply an inspect policy map for traffic traversing from the E0 or E1 interface to the S3 interface? (Choose two.)
A. zone-pair security test source Z1 destination Z2
B. interface E0
C. policy-map myfwpolicy class class-default inspect
D. ip inspect myfwpolicy out
E. ip inspect myfwpolicy in
F. service-policy type inspect myfwpolicy
Correct Answer: AF Section: (none) Explanation
Explanation/Reference:
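The two correct commands only make sense inside a complete zone-based firewall configuration, so here is one that matches the scenario in Question 10: E0 and E1 in one zone, S3 in another, and the inspect policy applied to the zone pair. This is an added example, not the exhibit from the original question. The zone names Z1 and Z2, the zone-pair name test, and the policy-map name myfwpolicy come from the answer options; the class-map name, the protocols inspected, and the full interface names (Ethernet0, Ethernet1, Serial3 for E0, E1, S3) are assumptions.

```text
! Added example (not from the original page): zone-based firewall with E0 and E1
! in zone Z1 and S3 in zone Z2. Class-map name, inspected protocols and the full
! interface names are assumptions.
!
! What to inspect from Z1 toward Z2
class-map type inspect match-any Z1-TO-Z2-TRAFFIC
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! Inspect the matched traffic; everything else in this direction is dropped and logged.
! class-default supports only drop or pass, never inspect.
policy-map type inspect myfwpolicy
 class type inspect Z1-TO-Z2-TRAFFIC
  inspect
 class class-default
  drop log
!
zone security Z1
zone security Z2
!
! The zone pair is unidirectional (Z1 -> Z2) and carries the inspect policy
zone-pair security test source Z1 destination Z2
 service-policy type inspect myfwpolicy
!
interface Ethernet0
 zone-member security Z1
interface Ethernet1
 zone-member security Z1
interface Serial3
 zone-member security Z2
!
! No Z2 -> Z1 zone pair exists, so unsolicited traffic entering S3 toward E0/E1 is
! dropped; return traffic for inspected Z1 -> Z2 sessions is allowed statefully.
! Traffic between E0 and E1 (same zone) is not subject to the policy.
!
! Verification
! show zone-pair security
! show policy-map type inspect zone-pair test sessions
```

The behaviour worth remembering from this layout is the default between zones: once an interface is a member of a security zone, traffic to or from any other zone is dropped unless a zone pair with a policy exists for that direction, while traffic between interfaces of the same zone and traffic to interfaces in no zone keeps its pre-ZBF behaviour. That is why the question's distractors `ip inspect myfwpolicy in/out` are wrong here: they are the older CBAC interface-based syntax, not the zone-pair model.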

The Cisco 642-504 certification can make you a competent person. It may enable a technician to know about the Cisco 642-504 configurations, get information about the Cisco 642-504 data center products and hardware, and gain knowledge about the Cisco 642-504 Unified Computing System.