Good News!The Flydumps Cisco 642-511 exam questions and answers covers all the knowledge points of the real exam. With our Cisco 642-511 practice test, you will never worry about the exam.Recently the new version with all new updated Cisco 642-511 exam dumps can free download on the site Flydumps.com.Visit the site to get more exam information.

Exam A
QUESTION 1
What is the maximum number of simultaneous sessions that can be supported when doing encryption in hardware within the Cisco VPN Concentrator series of products?
A. 100
B. 1500
C. 5000
D. 10000
E. infinite
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: The Cisco VPN 3000 Series Concentrator comes in a variety of models that can support small offices of 100 of fewer VPN connections to large enterprises of 10,000 or more simultaneous VPN connections. Redundant and nonredundant configuration are available to help ensure the high reliability of these devices. Reference: Cisco Press CCSP Cisco Secure VPN (Roland, Newcomb) p.30
QUESTION 2
Which of the following operating systems can run the software VPN client? Choose all that apply.
A. linux
B. mac
C. windows
D. solaris
Correct Answer: ABCD Section: (none) Explanation
Explanation/Reference:
Explanation:
There are VPN software clients available for Windows, Solaris, Linux, and Macintosh.

QUESTION 3
DRAG DROP Jason from the security department was given the assignment to match the Cisco VPN key with its description.

A.
B.
C.
D.
Correct Answer: Section: (none) Explanation
Explanation/Reference:

Explanation: The Diffie-Hellman (D-H) key agreement is a public key encryption method that provides a way for two IPSec peers to establish a shared secret key that only they know, although they communicating over an insecure channel. With D-H, each peer generates a public and private key pair. The private key generated by each peer is kept secret and never shared. The public key is calculated from the private key by each peer and is exchanged over the insecure channel. Each peer combines the other’s public key with its own private and computes the shared secret key number exchanged over the insecure channel. Reference: Cisco Secure Virtual Private Network (Ciscopress) page 18-20
QUESTION 4
Johnasked Kathy from the security department about authentication and encryption. John wants to know when both authentication and encryption are selected in the virtual IP address, which is performed first at the originating end. What was Kathy’s answer?
A. Encryption was Kathy’s answer
B. Tunnel was Kathy’s answer.
C. Transport was Kathy’s answer
D. Authentication was Kathy’s answer
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
When both encryption and authentication are selected, encryption is performed frist, before authentication.
One reason for this order of processing is that it facilitates rapid detection and rejection of replayed or
bogus packets by the receiving node. Reference: Cisco Secure Virtual Private Networks (Ciscopress) page

QUESTION 5
James the security administrator at Certkiller Inc. is working on encryption. He needs to know what type of keys does DES and 3DES require for encryption and decryption.
A. DES and 3DES require Elliptical curve keys for encryption and decryption
B. DES and 3DES require Exponentiation keys for encryption and decryption
C. DES and 3DES require Symmetrical keys for encryption and decryption
D. DES and 3DES require Asymmetrical keys for encryption and decryption
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: des 3des Specifies the symmetric encryption algorithm used to protect user data transmitted between two IPSec peers. The default is 56-bit DES-CBC, which is less secure and faster than the alternative.
QUESTION 6
Which of the following are the types of keys RSA use for encryption and decryption?
A. exponentiation keys
B. symmetrical keys
C. asymmetrical keys
D. elliptical curve keys
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: There are two types of cryptographic keys; public keys — sometimes called asymmetric key –and symmetric keys. RSA and Diffie-Hellman are common public key algorithms and RC4, DES and IDEA common symmetric key algorithms. You cannot directly compare public key lengths (for example RSA keys) with symmetric key lengths (DES, RC4); this is an important point which confuses many people
QUESTION 7
Which Cisco VPN feature will permit the sender to encrypt packets before transmitting them across a network?
A. The anti-replay feature
B. The data confidentially feature
C. The data integrity feature
D. The data original authentication feature
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
Data Confidentiality.The IPSec sender can encrypt packets before transmitting them across a network.

*
Data Integrity-The IPSec receiver can authenticate packets sent by the IPSec sender to ensure that the data has not been altered during transmission.

*
Data Origin Authentication-The IPSec receiver can authenticate the source of the IPSec packets sent. This service is dependent upon the data integrity service.

*
Anti-Replay-The IPSec receiver can detect and reject replayed packets. With IPSec, data
QUESTION 8
What AES encryption bits lengths can you use on your Concentrator ESP IPSEC VPN? Choose all that apply.
A. 56
B. 128
C. 192
D. 256
E. 1024
Correct Answer: BCD Section: (none) Explanation
Explanation/Reference:
Explanation:
Advanced Encryption Standard (AES) can be used in 128, 192, and 256 bit encryption lengths in ESP
when using IPSEC on your Concentrator.

QUESTION 9
Which of the following are ISAKMP hash protocols? Choose all that apply.
A. NAT
B. IKE
C. DES
D. SHA
E. MD5
Correct Answer: DE Section: (none) Explanation
Explanation/Reference:
Explanation:
You can use SHA and MD5 for HMAC authentication.

QUESTION 10
Which of the following can be IPSEC termination endpoints? Choose all that apply.
A. IOS Router
B. PIX Firewall
C. Concentrator
D. IDS Sensor
Correct Answer: ABC Section: (none) Explanation
Explanation/Reference:
Explanation:
These Cisco products can all terminate IPSEC, meaning they are actually involved in the IPSEC
encryption/decryption process, not just passing VPN encrypted traffic.

QUESTION 11
What size is the encryption key used in 3DES?
A. 128 bits
B. 168 bits
C. 128 bytes
D. 168 bytes
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
3DES uses a 56 bit key, 3 times, for an effective throughput of 168 bits encryption.

QUESTION 12
Which of the following has the lowest encryption bit length?
A. SHA
B. MD5
C. DES
D. AES
E. ESP
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
Data Encryption Standard (DES) uses only a 56 bit key to encrypt data, and is easily broken.

QUESTION 13
What is the key size of Diffie-Hellman group 2?
A. 128 bits
B. 256 bits
C. 512 bits
D. 1024 bits
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: Diffie-Hellman is used to create a completely secure secret key, over a completely insecure link, using highly complex mathematical algorithms safe from brute force even if sniffers are on the line
QUESTION 14
What benefit does ESP have, that AH does not?
A. authentication
B. encryption
C. tunnel mode
D. md5 hash
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
Authentication Header does not have any way of
encrypting data, ESP does.

QUESTION 15
Using which of the following protocols with AH will cause packet failure?
A. AYT
B. VRRP
C. NAT
D. CDP
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
You cannot translate an IP address in AH authenticated packet because AH uses that field when
calculating authentication. This will cause then other end of the VPN tunnel to drop all packets because
they will not authenticate properly.

QUESTION 16
How big is the SPI field in an IPSEC header?
A. 2 bytes
B. 4 bytes
C. 8 bytes
D. 24 bytes
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
The Security Parameter Index (SPI) field identifies a Security Association between two IPSEC endpoints.
The field is 32 bits long (4 bytes).

QUESTION 17
Which of the following peer authentication methods scales the worst?
A. digital certificates
B. SCEP
C. preshared keys
D. encrypted nonces
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
A preshared key peer authentication method does not scale well because each key needs to be entered
manually at each peer participating in the VPN.

QUESTION 18
What is the protocol number that denotes AH is in use?
B. 51
C. 89
D. 123

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
The Authentication Header protocol is protocol number 51.

QUESTION 19
DRAG DROP
Jason the security administrator at Certkiller Inc. was given the assignment to match the following order.
In IPSec main mode, match the two-way exchange between the initiator and receiver with their
descriptions.
A.
B.
C.
D.
Correct Answer: Section: (none) Explanation
Explanation/Reference:

Explanation: Main ModeMain mode provides a way to establish the first phase of an IKE SA, which is then used to negotiate future communications. The first step, securing an IKE SA, occurs in three two-way exchanges between the sender and the receiver. In the first exchange, the sender and receiver agree on basic algorithms and hashes. In the second exchange, public keys are sent for a Diffie-Hellman exchange. Nonces (random numbers each party must sign and return to prove their identities) are then exchanged. In the third exchange, identities are verified, and each party is assured that the exchange has been completed. Reference: Reference: Cisco Secure Virtual Private Network (Ciscopress) page 27
QUESTION 20
James the security administrator for Certkiller Inc. is working with IKE. His job is to know what the three functions of IKE Phase 2 are. (Choose three)
A. IKE uses aggressive mode.
B. IKE can optionally performs an additional DH exchange.
C. IKE periodically renegotiates IPSec SAs to ensure security.
D. IKE Negotiates IPSec SA parameter protected by an existing IKE SA.
E. IKE verifies the other side’s identity.
F. IKE uses main mode.
Correct Answer: BCD Section: (none) Explanation
Explanation/Reference:
Explanation:
Step 2 Determine IPSec (IKE Phase Two) Policy

*
Negotiates IPSec SA parameters protected by an existing IKE SA

*
Establishes IPSec security associations

*
Periodically renegotiates IPSec SAa to ensure security

*
Optionally performs an additional Diffie-Hellman Reference: Cisco Secure Virtual Private Networks (Ciscopress) page 28
QUESTION 21
Jane is the security administrator at Certkiller Inc. and is working on understanding more about IPSec. Jane wants to know what IPSec does at the network layer?
A. IPSec at the network layer enables Cisco VPN.
B. IPSec at the network layer generates a private DH key.
C. IPSec at the network layer encrypts traffic between secure IPSec gateways.
D. IPSec at the network layer protects and authenticates IP packets between IPSec devices.
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
IPSec protects sensitive data that travels across unprotected networks. IPSec security services are
provided at the network layer, so you do not have to configure individual workstations, PCs, or
applications.

QUESTION 22
Which of the following functions are fulfilled by IPSec at the network layer?
A. enables Cisco VPN
B. generates a private DH key
C. encrypts traffic between secure IPSec gateways
D. protects and authenticates IP packets between IPSec devices
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: Once the IPSec SAs have been established , secured traffic can be exchanged over the connection. IP packets across this IPSec tunnel are authenticated and/or encrypted, depending on the transform set selected. Reference: Cisco Press CCSP Cisco Secure VPN (Roland, Newcomb) p.371
QUESTION 23
What protocol number indicates ESP?
A. 50
B. 145
C. 429
D. 500
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
Encapsulating Security Payload uses protocol number 50.

QUESTION 24
What is the UDP port used for ISAKMP?
A. 50
B. 51
C. 500
D. 510
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
ISAKMP uses UDP port 500.

QUESTION 25
James the security administrator for Certkiller Inc. is working on VPNs. IF the VPN is owned and managed by the Certkiller Inc. corporate security, which product would he choose?
A. 2900
B. 3030
C. 3660
D. PIX Firewall 500
E. PIX Firewall 515
Correct Answer: E Section: (none) Explanation
Explanation/Reference:
Explanation:
A is clearly incorrect because the 2900 is a Catalyst Switch (Layer 2) and cannot offer any VPN

functionality. B and E are the only options available, and D just refers to the 500 PIX, when there are different flavors of the 500, like the retired 520, 501, 506E, 515E, 525 and 535.
QUESTION 26
James the security administrator for Certkiller Inc. is working on the Cisco VPN 3005. His job is to know the hardware and which feature is supported on the Cisco VPN 3005.
A. Cisco VPN 3005 supports up to 3 network ports.
B. Cisco VPN 3005 hardware is upgradeable.
C. Cisco VPN 3005 supports up to 100 sessions.
D. Cisco VPN 3005 64 MB of memory is standard.
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: Model 3005
*
Software-based encryption
*
Single power supply
*
Expansion capabilities:
—–Optional WAN interface module with dual T1/E1 ports All systems feature:
*
10/100Base-T Ethernet interfaces (autosensing) —–Model 3005: Two interfaces
—–Models 3015-3080: Three interfaces
*
Motorola(r) PowerPC CPU
*
SDRAM memory for normal operation
*
Nonvolatile memory for critical system parameters
*
Flash memory for file management

QUESTION 27
Jason the security administrator at Certkiller Inc. is working on the Cisco VPN Concentrator. His job is to know the Cisco VPN Concentrator series of products. He needs to know what is the maximum number of site-to-site tunnels supported.
A. 1500 site-to-site tunnels
B. 1000 site-to-site tunnels
C. 500 site-to-site tunnels
D. 100 site-to-site tunnels
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: Cisco Cisco Cisco Cisco Cisco VPN VPN VPN VPN VPN 3005 3015 3030 3060 3080
100 100 500 1000 1000 Maximum LAN-to-LAN Sessions
QUESTION 28
James the security administrator at Certkiller Inc. is working on knowing the Cisco security products. He must choose what product fits best for Certkiller Inc. network. If the primary role of the VPN product is to perform remote access VPN with a few site-site connections, which product should James choose?
A. James will choose the PIX Firewall 515
B. James will choose the 2900
C. James will choose the 3030
D. James will choose the 3660
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation: PIX Firewall 515
1.
Supports IKE and IPsec VPN standards
2.
Ensures data privacy/integrity and strong authentication to remote networks and remote users over the
Internet
3.
Supports 56-bit DES, 168-bit 3DES, and up to 256-bit AES data encryption to ensure dataprivacy
This is the best answer. You would want to use a dedicated Firewall with VPN capabilities as the
secondary use.
Note: If security manages the VPN, the PIX Firewall may be the solution of choice.

QUESTION 29
How many connections can a Cisco VPN 3060 support simultaneously?
A. 100
B. 1000
C. 1500
D. 5000
E. none of the above

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
*
VPN 3030 is for medium- to large-sized organizations with bandwidth requirements from full T1/E1 through T3/E3 (50 Mbps max. performance) and up to 1500 simultaneous sessions; field-upgradeable to the Cisco VPN 3060

*
VPN 3060 is for large organizations, with high-performance, high-bandwidth requirements from fractional T3 through full T3/E3 or greater (100 Mbps max. performance) and up to 5000 simultaneous remote access sessions

*
Both have specialized SEP modules to perform hardware-based acceleration
QUESTION 30
What 3000 Series Concentrators are sold with unlimited VPN software client licenses? Choose all that apply.
A. 3015
B. 3030
C. 3060
D. 3080

Correct Answer: ABCD Section: (none) Explanation
Explanation/Reference:
Explanation: As long as you use the Cisco VPN client to connect to Cisco products, you can install it on an unlimited number of computers.
Reference: http://www.cisco.com/en/US/products/sw/secursw/ps2308/ products_user_guide_book09186a00800e6e04.html
QUESTION 31
Which of the following is not a 3000 series Concentrator?
A. 3005
B. 3015
C. 3030
D. 3050
E. 3080

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
The five 3000 series Concentrator models are the 3005, 3015, 3030, 3060, and the 3080.

QUESTION 32
Which of the following are NOT tabs under the 3000 series Concentrator Administration screen? Choose all that apply.
A. events
B. access rights
C. system reboot
D. encryption
E. logs
F. ping
G. software update

Correct Answer: ADE Section: (none) Explanation
Explanation/Reference:
Explanation:
There are 8 tabs under the Administration screen. They are Administer Sessions, Software Update,
System Reboot, Ping, Monitoring Refresh, Access Rights, File
Management, and Certificate Management.

QUESTION 33
Which of the following are Ethernet ports on a Concentrator? Choose all that apply.
A. Inside
B. Outside
C. Default
D. Internal
E. External
F. Public
G. Private
Correct Answer: EFG Section: (none) Explanation

Explanation/Reference:
Explanation:
The three 10/100 mb Ethernet ports on a 3000 series Concentrator are Public, Private, and External.

The Cisco 642-511 Questions & Answers covers all the knowledge points of the real exam. We update our product frequently so our customer can always have the latest version of Cisco 642-511.We provide our customers with the excellent 7×24 hours customer service. We have the most professional Cisco 642-511 expert team to back up our grate quality products.If you still cannot make your decision on purchasing our product, please try our Cisco 642-511 free pdf

100% Valid! Flydumps Cisco 642-511 exam questions and answers are tested and approved by Microsoft experts.Furthermore, we are constantly updating our Cisco 642-511 exam dumps,100% guarantee in quality and reliability.

Exam A
QUESTION 1
Which of the following are valid authentication options for the Hardware Client? (Choose two)
A. User Authentication
B. Unit Authentication
C. IP Address Authentication
D. Interactive Group Authentication
Correct Answer: AB Section: (none) Explanation
Explanation/Reference:
QUESTION 2
What is the default configuration of the Cisco VPN 3002 public interface?
A. DHCP server is enabled
B. DHCP client is enabled
C. static IP address of 192.168.10.1
D. no configuration
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
QUESTION 3
For network extension RRI, which IP address does the Cisco VPN Concentrator advertise?
A. Cisco VPN Client NIC IP address
B. Cisco VPN 3002 assigned IP address
C. Cisco VPN 3002 public interface IP address
D. Cisco VPN 3002 private interface network address
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 4
When configuring group attributes in the Cisco VPN Concentrator, which three parameters are configurable group attributes? Choose three.
A. access hours
B. idle timeout
C. connection priority
D. maximum connect time
E. access level
F. TACACS+ server IP address
Correct Answer: ABD Section: (none) Explanation
Explanation/Reference:
QUESTION 5
To troubleshoot SCEP enrollment, the administrator should scrutinize what event class in the event log?
A. IKE
B. IPSec
C. SCEP
D. Cert
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 6
For the Cisco VPN Concentrator, what are the two types of certificate enrollment? Choose two.
A. file-based enrollment process
B. SCEP
C. PKCS#15 enrollment process
D. automated enrollment process
E. out-of-band enrollment process
F. certified enrollment process
Correct Answer: AB Section: (none) Explanation
Explanation/Reference:
QUESTION 7
LAB A.

B.
C.
D.

Correct Answer: Section: (none) Explanation
Explanation/Reference:
Answer: Check certifyme eEngine, Download from Member Center
QUESTION 8
Which of the following predefined administrators allows the administrator all rights except SNMP access?
A. User
B. MIS
C. Config
D. ISP
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
QUESTION 9
In the GUI, what happens if you reboot without saving the configuration changes?
A. configuration changes are lost
B. configuration changes remain
C. system does not allow you to reboot without saving
D. system warns you that the configuration changes will be lost, do you still want to proceed
Correct Answer: A Section: (none) Explanation Explanation/Reference:

The Cisco 642-511 training is a vital way of becoming the best.This Cisco 642-511 certification has helped the candidates to enhance their capabilities by providing a great learning platform to them so that they can polish their skills.