You are on page 1of 68

www.CareerCert.

info
Testinside

Exam : Cisco 640-553

Title : IINS Implementing Cisco f o


IOS Network Security
i- n
r t
e
r C
e e
a r
- C
w
Version : V6.11

w
w
Testinside - help you pass any IT exam!
www.CareerCert.info
Testinside

Important Note, Please Read Carefully


Other TestInside products
All TestInside IT Exam Products

Our products of Offline Testing Engine


f o
Use the offline Testing engine product to practice the questions in an exam environment.

Build a foundation of knowledge which will be useful also after passing the exam.
i- n
TestInside Testing Engine

r t
Latest Version

e
We are constantly reviewing our products. New material is added and old material is revised. Free

r C
updates are available for 90 days after the purchase. You should check your member zone at TestInside

and update 3-4 days before the scheduled exam date.

Here is the procedure to get the latest version:

1.Go to http://www.TestInside.com

e e
2. Log in the User Center

a r
3.The latest versions of all purchased products are downloadable from here. Just click the links.

Feedback

- C
If you spot a possible improvement then please let us know. We always interested in improving product

quality.

w
Feedback should be send to sales(at)TestInside.com. You should include the following: Exam number,

w
version, page number, question number, and your login Account.

w
Our experts will answer your mail promptly.

Explanations
This product does not include explanations at the moment. If you are interested in providing explanations

for this exam, please contact sales(at)TestInside.com.

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside
1. What are two characteristics of the SDM Security Audit wizard? (Choose two.)

A. displays a screen with Fix-it check boxes to let you choose which potential security-related configuration

changes to implement

B. has two modes of operationinteractive and non-interactive

C. automatically enables Cisco IOS firewall and Cisco IOS IPS to secure the router

D. uses interactive dialogs and prompts to implement role-based CLI

f o
i- n
E. requires users to first identify which router interfaces connect to the inside network and which connect to

the outside network

Answer: AE

r t
e
2. Which of these correctly matches the CLI command(s) to the equivalent SDM wizard that performs

similar configuration functions?

r C
A. Cisco Common Classification Policy Language configuration commands and the SDM Site-to-Site VPN

wizard

e e
B. auto secure exec command and the SDM One-Step Lockdown wizard

C. setup exec command and the SDM Security Audit wizard

a r
D. class-maps, policy-maps, and service-policy configuration commands and the SDM IPS wizard

E. aaa configuration commands and the SDM Basic Firewall wizard

C
Answer: B

-
3. Refer to the exhibit. What does the option secret 5 in the username global configuration mode command

w
indicate about the enable secret password?

w
w
A. It is hashed using SHA.

B. It is encrypted using DH group 5.

C. It is hashed using MD5.

D. It is encrypted via the service password-encryption command.

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside
E. It is hashed using a proprietary Cisco hashing algorithm.

F. It is encrypted using a proprietary Cisco encryption algorithm.

Answer: C

4. What will be disabled as a result of the no service password-recovery command?

A. changes to the config-register setting

f o
B. ROMMON

C. password encryption service


i- n
D. aaa new-model global configuration command

E. the xmodem privilege EXEC mode command to recover the Cisco IOS image

r t
Answer: B

e
r C
5. Refer to the exhibit. Which statement is correct based on the show login command output shown?

e e
a r
- C
w
w
w
A. When the router goes into quiet mode, any host is permitted to access the router via Telnet, SSH, and

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside
HTTP, since the quiet-mode access list has not been configured.

B. The login block-for command is configured to block login hosts for 93 seconds.

C. All logins from any sources are blocked for another 193 seconds.

D. Three or more login requests have failed within the last 100 seconds.

Answer: D

f o
i- n
6. What does level 5 in the following enable secret global configuration mode command indicate?

router#enable secret level 5 password

A. The enable secret password is hashed using MD5.

B. The enable secret password is hashed using SHA.

r t
e
C. The enable secret password is encrypted using Cisco proprietary level 5 encryption.

D. Set the enable secret command to privilege level 5.

r C
E. The enable secret password is for accessing exec privilege level 5.

Answer: E

e e
7. During role-based CLI configuration, what must be enabled before any user views can be created?

A. multiple privilege levels

B. usernames and passwords

a r
C
C. aaa new-model command

-
D. secret password for the root user

E. HTTP and/or HTTPS server

Answer: C

w
w
8. What is a result of securing the Cisco IOS image using the Cisco IOS image resilience feature?

w
A. The show version command will not show the Cisco IOS image file location.

B. The Cisco IOS image file will not be visible in the output from the show flash command.

C. When the router boots up, the Cisco IOS image will be loaded from a secured FTP location.

D. The running Cisco IOS image will be encrypted and then automatically backed up to the NVRAM.

E. The running Cisco IOS image will be encrypted and then automatically backed up to a TFTP server.

Answer: B

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside

9. What are three common examples of AAA implementation on Cisco routers? (Choose three.)

A. authenticating remote users who are accessing the corporate LAN through IPSec VPN connections

B. authenticating administrator access to the router console port, auxiliary port, and vty ports

C. implementing PKI to authenticate and authorize IPsec VPN peers using digital certificates

D. tracking Cisco Netflow accounting statistics

f o
E. securing the router by locking down all unused services

F. performing router commands authorization using TACACS+


i- n
Answer: ABF

r t
e
10. Refer to the exhibit. Which statement about the aaa configurations is true?

r C
e e
a r
A. The authentication method list used by the console port is named test.

B. The authentication method list used by the vty port is named test.

router.

- C
C. If the TACACS+ AAA server is not available, no users will be able to establish a Telnet session with the

D. If the TACACS+ AAA server is not available, console access to the router can be authenticated using the

local database.

w
w
E. The local database is checked first when authenticating console and vty access to the router.

Answer: B

w
11. Which aaa accounting command is used to enable logging of both the start and stop records for user

terminal sessions on the router?

A. aaa accounting network start-stop tacacs+

B. aaa accounting system start-stop tacacs+

C. aaa accounting exec start-stop tacacs+

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside
D. aaa accounting connection start-stop tacacs+

E. aaa accounting commands 15 start-stop tacacs+

Answer: C

192.168.1.10?

f o
12. Which access list will permit HTTP traffic sourced from host 10.1.129.100 port 3030 destined to host

A. access-list 101 permit tcp any eq 3030

B. access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 3030 192.168.1.0 0.0.0.15 eq www
i- n
r
D. access-list 101 permit tcp host 192.168.1.10 eq 80 10.1.0.0 0.0.255.255 eq 3030
t
C. access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.1.10 0.0.0.0 eq www

e
E. access-list 101 permit tcp 192.168.1.10 0.0.0.0 eq 80 10.1.0.0 0.0.255.255

F. access-list 101 permit ip host 10.1.129.100 eq 3030 host 192.168.1.100 eq 80

Answer: B

r C
Select 4 response(s).

e e
13. Which four methods are used by hackers? (Choose four.)

A. footprint analysis attack

B. privilege escalation attack

a r
C
C. buffer Unicode attack

-
D. front door attacks

E. social engineering attack

w
F. Trojan horse attack

Answer: ABEF

w
w
14. Which characteristic is the foundation of Cisco Self-Defending Network technology?

A. secure connectivity

B. threat control and containment

C. policy management

D. secure network platform

Answer: D

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside

15. Which location is recommended for extended or extended named ACLs?

A. an intermediate location to filter as much traffic as possible

B. a location as close to the destination traffic as possible

is allowed

f o
C. when using the established keyword, a location close to the destination point to ensure that return traffic

D. a location as close to the source traffic as possible

Answer: D
i- n
r t
16. You have configured a standard access control list on a router and applied it to interface Serial 0 in an

e
outbound direction. No ACL is applied to Interface Serial 1 on the same router. What happens when traffic

being filtered by the access list does not match the configured ACL statements for Serial 0?

r C
A. The resulting action is determined by the destination IP address.

B. The resulting action is determined by the destination IP address and port number.

D. The traffic is dropped.

e e
C. The source IP address is checked, and, if a match is not found, traffic is routed out interface Serial 1.

Answer: D

a r
C
17. Which statement is true about configuring access control lists to control Telnet traffic destined to the

-
router itself?

A. The ACL is applied to the Telnet port with the ip access-group command.

w
B. The ACL should be applied to all vty lines in the in direction to prevent an unwanted user from connecting

to an unsecured port.

w
C. The ACL applied to the vty lines has no in or out option like ACL being applied to an interface.

w
D. The ACL must be applied to each vty line individually.

Answer: B

18. Refer to the exhibit and partial configuration. Which statement is true?

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside

f o
i- n
r t
e
r C
e
A. All traffic destined for network 172.16.150.0 will be denied due to the implicit deny all.

e
B. All traffic from network 10.0.0.0 will be permitted.

r
C. Access-list 101 will prevent address spoofing from interface E0.

D. This is a misconfigured ACL resulting in traffic not being allowed into the router in interface S0.

a
E. This ACL will prevent any host on the Internet from spoofing the inside network address as the source

Answer: C

- C
address for packets coming into the router from the Internet.

w
19. Refer to the exhibit. You are the network security administrator responsible for router security. Your

w
network uses internal IP addressing according to RFC 1918 specifications. From the default rules shown,

which access control list would prevent IP address spoofing of these internal networks?

w
TestInside Help You Pass Any IT Exam http://www.TestInside.com
www.CareerCert.info
Testinside

f o
i- n
r t
e
C
A. SDM_Default_196

B. SDM_Default_197

C. SDM_Default_198

e r
e
D. SDM_Default_199

r
Answer: C

a
20. Which three statements about applying access control lists to a Cisco router are true? (Choose three.)

- C
A. Place more specific ACL entries at the top of the ACL.

B. Place generic ACL entries at the top of the ACL to filter general traffic and thereby reduce "noise" on the

network.

w
C. Router-generated packets cannot be filtered by ACLs on the router.

w
D. ACLs always search for the most specific entry before taking any filtering action.

E. If an access list is applied but is not configured, all traffic will pass.

w
F. You can assign multiple access lists per interface, regardless of direction or protocol.

Answer: ACE

21. Which statement is true when you have generated RSA keys on your Cisco router to prepare for secure

device management?

A. You must then zeroize the keys to reset secure shell before configuring other parameters.

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside
B. The SSH protocol is automatically enabled.

C. You must then specify the general-purpose key size used for authentication with the crypto key generate

rsa general-keys modulus command.

D. All vty ports are automatically enabled for SSH to provide secure management.

Answer: B

f o
22. Which consideration is important when implementing Syslogging in your network?

A. Use SSH to access your Syslog information.


i- n
r t
B. Enable the highest level of Syslogging available to ensure you log all possible event messages.

C. Log all messages to the system buffer so that they can be displayed when accessing the router.

e
D. Syncronize clocks on the network with a protocol such as Network Time Protocol.

Answer: D

r C
23. Refer to the exhibit. You are a network manager for your organization. You are looking at your Syslog

e
server reports. Based on the Syslog message shown, which two statements are true? (Choose two.)

e
a r
A. Service timestamps have been globally enabled.

B. This is a normal system-generated information message and does not require further investigation.

- C
C. This message is unimportant and can be ignored.

D. This message is a level 5 notification message.

Answer: AD

w
w
24. You suspect an attacker in your network has configured a rogue layer 2 device to intercept traffic from

multiple VLANS, thereby allowing the attacker to capture potentially sensitive data. Which two methods will

w
help to mitigate this type of activity? (Choose two.)

A. Turn off all trunk ports and manually configure each VLAN as required on each port

B. Disable DTP on ports that require trunking

C. Secure the native VLAN, VLAN 1 with encryption

D. Set the native VLAN on the trunk ports to an unused VLAN

E. Place unused active ports in an unused VLAN

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside
Answer: BD

25. Which statement is true about asymmetric encryption algorithms?

A. They use the same key for encryption and decryption of data.

B. They use the same key for decryption but different keys for encryption of data.

C. They use different keys for encryption and decryption of data.

f o
D. They use different keys for decryption but the same key for encryption of data.

Answer: C
i- n
26. Which three statements about SSL-based VPNs are true? (Choose three.)

r t
A. Asymmetric algorithms are used for authentication and key exchange.

e
B. SSL VPNs and IPsec VPNs cannot be configured concurrently on the same router.

C. Symmetric algorithms are used for bulk encryption.

D. The authentication process uses hashing technologies.


r C
e e
E. SSL VPNs require special-purpose client software to be installed on the client machine.

F. You can also use the application programming interface to extensively modify the SSL client software for

use in special applications.

Answer: ACD

a r
- C
27. What is the purpose of Diffie-Hellman?

A. used between the initiator and the responder to establish a basic security policy

w
B. used to verify the identity of the peer

C. used for asymmetric public key encryption

w
D. used to establish a symmetric shared key via a public key exchange process

w
Answer: D

28. Which three statements about the IPsec protocol are true? (Choose 3.)

A. IPsec is a framework of open standards.

B. IPsec is bound to specific encryption algorithms, such as 3DES and AES.

C. IPsec ensures data integrity by using checksums.

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside
D. IPsec authenticates users and devices that can carry out communication independently.

E. IPsec is implemented at Layer 4 of the OSI model.

F. IPsec uses digital certificates to guarantee confidentiality.

Answer: ACD

f o
29. Which kind of table do most firewalls use today to keep track of the connections through the firewall?

A. dynamic ACL

B. reflexive ACL
i- n
C. netflow

D. queuing

r t
E. state

F. express forwarding
e
Answer: E

r C
A. A router interface can belong to multiple zones.

e e
30. Which statement about Cisco IOS Zone-Based Policy Firewall is true?

a r
B. The pass action works in only one direction.

C. Router management interfaces must be manually assigned to the self zone.

C
D. A zone-pair is bidirectional because it specifies traffic flowing among the interfaces within the zone-pair

-
in both directions.

E. Policy maps are used to classify traffic into different traffic classes, and class maps are used to assign

w
action to the traffic classes.

F. Service policies are applied in the interface configuration mode.

Answer: B

w
w
31. When configuring Cisco IOS Zone-Based Policy Firewall, what are the three actions that can be applied

to a traffic class? (Choose three.)

A. Pass

B. Police

C. Inspect

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside
D. Drop

E. Queue

F. Shape

Answer: ACD

f o
32. With Cisco IOS Zone-Based Policy Firewall, by default, which three types of traffic are permitted by the

router when some of the router interfaces are assigned to a zone? (Choose three.)

i- n
A. traffic flowing between a zone member interface and any interface that is not a zone member

B. traffic flowing to and from the router interfaces (the self zone)

C. traffic flowing among the interfaces that are members of the same zone

r t
D. traffic flowing among the interfaces that are not assigned to any zone

e
E. traffic flowing between a zone member interface and another interface that belongs in a different zone

r C
F. traffic flowing to the zone member interface that is returned traffic

Answer: BCD

e e
33. With Cisco IOS Zone-Based Policy Firewall, where is the inspection policy applied?

A. to the zone

B. to the zone-pair

a r
C
C. to the interface

-
D. to the global service policy

Answer: B

w
34. Refer to the exhibit. Based on the show policy-map type inspect zone-pair session command output

w
shown, what can be determined about this Cisco IOS zone based firewall policy?

w
TestInside Help You Pass Any IT Exam http://www.TestInside.com
www.CareerCert.info
Testinside

f o
i- n
r t
e
r C
e e
a r
A. All packets will be dropped since the class-default traffic class is matching all traffic.

B. This is an inbound policy (applied to traffic sourced from the less secured zone destined to the more

C
secured zone).

-
C. This is an outbound policy (applied to traffic sourced from the more secured zone destined to the less

secured zone).

w
D. Stateful packet inspection will be applied only to HTTP packets that also match ACL 110.

E. All non-HTTP traffic will be permitted to pass as long as it matches ACL 110.

w
F. All non-HTTP traffic will be inspected.

w
Answer: D

35. Which two protocols enable Cisco SDM to pull IPS alerts from a Cisco ISR router? (Choose two.)

A. Syslog

B. SDEE

C. FTP

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside
D. TFTP

E. SSH

F. HTTPS

Answer: BF

36. Which statement about Cisco IOS IPS on Cisco IOS Release 12.4(11)T and later is true?

f o
A. uses Cisco IPS 5.x signature format

B. requires the Basic or Advanced Signature Definition File


i- n
C. supports both inline and promiscuous mode

D. requires IEV for monitoring Cisco IPS alerts

r t
e
E. uses the built-in signatures that come with the Cisco IOS image as backup

F. supports SDEE, SYSLOG, and SNMP for sending Cisco IPS alerts

Answer: A

r C
authorization are true? (Choose two.)

e e
37. Which two statements about configuring the Cisco ACS server to perform router command

protocol.

a r
A. When adding the router as an AAA client on the Cisco ACS server, choose the TACACS+ (Cisco IOS)

C
B. Configure the Cisco ACS server to forward authentication of users to an external user databases, like

-
Windows Database.

C. In the ACS User Group setup screen, use the Shell Command Authorization Set options to configure

w
which commands and command arguments to permit or deny.

D. From the ACS Interface Configuration screen, select RADIUS (Cisco IOS/PIX 6.0), and then enable the

w
Shell (exec) option on the RADIUS Services screen.

w
Answer: AC

38. When configuring role-based CLI on a Cisco router, which step is performed first?

A. Log in to the router as the root user.

B. Create a parser view called "root view."

C. Enable role-based CLI globally on the router using the privileged EXEC mode Cisco IOS command.

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside
D. Enable the root view on the router.

E. Enable AAA authentication and authorization using the local database.

F. Create a root local user in the local database.

Answer: D

f
39. Which Cisco IOS command is used to verify that either the Cisco IOS image, the configuration files, or o
both have been properly backed up and secured?

A. show archive
i- n
B. show secure bootset

C. show flash

r t
D. show file systems

E. dir
e
F. dir archive

Answer: B
r C
e e
40. What does the secure boot-config global configuration accomplish?

A. enables Cisco IOS image resilience

a r
B. backs up the Cisco IOS image from flash to a TFTP server

C
C. takes a snapshot of the router running configuration and securely archives it in persistent storage

-
D. backs up the router running configuration to a TFTP server

E. stores a secured copy of the Cisco IOS image in its persistent storage

Answer: C

w
w
41. When configuring AAA login authentication on Cisco routers, which two authentication methods should

w
be used as the final method to ensure that the administrator can still log in to the router in case the external

AAA server fails? (Choose two.)

A. group RADIUS

B. group TACACS+

C. local

D. krb5

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside
E. enable

F. if-authenticated

Answer: CE

maximum of allowed MAC addresses value is exceeded?

f o
42. When port security is enabled on a Cisco Catalyst switch, what is the default action when the configured

A. The port is shut down.

i-
B. The port remains enabled, but bandwidth is throttled until old MAC addresses are aged out.
n
D. The port's violation mode is set to restrict.

r t
C. The MAC address table is cleared and the new MAC address is entered into the table.

Answer: A

e
r C
43. When using a stateful firewall, which information is stored in the stateful session flow table?

A. the outbound and inbound access rules (ACL entries)

e e
B. the source and destination IP addresses, port numbers, TCP sequencing information, and additional

flags for each TCP or UDP connection associated with a particular session

C. all TCP and UDP header information only

a r
D. all TCP SYN packets and the associated return ACK packets only

C
E. the inside private IP address and the translated inside global IP address

-
Answer: B

w
44. Which characteristic is a potential security weakness of a traditional stateful firewall?

A. It cannot support UDP flows.

w
B. It cannot detect application-layer attacks.

w
C. It cannot ensure each TCP connection follows a legitimate TCP three-way handshake.

D. It works only in promiscuous mode.

E. The status of TCP sessions is retained in the state table after the sessions terminate.

F. It has low performance due to the use of syn-cookies.

Answer: B

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside
45. What is the key difference between host-based and network-based intrusion prevention?

A. Network-based IPS is better suited for inspection of SSL and TLS encrypted data flows.

B. Network-based IPS provides better protection against OS kernel-level attacks against hosts and servers.

C. Network-based IPS can provide protection to desktops and servers without the need of installing

specialized software on the end hosts and servers.

D. Host-based IPS can work in promiscuous mode or inline mode.

f o
E. Host-based IPS is more scalable then network-based IPS.

F. Host-based IPS deployment requires less planning than network-based IPS.


i- n
Answer: C

r t
e
46. What is the primary type of intrusion prevention technology used by the Cisco IPS security appliances?

A. profile-based

B. rule-based

C. signature-based
r C
D. protocol analysis-based

E. netflow anomaly-based

e e
Answer: C

a r
C
47. Which two functions are required for IPsec operation? (Choose two.)

-
A. using SHA for encryption

B. using PKI for pre-shared-key authentication

w
C. using IKE to negotiate the SA

D. using AH protocols for encryption and authentication

w
E. using Diffie-Hellman to establish a shared-secret key

w
Answer: CE

48. What does the MD5 algorithm do?

A. takes a message less than 2^64 bits as input and produces a 160-bit message digest

B. takes a variable-length message and produces a 168-bit message digest

C. takes a variable-length message and produces a 128-bit message digest

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside
D. takes a fixed-length message and produces a 128-bit message digest

Answer: C

49. Which of these is the strongest symmetrical encryption algorithm?

A. DES

B. 3DES

f o
C. AES

D. RSA
i- n
E. SHA

F. Diffie-Hellman

r t
Answer: C

e
r C
50. Which of these can be used to authenticate the IPsec peers during IKE Phase 1?

A. Diffie-Hellman Nonce

B. pre-shared key

C. XAUTH

e e
D. integrity check value

E. ACS

a r
C
F. AH

-
Answer: B

w
51. Refer to the exhibit. Based on the VPN connection shown, which statement is true?

w
w
A. Traffic that matches access list 103 will be protected.

B. This VPN configuration will not work because the tunnel IP and peer IP are the same.

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside
C. The tunnel is down as result of being a static rule. It should be configured as a Dynamic IPsec policy.

D. The tunnel is down because the transform set needs to include the Authentication Header parameter.

Answer: A

52. For the following attempts, which one is to ensure that no one employee becomes a pervasive security

threat, that data can be recovered from backups, and that information system changes do not

f o
compromise a system's security?

A. Disaster recovery
i- n
B. Strategic security planning

C. Implementation security

r t
D. Operations security

Answer: D
e
r C
53. Which algorithm was the first to be found suitable for both digital signing and encryption?

A. SHA-1

B. MD5

e e
C. HMAC

D. RSA

a r
C
Answer: D

-
54. Observe the following options carefully, which two attacks focus on RSA? (Choose all that apply.)

A. DDoS attack

B. BPA attack
w
w
C. Adaptive chosen ciphertext attack

w
D. Man-in-the-middle attack

Answer: BC

55. Before a Diffie-Hellman exchange may begin, the two parties involved must agree on what?

A. Two nonsecret keys

B. Two secret numbers

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside
C. Two secret keys

D. Two nonsecret numbers

Answer: D

56. Which item is the correct matching relationships associated with IKE Phase?

f o
i- n
r t
e
A. IKE Phase 1 - TIS1 and TIS2

IKE Phase 2 - TIS3, TIS4 and TIS5

r C
B. IKE Phase 1 - TIS1 and TIS4

IKE Phase 2 - TIS2, TIS3 and TIS5

e e
C. IKE Phase 1 - TIS2 and TIS3

IKE Phase 2 - TIS1, TIS4 and TIS5

D. IKE Phase 1 - TIS2 and TIS4


a r
Answer: B
- C
IKE Phase 2 - TIS1, TIS3 and TIS5

w
57. Which three are distinctions between asymmetric and symmetric algorithms? (Choose all that apply.)

w
A. Asymmetric algorithms are based on more complex mathematical computations.

B. Only symmetric algorithms have a key exchange technology built in.

w
C. Only asymmetric algorithms have a key exchange technology built in.

D. Asymmetric algorithms are used quite often as key exchange protocols for symmetric algorithms.

Answer: ACD

58. Which statement is true about a certificate authority (CA)?

A. A trusted third party responsible for signing the private keys of entities in a PKIbased system

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside
B. A trusted third party responsible for signing the public keys of entities in a PKIbased system

C. An entity responsible for registering the private key encryption used in a PKI

D. An agency responsible for granting and revoking public-private key pairs

Answer: B

59. Which Public Key Cryptographic Standards (PKCS) defines the syntax for encrypted messages and

f o
messages with digital signatures?

A. PKCS #12
i- n
B. PKCS #10

C. PKCS #8

r t
D. PKCS #7

Answer: D
e
r C
60. For the following items, which one acts as a VPN termination device and is located at a primary network

location?

A. Headend VPN device

e e
B. Tunnel

C. Broadband service

a r
C
D. VPN access device

-
Answer: A

61. Instructions

w
To access the Cisco Router and Security Device Manager(SDM) utility click on the console host icon that is

w
connected to a ISR router.

w
You can click on the grey buttons below to view the different windows.

Each of the windows can be minimized by clicking on the [-].You can also reposition a window by dragging it

by the title bar.

The "Tab" key and most commands that use the "Control"or "Escape" keys are not supported and are not

necessary to complete this simulation.

Which two options correctly identify the associated interface with the correct security zone? (Choose two.)

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside

f o
i- n
r t
e
r C
e e
a r
- C
w
w
w
A. FastEthernet0/1 is associated to the "out-zone" zone.

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside
B. FastEthernet0/0 is associated to the "in-zone" zone.

C. FastEthernet0/0 and 0/1 are associated to the "self" zone.

D. FastEthernet0/0 and 0/1 are associated to the "in-zone" zone.

E. FastEthernet0/0 and 0/1 are associated to the "out-zone" zone.

F. FastEthernet0/0 and 0/1 are not associated to any zone.

Answer: AB

f o
62. Instructions
i- n
connected to a ISR router.

r t
To access the Cisco Router and Security Device Manager(SDM) utility click on the console host icon that is

You can click on the grey buttons below to view the different windows.

e
Each of the windows can be minimized by clicking on the [-].You can also reposition a window by dragging it

by the title bar.

r C
The "Tab" key and most commands that use the "Control"or "Escape" keys are not supported and are not

necessary to complete this simulation.

e e
Which statements is correct regarding the "sdm-permit" policy map?

a r
- C
w
w
w
TestInside Help You Pass Any IT Exam http://www.TestInside.com
www.CareerCert.info
Testinside

f o
i- n
r t
e
r C
e e
a r
- C
w
w
w
A. Traffic not matched by any of the class maps within that policy map will be inspected

B. Traffic matching the "sdm-access" traffic class will be inspected.

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside
C. Traffic matching the "SDM_CA_SERVER" traffic class will be dropped.

D. That policy map is applied to traffic sourced from the "self" zone and destined to the "out-zone" zone.

Answer: C

63. Which three options are network evaluation techniques? (Choose three.)

A. Scanning a network for active IP addresses and open ports on those IP addresses

f o
B. Using password-cracking utilities

C. Performing end-user training on the use of antispyware software


i- n
D. Performing virus scans

Answer: ABD

r t
e
64. The information of Cisco Router and Security Device Manager(SDM) is shown below:

r C
Which three protocols are matched by the "sdm-cls-insp-traffic" class map? (Choose three)

e e
a r
- C
w
w
w
TestInside Help You Pass Any IT Exam http://www.TestInside.com
www.CareerCert.info
Testinside

f o
i- n
r t
e
r C
e e
a r
- C
w
w
w
TestInside Help You Pass Any IT Exam http://www.TestInside.com
www.CareerCert.info
Testinside
A. sql-net

B. pop3

C. 12tp

D. ftp

Answer: ABD

f o
65. The information of Cisco Router and Security Device Manager(SDM) is shown below:

i- n
Within the "sdm-permit" policy map, what is the action assigned to the traffic class "class-default"?

r t
e
r C
e e
a r
- C
w
w
w
TestInside Help You Pass Any IT Exam http://www.TestInside.com
www.CareerCert.info
Testinside

f o
i- n
r t
e
r C
e e
a r
- C
w
w
w
TestInside Help You Pass Any IT Exam http://www.TestInside.com
www.CareerCert.info
Testinside
A. inspect

B. pass

C. drop

D. police

Answer: C

f o
66. The information of Cisco Router and Security Device Manager(SDM) is shown below:

Which poicy map is associated to the "sdm-zp-in-out" security zone pair?


i- n
r t
e
r C
e e
a r
- C
w
w
w
TestInside Help You Pass Any IT Exam http://www.TestInside.com
www.CareerCert.info
Testinside

f o
i- n
r t
e
r C
e e
a r
- C
w
w
w
TestInside Help You Pass Any IT Exam http://www.TestInside.com
www.CareerCert.info
Testinside
A. sdm-permit-icmpreply

B. sdm-permit

C. sdm-inspect

D. sdm-insp-traffic

Answer: B

f o
67. The information of Cisco Router and Security Device Manager(SDM) is shown below:

i- n
Within the "sdm-inspect" policy map, what is the action assigned to the traffic class "sdm-invalid-src", and

which traffic is matched by the traffic class "sdm-invlid-src" ? (Choose two.)

r t
e
r C
e e
a r
- C
w
w
w
TestInside Help You Pass Any IT Exam http://www.TestInside.com
www.CareerCert.info
Testinside

f o
i- n
r t
e
r C
e e
a r
- C
w
w
w
TestInside Help You Pass Any IT Exam http://www.TestInside.com
www.CareerCert.info
Testinside
A. traffic matched by ACL 105

B. traffic matched by the nested "sdm-cls-insp-traffic" class map

C. inspect/log

D. traffic matched by ACL 104

Answer: AB

f o
i- n
68. Which one is the most important based on the following common elements of a network design?

A. Business needs

B. Best practices

C. Risk analysis

r t
D. Security policy

Answer: A
e
r C
69. Examine the following items, which one offers a variety of security solutions, including firewall, IPS,

A. Cisco 4200 series IPS appliance

e e
VPN, antispyware, antivirus, and antiphishing features?

C. Cisco IOS router

a r
B. Cisco ASA 5500 series security appliance

C
D. Cisco PIX 500 series security appliance

-
Answer: B

w
70. The enable secret password appears as an MD5 hash in a router's configuration file, whereas the

enable password is not hashed (or encrypted, if the password-encryption service is not enabled).

w
What is the reason that Cisco still support the use of both enable secret and enable passwords in a router's

w
configuration?

A. The enable password is used for IKE Phase I, whereas the enable secret password is used for IKE

Phase II.

B. The enable password is considered to be a router's public key, whereas the enable secret password is

considered to be a router's private key.

C. Because the enable secret password is a hash, it cannot be decrypted. Therefore, the enable password

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside
is used to match the password that was entered, and the enable secret is used to verify

that the enable password has not been modified since the hash was generated.

D. The enable password is present for backward compatibility.

Answer: D

71. Which classes does the U.S. government place classified data into? (Choose three.)

f o
A. SBU

B. Confidential
i- n
C. Secret

D. Top-secret

r t
Answer: BCD

e
72. How does CLI view differ from a privilege level?

r C
A. A CLI view supports only commands configured for that specific view, whereas a privilege level supports

e e
commands available to that level and all the lower levels.

B. A CLI view supports only monitoring commands, whereas a privilege level allows a user to make

changes to an IOS configuration.

a r
C. A CLI view and a privilege level perform the same function. However, a CLI view is used on a Catalyst

C
switch, whereas a privilege level is used on an IOS router.

-
D. A CLI view can function without a AAA configuration, whereas a privilege level requires AAA to be

configured.

Answer: A

w
w
73. When configuring Cisco IOS login enhancements for virtual connections, what is the "quiet period"?

w
A. A period of time when no one is attempting to log in

B. The period of time in which virtual logins are blocked as security services fully initialize

C. The period of time in which virtual login attempts are blocked, following repeated failed login attempts

D. The period of time between successive login attempts

Answer: C

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside
74. Which three statements are valid SDM configuration wizards? (Choose three.)

A. Security Audit

B. VPN

C. STP

D. NAT

Answer: ABD

f o
75. How do you define the authentication method that will be used with AAA?
i- n
A. With a method list

B. With the method command

r t
C. With the method aaa command

D. With a method statement


e
Answer: A

r C
e e
76. What is the objective of the aaa authentication login console-in local command?

A. It specifies the login authorization method list named console-in using the local RADIUS

username-password database.

a r
B. It specifies the login authorization method list named console-in using the local username-password

C
database on the router.

-
C. It specifies the login authentication method list named console-in using the local user database on the

router.

w
D. It specifies the login authentication list named console-in using the local username- password database

on the router.

Answer: C

w
w
77. Which one of the following commands can be used to enable AAA authentication to determine if a user

can access the privilege command level?

A. aaa authentication enable default local

B. aaa authentication enable level

C. aaa authentication enable method default

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside
D. aaa authentication enable default

Answer: D

78. Please choose the correct matching relationships between the cryptography algorithms and the type of

algorithm.

f o
i- n
r t
e
A. Symmetric - TIS1, TIS2 and TIS3

r C
e
Asymmetric - TIS4, TIS5 and TIS6

e
B. Symmetric - TIS1, TIS4 and TIS5

r
Asymmetric - TIS2, TIS3 and TIS6

C. Symmetric - TIS2,TIS4 and TIS5

Asymmetric - TIS1, TIS3 and TIS6

a
- C
D. Symmetric - TIS2, TIS5 and TIS6

Asymmetric - TIS1, TIS3 and TIS4

Answer: B

w
w
79. Which two ports are used with RADIUS authentication and authorization?(Choose two.)

A. TCP port 2002

w
B. UDP port 2000

C. UDP port 1645

D. UDP port 1812

Answer: CD

80. For the following items, which management topology keeps management traffic isolated from

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside
production traffic?

A. OOB

B. SAFE

C. MARS

D. OTP

Answer: A

f o
i- n
81. Information about a managed device??s resources and activity is defined by a series of objects. What

defines the structure of these management objects?

A. FIB

r t
B. LDAP

C. CEF
e
D. MIB

Answer: D
r C
e e
82. When configuring SSH, which is the Cisco minimum recommended modulus value?

A. 2048 bits

B. 256 bits

a r
C
C. 1024 bits

-
D. 512 bits

Answer: C

w
83. When using the Cisco SDM Quick Setup Siteto-Site VPN wizard, which three parameters do you

w
configure? (Choose three.)

w
A. Interface for the VPN connection

B. IP address for the remote peer

C. Transform set for the IPsec tunnel

D. Source interface where encrypted traffic originates

Answer: ABD

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside
84. If you click the Configure button along the top of Cisco SDM??s graphical interface,which Tasks button

permits you to configure such features as SSH, NTP, SNMP, and syslog?

A. Additional Tasks

B. Security Audit

C. Intrusion Prevention

D. Interfaces and Connections

f o
Answer: A

i- n
A. Creating a back door

r t
85. Which method is of gaining access to a system that bypasses normal security measures?

B. Starting a Smurf attack

C. Conducting social engineering


e
D. Launching a DoS attack

Answer: A
r C
e e
86. Examine the following options , which Spanning Tree Protocol (STP) protection mechanism disables a

A. PortFast

a r
switch port if the port receives a Bridge Protocol Data Unit (BPDU)?

C
B. BPDU Guard

-
C. UplinkFast

D. Root Guard

Answer: B

w
w
87. If a switch is working in the fail-open mode, what will happen when the switch's CAM table fills to

w
capacity and a new frame arrives?

A. The switch sends a NACK segment to the frame's source MAC address.

B. A copy of the frame is forwarded out all switch ports other than the port the frame was received on.

C. The frame is dropped.

D. The frame is transmitted on the native VLAN.

Answer: B

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside

88. Which type of MAC address is dynamically learned by a switch port and then added to the switch's

running configuration?

A. Pervasive secure MAC address

B. Static secure MAC address

C. Sticky secure MAC address

f o
D. Dynamic secure MAC address

Answer: C
i- n
89. Which are the best practices for attack mitigations?

r t
e
r C
e e
A. TIS1, TIS2, TIS3 and TIS5

a r
B. TIS2, TIS5, TIS6 and TIS8

-
C. TIS2, TIS5, TIS6 and TIS7

D. TIS2, TIS3, TIS6 and TIS8


C
w
E. TIS3, TIS4, TIS6 and TIS7

w
Answer: B

w
90. In an IEEE 802.1x deployment, between which two devices EAPOL messages typically are sent?

A. Between the RADIUS server and the authenticator

B. Between the authenticator and the authentication server

C. Between the supplicant and the authentication server

D. Between the supplicant and the authenticator

Answer: D

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside

91. Which item is the great majority of software vulnerabilities that have been discovered?

A. Stack vulnerabilities

B. Software overflows

C. Heap overflows

D. Buffer overflows

f o
Answer: D

i- n
A. Firmware-level virus detection

r t
92. What will be enabled by the scanning technology-The Dynamic Vector Streaming (DVS)?

B. Layer 4 virus detection

C. Signature-based spyware filtering


e
D. Signature-based virus filtering

Answer: C
r C
e e
93. What Cisco Security Agent Interceptor is in charge of intercepting all read/write requests to the rc files in

UNIX?

A. Network interceptor

a r
C
B. Configuration interceptor

-
C. Execution space interceptor

D. File system interceptor

Answer: B

w
w
94. Which name is of the e-mail traffic monitoring service that underlies that architecture of IronPort?

w
A. IronPort M-Series

B. E-Base

C. TrafMon

D. SenderBase

Answer: D

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside
95. Which statement is not a reason for an organization to incorporate a SAN in its enterprise

infrastructure?

A. To increase the performance of long-distance replication, backup, and recovery

B. To decrease the threat of viruses and worm attacks against data storage devices

C. To decrease both capital and operating expenses associated with data storage

D. To meet changing business priorities, applications, and revenue growth

f o
Answer: B

i- n
device?

r t
96. Which protocol will use a LUN as a way to differentiate the individual disk drives that comprise a target

A. iSCSI

B. ATA
e
C. SCSI

D. HBA
r C
Answer: C

e e
a r
97. Which statement is true about a Smurf attack?

A. It sends ping requests to a subnet, requesting that devices on that subnet send ping replies to a target

C
system.

-
B. It intercepts the third step in a TCP three-way handshake to hijack a session.

C. It uses Trojan horse applications to create a distributed collection of "zombie" computers, which can be

w
used to launch a coordinated DDoS attack.

D. It sends ping requests in segments of an invalid size.

Answer: A

w
w
98. For the following statements, which one is perceived as a drawback of implementing Fibre Channel

Authentication Protocol (FCAP)?

A. It is restricted in size to only three segments.

B. It requires the implementation of IKE.

C. It relies on an underlying Public Key Infrastructure (PKI).

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside
D. It requires the use of netBT as the network protocol.

Answer: C

99. Which two primary port authentication protocols are used with VSANs? (Choose two.)

A. ESP

B. CHAP

f o
C. DHCHAP

D. SPAP
i- n
Answer: BC

r t
e
100. Which VoIP components can permit or deny a call attempt on the basis of a network's available

bandwidth?

A. MCU

B. Gatekeeper
r C
C. Application server

D. Gateway

e e
Answer: B

a r
C
101. Which statement is true about vishing?

-
A. Influencing users to forward a call to a toll number (for example, a long distance or international number)

B. Influencing users to provide personal information over the phone

w
C. Using an inside facilitator to intentionally forward a call to a toll number (for example, a long distance or

international number)

w
D. Influencing users to provide personal information over a web page

w
Answer: B

102. You work as a network engineer, do you know an IPsec tunnel is negotiated within the protection of

which type of tunnel?

A. GRE tunnel

B. L2TP tunnel

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside
C. L2F tunnel

D. ISAKMP tunnel

Answer: D

103. Which type of firewall is needed to open appropriate UDP ports required for RTP streams?

A. Proxy firewall

f o
B. Packet filtering firewall

C. Stateful firewall
i- n
D. Stateless firewall

Answer: C

r t
e
104. Please choose the correct description about Cisco Self-Defending Network characteristics.

r C
e e
A. INTEGRATED - TIS1

COLLABORATIVE - TIS2

a r
C
ADAPTIVE - TIS3

-
B. INTEGRATED - TIS2

COLLABORATIVE - TIS1

ADAPTIVE - TIS3

C. INTEGRATED - TIS2
w
w
COLLABORATIVE - TIS3

w
ADAPTIVE - TIS1

D. INTEGRATED - TIS3

COLLABORATIVE - TIS2

ADAPTIVE - TIS1

Answer: B

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside
105. Which statement best describes the relationships between AAA function and TACACS+, RADIUS

based on the exhibit shown?

f o
A. TACACS+ - TIS1 and TIS3
i- n
RADIUS - TIS2 and TIS4

B. TACACS+ - TIS2 and TIS4


r t
RADIUS - TIS1 and TIS3

e
C
C. TACACS+ - TIS1 and TIS4

RADIUS - TIS2 and TIS3

D. TACACS+ - TIS2 and TSS3

e r
e
RADIUS - TIS1 and TIS4

r
Answer: B

a
106. Which two statements are correct regarding a Cisco IP phone??s web access feature? (Choose two.)

A. It is enabled by default.

B. It uses HTTPS.

- C
C. It can provide IP address information about other servers in the network.

w
D. It requires login credentials, based on the UCM user database.

w
Answer: AC

w
107. Which option ensures that data is not modified in transit?

A. Authentication

B. Integrity

C. Authorization

D. Confidentiality

Answer: B

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside

108. What is a static packet-filtering firewall used for ?

A. It analyzes network traffic at the network and transport protocol layers.

B. It validates the fact that a packet is either a connection request or a data packet belonging to a

connection.

C. It keeps track of the actual communication process through the use of a state table.

f o
i- n
D. It evaluates network packets for valid data at the application layer before allowing connections.

Answer: A

r t
109. Which firewall best practices can help mitigate worm and other automated attacks?

A. Restrict access to firewalls

B. Segment security zones


e
C. Use logs and alerts

D. Set connection limits


r C
Answer: D

e e
a r
110. Which statement best describes the Turbo ACL feature? (Choose all that apply.)

A. The Turbo ACL feature processes ACLs into lookup tables for greater efficiency.

C
B. The Turbo ACL feature leads to increased latency, because the time it takes to match the packet is

-
variable.

C. The Turbo ACL feature leads to reduced latency, because the time it takes to match the packet is fixed

and consistent.

w
D. Turbo ACLs increase the CPU load by matching the packet to a predetermined list.

Answer: AC

w
w
111. Which two actions can be configured to allow traffic to traverse an interface when zone-based security

is being employed? (Choose two.)

A. Flow

B. Inspect

C. Pass

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside
D. Allow

Answer: BC

112. Which three items are Cisco best-practice recommendations for securing a network? (Choose three.)

A. Deploy HIPS software on all end-user workstations.

B. Routinely apply patches to operating systems and applications.

f o
C. Disable unneeded services and ports on hosts.

D. Require strong passwords, and enable password expiration.


i- n
Answer: BCD

r t
e
113. Which key method is used to detect and prevent attacks by use of IDS and/or IPS technologies?

A. Signature-based detection

B. Anomaly-based detection

C. Honey pot detection


r C
D. Policy-based detection

Answer: A

e e
a r
114. Based on the following items, which two types of interfaces are found on all network-based IPS

C
sensors? (Choose two.)

-
A. Loopback interface

B. Monitoring interface

w
C. Command and control interface

D. Management interface

Answer: BC

w
w
115. With which three tasks does the IPS Policies Wizard help you? (Choose three.)

A. Selecting the interface to which the IPS rule will be applied

B. Selecting the direction of traffic that will be inspected

C. Selecting the inspection policy that will be applied to the interface

D. Selecting the Signature Definition File (SDF) that the router will use

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside
Answer: ABD

116. Examine the following options ,when editing global IPS settings, which one determines if the

IOS-based IPS feature will drop or permit traffic for a particular IPS signature engine while a new

signature for that engine is being compiled?

A. Enable Engine Fail Closed

f o
B. Enable Fail Opened

C. Enable Signature Default


i- n
D. Enable Default IOS Signature

Answer: A

r t
e
117. Regarding constructing a good encryption algorithm, what does creating an avalanche effect indicate?

r C
A. Changing only a few bits of a plain-text message causes the ciphertext to be completely different.

B. Changing only a few bits of a ciphertext message causes the plain text to be completely different.

e e
C. Altering the key length causes the plain text to be completely different.

D. Altering the key length causes the ciphertext to be completely different.

Answer: A

a r
C
118. With the increasing development of network, various network attacks appear. Which statement

-
best describes the relationships between the attack method and the result?

w
w
w
A. Ping Sweep - TIS1 and TIS3

Port Scan - TIS2, TIS4 and TIS5

B. Ping Sweep - TIS2 and TIS4

Port Scan - TIS1, TIS3 and TIS5

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside
C. Ping Sweep - TIS1 and TIS5

Port Scan - TIS2, TIS3 and TIS4

D. Ping Sweep - TIS2 and TIS3

Port Scan - TIS1, TIS4 and TIS5

Answer: B

f o
119. Stream ciphers run on which of the following?

i-
A. Individual blocks, one at a time, with the transformations varying during the encryption
n
C. Fixed-length groups of digits called blocks

r t
B. Individual digits, one at a time, with the transformations varying during the encryption

D. Fixed-length groups of bits called blocks

Answer: B
e
120. Which description is true about ECB mode?
r C
e e
A. ECB mode uses the same 64-bit key to serially encrypt each 56-bit plain-text block.

B. In ECB mode, each 56-bit plain-text block is exclusive ORed (XORed) bitwise with the previous

ciphertext block.

a r
C. ECB mode uses the same 56-bit key to serially encrypt each 64-bit plain-text block.

C
D. In ECB mode, each 64-bit plain-text block is exclusive ORed (XORed) bitwise with the previous

-
ciphertext block.

Answer: C

w
121. In a brute-force attack, what percentage of the keyspace must an attacker generally search through

w
until he or she finds the key that decrypts the data?

w
A. Roughly 66 percent

B. Roughly 10 percent

C. Roughly 75 percent

D. Roughly 50 percent

Answer: D

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside
122. Which example is of a function intended for cryptographic hashing?

A. SHA-135

B. MD65

C. XR12

D. MD5

Answer: D

f o
i- n
123. Which one of the following items may be added to a password stored in MD5 to make it more secure?

A. Rainbow table

B. Cryptotext

r t
C. Ciphertext

D. Salt
e
Answer: D

r C
e
124. Drag three proper statements about the IPsec protocol on the above to the list on the below.

e
a r
- C
w
w
w
TestInside Help You Pass Any IT Exam http://www.TestInside.com
www.CareerCert.info
Testinside

f o
i- n
r t
e
r C
e e
Answer:

a r
- C
w
w
w
TestInside Help You Pass Any IT Exam http://www.TestInside.com
www.CareerCert.info
Testinside

f o
i- n
r t
e
r C
e e
125. LAB

a r
C
Click here to input the answer.

-
Switch1>enable

Switch1#config t

w
Switch1(config)#interface fa0/12

Switch1(config-if)#switchport mode access

w
Switch1(config-if)#switchport port-security maximum 2

w
Switch1(config-if)#switchport port-security violation shutdown

Switch1(config-if)#no shut

Switch1(config-if)#end

Switch1#copy run start

Answer:

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside

f o
i- n
r t
e
r C
e e
a r
- C
w
w
w
TestInside Help You Pass Any IT Exam http://www.TestInside.com
www.CareerCert.info
Testinside

126.

f o
i- n
r t
e
r C
e e
a r
- C
w
w
w
TestInside Help You Pass Any IT Exam http://www.TestInside.com
www.CareerCert.info
Testinside
Answer:

f o
i- n
r t
e
127.

r C
e e
a r
- C
w
w
w
TestInside Help You Pass Any IT Exam http://www.TestInside.com
www.CareerCert.info
Testinside

f o
i- n
r t
e
r C
e e
a r
- C
w
w
w
TestInside Help You Pass Any IT Exam http://www.TestInside.com
www.CareerCert.info
Testinside
Answer:

f o
i- n
r t
e
128.

r C
e e
a r
- C
w
w
w
TestInside Help You Pass Any IT Exam http://www.TestInside.com
www.CareerCert.info
Testinside

f o
i- n
r t
e
r C
e e
a r
- C
w
w
w
TestInside Help You Pass Any IT Exam http://www.TestInside.com
www.CareerCert.info
Testinside
Answer:

f o
i- n
r t
e
129.

r C
e e
a r
- C
w
w
w
TestInside Help You Pass Any IT Exam http://www.TestInside.com
www.CareerCert.info
Testinside

f o
i- n
r t
e
r C
e e
a r
- C
w
w
w
TestInside Help You Pass Any IT Exam http://www.TestInside.com
www.CareerCert.info
Testinside
Answer:

f o
i- n
r t
e
130. On the basis of the description of SSL-based VPN, place the correct descriptions in the proper

locations.

r C
e e
a r
- C
w
w
w
Answer:

TestInside Help You Pass Any IT Exam http://www.TestInside.com


www.CareerCert.info
Testinside

f o
i- n
r t
e
r C
e e
descriptions in the proper locations.

a r
131. Which three common examples are of AAA implementation on Cisco routers? Please place the correct

- C
w
w
w
TestInside Help You Pass Any IT Exam http://www.TestInside.com
www.CareerCert.info
Testinside

f o
i- n
r t
e
r C
e e
Answer:

a r
- C
w
w
w
TestInside Help You Pass Any IT Exam http://www.TestInside.com
www.CareerCert.info
Testinside

f o
i- n
r t
e
r C
e e
a r
132. Drag two characteristics of the SDM Security Audit wizard on the above to the list on the below.

- C
w
w
w
TestInside Help You Pass Any IT Exam http://www.TestInside.com
www.CareerCert.info
Testinside
Answer:

f o
i- n
r t
e
r C
e e
133. On the basis of the Cisco IOS Zone-Based Policy Firewall, by default, which three types of traffic are

a r
permitted by the router when some interfaces of the routers are assigned to a zone?

Drag three proper characterizations on the above to the list on the below.

- C
w
w
w
TestInside Help You Pass Any IT Exam http://www.TestInside.com
www.CareerCert.info
Testinside

f o
i- n
r t
e
r C
Answer:

e e
a r
- C
w
w
w
TestInside Help You Pass Any IT Exam http://www.TestInside.com
www.CareerCert.info

Testinside

o
Testinside.com was founded in 2006. The safer,easier way to help you pass any IT

f
Certification exams . We provide high quality IT Certification exams practice
questions and answers(Q&A). Especially Adobe, Apple, Citrix, Comptia, EMC, HP,

n
Juniper, LPI, Nortel, Oracle, SUN, Vmware and so on. And help you pass any IT

i-
Certification exams at the first try.

You can reach us at any of the email addresses listed below.

English Customer: Sales(at)TestInside.Com


r t
TaiWan&HK Customer:
Chinese Customer:
Salestw(at)TestInside.Com
Salescn(at)TestInside.com
e
r C
e e
a r
- C
w
w
English Version http://www.testinside.com
Chinese (Traditional) http:// www.testinside.net
Chinese (Simplified) http:// www.testinside.cn

You might also like