
QUESTION 97
Refer to the exhibit.
Router RTA is unable to establish an ADSL connection with its provider. What action can be taken to correct this problem?
ActualTests.com
“Pass Any Exam. Any Time.” – www.actualtests.com 129 CertUniverse.Blogspot.Com Cisco 642-825: Practice Exam

A. On the Dialer0 interface, enter the ip address negotiated command.
B. On the Dialer0 interface, change the MTU value to 1500 by using the ip mtu 1500 command.
C. On the Dialer0 interface, change the pool number to 0 by using the dialer pool 0 command.
D. On the Ethernet 0/1 interface, change the pool number to 0 by using the pppoe-client dial-pool-number 0 command.
E. On the Ethernet 0/1 interface, enter the ip address negotiated command.
F. On the Dialer0 interface, add the pppoe enable command.

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 98
Refer to the exhibit, which shows a PPPoA diagram and partial SOHO77 configuration. Which command needs to be applied to the SOHO77 to complete the configuration?

A. encapsulation aal5ciscoppp applied to the ATM0 interface
B. encapsulation aal5mux ppp dialer applied to the PVC
C. encapsulation aal5ciscoppp applied to the PVC
D. encapsulation aal5snap applied to the PVC.
E. encapsulation aal5mux ppp dialer applied to the ATM0 interface

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: Configuring the Dialer Interface
Use these commands if you are using PPP encapsulation for the ATM PVC. Use the following table to configure the dialer interface, beginning in global configuration mode.
Configuration Example
The following example shows the dialer interface configuration. You do not need to input the commands marked “default.” These commands appear automatically in the configuration file generated when you use the show running-config command.
!
interface atm0
 pvc 1/40
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface dialer 0
 ip address 200.200.100.1 255.255.255.0
 encapsulation ppp
 dialer pool 1
!
Reference: http://www.cisco.com/en/US/docs/routers/access/800/820/software/configuration/guide/routconf.html
QUESTION 99
Refer to the exhibit.
Which statement describes the results of clicking the OK button in the Security Device Manager (SDM) Add a Signature Location window?

A. If Cisco IOS IPS fails to load the 256MB.sdf, it will load the built-in signatures provided the Built-in Signatures (as backup) check box is checked.
B. SDM will respond with an error that indicates that no such file exists.
C. SDM will respond with a message asking for the URL that points to the 256MB.sdf file.
D. Cisco IOS IPS will choose to load the 256MB.sdf and then also add the Cisco IOS built-in signatures.
E. Cisco IOS IPS will choose to load the 256MB.sdf only if the Built-in Signatures (as backup) check box is unchecked.

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
The engine options are:
Fail Closed: By default, while Cisco IOS compiles a new signature for a particular engine, it allows packets to pass through without scanning for the corresponding engine. When enabled, this option makes Cisco IOS drop packets during the compilation process.
Use Built-in Signatures (as backup): If Cisco IOS IPS does not find signatures or fails to load them from the specified locations, it can use the Cisco IOS built-in signatures to enable Cisco IOS IPS. This option is enabled by default.
Deny Action on IPS Interface: We recommend this when the router is performing load balancing. When enabled, this option causes Cisco IOS IPS to enable ACLs on Cisco IOS IPS interfaces instead of enabling them on the interfaces from which attack traffic came.
Reference: http://www.cisco.com/en/US/docs/routers/access/cisco_router_and_security_device_manager/25/software/user/guide/IPS.html
QUESTION 100
Refer to the exhibit. All routers participate in the MPLS domain. An IGP propagates the routing information for network 10.10.10.0/24 from R5 to R1. However, router R3 summarizes the routing information to 10.10.0.0/16. How will the routes be propagated through the MPLS domain?

A. R3, using LDP, will advertise labels for both networks, and the information will be propagated throughout the MPLS domain.
B. R3 will label the 10.10.10.0/24 network using a pop label which will be propagated through the rest of the MPLS domain. R3 will label the summary route and forward to R2 where the network will be dropped.
C. None of the networks will be labeled and propagated through the MPLS domain because aggregation breaks the MPLS domain.
D. R3 will label the summary route using a pop label. The route will then be propagated through the rest of the MPLS domain. R3 will label the 10.10.10.0/24 network and forward to R2 where the network will be dropped.

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: A label represents a forwarding equivalence class, but it does not represent a particular path through the network. In general, the path through the network continues to be chosen by the existing Layer 3 routing algorithms such as OSPF, Enhanced IGRP, and BGP. That is, at each hop when a label is looked up, the next hop chosen is determined by the dynamic routing algorithm.
QUESTION 101
What is a reason for implementing MPLS in a network?
A. Reduces routing table lookup since only the MPLS core routers perform routing table lookups.
B. MPLS reduces the required number of BGP-enabled devices in the core.
C. MPLS eliminates the need of an IGP in the core.
D. MPLS eliminates the need for fully meshed connections between BGP enabled devices.

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
In a traditional ISP network (before MPLS) all routers needed to be BGP enabled as illustrated below:

With MPLS, only the PE routers need to run BGP, and the core P routers simply switch traffic based on labels and do not need to run BGP.

QUESTION 102
What is preventing the 192.168.1.150 network from showing up in the HQ router’s routing table?


A. The IP address on the E0/0 interface for the Branch4 router has the wrong IP mask. It should be 255.255.255.252
B. The default route is missing from the Branch4 router.
C. The network statement under router EIGRP on the Branch4 router is incorrect. It should be network 192.168.1.0.0.0.255.
D. When running EIGRP over GRE tunnels, you must manually configure the neighbor address using the eigrp neighbor ipaddress command.
E. The IP address on the tunnel interface on Branch4 is incorrect. It should be 192.168.1.12 255.255.255.252.

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 103
Which two statements about the transmission of signals over a cable network are true? (Choose two.)
A. Downstream and upstream signals operate in the same frequency ranges.
B. Upstream signals travel from the subscriber to the cable operator and use frequencies in the range of 5 to 42 MHz.
C. Upstream signals travel from the subscriber to the cable operator and use frequencies in the range of 50 to 860 MHz.
D. Downstream signals travel from the cable operator to the subscriber and use frequencies in the range of 50 to 860 MHz.
E. Downstream signals travel from the cable operator to the subscriber and use frequencies in the range of 5 to 42 MHz.

Correct Answer: BD Section: (none) Explanation
Explanation/Reference:
Explanation: The cable television industry defines the television spectrum only in the downstream path. The upstream path is not subject to a frequency plan. The frequencies can be monitored and upstream signals placed into “clean” areas free from interference and noise from other signals. Typically the range of 5 to 15 MHz tends to be noisy and difficult or impossible to utilize. The cable network is able to transmit upstream and downstream simultaneously. For downstream signals, those directed toward subscribers, the frequency range includes 50 to 860 MHz. Alternately, upstream signals, those directed away from subscribers, utilize the range of 5 to 42 MHz. The downstream range has been subdivided into smaller channels as defined by a standardized frequency plan. This plan places a “guard band” between the ranges for upstream and downstream transmissions. This is required due to the cutoff characteristics of high-pass and low-pass filters. Such filters are needed to ensure that there is no signal leakage into other frequency spectrums.
Reference: Page 61 of CCNP ISCW Official Exam Certification Guide, Cisco Press (Library of Congress Catalog Card Number 2004117845, ISBN-13: 978-1-58720-150-9, ISBN-10: 1-58720-150-x)
QUESTION 104
Which three MPLS statements are true? (Choose three.)
A. The two major components of MPLS include the control plane and the data plane.
B. OSPF, EIGRP, IS-IS, RIP, and BGP can be used in the control plane.
C. Frame-mode MPLS inserts a 32-bit label between the Layer 3 and Layer 4 headers.
D. The control plane is responsible for forwarding packets.
E. MPLS is designed for use with frame-based Layer 2 encapsulation protocols such as Frame Relay, but is not supported by ATM because of ATM fixed-length cells.
F. Cisco Express Forwarding (CEF) must be enabled as a prerequisite to running MPLS on a Cisco router.

Correct Answer: ABF Section: (none) Explanation
Explanation/Reference:
Explanation:
To support multiple protocols, MPLS divides the classic router architecture into two major components:
Control plane: Control plane takes care of the routing information exchange and the label exchange between adjacent devices.
Data plane: Data plane takes care of forwarding based on either destination addresses or labels; this is also known as the forwarding plane.
A large number of different routing protocols, such as Open Shortest Path First (OSPF), Interior Gateway
Routing Protocol (IGRP), Enhanced Interior Gateway Routing Protocol (EIGRP), Intermediate System-to-
Intermediate System (IS-IS), Routing Information Protocol (RIP), and BGP, can be used in the control
plane. The control plane also requires protocols, such as the label exchange protocols: MPLS Label
Distribution Protocol (LDP) or BGP (used by MPLS VPN). Resource Reservation Protocol (RSVP) is used
by MPLS Traffic Engineering to reserve resources (bandwidth) in the network. The data plane, however, is
a simple label-based forwarding engine that is independent of the type of routing protocol or label
exchange protocol. The Label Forwarding Information Base (LFIB) table is used to store the label
information that the forwarding engine uses to forward packets. The LFIB table is populated by the label
exchange protocol used (LDP, BGP, or RSVP).

QUESTION 105
Which three IPsec VPN statements are true? (Choose three.)
A. IPsec uses the Encapsulating Security Protocol (ESP) or the Authentication Header (AH) protocol for exchanging keys.
B. Main mode is the method used for the IKE phase two security association negotiations.
C. Quick mode is the method used for the IKE phase one security association negotiations.
D. To establish IKE SA, main mode utilizes six packets while aggressive mode utilizes only three packets.
E. IKE uses the Diffie-Hellman algorithm to generate symmetrical keys to be used by IPsec peers.
F. IKE keepalives are unidirectional and sent every ten seconds.

Correct Answer: DEF Section: (none) Explanation
Explanation/Reference:
Explanation: IPSec is the choice for secure corporate VPNs. IPSec is a framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services using Internet Key Exchange (IKE) to handle negotiation of protocols and algorithms based on local policy and to generate the encryption and authentication keys to be used by IPSec. IPSec is the main option featured in this topic for securing enterprise VPNs. Unfortunately, IPSec supports only IP unicast traffic. If IP-unicast packets are being tunneled, then a single encapsulation provided by IPSec is sufficient and much less complicated to configure and troubleshoot.
QUESTION 106
Which statement about an IPS is true?
A. The IPS is in the traffic path.
B. When malicious traffic is detected, the IPS will only send an alert to a management station.
C. Only one active interface is required.
D. Full benefit of an IPS will not be realized unless deployed in conjunction with an IDS.

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation: A Cisco sensor can operate in either promiscuous or inline mode. Figure 1-1 shows how you can deploy a combination of sensors operating in both inline (IPS) and promiscuous (IDS) modes to protect your network. As you can see from the diagram, an IPS sensor lies within the data path, while an IDS does not.
Figure 1-1: Comprehensive Deployment Solutions

Reference: Installing Cisco Intrusion Prevention System Appliances and Modules 6.0 http://www.cisco.com/en/US/docs/security/ips/6.0/installation/guide/hwIntro.html
QUESTION 107
Refer to the exhibit.
When editing the Invalid DHCP Packet signature using Security Device Manager (SDM), which additional severity levels can be chosen? (Choose three.)
A. debug
B. low
C. high
D. urgent
E. informational
F. warning

Correct Answer: BCE Section: (none) Explanation
Explanation/Reference:
Explanation:
The signature list can be filtered using the selection controls.

Reference: http://www.cisco.com/en/US/docs/routers/access/cisco_router_and_security_device_manager/25/software/user/guide/IPS.html
QUESTION 108
Refer to the exhibit. Which three tasks can be configured using the IPS Policies wizard via the Cisco Security Device Manager (SDM)? (Choose three.)
A. the selection of the interface to apply the IPS rule
B. the configuration of an IP address and the enabling of the interface
C. the creation of the signature definition file (SDF) to be used by the router
D. the location of the signature definition file (SDF) to be used by the router
E. the selection of the encapsulation on the WAN interfaces
F. the selection of the traffic flow direction that should be inspected by the IPS rules

Correct Answer: ADF Section: (none) Explanation
Explanation/Reference:
Explanation:
Cisco SDM lets you control the application of Cisco IOS IPS on interfaces, import and edit signature definition files (SDF) from Cisco.com, and configure the action that Cisco IOS IPS is to take if a threat is detected.
Create IPS
In this window you can launch the IPS Rule wizard.
The IPS Rule wizard prompts you for the following information:
The interface on which to apply the rule
The traffic on which to apply Cisco IOS IPS (inbound, outbound, or both)
The location of the signature definition file (SDF)
Reference: http://www.cisco.com/en/US/docs/routers/access/cisco_router_and_security_device_manager/25/software/user/guide/IPS.html#wp1111585
QUESTION 109
Refer to the exhibit. What information can be derived from the SDM firewall configuration that is shown?

A. Access-list 101 was configured for the trusted interface, and access-list 100 was configured for the untrusted interface.
B. Access-list 100 was configured for the trusted interface, and access-list 101 was configured for the untrusted interface.
C. Access-list 100 was configured for the inbound direction, and access-list 101 was configured for the outbound direction on the trusted interface.
D. Access-list 100 was configured for the inbound direction, and access-list 101 was configured for the outbound direction on the untrusted interface.

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: CBAC creates temporary openings in access lists at firewall interfaces. These openings are created when specified traffic exits your internal network through the firewall. The openings allow returning traffic (that would normally be blocked) and additional data channels to enter your internal network back through the firewall. The traffic is allowed back through the firewall only if it is part of the same session as the original traffic that triggered CBAC when exiting through the firewall. In Figure 1, the inbound access lists at S0 and S1 are configured to block Telnet traffic, and there is no outbound access list configured at E0. When the connection request for User1’s Telnet session passes through the firewall, CBAC creates a temporary opening in the inbound access list at S0 to permit returning Telnet traffic for User1’s Telnet session. (If the same access list is applied to both S0 and S1, the same opening would appear at both interfaces.) If necessary, CBAC would also have created a similar opening in an outbound access list at E0 to permit return traffic.
Figure 1: CBAC Opens Temporary Holes in Firewall Access Lists
Remote Office to ISP Configuration Example: This example describes one possible Cisco IOS Firewall configuration for a remote office router connected to an Internet service provider (ISP). In this configuration, the site security policy allows hosts on the local network to initiate traffic to the ISP while traffic inbound to the router from the ISP is blocked at the ISDN interface. Specific ICMP control message traffic is permitted through the firewall. No mail or Web services are available from the local network. Figure 4 illustrates this example.
Figure 4: Remote Office to ISP Sample Configuration
The firewall has two interfaces:
An Ethernet interface connects to the internal protected network (inside). Interface Ethernet0 has no ACL applied to it, meaning that all traffic initiated on the LAN is allowed access to the ISP. In this configuration example, Network Address Translation (NAT) is not turned on, and the addresses on interface Ethernet0 are reserved IP addresses. In a production environment, addresses on Ethernet0 either must be registered network addresses, or you must turn on NAT to hide these inside addresses from being visible on the Internet.
An ISDN Basic Rate Interface (BRI) connects the router to the ISP (outside). In this example, a dialer profile is used to control the BRI interface. This means that the ACL and CBAC inspection rules are applied at the dialer interface, not directly at the physical ISDN (BRI) interface using a dialer map.
!--------------------------------------
!General Cisco IOS Firewall Guidelines
!--------------------------------------
!The following global configuration entries illustrate good security practices.
enable secret 5 <elided>
no ip source-route
no cdp run
!
!--------------------------------
!Create the CBAC inspection rule
!--------------------------------
!Create the CBAC inspection rule STOP to allow inspection of the protocol traffic
!specified by the rule.
ip inspect name STOP tcp
ip inspect name STOP ftp
ip inspect name STOP smtp
ip inspect name STOP h323
ip inspect name STOP rcmd
!
!---------------------------------
!Create Access Control List 105
!---------------------------------
!ACL 105 denies all IP protocol traffic except for specific ICMP control traffic.
!This means that only the return traffic for protocols defined in the
!inspection rule and the specified ICMP traffic is allowed access through the
!interface where this rule is applied.
!
!Deny broadcast messages with a source address of 255.255.255.255; this helps to
!prevent broadcast attacks.
access-list 105 deny ip host 255.255.255.255 any
!
!Add anti-spoofing protection by denying traffic with a source address matching a host
!on the Ethernet interface.
access-list 105 deny ip 192.168.1.0 0.0.0.255 any
!
!ICMP traffic is not inspected by CBAC. To control the type of ICMP traffic at the
!interface, add static access list entries. This example has the following ICMP
!requirements: outgoing ping commands require echo-reply messages to come back,
!outgoing traceroute commands require time-exceeded messages to come back, path MTU
!discovery requires “too-big” messages to come back, and incoming traceroute
!messages must be allowed. Additionally, permit all “unreachable” messages to come
!back; that is, if a router cannot forward or deliver a datagram, it sends an ICMP
!unreachable message back to the source and drops the datagram.
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any 192.168.1.0 0.0.0.255 time-exceeded
access-list 105 permit icmp any 192.168.1.0 0.0.0.255 packet-too-big
access-list 105 permit icmp any 192.168.1.0 0.0.0.255 traceroute
access-list 105 permit icmp any 192.168.1.0 0.0.0.255 unreachable
!
!Final deny for explicitness. This entry is not required but helps complete the access
!list picture. By default, the final entry in any access list is an implicit deny of IP
!protocol traffic. This ensures that the firewall blocks any traffic not explicitly
!permitted by the access list.
access-list 105 deny ip any any
Reference: Cisco IOS Firewall Context-Based Access Control http://www.cisco.com/en/US/docs/ios/12_0t/12_0t5/feature/guide/iosfw2_2.html#wp11774
QUESTION 110
What are three objectives that the no ip inspect command achieves? (Choose three.)
A. removes all associated static ACLs
B. deletes all existing sessions
C. resets all global timeouts and thresholds to the defaults
D. denies HTTP and Java applets to the inside interface but permits this traffic to the DMZ
E. removes the entire CBAC configuration
F. turns off the automatic audit feature in SDM

Correct Answer: BCE Section: (none) Explanation
Explanation/Reference:
Explanation: The inspection rule consists of a series of statements, each listing a protocol and specifying the same inspection rule name. Inspection rules include options for controlling alert and audit trail messages, and for checking IP packet fragmentation. Use the “ip inspect name” command in global configuration mode to define a set of inspection rules. Use the no form of this command to remove the inspection rule for a protocol, or to remove the entire set of inspection rules.
QUESTION 111
What is a recommended practice for secure configuration management?
A. Disable port scan.
B. Enable trust levels.
C. Use SSH or SSL.
D. Use secure Telnet.
E. Deny echo replies on all edge routers.

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: Use Secure Protocols When Possible: Many protocols are used in order to carry sensitive network management data. You must use secure protocols whenever possible. A secure protocol choice includes the use of SSH instead of Telnet so that both authentication data and management information are encrypted. In addition, you must use secure file transfer protocols when you copy configuration data. An example is the use of the Secure Copy Protocol (SCP) in place of FTP or TFTP. Because information can be disclosed during an interactive management session, this traffic must be encrypted so that a malicious user cannot gain access to the data being transmitted. Encrypting the traffic allows a secure remote access connection to the device. If the traffic for a management session is sent over the network in cleartext, an attacker can obtain sensitive information about the device and the network. An administrator is able to establish an encrypted and secure remote access management connection to a device by using the Secure Shell (SSH) or HTTPS (Secure Hypertext Transfer Protocol) features. Cisco IOS software supports SSH Version 1.0 (SSH1), SSH Version 2.0 (SSH2), and HTTPS that uses Secure Sockets Layer (SSL) and Transport Layer Security (TLS) for authentication and data encryption.
Reference: “Cisco Guide to Harden Cisco IOS Devices” http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml#interactmanage
QUESTION 112
Which two statements are true about the configuration of the Cisco IOS Firewall using the SDM? (Choose two.)
A. The Basic Firewall Configuration wizard applies default access rules to the inside (trusted), outside (untrusted) and DMZ interfaces.
B. Firewall policies can be viewed from the Home screen of the SDM.
C. Cisco IOS Firewall features may be configured by choosing the Additional Tasks wizard.
D. The Advanced Firewall Configuration wizard applies access rules to the inside (trusted), outside (untrusted) and DMZ interfaces.
E. To simplify the Firewall configuration task, the SDM provides Basic Firewall, Intermediate Firewall, and Advanced Firewall wizards.

Correct Answer: BD Section: (none) Explanation
Explanation/Reference:
Explanation: SDM, a configuration and management tool for Cisco IOS routers using a GUI, offers a simple method to set up the Cisco IOS Firewall. Depending on the number of router interfaces, you will select either the Basic Firewall Configuration wizard, which supports only one outside interface and one or more inside interfaces, or the Advanced Firewall Configuration wizard, which, in addition to the inside and outside interfaces, also supports a DMZ interface. The Basic Firewall Configuration wizard applies default access rules to both inside and outside interfaces, applies default inspection rules to the outside interface, and enables IP unicast reverse-path forwarding on the outside interface. The Advanced Firewall Configuration wizard applies default or custom access rules, as well as default or custom inspection rules, to inside, outside, and DMZ interfaces. Furthermore, the Advanced Firewall Configuration wizard enables IP unicast reverse-path forwarding on the outside
QUESTION 113
Refer to the exhibit.
Which three statements describe the steps that are required to configure an IPsec site-to-site VPN using a GRE tunnel? (Choose three.)

A. The tunnel source Ethernet1 command must be configured on the Tunnel0 interface.
B. The command access-list 110 permit ip must be configured to specify which hosts can use the tunnel.
C. The command access-list 110 permit gre must be configured to specify which traffic will be encrypted.
D. The tunnel source Tunnel0 command must be configured on the Tunnel0 interface.
E. The tunnel destination 172.17.63.18 command must be configured on the Tunnel0 interface.
F. The tunnel mode gre command must be configured on the Tunnel0 interface.

Correct Answer: ACE Section: (none) Explanation
Explanation/Reference:
Explanation: Tunnels provide logical, point-to-point connections across a connectionless IP network. This enables the use of advanced security features. Tunnels for VPN solutions employ encryption to protect data from being viewed by unauthorized entities and to perform multiprotocol encapsulation, if necessary. Encryption is applied to the tunneled connection to make data legible only to authorized senders and receivers

QUESTION 114
Which two statements are true about broadband cable (HFC) systems? (Choose two.)
A. A function of the cable modem termination system is to convert the digital data stream from the end user host into a modulated RF signal for transmission onto the cable system.
B. Cable modems operate at Layers 1 and 2 of the OSI model.
C. Cable modems only operate at Layer 1 of the OSI model.
D. Cable modems operate at Layers 1, 2, and 3 of the OSI model.
E. A function of the cable modem termination system (CMTS) is to convert the modulated signal from the cable modem into a digital signal.

Correct Answer: BE Section: (none) Explanation
Explanation/Reference:
Explanation: Hybrid fiber-coaxial (HFC): A mixed optical-coaxial network in which optical fiber replaces some or all of the traditional trunk portion of the cable network. The HFC architecture is the evolution of an initial cable system and signifies a network that incorporates both optical fiber along with coaxial cable to create a broadband network. By upgrading a cable plant to an HFC architecture, you can deploy a data network over an HFC system to offer high-speed Internet services and you can serve more subscribers. The cable network is segmented into smaller service areas in which fewer amplifiers are cascaded after each optical node, typically five or fewer. The tree-and-branch network architecture for HFC can be a fiber backbone, cable area network, superdistribution, fiber to the feeder, or a ring.
QUESTION 115
Which three protocols are available for local redundancy in a backup VPN scenario? (Choose three.)
A. a routing protocol
B. VRRP
C. GLBP
D. HSRP
E. proxy ARP
F. RSVP

Correct Answer: BCD Section: (none) Explanation
Explanation/Reference:
Explanation: GLBP stands for Gateway Load Balancing Protocol, and it’s been on the Cisco scene for about two years. GLBP is a router redundancy protocol introduced in Cisco IOS version 12.2(14)S. To give you an idea where GLBP fits into your network, let’s look at how it compares to its competition. Two such protocols are Hot Standby Router Protocol (HSRP) and Virtual Router Redundancy Protocol (VRRP). Both are router redundancy protocols that are similar to GLBP. GLBP and HSRP are both Cisco proprietary solutions, but VRRP is an open standard based on RFC 3768. Of course, that means you’ll find HSRP and GLBP on Cisco routers only and VRRP on almost all enterprise routers (including Cisco). Since all three are router redundancy protocols, what differentiates GLBP from the rest? With GLBP, all routers that are part of the group are available to forward packets. (In the server world, we might call this an active/active cluster.) On the other hand, with HSRP or VRRP, only one router forwards packets at a time, and the others are waiting in case the primary goes down (an active/passive cluster). Regardless of the approach, all three protocols provide this redundancy using a virtual IP address that serves as the default gateway. The virtual IP address points to the primary or secondary routers in the case of HSRP and VRRP or to the group of routers forwarding traffic in the case of GLBP. (On a side note, while HSRP acts as an active/passive router redundancy protocol by design, you can now use Multigroup HSRP (MHSRP) to perform load-sharing, much like GLBP does.)
Reference: http://sysnetadmin.wordpress.com/2008/04/20/ensuring-high-availability-load-balancing-and-router-redundancy-with-glbp/
QUESTION 116
What is a recommended practice for secure configuration management?
A. Deny echo replies on all edge routers.
B. Enable trust levels.
C. Disable port scan.
D. Use secure Telnet.
E. Use SSH or SSL.

Correct Answer: E Section: (none) Explanation
Explanation/Reference:
Explanation: Use Secure Protocols When Possible: Many protocols are used in order to carry sensitive network management data. You must use secure protocols whenever possible. A secure protocol choice includes the use of SSH instead of Telnet so that both authentication data and management information are encrypted. In addition, you must use secure file transfer protocols when you copy configuration data. An example is the use of the Secure Copy Protocol (SCP) in place of FTP or TFTP. Because information can be disclosed during an interactive management session, this traffic must be encrypted so that a malicious user cannot gain access to the data being transmitted. Encrypting the traffic allows a secure remote access connection to the device. If the traffic for a management session is sent over the network in cleartext, an attacker can obtain sensitive information about the device and the network. An administrator is able to establish an encrypted and secure remote access management connection to a device by using the Secure Shell (SSH) or HTTPS (Secure Hypertext Transfer Protocol) features. Cisco IOS software supports SSH Version 1.0 (SSH1), SSH Version 2.0 (SSH2), and HTTPS that uses Secure Sockets Layer (SSL) and Transport Layer Security (TLS) for authentication and data encryption.
Reference: “Cisco Guide to Harden Cisco IOS Devices” http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml#interactmanage
QUESTION 117
How can virus and Trojan horse attacks be mitigated?

A. Deny echo replies on all edge routes.
B. Implement RFC 2827 filtering.
C. Use antivirus software.
D. Disable port scan.
E. Enable trust levels.

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: The most common blunder people make when the topic of a computer virus arises is to refer to a worm or Trojan horse as a virus. While the words Trojan, worm and virus are often used interchangeably, they are not the same. Viruses, worms and Trojan Horses are all malicious
programs that can cause damage to your computer, but there are differences among the three, and knowing those differences can help you to better protect your computer from their often damaging effects. A computer virus attaches itself to a program or file so it can spread from one computer to another, leaving infections as it travels. Much like human viruses, computer viruses can range in severity: some viruses cause only mildly annoying effects while others can damage your hardware, software or files. Almost all viruses are attached to an executable file, which means the virus may exist on your computer but it cannot infect your computer unless you run or open the malicious program. It is important to note that a virus cannot be spread without a human action (such as running an infected program) to keep it going. People continue the spread of a computer virus, mostly unknowingly, by sharing infected files or sending e-mails with viruses as attachments. A worm is similar to a virus by its design, and is considered to be a sub-class of a virus. Worms spread from computer to computer, but unlike a virus, a worm has the capability to travel without any help from a person. A Trojan Horse is full of as much trickery as the mythological Trojan Horse it was named after. The Trojan Horse, at first glance, will appear to be useful software but will actually do damage once installed or run on your computer. Those on the receiving end of a Trojan Horse are usually tricked into opening it because they appear to be receiving legitimate software or files from a legitimate source. When a Trojan is activated on your computer, the results can vary. Some Trojans are designed to be more annoying than malicious (like changing your desktop or adding silly active desktop icons), while others can cause serious damage by deleting files and destroying information on your system.
Trojans are also known to create a backdoor on your computer that gives malicious users access to your system, possibly allowing confidential or personal information to be compromised. Unlike viruses and worms, The first steps to protecting your computer are to ensure your operating system (OS) is up-to-date. This is essential if you are running a Microsoft Windows OS. Secondly, you should have anti-virus software installed on your system and ensure you download updates frequently to ensure your software has the latest fixes for new viruses, worms, and Trojan horses.
Reference: http://www.webopedia.com/DidYouKnow/Internet/2004/virus.asp
QUESTION 118
What phrase best describes a Handler in a distributed denial of service (DDoS) attack?
A. person who launches the attack
B. host running the attacker program
C. host being attacked
D. host that generates a stream of packets that is directed toward the intended victim
Correct Answer: B Section: (none) Explanation

Explanation/Reference:

Explanation:
Understanding the Basics of DDoS Attacks
Refer to the following illustration:
Behind a Client is a person who orchestrates an attack. A Handler is a compromised host with a special program running on it. Each handler is capable of controlling multiple agents. An Agent is a compromised host that is running a special program. Each agent is responsible for generating a stream of packets that is directed toward the intended victim.
Reference: http://www.cisco.com/en/US/tech/tk59/technologies_white_paper09186a0080174a5b.shtml
QUESTION 119
Refer to the exhibit. On the basis of the information that is presented, which statement is true?

A. ACL 109 is designed to prevent any inbound packets with the SYN flag set from entering the router.
B. ACL 109 is designed to allow packets with the ACK flag set to enter the router.
C. ACL 109 is designed to prevent any inbound packets with the ACK flag set from entering the router.
D. ACL 109 should have been applied to interface Fa0/0.
E. ACL 109 is designed to prevent outbound IP address spoofing attacks.
F. ACL 109 is designed to allow packets with the SYN flag set to enter the router.

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: What happens if you have implemented an access list to prevent TCP sessions from being established into your network, but you want to ensure that the access list passes the responses if your network establishes a TCP session? The established keyword allows this event by checking the ACK and RST flags in the TCP segment header. If one of these flags is set, a match occurs. If neither bit is set, the source is trying to establish a TCP connection to the destination and a match will not occur. The packet will be denied on a subsequent line of the access list. Reference: http://www.iphelp.ru/faq/21/app02lev1sec3.html
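The flag check described in this explanation can be modelled in a few lines. The following is an added example, not part of the original exam material: the two-line ACL is constructed (the exhibit's ACL 109 is not reproduced on this page), address and port matching are left out, and the names `Rule`, `SAMPLE_ACL`, `evaluate` and `verdicts` are hypothetical.

```python
from dataclasses import dataclass

# TCP flag bits as laid out in the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    established: bool = False  # models the IOS `established` keyword

    def matches(self, tcp_flags: int) -> bool:
        # `established` matches only when ACK or RST is set; a rule
        # without the keyword matches any TCP segment.
        if self.established:
            return bool(tcp_flags & (ACK | RST))
        return True


# Constructed two-line ACL (not the exhibit's ACL 109, which the page omits):
#   access-list 1xx permit tcp any any established
#   access-list 1xx deny   tcp any any
SAMPLE_ACL = [Rule("permit", established=True), Rule("deny")]


def evaluate(acl, tcp_flags: int) -> str:
    """First-match evaluation, falling through to the implicit deny."""
    for rule in acl:
        if rule.matches(tcp_flags):
            return rule.action
    return "deny"


# Constructed sample segments arriving on the outside interface.
SAMPLES = {
    "SYN (new inbound connection)": SYN,
    "SYN+ACK (reply to our SYN)": SYN | ACK,
    "ACK (data on open session)": ACK,
    "RST (peer reset)": RST,
    # Same bits as the line above, so the same verdict: the check is
    # stateless and looks only at the header flags.
    "ACK with no prior session": ACK,
}


def verdicts():
    return {name: evaluate(SAMPLE_ACL, flags) for name, flags in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{verdict:6}  {name}")
```

Because the keyword inspects header bits only and keeps no session table, designs that need real session tracking pair or replace it with reflexive ACLs or stateful inspection.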
QUESTION 120
Which two statements about common network attacks are true? (Choose two.)
A. Reconnaissance attacks can consist of packet sniffers, port scans, ping sweeps, and Internet information queries.
B. Reconnaissance attacks can consist of password attacks, trust exploitation, port redirection and Internet information queries.
C. Reconnaissance attacks can consist of ping sweeps, port scans, man-in-middle attacks and Internet information queries.
D. Access attacks can consist of password attacks, ping sweeps, port scans, and man-in-the-middle attacks.
E. Access attacks can consist of packet sniffers, ping sweeps, port scans, and man-in-the-middle attacks.
F. Access attacks can consist of password attacks, trust exploitation, port redirection, and man-in-the-middle attacks.

Correct Answer: AF Section: (none) Explanation
Explanation/Reference:
Explanation: Reconnaissance is the unauthorized discovery and mapping of systems, services, or vulnerabilities. Reconnaissance is also known as information gathering, and in most cases, precedes an actual access or DoS attack. First, the malicious intruder typically conducts a ping sweep of the target network to determine which IP addresses are alive. Then, the intruder determines which services or ports are active on the live IP addresses. From this information, the intruder queries the ports to determine the type and version of the application and operating system running on the target host. In many cases, the intruders look for vulnerable services that they can exploit later when there is less likelihood that anyone is looking. Reconnaissance is
somewhat analogous to a thief surveying a neighborhood for vulnerable homes, such as an unoccupied residence, or a house with an easy-to-open door or window to break into. Reconnaissance attacks can consist of the following:
-Packet sniffers
-Port scans
-Ping sweeps
-Internet information queries
Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information.
QUESTION 121
Which three statements are correct about MPLS-based VPNs? (Choose three.)
A. Authentication is done using a digital certificate or pre-shared key.
B. Route Targets (RTs) are attributes attached to a VPNv4 BGP route to indicate its VPN membership.
C. Scalability becomes challenging for a very large, fully meshed deployment.
D. A VPN client is not required for users to interact with the network.
E. A VPN client is required for client-initiated deployments.
F. An MPLS-based VPN is highly scalable because no site-to-site peering is required.

Correct Answer: BDF Section: (none) Explanation
Explanation/Reference:
Explanation: With the introduction of Multiprotocol Label Switching (MPLS), which combines the benefits of Layer 2 switching with Layer 3 routing and switching, it became possible to construct a technology that combines the benefits of an overlay VPN (such as security and isolation among customers) with the benefits of simplified routing that a peer-to-peer VPN implementation brings. The new technology, called MPLS/VPN, results in simpler customer routing and somewhat simpler service provider provisioning, and makes possible a number of topologies that are hard to implement in either the overlay or peer-to-peer VPN models. MPLS also adds the benefits of a connection-oriented approach to the IP routing paradigm, through the establishment of label-switched paths, which are created based on topology information rather than traffic flow.
QUESTION 122
Which two statements are true about the use of SDM to configure the Cisco Easy VPN feature on a router? (Choose two.)
A. The SDM Easy VPN Server wizard can be used to configure user XAuth authentication locally on the router or externally with a RADIUS server.
B. The Easy VPN server address must be configured when configuring the SDM Easy VPN Server wizard.
C. The SDM Easy VPN Server wizard can be used to configure a GRE over IPSec site-to-site VPN or a dynamic multipoint VPN (DMVPN).
D. The SDM Easy VPN Server wizard recommends using the Quick setup feature when configuring a dynamic multipoint VPN.
E. The SDM Easy VPN Server wizard displays a summary of the configuration before applying the VPN configuration.
F. An Easy VPN connection is a connection that is configured between two Easy VPN clients.

Correct Answer: AE Section: (none) Explanation
Explanation/Reference:
Explanation:
Cisco Easy VPN has two main functions:

-Simplify client configuration
-Centralize client configuration and dynamically push the configuration to clients

How are these two goals achieved?

-IKE Mode Config functionality is used to download some configuration parameters to clients.
-Clients are preconfigured with a set of IKE policies and IPsec transform sets.

Cable modems, xDSL routers, and other forms of broadband access provide high-performance connections to the Internet, but many applications also require the security of VPN connections that perform a high level of authentication and that encrypt the data between two particular endpoints. However, establishing a VPN connection between two routers can be complicated and typically requires tedious coordination between network administrators to configure the VPN parameters of the two routers. The Cisco Easy VPN Remote feature eliminates much of this tedious work by implementing the Cisco Unity Client protocol, which allows most VPN parameters to be defined at a Cisco IOS Easy VPN Server. This server can be a dedicated VPN device, such as a Cisco VPN 3000 Concentrator, a Cisco PIX Firewall, or a Cisco IOS router that supports the Cisco Unity Client protocol.

After the Cisco Easy VPN Server has been configured, a VPN connection can be created with minimal configuration on an Easy VPN Remote client, such as a Cisco 800 Series router or a Cisco 1700 Series router. When the Easy VPN Remote initiates the VPN tunnel connection, the Cisco Easy VPN Server pushes the IPsec policies to the Easy VPN Remote client and creates the corresponding VPN tunnel connection.
