
Flydumps presents the highest quality of Cisco 642-825 practice material, which helps candidates to pass the Cisco 642-825 exam on the first attempt. The brain dumps are the latest, authenticated by experts, and cover each and every aspect of the Cisco 642-825 exam.

QUESTION 50
Which statement is true when ICMP echo and echo-reply are disabled on edge devices?
A. Pings are allowed only to specific devices.
B. Some network diagnostic data is lost.
C. CDP information is not exchanged.
D. Port scans can no longer be run.
E. OSPF routing needs the command ip ospf network non-broadcast enabled.
F. Wireless devices need to be physically connected to the edge device.

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
“Pass Any Exam. Any Time.” – www.actualtests.com 59 CertUniverse.Blogspot.Com Cisco 642-825: Practice Exam
QUESTION 51
Which two statements about packet sniffers or packet sniffing are true? (Choose two.)
A. To reduce the risk of packet sniffing, strong authentication, such as one time passwords, should be used.
B. A packet sniffer requires the use of a network adapter card in nonpromiscuous mode to capture all network packets that are sent across a LAN.
C. Packet sniffers can only work in a switched Ethernet environment.
D. To reduce the risk of packet sniffing, cryptographic protocols such as Secure Shell Protocol (SSH) and Secure Sockets Layer (SSL) should be used.
E. To reduce the risk of packet sniffing, traffic rate limiting and RFC 2827 filtering should be used.

Correct Answer: AD Section: (none) Explanation
Explanation/Reference:
Explanation:
A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets that are sent across a LAN. Packet sniffers can only work in the same collision domain. Promiscuous mode is a mode in which the network adapter card sends all packets received on the physical network wire to an application for processing. Plaintext is information sent across the network that is not encrypted. Some network applications distribute network packets in plaintext. Because the network packets are not encrypted, they can be processed and understood by any application that can pick them off the network and process them. A network protocol specifies the protocol operations and packet format. Because the specifications for network protocols, such as TCP/IP, are widely published, a third party can easily interpret the network packets and develop a packet sniffer. Numerous freeware and shareware packet sniffers are available that do not require the user to understand anything about the underlying
Configuration management is an essential component of network availability. Therefore, its security is of paramount importance. You should use secure management protocols when configuring all network devices. Some management protocols, such as SSH and SSL, have been designed with security in mind and can be used in the management solution. Other protocols, such as Telnet and Simple Network Management Protocol version 2 (SNMPv2), must be made secure by protecting the data with IPsec. IPsec provides the encryption and authentication needed to combat an attacker who tries to compromise the data exchange. You should use access lists to further limit connectivity to the network devices and hosts. The access lists should permit management access, such as SSH or HTTPS, only from the legitimate management hosts.
QUESTION 52
What two proactive preventive actions are taken by an intrusion prevention system (IPS) when malicious traffic is detected? (Choose two.)
A. The IPS shuts down intermediary ports.
B. The IPS enables a dynamic access list.
C. The IPS denies malicious traffic.
D. The IPS sends an alert to the management station.
E. The IPS invokes SNMP-enabled controls.

Correct Answer: CD Section: (none) Explanation
Explanation/Reference:
Explanation:
Actions for Detected Signatures
Each individual signature or category of signatures selected to scan traffic for matching attacks can be configured to take any combination of the following 5 actions when triggered:
1. Send an alarm via syslog and/or generate/log an SDEE (Secure Device Event Exchange) event
2. Drop the malicious packet
3. Send TCP reset packets to both ends of the connection to terminate the session
4. Deny all packets from the attacker (source address) temporarily
5. Deny further packets belonging to the same TCP session (connection) from the attacker (source address)
Reference: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/product_data_sheet0900aecd803137cf.html
QUESTION 53
Why is the ping between the HQ router and the 192.168.1.193 interface on the Branch2 router failing?

A. The AS number for the EIGRP process on Branch2 should be 1 and not 11.
B. The tunnel numbers for the tunnel between the HQ router and the Branch2 router do not match.
C. The default route is missing from the Branch2 router.
D. The tunnel source is incorrect on the Branch2 router. It should be serial 2/0.
E. When running EIGRP over GRE tunnels, you must manually configure the neighbor address using the eigrp neighbor ipaddress command.

Correct Answer: E Section: (none) Explanation
Explanation/Reference:
QUESTION 54
Which statement is true about the management protocols?
A. Syslog data is sent encrypted between the server and device.
B. NTP v.3 does not support a cryptographic authentication mechanism between peers.
C. SNMP v1/v2 can be compromised because the community string information for authentication is sent in clear text.
D. TFTP data is sent encrypted.

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: Unfortunately, SNMPv1 and SNMPv2 use a very weak authentication scheme that is based on a community string. The authentication amounts to a fixed password that is transmitted over the network without encryption. If you must use SNMPv2, be careful to choose obscure community strings (and do not use, for example, public or private). If at all possible, avoid use of the same community strings for all network devices. Use a different string or strings for each device, or at least for each area of the network. Do not make a read-only string the same as a read-write string. If possible, do periodic SNMPv2 polling with a read-only community string. Use read-write strings only for actual write operations.
QUESTION 55
Refer to the exhibit.
Routers C1 and C2 are customer routers. Routers RTA, RTB, RTC, and RTD are provider routers. The routers are operating with various IOS versions.
Which frame mode MPLS configuration statement is true?

A. Before MPLS is enabled, the ip cef command is only required on routers RTA and RTD.
B. After MPLS is enabled, the ip cef command is only required on routers RTA and RTD.
C. After MPLS is enabled, the ip cef command is only required on the Ethernet 0 interfaces of routers RTA and RTD.
D. Before MPLS is enabled, the ip cef command is only required on the Ethernet 0 interfaces of routers RTA and RTD.
E. Before MPLS is enabled, the ip cef command must be applied to all provider routers.

Correct Answer: E Section: (none) Explanation
Explanation/Reference:
Explanation:
Cisco Express Forwarding
Cisco Express Forwarding (CEF) is an advanced Layer 3 IP switching technology that enhances packet forwarding. CEF offers improved performance over fast switching by using less CPU for the switching process.

CEF is scalable and can be offloaded to the line cards using dCEF (distributed CEF) technology. CEF offers consistency and stability in large networks. Because CEF uses a database of information called a FIB (Forwarding Information Base), which is built from the routing table, it adjusts quickly to routing table changes.
CEF can be deployed in any part of the network, but it is designed for large IP backbones running on technology such as 12000, 7500, or 6500 series devices. CEF is also the basic switching method for MPLS and must be enabled on all interfaces running MPLS. This must be done on all MPLS-enabled routers.
Configuration:
Reference: Cisco Field Manual: Router Configuration by Dave Hucaby (CCIE #4594) and Steve McQuerry (CCIE #6108), Cisco Press, page 385.

QUESTION 56
This item contains several questions that you must answer. You can view these questions by clicking on the Questions button to the left. Changing questions can be accomplished by clicking the numbers to the left of each question. In order to complete the questions, you will need to refer to the SDM and the topology, neither of which is currently visible.
To gain access to either the topology or the SDM, click on the button on the left side of the screen that corresponds to the section you wish to access. When you have finished viewing the topology or the SDM, you can return to your questions by clicking on the Questions button to the left.

Which defined peer IP address and local subnet belong to Crete? (Choose two.)
A. peer address 192.168.167.85
B. peer address 192.168.77.120
C. subnet 10.5.15.0/24
D. subnet 10.8.28.0/24
E. peer address 192.168.55.159
F. subnet 10.5.33.0/24

Correct Answer: CE Section: (none) Explanation
Explanation/Reference:
Explanation:
After logging in to the headquarters SDM, go to VPN -> Site-to-Site VPN and find the configuration for the Crete branch. There we can see the status (UP), the interface S0/0/0, the IPsec policy (SDM_CMAP 1), the peer (192.168.55.159), the transform set (ESP-3DES-SHA), the IPsec policy (1602), etc. The next step is to open the IPsec Policies option under VPN Components, where we can see the detailed information of 102. The ACL only allows 10.10.10.0/24 to access all the IP services of 10.5.15.0/24.
QUESTION 57
A site requires support for skinny and H.323 voice protocols. How is this configured on an IOS firewall using the SDM?
A. The Advanced Firewall wizard is executed and a custom Application Security policy is selected in place of the default Application Security policies.
B. The Application Security tab is used to modify the SDM_High policy to add voice support prior to the Firewall wizard being run.
C. The Basic Firewall wizard is executed and the High Security Application policy is selected.
D. The Application Security tab is used to create a policy with voice support before the Firewall wizard is run.

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
The Application Security tab is used to create a policy with voice support.

QUESTION 58
Which statement is true about a worm attack?
A. The worm executes arbitrary code and installs copies of itself in the memory of the infected computer.
B. Extremely large volumes of requests are sent over a network or over the Internet.
C. Data or commands are injected into an existing stream of data. That stream is passed between a client and server application.
D. Human interaction is required to facilitate the spread.

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation: A worm executes arbitrary code and installs copies of itself in the memory of the infected computer. It can then infect other hosts from the infected computer. Like a virus, a worm is also a program that propagates itself. Unlike a virus, a worm can spread itself automatically over the network from one computer to the next. Worms are not clever or evil; they just take advantage of the automatic file sending and receiving features found on many computers.
QUESTION 59
This item contains several questions that you must answer. You can view these questions by clicking on the Questions button to the left. Changing questions can be accomplished by clicking the numbers to the left of each question. In order to complete the questions, you will need to refer to the SDM and the topology, neither of which is currently visible.
To gain access to either the topology or the SDM, click on the button on the left side of the screen that corresponds to the section you wish to access. When you have finished viewing the topology or the SDM, you can return to your questions by clicking on the Questions button to the left.

Off Shore Industries is a large worldwide sailing charter. The company has recently upgraded its Internet connectivity. As a recent addition to the network engineering team, you have been tasked with documenting the active Firewall configurations on the Annapolis router using the Cisco Router and Security Device Manager (SDM) utility. Using the SDM output from Firewall and ACL Tasks under the Configure tab, answer the following questions:
Which two statements would specify a permissible incoming TCP packet on a trusted interface in this configuration? (Choose two.)
A. The destination address is specified within the inspection rule SDM_LOW.
B. The packet has a source address of 10.79.233.107
C. The packet has a source address of 172.16.81.108
D. The packet has a source address of 198.133.219.40
E. The destination address is not specified within the inspection rule SDM_LOW.

Correct Answer: BD Section: (none) Explanation
Explanation/Reference:
Explanation: Because the interface is configured with the CBAC firewall, when data arrives at this interface the router first inspects the state table. If the table has an entry corresponding to the data, the router forwards the data according to the state table; if not, the router uses the ACL to inspect the data. The secure interface ACL must permit the data because no state table entry is created. So A and C are correct.

The direction of ACL 100 is from F0/0 to S0/0/0, which allows all source IP addresses except 172.16.81.108/30, 255.255.255.255, and 127.0.0.0/8. So it is probably the direction from the inside to the outside network. If TCP data packets are allowed, then it is impossible to match. So, the source address cannot be 172.16.81.108.
QUESTION 60
Which two active response capabilities can be configured on an intrusion detection system (IDS) in response to malicious traffic detection? (Choose two.)
A. the shutdown of ports on intermediary devices
B. the invoking of SNMP-sourced controls
C. the transmission of a TCP reset to the offending end host
D. the initiation of dynamic access lists on the IDS to prevent further malicious traffic
E. the configuration of network devices to prevent malicious traffic from passing through

Correct Answer: CE Section: (none) Explanation
Explanation/Reference:
Explanation:
An action is the sensor’s response to an event. An action only happens if the event is not filtered. Possible
actions include TCP reset, block host, block connection, IP logging, and capturing the alert trigger packet.

QUESTION 61
Which statement about the aaa authentication enable default group radius enable command is true?
A. The command login authentication group will associate the AAA authentication to a specified interface.
B. If the group database is unavailable, the radius server will be used.
C. If the radius server returns a ‘failed’ message, the enable password will be used.
D. If the radius server returns an error, the enable password will be used.

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
The aaa authentication login command in global configuration mode enables the AAA authentication process.
RouterA(config)# aaa authentication login {default | list-name} group {group-name | radius | tacacs+} [method2 [method3 [method4]]]
aaa authentication login Parameters
QUESTION 62
Which two Network Time Protocol (NTP) statements are true? (Choose two.)
A. NTP operates on IP networks using User Datagram Protocol (UDP) port 123.
B. The ntp server global configuration command is used to configure the NTP master clock to which other peers synchronize themselves.
C. NTP is enabled on all interfaces by default, and all interfaces receive NTP packets.
D. The show ntp status command displays detailed association information of all NTP peers.
E. A stratum 0 time server is required for NTP operation.
F. Whenever possible, configure NTP version 5 because it automatically provides authentication and encryption services.
Correct Answer: AC Section: (none) Explanation

Explanation/Reference:
Explanation:
A: To show the status of Network Time Protocol (NTP), use the show ntp status EXEC command.
The following is sample output from the show ntp status command:
TK1# show ntp status
Clock is synchronized, stratum 4, reference is 192.168.13.57
nominal freq is 250.0000 Hz, actual freq is 249.9990 Hz, precision is 2**19
reference time is AFE2525E.70597B34 (00:10:22.438 PDT Mon Jul 5 1993)
clock offset is 7.33 msec, root delay is 133.36 msec
root dispersion is 126.28 msec, peer dispersion is 5.98 msec
C: NTP is a UDP-based service. NTP servers use well-known port 123 to talk to each other and to NTP clients. NTP clients use random ports above 1023. The Network Time Protocol (NTP) is a protocol designed to time-synchronize a network of machines. NTP runs over UDP, which in turn runs over IP. NTP Version 3 is documented in RFC 1305.
Incorrect Answers:
B: Higher level stratum clocks can be used and a stratum 0 device is not required.
D: NTP services are disabled on all interfaces by default. NTP is enabled globally when any NTP commands are entered.
E: Which version of NTP should I use? Unfortunately the answer to this question is not quite easy: currently there are version three and version four implementations of NTP available. The latest software release being worked on is NTPv4, but the official Internet standard is still NTPv3. Version 5 is not yet available. Reference: http://www.ntp.org/ntpfaq/NTP-s-def.htm#Q-DEF-WHICH-VERSION
F: The ntp master command is used to configure a device as the master clock.
QUESTION 63
Refer to the exhibit.
What statement is true about the interface S1/0 on router R1?

A. IP label switching has been disabled on this interface.
B. Labeled packets can be sent over an interface.
C. MPLS Layer 2 negotiations have occurred.
D. None of the MPLS protocols have been configured on the interface.

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
Although tagging has been enabled on the interface, none of the MPLS protocols have been enabled and tagging is not operational on this interface. Also, if the interface had any protocols configured, then you would see that either LDP or TDP had been configured.

For example (TDP):

Router# show mpls interfaces detail

Interface Ethernet1/1/1:
IP labeling enabled (tdp)
LSP Tunnel labeling not enabled
MPLS operational
MPLS turbo vector
MTU = 1500


QUESTION 64
Refer to the exhibit. Which order correctly identifies the steps to provision a cable modem to connect to a headend as defined by the DOCSIS standard?

A. C, D, F, G, A, E, B
B. A, D, C, G, E, F, B
C. F, D, C, G, A, E, B
D. C, D, F, G, E, A, B
E. F, D, C, G, E, A, B
F. A, D, E, G, C, F, B

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
QUESTION 65
Which two actions will take place when One-Step Lockdown is implemented? (Choose two.)
A. Security passwords will be required to be a minimum of 8 characters.
B. CDP will be enabled.
C. Logging will be enabled.
D. A banner will be set.
E. Telnet settings will be disabled.

Correct Answer: CD Section: (none) Explanation
Explanation/Reference:
Explanation:
Cisco SDM is an intuitive, web-based device-management tool for Cisco IOS software-based routers. Cisco SDM simplifies router and security configuration through smart wizards, which help you to quickly and easily deploy, configure, and monitor a Cisco router without requiring knowledge of the CLI. Cisco SDM simplifies firewall and Cisco IOS software configuration without requiring expertise about security or Cisco IOS software. Cisco SDM contains a Security Audit wizard that provides a comprehensive router security audit. Cisco SDM uses security configurations recommended by Cisco Technical Assistance Center (TAC) and International Computer Security Association (ICSA) as its basis for comparisons and default settings. The Security Audit wizard assesses the vulnerability of the existing router and provides quick compliance to best-practice security policies.
SDM can implement almost all of the configurations that AutoSecure offers with the One-Step Lockdown feature.
QUESTION 66
Which two network attack statements are true? (Choose two.)
A. Access attacks can consist of password attacks, trust exploitation, port redirection, and man-in- the-middle attacks.
B. IP spoofing can be reduced through the use of policy-based routing.
C. DoS attacks can be reduced through the use of access control configuration, encryption, and RFC 2827 filtering.
D. IP spoofing exploits known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information.
E. Access attacks can consist of UDP and TCP SYN flooding, ICMP echo-request floods, and ICMP directed broadcasts.
F. DoS attacks can consist of IP spoofing and DDoS attacks.
Correct Answer: AF Section: (none) Explanation

Explanation/Reference:
Explanation: An attack against an enterprise network occurs in several stages. In the initial stages, the attacker may have only limited information about the target. One of the primary attacker objectives is to gather intelligence about the target vulnerabilities. The process of unauthorized collection of information about the network weaknesses is called a reconnaissance attack.
Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information.
DoS attacks are one of the most publicized forms of attack, and are also among the most difficult to completely eliminate. They can employ various techniques, such as overwhelming network resources, to render systems unavailable or reduce their functionality. A DoS attack on a server sends extremely large volumes of requests over a network or the Internet. These large volumes of requests cause the attacked server to dramatically slow down, resulting in the attacked server becoming unavailable for legitimate access and use. Distributed DoS attacks are the “next generation” of DoS attacks on the Internet. Victims of distributed DoS attacks experience packet flooding from many different sources (possibly spoofed IP source addresses) that overwhelm the network connectivity. In the past, the typical DoS attack involved a single attempt to flood a target host with packets. With distributed DoS tools, an attacker can conduct the same attack using thousands of systems.
QUESTION 67
What three features does Cisco Security Device Manager (SDM) offer? (Choose three.)
A. one-step router lockdown
B. single-step deployment of basic and advanced policy settings
C. security auditing capability based upon CERT recommendations
D. multi-layered defense against social engineering
E. single-step mitigation of Distributed Denial of Service (DDoS) attacks
F. smart wizards and advanced configuration support for NAC policy features

Correct Answer: ABF Section: (none) Explanation
Explanation/Reference:
Explanation: Some of the features and benefits of the Cisco SDM include: Integrated Security Configuration: When deploying a new router, Cisco SDM users can configure a Cisco IOS Software firewall quickly and using the best practices recommended by the International Computer Security Association (ICSA) and the Cisco Technical Assistance Center (TAC). An advanced firewall wizard allows a single-step deployment of high, medium, or low application firewall policy settings. In addition, Cisco SDM users can perform one-step router lockdown for firewalls and one-step VPN for quick deployment of secure site-to-site connections. A recommended list of IPS signatures bundled with Cisco SDM allows quick deployment of worm, virus, and protocol exploit mitigation. The Cisco SDM Network Admission Control (NAC) wizard enables simple and fast integration of NAC and client security posture management into an existing network infrastructure. Reference: Cisco Router and Security Device Manager http://www.cisco.com/en/US/prod/collateral/routers/ps5318/product_data_sheet0900aecd800fd118.html
QUESTION 68
Refer to the exhibit. Which two statements are true based on the output of the show crypto isakmp sa command? (Choose two.)

A. QM_idle indicates an active IKE SA.
B. QM_idle indicates an inactive IPsec SA.
C. QM_idle indicates an active IPsec SA.
D. QM_idle indicates an inactive IKE SA.
E. All current security associations (SA) are displayed.
F. The settings of the current SAs are displayed.
Correct Answer: AE Section: (none) Explanation
Explanation/Reference:
Explanation:
To display all current Internet Key Exchange (IKE) security associations (SAs) at a peer, use the show crypto isakmp sa command in EXEC mode.
When an Internet Security Association and Key Management Protocol (ISAKMP) SA exists, it will most likely be in its quiescent state (QM_IDLE).
Reference:
http://www.cisco.com/en/US/docs/ios/12_3/security/command/reference/sec_r1g.html#wp1074075

QUESTION 69
Refer to the exhibit. Which two statements are true about the information that is shown from the Cisco VPN screens? (Choose two.)

A. Selecting Allow Local LAN Access on the connection entry on the right allows Local LAN Routes to be available on the Route Details on the left screen.
B. The 10.10.32.32 network entry in the Route Details screen represents the IP address of the server end of the encrypted tunnel.
C. Selecting Enable Transparent Tunneling on the connection entry on the right allows Local LAN Routes to be available on the Route Details on the left screen.
D. The 10.10.32.32 network entry in the Route Details screen represents an IP address that will be accessed without traversing the VPN.
E. Selecting IPSec over TCP on the connection entry on the right allows Local LAN Routes to be available on the Route Details on the left screen.

Correct Answer: AD Section: (none) Explanation
Explanation/Reference:
Explanation: Transparent tunneling allows secure transmission between the VPN Client and a secure gateway through a router serving as a firewall, which may also be performing Network Address Translation (NAT) or Port Address Translation (PAT). Transparent tunneling encapsulates Protocol 50 (Encapsulating Security Payload, or ESP) traffic within UDP packets and can allow both Internet Security Association and Key Management Protocol (ISAKMP) and Protocol 50 to be encapsulated in TCP packets before they are sent through the NAT or PAT devices or firewalls. The most common application for transparent tunneling is behind a home router performing PAT.

QUESTION 70
What is preventing a successful ping between the HQ router and the 192.168.1.10 interface on the Branch3 router?

A. The tunnel interface numbers for the tunnel between the HQ router and the Branch3 router do not match.
B. The IP address on the tunnel interface for the Branch3 router has the wrong IP mask. It should be 255.255.255.252.
C. The network statement under router EIGRP on the Branch3 router is incorrect. It should be network 192.168.2.0 0.0.0.255.
D. The default route is missing from the Branch3 router.
E. The tunnel source is incorrect on the Branch3 router. It should be serial 2/0.

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
QUESTION 71
Refer to the exhibit, which shows a PPPoA diagram and partial SOHO77 configuration.
Which command needs to be applied to the SOHO77 to complete the configuration?

A. encapsulation aal5mux ppp dialer applied to the PVC
B. encapsulation aal5snap applied to the PVC
C. encapsulation aal5ciscoppp applied to the ATM0 interface
D. encapsulation aal5mux ppp dialer applied to the ATM0 interface
E. encapsulation aal5ciscoppp applied to the PVC

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation: Configuring the Dialer Interface. Use these commands if you are using PPP encapsulation for the ATM PVC. Configure the dialer interface beginning in global configuration mode.
Configuration Example: The following example shows the dialer interface configuration. You do not need to input the commands marked “default.” These commands appear automatically in the configuration file generated when you use the show running-config command.
!
interface atm0
 pvc 1/40
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface dialer 0
 ip address 200.200.100.1 255.255.255.0
 encapsulation ppp
 dialer pool 1
!
Reference: http://www.cisco.com/en/US/docs/routers/access/800/820/software/configuration/guide/routconf.html
QUESTION 72
What is required when configuring IOS Firewall using the CLI?
A. IOS IPS enabled on the untrusted interface
B. route-map to define the application inspection rules
C. NBAR enabled to perform protocol discovery and deep packet inspection
D. route-map to define the trusted outgoing traffic
E. an inbound extended ACL applied to the untrusted interface

Correct Answer: E Section: (none) Explanation
Explanation/Reference:
Explanation:
External Interface:
Here are some tips for your access lists when you will be configuring CBAC on an external interface:
If you have an outbound IP access list at the external interface, the access list can be a standard or extended access list. This outbound access list should permit traffic that you want to be inspected by CBAC. If traffic is not permitted, it will not be inspected by CBAC, but will be simply dropped.

The inbound IP access list at the external interface must be an extended access list. This inbound access list should deny traffic that you want to be inspected by CBAC. (CBAC will create temporary openings in this inbound access list as appropriate to permit only return traffic that is part of a valid, existing session.)
Reference: http://www.cisco.com/en/US/docs/ios/12_0t/12_0t5/feature/guide/iosfw2_2.html
QUESTION 73
Which three DSL technologies support an analog POTS channel and utilize the entire bandwidth of the copper to carry data? (Choose three.)
A. VDSL
B. IDSL
C. SDSL
D. ADSL
E. RADSL

Correct Answer: ADE Section: (none) Explanation
Explanation/Reference:
Explanation:
Asymmetric DSL Types: ADSL is most commonly deployed in the current broadband market where DSL is offered. The following are the different flavors of DSL currently available:
ADSL: The full-rate offering of ADSL, which can be configured to deliver from 1.5 to 8 Mbps downstream and 16 kbps to 1 Mbps upstream over a local loop up to 18,000 feet in length. ADSL enables voice and high-speed data to be sent simultaneously over the existing telephone line. ITU-T Recommendation G.992.1 and ANSI Standard T1.413-1998 specify full-rate ADSL.
G.Lite ADSL: Known as splitterless ADSL, an ITU standard specifically developed to meet the “plug-and-play” requirements of the consumer market segment. G.Lite is a medium bandwidth version of ADSL that allows up to 1.5 Mbps downstream and up to 512 kbps upstream, and allows voice and data to coexist on the wire without the use of splitters. G.Lite is a globally standardized (ITU-T G.992.2) interoperable ADSL system. Typical telco implementations currently provide 1.5 Mbps downstream and 512 kbps upstream.
RADSL (rate-adaptive DSL): A nonstandard version of ADSL that automatically adjusts the connection speed to adjust for the quality of the telephone line. This allows RADSL to function over longer distances than ADSL. Note, however, that standard ADSL also permits the ADSL modem to adapt speeds of data transfer.
VDSL (very-high-bit-rate DSL): Provides 13 to 55 Mbps, over distances up to 4500 feet on short loops, such as from fiber to the curb. In most cases, VDSL lines are served from neighborhood cabinets that link to a central office via optical fiber. VDSL can also be configured in symmetric mode. Cisco Long Reach Ethernet (LRE) is based on VDSL technologies.
Symmetric DSL Types: Although SDSL methodologies are not as widespread as those in the ADSL offerings, they are just as viable as broadband technologies. SDSL is available in the following forms:
SDSL (symmetric DSL): Provides identical transfer rates, both downstream and upstream, ranging from as slow as 128 kbps to as fast as 2.32 Mbps. The most typical implementation is 768 kbps. SDSL is a rather general term that encompasses a number of varying vendor implementations providing variable rates of service over a single copper pair. SDSL has a distance limit of 21,000 feet.
G.SHDSL (symmetric high-data-rate DSL): An industry-standard SDSL offering. SHDSL equipment conforms to the ITU-T Recommendation G.991.2. G.SHDSL outperforms older SDSL versions with a better loop reach (26,000 feet) and less crosstalk into other transmission systems in the same cable, and promises vendor interoperability. G.SHDSL systems operate in a range of transfer rates from 192 kbps to 2.3 Mbps. SHDSL is best suited to data-only applications that require higher upstream transfer rates than those typically available in DSL implementations.
HDSL (high-data-rate DSL): Created in the late 1980s, this technology is meant to deliver symmetric service at upstream and downstream transfer rates up to 768 kbps in each direction (for a total of 1.544 Mbps). It is available in 1.544 Mbps (T1) as described or 2.048 Mbps (E1) depending on the country in which it is deployed. This symmetric fixed-rate service does not allow for standard telephone service over the same copper pair.
HDSL2 (second-generation HDSL): Evolution of HDSL that allows 1.5 Mbps downstream and upstream transfer rates while still enabling the support of voice (Voice over IP), data, and video using either ATM or other technology over the same copper pair. HDSL2 does not provide standard POTS voice telephone service on the same wire pair. HDSL2 differs from HDSL in that HDSL2 uses one pair of wires to convey 1.5 Mbps, whereas ANSI HDSL uses two wire pairs.
IDSL (ISDN DSL): Supports downstream and upstream transfer rates of up to 144 kbps (two 64-kbps channels plus one 16-kbps D channel for signaling) using existing phone lines. IDSL supports a local loop length of 18,000 feet but can be augmented to 45,000 feet using repeaters. It is unique in that it has the ability to deliver services through a digital loop carrier (DLC), a remote device that is typically located in remote terminals placed in newer housing developments to simplify the distribution of wiring from the telco. IDSL differs from traditional ISDN in that it is an always-available service rather than a dialup service. It is, however, capable of using the same terminal adapter (TA) used in traditional ISDN installations. IDSL is a data-only service and does not support traditional voice services.
Reference: Cisco ISCW book (CCNP ISCW Official Exam Certification Guide), chapter 4, pages 87-88 ISBN-13: 978-1-58720-150-9 ISBN-10: 1-58720-150-x
QUESTION 74
Refer to the exhibit. A network administrator wishes to mitigate network threats. Given that purpose, which two statements about the IOS firewall configuration that is revealed by the output are true? (Choose two.)

A. The command ip inspect FIREWALL_ACL out must be applied on interface FastEthernet 0/0.
B. The configuration excerpt is an example of a CBAC list.
C. The command ip access-group FIREWALL_ACL in must be applied on interface FastEthernet 0/1.
D. The command ip inspect FIREWALL_ACL out must be applied on interface FastEthernet 0/1.
E. The command ip access-group FIREWALL_ACL in must be applied on interface FastEthernet 0/0.
F. The configuration excerpt is an example of a reflexive ACL.

Correct Answer: BD Section: (none) Explanation
Explanation/Reference:
Explanation: The inspection rule consists of a series of statements, each listing a protocol and specifying the same inspection rule name. Inspection rules include options for controlling alert and audit trail messages, and for checking IP packet fragmentation:
ip inspect name inspection-name protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]
After creating the inspection rule, you need to apply it to an interface in the appropriate direction:
Router(config-if)# ip inspect inspect_rule {in | out}
QUESTION 75
Refer to the exhibit. Which configuration option would correctly configure router RTA to mitigate a range of threats?

A. RTA(config)# interface Fa0/1 RTA(config-if)# ip access-group 150 out
B. RTA(config)# line vty 0 4 RTA(config-line)# access-class 150 in
C. RTA(config)# line vty 0 4 RTA(config-line)# access-class 150 out
D. RTA(config)# interface Fa0/0 RTA(config-if)# ip access-group 150 out
E. RTA(config)# interface Fa0/0 RTA(config-if)# ip access-group 150 in
F. RTA(config)# interface Fa0/1 RTA(config-if)# ip access-group 150 in

Correct Answer: F Section: (none) Explanation
Explanation/Reference:
Explanation: In this example, you would want to prevent invalid hosts and networks from reaching the RTA router from the Internet, so the access list should be placed for incoming traffic (inbound) and applied to the interface used to connect to the ISP, which is Fa0/1 in this case.
QUESTION 76
Refer to the exhibit. Which statement is true about the configuration of split tunnels using SDM?

A. Any protected subnets that are entered represent subnets at the VPN server site that will be accessed through the encrypted tunnel.
B. Any protected subnets that are entered represent subnets at the VPN server site that will be accessed without going through the encrypted tunnel.
C. Any protected subnets that are entered represent subnets at the end user’s site that will be accessed through the encrypted tunnel.
D. Any protected subnets that are entered represent subnets at the end user’s site that will be accessed without going through the encrypted tunnel.

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
You should keep split tunneling disabled (the default) to prevent any compromised client PC from becoming a proxy between the Internet and the VPN.
If, however, split tunneling is required, you should complete one of the following two configuration options on the Split Tunneling tab:
Step 1 Check the Enable Split Tunneling check box.
Step 2 Click the Enter the protected subnets radio button.
Step 3 Click Add to add a network.
Step 4 In the Add a Network window, define protected networks (all other destinations will be reachable by bypassing the tunnel).
Step 5 Click OK.
Alternatively, click the Select the Split tunneling ACL radio button to use an existing ACL or create a new ACL to configure split tunneling.

QUESTION 77
Which IPsec VPN backup technology statement is true?
A. The crypto isakmp keepalive command is used to configure stateless failover.
B. The crypto isakmp keepalive command is used to configure the Stateful Switchover (SSO) protocol.
C. Reverse Route Injection (RRI) is configured at the remote site to inject the central site networks.
D. Each Hot Standby Routing Protocol (HSRP) standby group has two well-known MAC addresses and a virtual IP address.
E. The reverse-route command should be applied directly to the outside interface.

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
Use the crypto isakmp keepalive command to enable the gateway to send DPD messages to the peer. DPD is a keepalive scheme that allows the router to query the liveliness of its Internet Key Exchange (IKE) peer. Use the periodic keyword to configure your router so that DPD messages are “forced” at regular intervals. This forced approach results in earlier detection of dead peers than with the on-demand approach. If you do not configure the periodic option, the router defaults to the on-demand approach. DPD and IOS keepalive features can be used in conjunction with multiple peers in the crypto map to allow for stateless failover.
Reference: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtdpmo.html#wp1057253
QUESTION 78
Refer to the exhibit. On the basis of the partial output that is displayed in the exhibit, which two statements are true? (Choose two.)

A. The ISP router initiated the connection to the CPE router.
B. The output is the result of the debug ppp negotiation command.
C. This is the CPE router.
D. This is the ISP router.
E. The output is the result of the debug ppp authentication command.
F. The output is the result of the debug pppoe events command.

Correct Answer: CE Section: (none) Explanation
Explanation/Reference:
Explanation:
Sample Debug Output
Following is sample output from the debug ppp authentication command:

Router 1
r1# ping 20.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:

*Mar 1 20:06:27.179: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to up
*Mar 1 20:06:27.183: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to 5772222
*Mar 1 20:06:27.187: BR0/0:1 PPP: Treating connection as a callout
*Mar 1 20:06:27.223: BR0/0:1 CHAP: I CHALLENGE id 57 len 23 from "r2"
!--- Received a CHAP challenge from other router (r2)
*Mar 1 20:06:27.223: BR0/0:1 CHAP: Using alternate hostname alias-r1
!--- Using alternate hostname configured with
!--- ppp chap hostname command
*Mar 1 20:06:27.223: BR0/0:1 CHAP: O RESPONSE id 57 Len 29 from "alias-r1"
!--- Sending response from "alias-r1"
!--- which is the alternate hostname for r1
*Mar 1 20:06:27.243: BR0/0:1 CHAP: I SUCCESS id 57 Len 4
!--- Received CHAP authentication is successful
!--- Note that r1 is not challenging r2
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 36/38/40 ms
r1#
*Mar 1 20:06:28.243: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0/0:1, changed state to up
r1#
*Mar 1 20:06:33.187: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to 5772222
r2
Reference: http://www.cisco.com/en/US/tech/tk713/tk507/technologies_configuration_example09186a0080094333.shtml
QUESTION 79
Refer to the exhibit. On the basis of the information that is provided, which statement is true?

A. A UDP session that started between 192.168.1.116 and 192.168.101.115 caused dynamic ACL entries to be created.
B. A TCP session that started between 192.168.1.116 and 192.168.101.115 caused dynamic ACL entries to be created.
C. The IOS firewall has allowed an HTTP session between two devices.
D. Telnet is the only protocol allowed through this IOS firewall configuration.

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
We can see that a TCP port 23 packet (telnet) sourced from 192.168.1.116 to 192.168.101.115 triggered
this dynamic access list.
The following is sample output from the show ip inspect session detail command, which shows that an
outgoing ACL and an inbound ACL (dynamic ACLs) have been created to allow return traffic:

Router# show ip inspect session detail

Established Sessions
 Session 80E87274 (192.168.1.116:32956)=>(192.168.101.115:23) tcp SIS_OPEN
  Created 00:00:08, Last heard 00:00:04
  Bytes sent (initiator:responder) [140:298]
  acl created 2
   Outgoing access-list 102 applied to interface FastEthernet0/0
   Inbound access-list 101 applied to interface FastEthernet0/1

Router#show access-lists

Extended IP access list 101
    permit tcp host 192.168.101.115 eq telnet host 192.168.1.116 eq 32956 (27 matches)
    deny udp any any
    deny tcp any any
    permit ip any any

Extended IP access list 102
    permit tcp host 192.168.101.115 eq telnet host 192.168.1.116 eq 32956 (27 matches)
    deny udp any any
    deny tcp any any
    permit ip any any

Note: This example, found at the link below, is identical to the example in the question.
Reference: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt_aclby.html

QUESTION 80
This item contains several questions that you must answer. You can view these questions by clicking on the Questions button to the left. Changing questions can be accomplished by clicking the numbers to the left of each question. In order to complete the questions, you will need to refer to the SDM and the topology, neither of which is currently visible.
To gain access to either the topology or the SDM, click on the button on the left side of the screen that corresponds to the section you wish to access. When you have finished viewing the topology or the SDM, you can return to your questions by clicking on the Questions button to the left.

Off Shore Industries is a large worldwide sailing charter. The company has recently upgraded its Internet connectivity. As a recent addition to the network engineering team, you have been tasked with documenting the active Firewall configurations on the Annapolis router using the Cisco Router and Security Device Manager (SDM) utility. Using the SDM output from Firewall and ACL Tasks under the Configure tab, answer the following questions:
Which statement is true?
A. FastEthernet 0/0 is a trusted interface and Serial 0/0/0 is an untrusted interface.
B. FastEthernet 0/0 is an untrusted interface and Serial 0/0/0 is a trusted interface.
C. Both FastEthernet 0/0 and Serial 0/0/0 are untrusted interfaces.
D. Both FastEthernet 0/0 and Serial 0/0/0 are trusted interfaces.

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
An untrusted interface (connecting to the Internet) is an interface that is configured to receive messages from outside of the network or firewall. A trusted interface is one that is configured to receive only messages from within the network.
The direction of ACL 100 is from F0/0 to S0/0/0; it allows all source IP addresses except 172.16.81.108/0.0.0.3, 255.255.255.255 and 127.0.0.0/8, so it is likely the direction from the inside to the outside network. The direction of ACL 101 is from S0/0/0 to F0/0; it only allows the echo-reply, time-exceeded and unreachable ICMP services to the destination address 172.16.81.108, denies 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4 and 240.0.0.0/4, and logs all other access, so it is likely the direction from the outside to the inside network. Therefore, F0/0 is used to connect the inside network and S0/0/0 is used to connect the outside network.
QUESTION 81
Which three statements about IOS Firewall configurations are true? (Choose three.)
A. The ACL applied in the inbound direction on the unsecured interface should be an extended ACL.
B. For temporary openings to be created dynamically by Cisco IOS Firewall, the access-list for the returning traffic must be a standard ACL.
C. For temporary openings to be created dynamically by Cisco IOS Firewall, the IP inspection rule must be applied to the secured interface.
D. The IP inspection rule can be applied in the inbound direction on the secured interface.
E. The IP inspection rule can be applied in the outbound direction on the unsecured interface.
F. The ACL applied in the outbound direction on the unsecured interface should be an extended ACL.

Correct Answer: ADE Section: (none) Explanation
Explanation/Reference:
Explanation: You must decide whether to configure Cisco IOS Firewall on an internal or external router interface. If you configure the firewall in two directions, you should configure the inspection in one direction first, using the appropriate internal and external interface designations. When you configure the inspection in the other direction, the interface designations will be swapped.
Follow these general rules when evaluating your IP ACLs at the firewall:
Start with a basic configuration. A basic initial configuration allows all network traffic to flow from protected networks to unprotected networks, while it blocks network traffic from any unprotected networks.
Permit traffic that should be inspected by the Cisco IOS Firewall. For example, if Telnet will be inspected by the firewall, then Telnet traffic should be permitted on all ACLs that apply to the initial Telnet flow.
Use extended ACLs to filter traffic entering the router from the unprotected networks. For temporary openings to be created dynamically by Cisco IOS Firewall, the access control list (ACL) for the returning traffic must be an extended ACL.
Deny any inbound traffic (incoming on the external interface) from a source address matching an address on the protected network. This is known as antispoofing protection, because it prevents traffic from an unprotected network from assuming the identity of a device on the protected network.
Deny broadcast messages with a source address of 255.255.255.255. This entry helps to prevent broadcast attacks.
By default, the last entry in an ACL is an implicit denial of all IP traffic not specifically allowed by other entries in the ACL. Optionally, you can add an entry to the ACL denying IP traffic with any source or destination address, thus making the denial rule explicit. This is especially useful if you want to log information about the denied packets.
QUESTION 82
Refer to the exhibit. In the SDM Site-to-Site VPN wizard, what are three requirements that are accessed by the Add button? (Choose three.)

A. keyed-hash message authentication code
B. IPsec proposal priority
C. IPsec authentication method
D. IKE lifetime
E. Diffie-Hellman group
F. bits that are used in AES encryption method

Correct Answer: ADE Section: (none) Explanation
Explanation/Reference:
QUESTION 83
What are two principles to follow when configuring ACLs with IOS Firewall? (Choose two.)
A. Prevent traffic that will be inspected by IOS Firewall from leaving the network through the firewall.
B. Permit broadcast messages with a source address of 255.255.255.255.
C. Configure an ACL to deny traffic from the protected networks to the unprotected networks.
D. Allow traffic that will be inspected by IOS Firewall to leave the network through the firewall.
E. Configure extended ACLs to prevent IOS Firewall return traffic from entering the network through the firewall.

Correct Answer: DE Section: (none) Explanation
Explanation/Reference:
Explanation: Configuring IP Access Lists at the Interface. For CBAC to work properly, you need to make sure that you have IP access lists configured appropriately at the interface.
Follow these three general rules when evaluating your IP access lists at the firewall:
Start with a basic configuration.
If you try to configure access lists without a good understanding of how access lists work, you might inadvertently introduce security risks to the firewall and to the protected network. You should be sure you understand what access lists do before you configure your firewall.
A basic initial configuration allows all network traffic to flow from the protected networks to the unprotected networks, while blocking network traffic from any unprotected networks.
Permit CBAC traffic to leave the network through the firewall.
All access lists that evaluate traffic leaving the protected network should permit traffic that will be inspected by CBAC. For example, if Telnet will be inspected by CBAC, then Telnet traffic should be permitted on all access lists that apply to traffic leaving the network.
Use extended access lists to deny CBAC return traffic entering the network through the firewall.
For temporary openings to be created in an access list, the access list must be an extended access list. So wherever you have access lists that will be applied to returning traffic, you must use extended access lists. The access lists should deny CBAC return traffic because CBAC will open up temporary holes in the access lists. (You want traffic to be normally blocked when it enters your network.)
Reference: Cisco IOS Firewall Context-Based Access Control http://www.cisco.com/en/US/docs/ios/12_0t/12_0t5/feature/guide/iosfw2_2.html
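The temporary-opening mechanism that the explanations for Questions 72, 79, 80, 81 and 83 describe, as an added example that is not part of the original practice exam and not Cisco code: a small Python model in which the outbound ACL decides what reaches inspection, inspection of a permitted TCP flow inserts a mirror-image permit entry at the top of the inbound extended ACL, and the static entries below it (antispoofing deny for the inside network, broadcast-source deny, deny udp/tcp any any, permit ip any any) follow access-list 101 from the show ip inspect output and the rules quoted above. The addresses reuse the 192.168.1.116 to 192.168.101.115 Telnet session from that output; the inside prefix 192.168.1.0/24, the list of inspected protocols and the explicit session-close call are assumptions made for the illustration, and idle timeouts and TCP state tracking are left out.

```python
"""Simplified model of a Cisco IOS Firewall (CBAC) inspection rule punching
temporary openings into the inbound extended ACL on the external interface.
Constructed illustration, not Cisco code: addresses follow the show ip inspect
output above; session timeouts and TCP state tracking are omitted."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

ANY = "0.0.0.0/0"
PROTECTED = "192.168.1.0/24"  # inside network, assumed from the exhibit addresses

@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0  # 0 when the protocol has no ports
    dport: int = 0

@dataclass
class AclEntry:
    action: str  # "permit" or "deny"
    proto: str  # "ip" matches every protocol
    src: str  # CIDR; 0.0.0.0/0 is IOS "any"
    dst: str
    sport: Optional[int] = None  # None matches any port
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.sport in (None, p.sport) and self.dport in (None, p.dport))

    def render(self) -> str:  # IOS-style text, e.g. 'permit tcp host A eq 23 host B eq 32956'
        def side(cidr: str, port: Optional[int]) -> str:
            n = ip_network(cidr)
            text = ("any" if n.prefixlen == 0 else f"host {n.network_address}"
                    if n.prefixlen == 32 else f"{n.network_address} {n.hostmask}")
            return text if port is None else f"{text} eq {port}"
        return f"{self.action} {self.proto} {side(self.src, self.sport)} {side(self.dst, self.dport)}"

def evaluate(acl: List[AclEntry], p: Packet) -> str:
    """Extended ACL semantics: first matching entry wins, implicit deny at the end."""
    return next((e.action for e in acl if e.matches(p)), "deny")

class IosFirewall:
    """External-interface view: outbound ACL plus inspection, inbound extended ACL."""
    def __init__(self, inspect: List[str], outbound_acl: List[AclEntry], inbound_acl: List[AclEntry]):
        self.inspect, self.outbound_acl, self.inbound_acl = set(inspect), outbound_acl, inbound_acl
        self.sessions: Dict[tuple, AclEntry] = {}

    def outbound(self, p: Packet) -> str:
        """Packet leaving the protected network; only traffic the ACL permits is inspected."""
        verdict = evaluate(self.outbound_acl, p)
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if verdict == "permit" and p.proto in self.inspect and key not in self.sessions:
            # Mirror of this flow (responder -> initiator), placed ahead of the static entries as CBAC does
            opening = AclEntry("permit", p.proto, f"{p.dst}/32", f"{p.src}/32",
                               sport=p.dport, dport=p.sport)
            self.inbound_acl.insert(0, opening)
            self.sessions[key] = opening
        return verdict

    def inbound(self, p: Packet) -> str:  # packet arriving on the external interface
        return evaluate(self.inbound_acl, p)

    def close(self, key: tuple) -> None:
        """Session ended (FIN/RST or idle timeout): the opening disappears with it."""
        self.inbound_acl.remove(self.sessions.pop(key))

def build_firewall() -> IosFirewall:
    outbound = [AclEntry("permit", "ip", PROTECTED, ANY)]  # inside -> outside flows freely
    inbound = [
        AclEntry("deny", "ip", PROTECTED, ANY),  # antispoofing: inside addresses never arrive from outside
        AclEntry("deny", "ip", "255.255.255.255/32", ANY),  # broadcast source
        AclEntry("deny", "udp", ANY, ANY),  # return traffic is denied statically;
        AclEntry("deny", "tcp", ANY, ANY),  # inspection opens holes for valid sessions only
        AclEntry("permit", "ip", ANY, ANY),  # as in access-list 101 above
    ]
    return IosFirewall(["tcp"], outbound, inbound)

def demo() -> Dict[str, object]:
    fw, out = build_firewall(), {}
    out["telnet_out"] = fw.outbound(Packet("tcp", "192.168.1.116", "192.168.101.115", 32956, 23))
    out["opening"] = fw.inbound_acl[0].render()
    out["return"] = fw.inbound(Packet("tcp", "192.168.101.115", "192.168.1.116", 23, 32956))
    out["unsolicited"] = fw.inbound(Packet("tcp", "192.168.101.115", "192.168.1.116", 23, 40000))
    out["spoofed"] = fw.inbound(Packet("tcp", "192.168.1.50", "192.168.1.116", 23, 32956))
    out["udp_out"] = fw.outbound(Packet("udp", "192.168.1.116", "192.168.101.115", 5000, 53))
    out["udp_return"] = fw.inbound(Packet("udp", "192.168.101.115", "192.168.1.116", 53, 5000))
    fw.close(("tcp", "192.168.1.116", 32956, "192.168.101.115", 23))
    out["return_after_close"] = fw.inbound(Packet("tcp", "192.168.101.115", "192.168.1.116", 23, 32956))
    out["static_acl"] = [e.render() for e in fw.inbound_acl]
    return out
```

Running demo() shows the return packet of the Telnet session permitted through the dynamic entry, the same responder sending to a different client port denied by the static deny tcp any any, an inbound packet claiming an inside source address stopped by the antispoofing entry, UDP return traffic denied because UDP was not in the inspection list even though the outbound UDP packet was permitted, and the Telnet return packet denied again once the session is closed. Because the dynamic entries are evaluated first, the order of the static entries only governs traffic that is not part of an inspected session, which is why the page insists that the static inbound ACL deny return traffic and that it be an extended ACL.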
QUESTION 84
Which two network attack statements are true? (Choose two.)
A. Access attacks can consist of UDP and TCP SYN flooding, ICMP echo-request floods, and ICMP directed broadcasts.
B. IP spoofing can be reduced through the use of policy-based routing.
C. DoS attacks can be reduced through the use of access control configuration, encryption, and RFC 2827 filtering.
D. DoS attacks can consist of IP spoofing and DDoS attacks.
E. IP spoofing exploits known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information.
F. Access attacks can consist of password attacks, trust exploitation, port redirection, and man-in- the-middle attacks.

Correct Answer: DF Section: (none) Explanation
Explanation/Reference:
Explanation: An attack against an enterprise network occurs in several stages. In the initial stages, the attacker may have only limited information about the target. One of the primary attacker objectives is to gather intelligence about the target vulnerabilities. The process of unauthorized collection of information about the network weaknesses is called a reconnaissance attack.
Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information.
DoS attacks are one of the most publicized forms of attack, and are also among the most difficult to completely eliminate. They can employ various techniques, such as overwhelming network resources, to render systems unavailable or reduce their functionality. A DoS attack on a server sends extremely large volumes of requests over a network or the Internet. These large volumes of requests cause the attacked server to dramatically slow down, resulting in the attacked server becoming unavailable for legitimate access and use. Distributed DoS attacks are the “next generation” of DoS attacks on the Internet. Victims of distributed DoS attacks experience packet flooding from many different sources (possibly spoofed IP source addresses) that overwhelm the network connectivity. In the past, the typical DoS attack involved a single attempt to flood a target host with packets. With distributed DoS tools, an attacker can conduct the same attack using thousands of systems.
QUESTION 85
Refer to the exhibit.
On the basis of the information that is provided, which two statements are true? (Choose two.)

A. The Edit IPS window is currently in Global Settings view.
B. The Edit IPS window is currently in IPS Policies view.
C. To enable an IPS policy on an interface, click on the interface and deselect Disable.
D. The Edit IPS window is currently in Signatures view.
E. Right-clicking on an interface will display a shortcut menu with options to edit an action or to set severity levels.
F. An IPS policy can be edited by choosing the Edit button.

Correct Answer: BF Section: (none) Explanation
Explanation/Reference:
Explanation: Edit IPS: IPS Policies. This window displays the Cisco IOS IPS status of all router interfaces, and allows you to enable and disable Cisco IOS IPS on interfaces.
Enable button: Click to enable Cisco IOS IPS on the specified interface. You can specify the traffic directions to which Cisco IOS IPS is to be applied, and the ACLs used to define the type of traffic you want to examine.
Edit button: Click to edit the Cisco IOS IPS characteristics applied to the specified interface.
Reference: http://www.cisco.com/en/US/docs/routers/access/cisco_router_and_security_device_manager/25/software/user/guide/IPS.html#wp1052734
QUESTION 86
Refer to the exhibit. Which two statements about the SDF Locations window of the IPS Rule wizard are true? (Choose two.)

A. The Use Built-In Signatures (as backup) check box is selected by default.
B. If all specified SDF locations fail to load, the signature file that is named default.sdf will be loaded.
C. The name of the built-in signature file is default.sdf.
D. The Autosave feature automatically saves the SDF alarms if the router crashes.
E. The Autosave feature is automatically enabled for the default built-in signature file.
F. An HTTP SDF file location can be specified by clicking the Add button.

Correct Answer: AF Section: (none) Explanation
Explanation/Reference:
Explanation: Create IPS: SDF Location. Cisco IOS IPS examines traffic by comparing it against signatures contained in a signature definition file (SDF). The SDF can be located in router flash memory or on a remote system that the router can reach. You can specify multiple SDF locations so that if the router is not able to contact the first location, it can attempt to contact other locations until it obtains an SDF. Use the Add, Delete, Move Up, and Move Down buttons to add, remove, and order a list of SDF locations that the router can attempt to contact to obtain an SDF. The router starts at the first entry and works down the list until it obtains an SDF. Cisco IOS images that support Cisco IOS IPS contain built-in signatures. If you check the box at the bottom of the window, the router will use the built-in signatures only if it cannot obtain an SDF from any location in the list. The engine options are:
Fail Closed: By default, while Cisco IOS compiles a new signature for a particular engine, it allows packets to pass through without scanning for the corresponding engine. When enabled, this option makes Cisco IOS drop packets during the compilation process.
Use Built-in Signatures (as backup): If Cisco IOS IPS does not find signatures or fails to load them from the specified locations, it can use the Cisco IOS built-in signatures to enable Cisco IOS IPS. This option is enabled by default.
Deny Action on IPS Interface: We recommend this when the router is performing load balancing. When enabled, this option causes Cisco IOS IPS to enable ACLs on Cisco IOS IPS interfaces instead of enabling them on the interfaces from which attack traffic came.
Reference: http://www.cisco.com/en/US/docs/routers/access/cisco_router_and_security_device_manager/25/software/user/guide/IPS.html

QUESTION 87
Which statement describes the Authentication Proxy feature?
A. All traffic is permitted from the inbound to the outbound interface upon successful authentication of the user.
B. The proxy server capabilities of the IOS Firewall are enabled upon successful authentication of the user.
C. Prior to responding to a proxy ARP, the router will prompt the user for a login and password, which are authenticated based on the configured AAA policy.
D. A specific access profile is retrieved from a TACACS+ or RADIUS server and applied to an IOS Firewall based on user-provided credentials.

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
The authentication proxy feature allows a Cisco IOS router to intercept an HTTP or HTTPS session and
prompt the user for authentication. The authentication is typically offloaded to an authentication,
authorization, and accounting (AAA) server. In addition to just accepting or denying the connection, the
router can download an authorization profile from the AAA server and apply that profile as an ACL to its
interface. The profile includes information about the services that are accessible to the connecting user.
Consequently all other traffic will be denied.

QUESTION 88
Which statement is true about a worm attack?
A. Data or commands are injected into an existing stream of data. That stream is passed between a client and server application.
B. The worm executes arbitrary code and installs copies of itself in the memory of the infected computer.
C. Human interaction is required to facilitate the spread.
D. Extremely large volumes of requests are sent over a network or over the Internet.

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: A worm executes arbitrary code and installs copies of itself in the memory of the infected computer, and from there infects other hosts. Like a virus, a worm is a program that propagates itself; unlike a virus, a worm spreads itself automatically over the network from one computer to the next without human interaction (which is why option C is false). Worms are not clever or evil; they simply take advantage of automatic file sending and receiving features found on many computers.
QUESTION 89
Refer to the exhibit. Which statement is true about the partial MPLS configuration that is shown?

A. The route-target both 100:2 command changes a VPNv4 route to an IPv4 route.
B. The route-target import 100:1 command sets import route-targets for the routes specified by the route map.
C. The route-target both 100:2 command sets import and export route-targets for vrf2.
D. The route-target import 100:1 command sets import route-targets for vrf2 that override the other route-target configuration.

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
The route-target command creates lists of import and export route-target extended communities for the specified VRF. Enter the command once for each target community. Learned routes that carry a specific route-target extended community are imported into all VRFs configured with that extended community as an import route target. Routes learned from a VRF site (for example, by Border Gateway Protocol (BGP), Routing Information Protocol (RIP), or static route configuration) carry the export route targets configured for the VRF as route attributes, and these control the VRFs into which the route is imported. The route target specifies a target VPN extended community. Like a route distinguisher, an extended community is composed of either an autonomous system number and an arbitrary number or an IP address and an arbitrary number, so it is entered as ASN:nn or IP-address:nn.

To create a route-target extended community for a Virtual Private Network (VPN) routing and forwarding (VRF) instance, use the route-target command in VRF configuration submode:
route-target {import | export | both} route-target-ext-community

Example: The following shows how to configure route-target extended community attributes for a VRF in IPv4. The result of the command sequence is that the VRF named vrf1 has two export extended communities (1000:1 and 1000:2) and two import extended communities (1000:1 and 10.27.0.130:200):
Router(config)# ip vrf vrf1
Router(config-vrf)# route-target both 1000:1
Router(config-vrf)# route-target export 1000:2
Router(config-vrf)# route-target import 10.27.0.130:200

In the exhibit, route-target both 100:2 therefore sets both the import and the export route target for vrf2 (answer C). A further route-target import 100:1 adds another import target to the list; it does not override the other route-target configuration.
Reference: http://www.cisco.com/en/US/docs/ios/mpls/command/reference/mp_m4.html#wp1025916
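The import rule above (a route carrying route target X lands in every VRF that lists X as an import target) is easy to get wrong by eye once several VRFs share targets. The following is an added example, not code from the page or from Cisco: it parses `ip vrf` / `route-target` lines of an IOS-style configuration into import and export sets and computes which VRFs receive each VRF's routes. The configuration text is constructed for the example; vrf1 repeats the page's own example, while vrf2 and vrf3 are assumed so that cross-VRF import can be shown.

```python
"""Added example: compute route-target based import between VRFs from an
IOS-style configuration.  Not from the page or from Cisco; the CONFIG text is
constructed (vrf1 is the page's example, vrf2/vrf3 are assumed)."""
import re

CONFIG = """\
ip vrf vrf1
 rd 1000:1
 route-target both 1000:1
 route-target export 1000:2
 route-target import 10.27.0.130:200
ip vrf vrf2
 rd 100:2
 route-target both 100:2
 route-target import 100:1
ip vrf vrf3
 rd 100:3
 route-target both 100:1
 route-target import 1000:2
"""

VRF_RE = re.compile(r"^ip vrf (\S+)\s*$")
RT_RE = re.compile(r"^\s+route-target\s+(import|export|both)\s+(\S+)\s*$")


def parse_vrfs(config):
    """Return {vrf: {"import": set(RT), "export": set(RT)}}.

    `both` adds the RT to both sets.  Every route-target line adds to the
    list; a later line never replaces what an earlier line configured."""
    vrfs = {}
    current = None
    for line in config.splitlines():
        m = VRF_RE.match(line)
        if m:
            current = m.group(1)
            vrfs[current] = {"import": set(), "export": set()}
            continue
        m = RT_RE.match(line)
        if m and current is not None:
            direction, rt = m.groups()
            if direction in ("import", "both"):
                vrfs[current]["import"].add(rt)
            if direction in ("export", "both"):
                vrfs[current]["export"].add(rt)
    return vrfs


def importers_of(vrfs, route_rts):
    """VRFs that import a VPNv4 route carrying the given set of route targets."""
    route_rts = set(route_rts)
    return sorted(name for name, rts in vrfs.items() if rts["import"] & route_rts)


def leak_matrix(vrfs):
    """For each source VRF, the VRFs that receive its routes.

    Routes redistributed from a VRF carry that VRF's export RTs, so the
    receivers are the VRFs whose import RTs intersect those export RTs."""
    return {name: importers_of(vrfs, rts["export"]) for name, rts in vrfs.items()}


if __name__ == "__main__":
    for src, dsts in leak_matrix(parse_vrfs(CONFIG)).items():
        print(f"routes exported by {src} are imported into: {', '.join(dsts)}")
```

Running it shows that vrf1's routes reach vrf3 (through 1000:2) and vrf3's routes reach vrf2 (through 100:1), even though neither pair shares a route distinguisher; that kind of unintended leakage between customer VRFs is what a review of route-target configuration is looking for.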
QUESTION 90
Which statement is true about the SDM Basic Firewall wizard?

A. The wizard permits the creation of a custom application security policy.
B. The wizard configures one outside interface and one or more inside interfaces.
C. The wizard applies predefined rules to protect the private and DMZ networks.
D. The wizard can configure multiple DMZ interfaces for outside users.

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
With SDM, the Basic Firewall Configuration wizard applies default access rules to both the inside and outside interfaces, applies default inspection rules to the outside interface, and enables IP unicast reverse-path forwarding on the outside interface. It configures one outside interface and one or more inside interfaces (answer B); it offers neither a DMZ interface nor custom rules.

The Advanced Firewall Configuration wizard applies default or custom access rules, as well as default or custom inspection rules, to inside, outside, and DMZ interfaces. Furthermore, the Advanced Firewall Configuration wizard enables IP unicast reverse-path forwarding on the outside interface.

QUESTION 91
How can virus and Trojan horse attacks be mitigated?
A. Disable port scan.
B. Use antivirus software.
C. Implement RFC 2827 filtering.
D. Deny echo replies on all edge routes.
E. Enable trust levels.

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: The most common blunder people make when the topic of a computer virus arises is to refer to a worm or Trojan horse as a virus. While the words Trojan, worm and virus are often used interchangeably, they are not the same. Viruses, worms and Trojan horses are all malicious programs that can cause damage to your computer, but there are differences among the three, and knowing those differences can help you to better protect your computer from their often damaging effects.

A computer virus attaches itself to a program or file so it can spread from one computer to another, leaving infections as it travels. Much like human viruses, computer viruses can range in severity: some cause only mildly annoying effects while others can damage your hardware, software or files. Almost all viruses are attached to an executable file, which means the virus may exist on your computer but cannot infect it unless you run or open the malicious program. A virus cannot spread without a human action (such as running an infected program) to keep it going. People continue the spread of a computer virus, mostly unknowingly, by sharing infected files or sending e-mails with viruses as attachments.

A worm is similar to a virus by design and is considered a sub-class of a virus. Worms spread from computer to computer, but unlike a virus, a worm has the capability to travel without any help from a person.

A Trojan horse is full of as much trickery as the mythological Trojan horse it is named after. At first glance it appears to be useful software, but it does damage once installed or run on your computer. Those on the receiving end of a Trojan horse are usually tricked into opening it because they appear to be receiving legitimate software or files from a legitimate source. When a Trojan is activated on your computer, the results can vary. Some Trojans are designed to be more annoying than malicious (changing your desktop, adding silly active desktop icons), while others cause serious damage by deleting files and destroying information on your system. Trojans are also known to create a backdoor on your computer that gives malicious users access to your system, possibly allowing confidential or personal information to be compromised. Unlike viruses and worms, Trojans do not replicate themselves.

The first step in protecting your computer is to ensure your operating system (OS) is up to date; this is essential if you are running a Microsoft Windows OS. Secondly, you should have anti-virus software installed and download its updates frequently so that it has the latest signatures for new viruses, worms, and Trojan horses (answer B). The other options address different threats: RFC 2827 filtering and denying echo replies counter address spoofing and reconnaissance, not malware.
Reference: http://www.webopedia.com/DidYouKnow/Internet/2004/virus.asp
QUESTION 92
Which two statements about packet sniffers or packet sniffing are true? (Choose two.)
A. To reduce the risk of packet sniffing, strong authentication, such as one time passwords, should be used.
B. A packet sniffer requires the use of a network adapter card in nonpromiscuous mode to capture all network packets that are sent across a LAN.
C. To reduce the risk of packet sniffing, traffic rate limiting and RFC 2827 filtering should be used.
D. To reduce the risk of packet sniffing, cryptographic protocols such as Secure Shell Protocol (SSH) and Secure Sockets Layer (SSL) should be used.
E. Packet sniffers can only work in a switched Ethernet environment.

Correct Answer: AD Section: (none) Explanation
Explanation/Reference:
Explanation: A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets that are sent across a LAN. Promiscuous mode is a mode in which the network adapter card passes every frame it receives on the physical wire to an application for processing, not only the frames addressed to its own MAC address (so option B, which says nonpromiscuous mode, is false). A sniffer can only capture traffic in its own collision domain; on a switched LAN it sees broadcast frames and frames for its own port only, unless traffic is mirrored to it (a SPAN port) or redirected to it (for example by ARP spoofing). Sniffers work on shared and switched Ethernet alike, which is why option E is false.

Plaintext is information sent across the network that is not encrypted. Some network applications distribute network packets in plaintext. Because the packets are not encrypted, they can be processed and understood by any application that can pick them off the network. A network protocol specifies the protocol operations and packet format. Because the specifications for network protocols such as TCP/IP are widely published, a third party can easily interpret the packets and develop a packet sniffer, and numerous freeware and shareware packet sniffers are available that do not require the user to understand anything about the underlying protocols. The countermeasures are therefore strong authentication such as one-time passwords, so that a captured password is worthless (A), and cryptographic protocols such as SSH and SSL/TLS, so that the captured payload is unreadable (D). Rate limiting and RFC 2827 ingress filtering (C) counter spoofing and flooding, not sniffing.

Configuration management is an essential component of network availability; therefore, its security is of paramount importance. Use secure management protocols when configuring all network devices. Some management protocols, such as SSH and SSL, have been designed with security in mind and can be used in the management solution. Others, such as Telnet and Simple Network Management Protocol version 2 (SNMPv2), must be made secure by protecting the data with IPsec (or be replaced by SSH and SNMPv3). IPsec provides the encryption and authentication needed to defeat an attacker who tries to compromise the data exchange. Use access lists to further limit connectivity to the network devices and hosts; the access lists should permit management access, such as SSH or HTTPS, only from the legitimate management hosts.
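What a sniffer actually delivers to an application is a raw frame, and the point about plaintext protocols is clearest when you decode one. The following is an added example, not code from the page: a minimal Ethernet II / IPv4 / TCP decoder run over frames constructed in code (a Telnet login to a router and one frame of an SSH session). The Telnet credentials come out readable; the SSH frame on port 22 carries only ciphertext and yields nothing. The addresses, ports and payloads are all constructed for the example, and checksums are left at zero because a passive sniffer does not validate them.

```python
"""Added example: decode constructed Ethernet/IPv4/TCP frames the way a
promiscuous-mode sniffer would and pull out traffic on plaintext ports.
Not from the page; all frames and addresses below are constructed."""
import struct

# Well-known ports of management protocols that carry credentials in plaintext.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 161: "snmp"}


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Construct an Ethernet II + IPv4 + TCP frame (test data, not a real capture)."""
    eth = bytes.fromhex("66778899aabb") + bytes.fromhex("001122334455") + b"\x08\x00"
    # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Decode one frame; return None for anything that is not IPv4-over-Ethernet carrying TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:                       # IP protocol 6 = TCP
        return None
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return {
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
        "sport": sport, "dport": dport,
        "payload": tcp[data_off:],
    }


def plaintext_payloads(frames):
    """Return (protocol, 'src->dst', text) for every frame on a cleartext port.

    Frames on other ports (here the SSH session on 22) are skipped: their
    payload is ciphertext and decoding it yields nothing readable."""
    found = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        proto = CLEARTEXT_PORTS.get(pkt["dport"]) or CLEARTEXT_PORTS.get(pkt["sport"])
        if proto:
            text = pkt["payload"].decode("ascii", errors="replace")
            found.append((proto, f"{pkt['src']}->{pkt['dst']}", text))
    return found


# Constructed sample traffic: a Telnet login to a router, then one SSH data frame.
SAMPLE_FRAMES = [
    build_frame("10.1.1.1", "10.1.1.50", 23, 40000, b"Username: "),
    build_frame("10.1.1.50", "10.1.1.1", 40000, 23, b"admin\r\n"),
    build_frame("10.1.1.1", "10.1.1.50", 23, 40000, b"Password: "),
    build_frame("10.1.1.50", "10.1.1.1", 40000, 23, b"Secr3t!\r\n"),
    # Constructed bytes standing in for SSH ciphertext; nothing recoverable here.
    build_frame("10.1.1.50", "10.1.1.1", 40001, 22, bytes.fromhex("9f3ac1e7b204d8f65a71")),
]

if __name__ == "__main__":
    for proto, flow, text in plaintext_payloads(SAMPLE_FRAMES):
        print(f"{proto:6} {flow:22} {text!r}")
```

Concatenating the Telnet payloads reconstructs the whole login dialogue, including the password, which is exactly why the question's answers are one-time passwords (the captured password is useless a second later) and SSH/SSL (the payload is unreadable in the first place).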
QUESTION 93
Refer to the exhibit. What is one of the objectives accomplished by the default startup configuration file created by the SDM?

A. encrypts all HTTP traffic to prevent man-in-the-middle attacks
B. requires access authentication by a TACACS+ server
C. prevents the router from ever being used as an HTTP server
D. blocks both Telnet and SSH
E. enables local logging to support the log monitoring function

Correct Answer: E Section: (none) Explanation
Explanation/Reference:
Explanation: By default, there are three privilege levels on the router:
privilege level 1 = non-privileged (prompt is router>), the default level after logging in
privilege level 15 = privileged (prompt is router#), the level after entering enable mode
privilege level 0 = seldom used, but includes five commands: disable, enable, exit, help, and logout
Levels 2-14 are not used in a default configuration, but commands that are normally at level 15 can be moved down to one of those levels, and commands that are normally at level 1 can be moved up to one of those levels. Obviously, this security model involves some administration on the router. In the exhibit, privilege level 15 defines the privilege level granted to the user, and login local sets the login method to the local username database. The default configuration also enables local buffered logging on the router, which is the log monitoring support that option E refers to.
QUESTION 94
Refer to the exhibit.
Which statement about the authentication process is true?

A. The LIST1 list will disable authentication on the console port.
B. All login requests will be authenticated using the group tacacs+ method.
C. All login requests will be authenticated using the local database method.
D. Because no method list is specified, the LIST1 list will not authenticate anyone on the console port.
E. The default login authentication will automatically be applied to all login connections.

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation: The answer is “The LIST1 list will disable authentication on the console port” because no real authentication method is defined for the list LIST1: its only method is the keyword none. LIST1 is applied to the console line with the login authentication LIST1 command, and the none method tells the router not to perform any authentication, so anyone with access to the console (physically or through a terminal server) is let in without credentials.
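The way IOS walks a login method list is the part of this question that matters in practice: methods are tried in order, the router moves to the next one only when the current method returns an error (for example, no TACACS+ server answers), and a rejection (wrong password) ends the walk; the keyword none accepts every login. The following added example, not code from the page or from Cisco, models that walk over constructed method lists, a constructed TACACS+ user database and a constructed local database, so the effect of LIST1 (none) can be compared with a default list of group tacacs+ local.

```python
"""Added example: model of IOS `aaa authentication login` method-list
evaluation.  Not from the page or from Cisco; the CONFIG text, user
databases and server state are constructed for the example."""

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login LIST1 none
"""

# Constructed state: what the TACACS+ servers and the local database would answer.
STATE = {
    "tacacs_reachable": True,
    "tacacs_users": {"netops": "T4cacsPw!"},
    "local_users": {"admin": "L0calPw!"},
}


def method_tacacs(user, password, state):
    if not state["tacacs_reachable"]:
        return ERROR            # server error: the walk continues with the next method
    return PASS if state["tacacs_users"].get(user) == password else FAIL


def method_local(user, password, state):
    return PASS if state["local_users"].get(user) == password else FAIL


def method_none(user, password, state):
    return PASS                 # no authentication at all


METHODS = {"group tacacs+": method_tacacs, "local": method_local, "none": method_none}


def parse_method_lists(config):
    """Return {list_name: [method, ...]} from `aaa authentication login` lines."""
    lists = {}
    for line in config.splitlines():
        toks = line.split()
        if toks[:3] != ["aaa", "authentication", "login"] or len(toks) < 5:
            continue
        name, rest, methods = toks[3], toks[4:], []
        i = 0
        while i < len(rest):
            if rest[i] == "group" and i + 1 < len(rest):
                methods.append(f"group {rest[i + 1]}")   # `group tacacs+` is one method
                i += 2
            else:
                methods.append(rest[i])
                i += 1
        lists[name] = methods
    return lists


def authenticate(methods, user, password, state):
    """Walk the list; return (result, deciding method), or (FAIL, None) if every method errored."""
    for name in methods:
        result = METHODS[name](user, password, state)
        if result != ERROR:     # PASS or FAIL ends the walk; only ERROR falls through
            return result, name
    return FAIL, None


if __name__ == "__main__":
    lists = parse_method_lists(CONFIG)
    print("console (LIST1):", authenticate(lists["LIST1"], "anyone", "anything", STATE))
    print("vty (default):  ", authenticate(lists["default"], "admin", "L0calPw!", STATE))
```

Two things fall out of the model: with LIST1 the console accepts any credentials at all, and with the default list a valid local password is rejected while the TACACS+ servers are reachable, because a FAIL from TACACS+ does not fall through to local. The local database is consulted only when the servers return an error.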
QUESTION 95
Refer to the exhibit. Which two statements about the Network Time Protocol (NTP) are true? (Choose two.)

A. To enable NTP, the ntp master command must be configured on routers RTA and RTB.
B. The preferred time source located at 130.207.244.240 will be used for synchronization regardless of the other time sources.
C. Only NTP time requests are allowed from the host with IP address 10.1.1.1.
D. To enable authentication, the ntp authenticate command is required on routers RTA and RTB.
E. Router RTA will adjust for eastern daylight savings time.

Correct Answer: DE Section: (none) Explanation
Explanation/Reference:
Explanation: NTP Options
NTP on Cisco routers supports additional options that are useful for synchronization, for keeping the router from being overwhelmed by NTP requests, and for disabling NTP on specific interfaces.

Authentication
For additional security, you can configure your NTP servers and clients to use authentication. Cisco routers support only MD5 authentication for NTP. To enable a router to do NTP authentication:
1. Enable NTP authentication with the ntp authenticate command (answer D).
2. Define an NTP authentication key with the ntp authentication-key command. A unique number identifies each NTP key; this number is the first argument to the ntp authentication-key command.
3. Use the ntp trusted-key command to tell the router which keys are valid for authentication. Its only argument is the number of the key defined in the previous step.
With authentication enabled, the router synchronizes only with time sources whose packets carry a trusted key. Note that ntp master is not needed to enable NTP (it makes the router an authoritative source, so option A is false), and prefer only biases source selection, it does not force a source to be used regardless of the others (option B is false).

Access Lists
Once a router is synchronized to an NTP time source, it automatically acts as an NTP server for any client that requests synchronization or informational control queries. Many network administrators leave their routers open to NTP requests from the Internet. The problem with this is that Murphy (of Murphy's law) guarantees that the day you say “There is no harm in letting people get time information off the routers, so I won't bother restricting access” is the same day a new security vulnerability in NTP will be discovered. Also, if your routers get listed as public time servers on the Web, you can be overwhelmed with public time synchronization requests. Finally, with a sophisticated attack, an attacker could use NTP informational queries to discover the time servers to which your router is synchronized, and then, through an attack such as DNS cache poisoning, redirect your router to a system under his control. Manipulating the time on your routers this way could make it difficult to identify when incidents truly happened and could also be used to confuse any time-based security measures you have in place.

NTP allows you to configure ACLs to restrict access to the NTP services on the router. These ACLs restrict access based on source IP address using one of four restriction types:
peer - allows time synchronization requests and control queries, and allows the router to synchronize itself to remote systems that pass the ACL
serve - allows time synchronization requests and control queries, but does not allow the router to synchronize itself to remote systems that pass the ACL
serve-only - allows only time synchronization requests from systems that pass the ACL
query-only - allows only NTP control queries from systems that pass the ACL

The two restriction types generally used for security are peer and serve-only. For example, suppose you are using the hierarchical model with the core routers RouterOne and RouterTwo providing NTP services for the rest of the routers in your network. Configure RouterOne:
1. to use three external NTP servers with the ntp server command;
2. to peer with RouterTwo with the ntp peer command;
3. to peer only with RouterTwo: assuming RouterTwo's IP is 135.26.2.1, configure an ACL that matches only RouterTwo and apply it with the ntp access-group peer command;
4. to provide time services only to internal systems: assuming your internal network is 135.26.x.x, configure an ACL that matches internal systems and apply it with the ntp access-group serve-only command.

RouterOne#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
RouterOne(config)#ntp server 128.250.36.2
RouterOne(config)#ntp server 140.79.17.101
RouterOne(config)#ntp server 138.194.21.154
RouterOne(config)#ntp peer RouterTwo
RouterOne(config)#access-list 20 permit 135.26.2.1 0.0.0.0
RouterOne(config)#access-list 20 deny any
RouterOne(config)#ntp access-group peer 20
RouterOne(config)#access-list 21 permit 135.26.0.0 0.0.255.255
RouterOne(config)#access-list 21 deny any
RouterOne(config)#ntp access-group serve-only 21
RouterOne(config)#^Z

RouterTwo would be configured the same way with references to RouterTwo replaced by RouterOne. For optimal redundancy, you should have RouterTwo configured to use different public NTP servers than RouterOne. After applying access groups, verify with show ntp associations that the router still synchronizes to the external servers: by the definitions above, only sources that pass the peer ACL are allowed to act as time sources for the router, and the ACLs shown admit only RouterTwo as a peer.
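Whether a given client ends up as a peer, a serve-only client or blocked depends on wildcard-mask matching, first-match ACL evaluation with the implicit deny, and the order in which IOS checks the access groups (least to most restrictive: peer, serve, serve-only, query-only; the first class whose ACL permits the source is granted). The following added example, not code from the page or from Cisco, implements those rules over the RouterOne access-list and ntp access-group lines shown above and classifies a few constructed source addresses.

```python
"""Added example: evaluate IOS standard ACLs with wildcard masks and map a
source address to the NTP access class it is granted.  Not from the page or
from Cisco; CONFIG repeats the page's RouterOne lines, the test addresses in
main are constructed."""
import ipaddress
import re

CONFIG = """\
access-list 20 permit 135.26.2.1 0.0.0.0
access-list 20 deny any
access-list 21 permit 135.26.0.0 0.0.255.255
access-list 21 deny any
ntp access-group peer 20
ntp access-group serve-only 21
"""

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)(?:\s+(\S+))?$")
NTP_RE = re.compile(r"^ntp access-group\s+(peer|serve|serve-only|query-only)\s+(\d+)$")
ACCESS_CLASSES = ("peer", "serve", "serve-only", "query-only")   # least -> most restrictive


def parse_config(config):
    """Return ({acl_number: [(action, address, wildcard)]}, {class: acl_number})."""
    acls, groups = {}, {}
    for line in config.splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m:
            num, action, addr, wild = m.groups()
            if addr == "any":
                entry = (action, 0, 0xFFFFFFFF)           # every bit is "don't care"
            elif addr == "host":                          # `host A.B.C.D` == `A.B.C.D 0.0.0.0`
                entry = (action, int(ipaddress.IPv4Address(wild)), 0)
            else:
                entry = (action, int(ipaddress.IPv4Address(addr)),
                         int(ipaddress.IPv4Address(wild or "0.0.0.0")))
            acls.setdefault(int(num), []).append(entry)
            continue
        m = NTP_RE.match(line)
        if m:
            groups[m.group(1)] = int(m.group(2))
    return acls, groups


def acl_permits(acl, src_ip):
    """Top-down, first matching entry decides; no match is the implicit deny."""
    src = int(ipaddress.IPv4Address(src_ip))
    for action, addr, wild in acl:
        care = ~wild & 0xFFFFFFFF               # wildcard 0-bits must match exactly
        if (src ^ addr) & care == 0:
            return action == "permit"
    return False


def ntp_access_class(acls, groups, src_ip):
    """Class granted to src_ip, or 'denied'.  With no access groups configured,
    IOS grants every access type, modelled here as 'peer'."""
    if not groups:
        return "peer"
    for cls in ACCESS_CLASSES:
        if cls in groups and acl_permits(acls[groups[cls]], src_ip):
            return cls
    return "denied"


if __name__ == "__main__":
    acls, groups = parse_config(CONFIG)
    for ip in ("135.26.2.1", "135.26.7.9", "135.27.0.1", "8.8.8.8"):   # constructed addresses
        print(f"{ip:12} -> {ntp_access_class(acls, groups, ip)}")
```

RouterTwo (135.26.2.1) is classified as a peer because ACL 20 is checked first; an internal host such as 135.26.7.9 fails ACL 20, matches the 0.0.255.255 wildcard of ACL 21 and is serve-only; anything outside 135.26.0.0/16 hits the implicit deny of both lists.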
QUESTION 96
Refer to the exhibit. MPLS has been configured on all routers in the domain. In order for R2 and R3 to forward frames between them with label headers, what additional configuration will be required on devices that are attached to the LAN segment?

A. No additional configuration is required. Interface MTU size will be automatically adjusted to accommodate the larger size frames.
B. Increase the maximum MTU requirements on all router interfaces that are attached to the LAN segment.
C. Decrease the maximum MTU requirements on all router interfaces that are attached to the LAN segment.
D. No additional configuration is required. Frames with larger MTU size will be automatically fragmented and forwarded on all LAN segments.

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: The interface MTU command in Cisco IOS specifies how big a Layer 3 packet can be without having to fragment it when sending it on a data link. For the Ethernet encapsulation, for example, MTU is by default set to 1500. However, when n labels are added, n * 4 bytes are added to an already maximum sized IP packet of 1500 bytes. This would lead to the need to fragment the packet. You need to increase the MTU of Ethernet interfaces by either increasing the MTU of the interface itself or by using the “mpls mtu” command. Cisco IOS has the mpls mtu command that lets you specify how big a labeled packet can be on a data link. If, for example, you know that all packets that are sent on the link have a maximum of two labels and the MTU is 1500 bytes, you can set the MPLS MTU to 1508 (1500 + 2 * 4). Thus, all labeled packets of size 1508 bytes (labels included) can be sent on the link without fragmenting them. The default MPLS MTU value of a link equals the MTU value. Reference: “MPLS Fundamentals” by Luc De Ghein. http://www.ciscopress.com/articles/article.asp?p=680824&seqNum=5

