New Questions! Now more new added Cisco 640-553 exam questions and answers are available at Flydumps In Flydumps new Cisco 640-553 vce or pdf braindump file, you can get all Cisco 640-553 new questions and answers.We guarantee the 100% pass rate.
QUESTION 46
Examine the following options, which access list will permit HTTP traffic sourced from host 10.1.129.100 port 3030 destined to host 192.168.1.10?
A. access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.1.10 0.0.0.0 eq www
B. access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 3030 192.168.1.0 0.0.0.15 eq www
C. access-list 101 permit tcp host eq 80 10.1.0.0 0.0.255.255 eq 3030
D. access-list 101 permit tcp any eq 3030
Correct Answer: B QUESTION 47
Which one of the aaa accounting commands can be used to enable logging of both the start and stop records for user terminal sessions on the router?
A. aaa accounting connection start-stop tacacs+
B. aaa accounting network start-stop tacacs+
C. aaa accounting exec start-stop tacacs+
D. aaa accounting system start-stop tacacs+
Correct Answer: C QUESTION 48
Which statement best describes Cisco IOS Zone-Based Policy Firewall?
A. A router interface can belong to multiple zones.
B. The pass action works in only one direction.
C. Policy maps are used to classify traffic into different traffic classes, and class maps are used to assign action to the traffic classes.
D. A zone-pair is bidirectional because it specifies traffic flowing among the interfaces withing the zone-pair in both directions.
Correct Answer: B QUESTION 49
Match the features on the left with the protocol on the right. Click on the Select and Place button.
Select and Place:
Correct Answer: QUESTION 50
Which statement is correct regarding the aaa configuration based on the exhibit provided?
Router(config)#username admin privilege level 15 secret passwordRouter(config)#aaa new-modelRouter(config)#aaa authentication login default tacacs+Router(config)#aaa authentication login test tacacs+ localRouter(config)#line vty 0 4Router(config-line)#login authentication testRouter(config-line)#line con 0Router(config-line)#end
A. The authentication method list used by the console port is named test.
B. The authentication method list used by the vty ports is named test.
C. If the TACACS+ AAA server is not available, console access to the router can be authenticated using the local database.
D. If the TACACS+ AAA server is not available, no users will be able to establish a Telnet session with the router.
Correct Answer: B
QUESTION 51
Refer to the exhibit. Which statement is true regarding the partial output shown.
A. All traffic from network 10.0.0.0 will be permitted.
B. This ACL will prevent any host on the internet from spoofing the inside network address for packets coming into the router from the internet.
C. Access-list 101 will prevent address spoofing from interface E0.
D. All traffic destined for network 172.16.150.0 will be denied due to the implicit deny all.
Correct Answer: QUESTION 52
What will be disabled as a result of the no service password-recovery command?
A. password encryption service.
B. ROMMON
C. Changes to the config-register setting
D. The xmodem privilege EXEX mode command to recover the Cisco IOS image
Correct Answer: B QUESTION 53
Match the steps on the left to the correct IKE Phase on the right. Click on the Select and Place button.
Select and Place:
Correct Answer:
Exam B QUESTION 1
For the following items, which one can be used to authenticate the IPSec peers during IKE Phase 1?
A. XAUTH
B. Pre-shared-key
C. Integrity check value
D. Diffie-Hellman Nonce
Correct Answer: QUESTION 2
What should be enabled before any user views can be created during role-based CLI configuration?
A. username and passwords
B. secret password for the root user
C. aaa new-model command
D. multiple privilege levels
Correct Answer: C QUESTION 3
Which is the main difference between host-based and network-based intrusion prevention?
A. Network-based IPS is better suited for inspection of SSL and TLS encrypted data flows.
B. Host-based IPS can work in promiscuous mode or inline mode.
C. Network-based IPS can provide protection to desktops and servers without the need of installing specialized software on the end hosts and servers.
D. Host-based IPS deployment requires less planning than network based IPS
Correct Answer: QUESTION 4
What is the objective of Diffie-Hellman?
A. Used for asymmetric public key encryption.
B. Used between the initiator and the responder to establish a basic security policy.
C. Used to verify the identity of the peer.
D. Used to establish a symmetric shared key via a public key exchange process.
Correct Answer: D QUESTION 5
Which three statements about applying access control lists to a Cisco router are true? (Choose three.)
A. Place more specific ACL entries at the top of the ACL.
B. ACLs always search for the most specific entry before taking any filtering action.
C. Router-generated packets cannot be filtered by ACLs on the router.
D. Place generic ACL entries at the top of the ACL to filter general traffic and thereby reduce “noise” on the network.
E. If an access list is applied but is not configured, all traffic will pass.
Correct Answer: ACE QUESTION 6
Which feature is a potential security weakness of a traditional stateful firewall?
A. It cannot ensure each TCP connection follows a legimate TCP three-way handshake.
B. It cannot detect application-layer attacks.
C. It cannot support UDP flows.
D. The status of TCP sessions is retained in the state table after the session terminate.
Correct Answer: B
QUESTION 7
Which two protocols enable Cisco SDM to pull IPS alerts from a Cisco ISR router? (Choose two.)
A. FTP
B. HTTPS
C. TFTP
D. SSH
E. Syslog
F. SDEE
Correct Answer: BF
QUESTION 8
Which configuration aaa login authentication on Cisco routers, which two authentication methods should be used as the final method to ensure that the administrator can still log in to the router in case the external aaa server fails? (Choose two.)
A. krb5
B. local
C. enable
D. group RADIUS
E. group TACACS+
Correct Answer: CE
QUESTION 9
Based on the username global configuration mode command displayed in the exhibit. What does the option secret 5 indicate about the enable secret password?
Router#show run | include usernameUsername test secret 5 $1$GOGQBIL8TK77P0LWxvX4O0
A. It is encrypted using DH group 5.
B. It is hashed using SHA.
C. It is hashed using MD5.
D. It is encrypted using a proprietary Cisco encryption algorithm.
Correct Answer: C
QUESTION 10
What is the objective of Diffie-Hellman?
A. Used for assymetric public key encryption.
B. Used between the initiator and the responder to establish a basic security policy.
C. Used to verify the identity of the peer.
D. Used to establish a symmetric shared key via a public key exchange process.
Correct Answer: D QUESTION 11
A standard access control list has been configured on a router and applied to interface Serial 0 in an outbound direction. No ACL is applied to interface Serial 1 on the same router. What will happen when traffic being filtered by the access list does not match the configured ACL statements for Serial 0?
A. The source IP address is checked, and, if a match is not found, traffic is routed out interface Serial 1.
B. The resulting action is determined by the destination IP addresss.
C. The resulting action is determined by the destination IP address and port number.
D. The traffic is dropped.
Correct Answer: D
QUESTION 12
Which two functions are required for IPSec operation? (Choose two.)
A. Using AH protocols for encryption and authentication
B. Using SHA for encryption
C. Using Diffie-Hellman to establish a shared-secret key
D. Using PKI for pre-shared-key authentication
E. Using IKE to negotiate the SA
Correct Answer: CE
QUESTION 13
Which three statements are true regarding the IPSec protocol?
A. IPSec is a framework of open standards
B. IPSec is bound to specific encryption algorithms, such as 3DES and AES.
C. IPSec ensures data integrity by using checksums.
D. IPSec authenticates users and devices that can carry out communication independently.
E. IPSec uses digital certificates to guarantee confidentiality.
Correct Answer: ACD
Cisco 640-553 Interactive Testing Engine is an engine that can be downloaded and installed on your PC.This Cisco 640-553 engine is not only advanced and equipped with much more features, it is also not internet dependent, once installed. It enables you to see questions and answers in a simulated Cisco 640-553 exam environment. Working with Cisco 640-553 Interactive Testing Engine is like passing an actual Cisco 640-553 exam.