1.Which two of these statements best describe fast secure roaming? (Choose two.)
A. available only in autonomous APs
B. available in autonomous and lightweight APs
C. a feature of WDS in autonomous APs
D. a feature of WDS in lightweight APs
E. requires at least one AP and one Wireless LAN Services Module
Answer: BC
2.Which two of these statements best describe fast secure roaming for the wireless core feature set using
autonomous access points? (Choose two.)
A. It is compatible with all wireless clients.
B. It reduces roaming latency through reduced client RF channel scanning enhancements.
C. It reduces roaming latency to targeted times of less than 75ms.
D. Roaming occurs without reauthentication through a centralized RADIUS server.
E. It is enabled through WLSE deployment.
Answer: BD
3.Which two of these statements best describe the benefits of the Cisco Compatible Extensions Program? (Choose
two.)
A. offers a feature-rich implementation alternative to Wi-Fi certification
B. accelerates the availability of innovative features while maintaining interoperability
C. provides innovative features only on Cisco's wireless client adapters
D. provides an evolving set of specifications for interoperability
E. eliminates the need for testing by providing innovative features to wireless client vendors through a one-time
license fee
Answer: BD
4.Which item is a feature of Cisco Compatible Extensions, Version 3?
A. full 802.11e compliance
B. full WPAv2 compliance
C. wireless IDS
TestInside 642-371
D. NAC
Answer: B
5.Which two of these statements best describe the benefits of WPAv1? (Choose two.)
A. SSID broadcast prevention
B. improved mutual authentication
C. improved encryption through AES
D. improved protection against sniffing initialization vectors
E. RF jamming prevention
Answer: BD
6.Which two of these statements best describe the benefits of WPAv2? (Choose two.)
A. SSID broadcast prevention
B. man-in-the-middle attack protection
C. cost reduction through software upgrades in all existing hardware
D. dynamic key generation
E. RF jamming prevention
Answer: BD
7.Which SDM feature secures the router using a set of recommended security configurations based on Cisco IOS
AutoSecure and ICSA recommendations?
A. security wizard
B. security audit
C. one-step lockdown
D. Easy VPN Server
E. auto setup wizard
Answer: C
8.Which three of these features are supported on the Cisco VPN software client release 4.0.5? (Choose three.)
A. application programming interface which allows you to control operation of the VPN client from another
application
B. integrated personal firewall
C. transparent tunneling-IPSec over UDP and IPSec over TCP
D. provides automatic software updates for Windows 2000 and Windows XP
E. load balancing and backup server support
Answer: BCE
9.What is the benefit of using the Cisco Easy VPN Server feature along with the Cisco software VPN client for
implementing remote-access VPNs?
A. The Cisco Easy VPN Server feature and the Cisco software VPN client use the same GUI configuration tool to
simplify remote-access VPN configurations.
B. The Cisco Easy VPN Server feature allows the Cisco software VPN client to receive its security policies from
the central site VPN device. This minimizes the configuration requirements at the remote location for large remote
access VPN deployments.
C. The Cisco Easy VPN Server feature and the Cisco software VPN client use hardware-based encryption to
reduce the CPU overhead of the central site VPN router.
D. The Cisco Easy VPN Server feature and the Cisco software VPN client enable scalable remote-access VPNs
deployment by using a thick client/thin server model where the central site VPN router can handle thousands of
incoming VPN connections.
Answer: B
10.Deploying ISRs with integrated security services can help lower the total cost of ownership. Which of these
Cisco ISR Routers features illustrate this point?
A. using built-in on-board VPN acceleration to reduce the amount of VPN configuration tasks
B. using the USB port to perform fast Cisco IOS image upgrade
C. using the security audit feature to implement inline Intrusion Prevention System
D. using the SDM configuration tool to reduce training costs
E. using the high performance AIM to increase the Cisco IOS Firewall performance
Answer: D
11.Which of these is the Cisco IOS Firewall feature that provides secure, per-application access control across
network perimeters?
A. DDoS Mitigation
B. Cisco Security Agent
C. Intrusion Prevention System
D. Authentication Proxy
E. Context-based Access Control
F. Monitoring, Analysis and Response System
Answer: E
12.Which of these is the Cisco IOS Firewall feature that creates specific security policies for each user with
LAN-based, dynamic, per-user authentication and authorization?
A. DDoS Mitigation
B. Cisco Security Agent
C. Intrusion Prevention System
D. Authentication Proxy
E. Context-based Access Control
F. Monitoring, Analysis and Response System
Answer: D
13.Which of these is the Cisco IOS security feature that enhances perimeter firewall protection by taking
appropriate actions on packets and flows that violate the security policy or represent malicious network activity?
A. DDoS Mitigation (DDoS)
B. Cisco Security Agent (CSA)
C. Intrusion Prevention System (IPS)
D. Authentication Proxy (Auth Proxy)
E. Context-based Access Control (CBAC)
F. Monitoring, Analysis and Response System (MARS)
Answer: C
14.Which of these is the Cisco IOS feature that allows you to create secure site-to-site VPNs?
A. GRE
B. IPSec
C. L2TP
D. MPLS
E. AToM
F. pseudo wire
Answer: B
15.Your customer is concerned about the flexibility of the security design. Which Cisco IOS Firewall benefit
would you highlight?
A. Cisco IOS Firewall is available for a wide variety of router platforms. It scales to meet the bandwidth and
performance requirements of any network.
B. Integrating firewall functions into a multiprotocol router takes advantage of an existing router investment,
without the cost and learning curve associated with a new platform.
C. Cisco SDM allows GUI-based configuration of router security features.
D. Because it is installed on a Cisco router, Cisco IOS Firewall is an all-in-one, scalable solution that performs
multiprotocol routing, perimeter security, intrusion prevention, VPN functions, and per-user authentication and
authorization.
Answer: D
16.Your customer is concerned that adding firewall-based security will require major hardware changes. Which
Cisco IOS Firewall benefit would you highlight?
A. Cisco IOS Firewall is available for a wide variety of router platforms. It scales to meet the bandwidth and
performance requirements of any network.
B. Integrating firewall functions into a multiprotocol router takes advantage of an existing router investment,
without the cost and learning curve associated with a new platform.
C. Because it is installed on a Cisco router, Cisco IOS Firewall is an all-in-one, scalable solution that performs
multiprotocol routing, perimeter security, intrusion prevention, VPN functions, and per-user authentication and
authorization.
D. Combining the Cisco CNS 2100 Series Intelligence Engine and the Cisco IOS Software Extensible Markup
Language application helps a network administrator deploy any Cisco router with little or no preconfiguration to a
given destination.
Answer: B
17.Your customer is concerned that adding firewall-based security will require complicated management. Which
Cisco IOS Firewall benefit would you highlight?
A. Integrating firewall functions into a multiprotocol router takes advantage of an existing router investment,
without the cost and learning curve associated with a new platform.
B. Cisco SDM allows GUI-based configuration of router security features, greatly reducing the need to learn
complex CLI command syntaxes.
C. Because it is installed on a Cisco router, Cisco IOS Firewall is an all-in-one, scalable solution.
D. Combining the Cisco CNS 2100 Series Intelligence Engine and the Cisco IOS Software Extensible Markup
Language application helps a network administrator deploy any Cisco router with little or no preconfiguration to a
given destination. The router has the most current Cisco IOS software release and its security policy configuration
for the firewall when it is connected to the Internet.
Answer: B
18.Which three of these are benefits of the Cisco IOS IPSec VPN feature set? (Choose three.)
A. It provides a comprehensive VPN security management system.
B. It is available for a wide range of platforms running IOS software.
C. It integrates appliance design and innovative hybrid security architecture to provide stateful GRE VPN
capabilities.
D. It enables scalable secure connectivity for remote access VPNs, including e-commerce, mobile user, and
telecommuting applications.
E. It combines IPSec VPN enhancements with robust firewall, intrusion prevention, and secure administration
capabilities.
F. It provides strong encryption and authentication through digital certificates, one-time password tokens, and
pre-shared keys to the baseline Cisco Secure Integrated Software.
Answer: BEF
19.Which of these is a benefit of VPN software integrated into a Cisco router such as the ISR?
A. It uses the IPSec protocol to establish secure SAs.
B. It supports digital certificates to authenticate clients.
C. It uses Triple DES encryption to provide data integrity.
D. It is based upon the GRE standard to provide multi-protocol support.
E. It supports access to a Microsoft CA for security policy authentication.
Answer: B
20.What is a benefit of Cisco's anti-x defense strategy?
A. applications security
B. virtual firewall
C. security events correlation for proactive response
D. malware, virus, and worm mitigation
E. secure connectivity (V3PN)
Answer: D
21.Your customer has a basic stateful firewall setup that only permits incoming traffic from the Internet to an
internal web server. What are the security risks if the firewall being used does not perform advanced application
inspection and control like the ASA Security Appliance does? (Choose two.)
A. Allowing all return traffic from the internal web server back out to the Internet may increase the risk of worm
propagation.
B. Peer-to-peer or instant messaging traffic using port 80 may exhaust the network capacity.
C. Not validating port 80 traffic content may increase the risk of malware infection.
D. Denial of service attacks launched against port 80 of the internal web server can bring down the web server.
E. If the firewall cannot perform deep packet inspection, the firewall cannot properly classify the HTTP and
HTTPS traffic. This may lead to connectivity issues from the Internet to the internal web server.
Answer: BC
22.Which Cisco security tool can determine if a Cisco ISR Router is properly secured?
A. Cisco Security MARS
B. SDM security audit
C. CSA
D. CSA MC
E. VMS
Answer: B
23.Which three of these items can a wireless assisted site survey optimize? (Choose three.)
A. radio transmit power setting
B. security selection
C. beacon interval
D. IPS auto-response settings
E. channel selection
F. IDS settings
Answer: ACE
24. Refer to the exhibit. Deploying integrated services on the Cisco ISR Router can help reduce network cost and
complexity by integrating which four of these features on the ISR? (Choose four.)
A. firewall and VPN
B. IP telephony and voice mail
C. Secure Access Control Server
D. LAN switching and Wireless LAN
E. IPS
F. Anomaly Guard and Detection
Answer: ABDE
25.The Cisco ASA Security Appliance can offer the benefit of integrating which three security services into one
device? (Choose three.)
A. IPS
B. VPN Concentrator
C. ACS server
D. PIX firewall
E. CSA MC
F. DDoS Anomaly Guard and Detector
Answer: ABD
26.Cisco ISR Routers offer which three of these security benefits? (Choose three.)
A. onboard VPN accelerator
B. events correlation and proactive response
C. high-performance AIM VPN modules
D. virtual firewall
E. Cisco IOS Firewall and IOS IPS
F. transparent firewall
Answer: ACE
27.What are three features of the NAM blade for the Cisco Catalyst 6500 Series switch? (Choose three.)
A. It monitors LAN data from physical ports, VLANs, and Cisco EtherChannel using SPAN.
B. It is easily configured and deployed using Cisco NAM Enterprise Manager software.
C. The ART MIB tracks response times at different points in the network to pinpoint application performance
problems to the network or to the server.
D. VoIP traffic flows can be analyzed in real time to alert network managers to VoIP quality degradation.
E. Provides remote QoS configuration on Catalyst 6500 Series switches enabling real-time traffic engineering
tasks in enterprise networks.
F. With a NAM module installed in one Catalyst 6500 Series switch in a LAN, RMON statistics can be collected
for all switches on the network.
Answer: ACD
28.What are three benefits that companies gain with intelligent networking based on Cisco IOS network
infrastructure? (Choose three.)
A. a fully integrated network
B. a network requiring fewer networking devices
C. an adaptive network
D. a more resilient network
E. a completely fault-tolerant network
Answer: ACD
29. Refer to the exhibit. What are two Cisco IOS commands that would verify connectivity between routers R1
and R2? (Choose two.)
A. show cdp neighbor
B. show controllers serial
C. show frame-relay lmi
D. show ip route
E. show running-config
Answer: AD
30.What are three benefits of the Cisco Adaptive Threat Defense strategy? (Choose three.)
A. using QoS techniques such as Traffic Policing to rate limit suspected traffic to prevent DoS attacks
B. automatic reconfigurations of the security devices based on current security threats
C. containment and control of security threats
D. application security
E. anti-x defense
F. virtual firewall
Answer: CDE
31.List three benefits of implementing an integrated security solution based on the Cisco Self-Defending Network
strategy? (Choose three.)
A. integrated security
B. collaborative security system
C. self provisioning
D. Adaptive Threat Defense
E. programmable security ASICs
F. Cisco IOS-based security
Answer: ABD
32.Which two of these are types of signature files that can be loaded onto a Cisco router running Cisco IOS IPS?
(Choose two.)
A. default signatures which are statically maintained
B. attack-drop.sdf
C. dynamic signature definition file
D. customizable signature files that the customer defines and compiles into the SDF format
E. built-in signatures that can be merged with dynamic signature definition files
Answer: BC
33.Which two of these are the recommended methods to download signature definition files to a Cisco router
running Cisco IOS IPS? (Choose two.)
A. VMS IDS Management Center
B. command-line interface
C. Security Device Event Exchange
D. PostOffice protocol
E. Security Device Manager
Answer: AE
34.How does the Cisco IOS IPS feature set monitor the network for malicious activity?
A. passive "bird-on-a-wire" packet inspection
B. deep inline packet inspection
C. Security Device Event Exchange (SDEE) packet inspection
D. out-of-band (OOB) packet inspection
Answer: B
35.Which network management solution performs configuration, monitoring, and management of Cisco Firewall,
VPN router, and IPS devices as well as maintains network device inventory and software distribution features?
A. CiscoWorks Security Device Management Center (SD/MC)
B. Security Device Manager (SDM)
C. Adaptive Security Device Manager (ASDM)
D. CiscoWorks VMS/Management Center (VMS/MC)
Answer: D
36.Which feature benefit of Cisco IOS IPS allows for scanning of multiple patterns within a Signature Micro
Engine at any given time?
A. event correlation signature scanning
B. multiple signature scanning
C. parallel signature scanning
D. serial signature scanning
E. custom signature scanning
Answer: C
37.What is the benefit of the parallel signature scanning feature in Cisco IOS IPS software?
A. scans multiple patterns within a Signature Micro Engine at any given time
B. scans traffic patterns serially and correlates the events in parallel
C. dynamically runs detection scanning rules in parallel within a Signature Micro Engine to increase IPS
performance
D. runs currently configured scanning rules in parallel while updating new signature definition files to reduce the
risk of day-zero attacks
Answer: A
38.Which of these is an administrative time saving benefit of dynamic signature definition files on a Cisco router
running Cisco IOS IPS?
A. dynamically learns new signatures in real time
B. dynamically updates signatures from Cisco.com
C. dynamically configures IPS signature parameters
D. dynamically chooses which signatures to activate based upon network traffic seen
Answer: B
39.Which is a key benefit of Cisco IOS IPS?
A. It mitigates network attacks via SDEE.
B. It utilizes the latest versions of Cisco IOS software to obtain the latest signature definition file.
C. It leverages existing Cisco router infrastructure.
D. It configures the router to shun malicious activity via dynamically created access control lists.
Answer: C
40.Which of these is a benefit of an integrated security management system?
A. It provides configuration, monitoring, and troubleshooting capabilities across a wide range of security
products.
B. It integrates security device management products and collects events on an "as needed" basis to reduce
management overhead.
C. It integrates security management capabilities into the router or switch.
D. It provides a single point of contact for all security configuration tasks thereby enhancing the return on
investment.
E. It leverages existing network management systems such as HP OpenView to lower the cost of implementation.
Answer: A
41.Which tools on Cisco.com could you use to plan for correct Cisco IOS images to support a customer's security
design and requirements? (Choose two.)
A. Cisco IOS Matrix Navigator
B. Cisco Feature Navigator
C. Cisco IOS Package Planner
D. Cisco IOS Security Planner
E. Cisco Dynamic Configuration Tool
Answer: BC
42.What are two important approaches to communicate when identifying a customer's security risks? (Choose
two.)
A. Smaller companies are at less risk than larger enterprises, so their security needs are not as great.
B. Business strategy should directly relate to the security policy and budget.
C. The designated security expert should report to the IT department, since that is where the solution will be
implemented.
D. Security should be a continuous process.
E. Security solutions should come from multiple vendors to make it easier to coordinate security events from the
point of origin.
Answer: BD
43.Regarding the USB eToken module supported on the Cisco ISR series of routers, which three of these are
correct? (Choose three.)
A. The storage size is 32KB.
B. The storage size is 128MB.
C. It is used for Cisco IOS image storage.
D. Files can be encrypted and accessed via a PIN.
E. The USB eToken feature is a Cisco proprietary feature.
F. A bootstrap configuration can be stored in its unprotected space.
Answer: ADF
44.The Cisco SDM can configure most, but not all, routing protocols. Which two of these routing protocols can be
configured using SDM? (Choose two.)
A. BGP
B. IGRP
C. ISIS
D. OSPF
E. EIGRP
Answer: DE
45.Which two of these statements best describe the benefits of Cisco's wireless IDS functionality? (Choose two.)
A. AirDefense for wireless IDS is required by autonomous APs.
B. 2.4GHz RF management can monitor both 802.11 and non-802.11 RF interference.
C. APs only monitor the RF channels that are servicing the clients.
D. Cisco or CCX compatible client cards can extend the RF IDS service for autonomous APs.
E. Autonomous APs must be dedicated IDS sensors while lightweight APs can combine client traffic and RF
monitoring.
Answer: BD
46.During the Cisco IOS image selection process, which two Cisco ISR 2811 security bundles should you select if
the 2811 needs to support the optional AIM-VPNII Plus? (Choose two.)
A. Entry Security Bundle
B. Enhanced Security Bundle
C. Advanced IP Services Bundle
D. V3PN Bundle
E. Advanced Enterprise Services Bundle
F. Enterprise Plus Bundle
Answer: BD
47.The PIX Security Appliance feature set is a subset of the ASA Security Appliance feature set. Which two of
these features are only supported by an ASA Security Appliance? (Choose two.)
A. security contexts
B. transparent firewall
C. WebVPN
D. Active/Active failover
E. low latency queuing
F. AIP-SSM intrusion prevention
Answer: CF
48.Which of these statements regarding Cisco's WebVPN support is correct?
A. Cisco ISR Routers with the Enhanced Security Bundles support WebVPN.
B. Cisco security appliances act as a proxy between the end user and the target web server.
C. Cisco PIX Security Appliances (running release 7.0) and Adaptive Security Appliances both support WebVPN.
D. Cisco's WebVPN solution supports both TCP and UDP port forwarding for legacy application support.
Answer: B
49. Refer to the exhibit. Which two methods enable a PC connected to the PartnerNet to connect to a server on
DMZ1 but deny it access to both DMZ2 and the Inside network? (Choose two.)
A. Enable port address translation for traffic sourced from the PartnerNet PC to the DMZ1 server.
B. Disable NAT control on DMZ2 and the Inside interfaces only.
C. Enable static NAT translation for the DMZ1 server, and then use an ACL to permit the PartnerNet PC traffic to
the DMZ1 server.
D. Disable NAT control on the DMZ1 interface only.
E. Lower the security level of the DMZ2 interface to 30.
F. Raise the security level of the PartnerNet interface to 55.
Answer: CF
50.Which statement concerning the Active/Active failover feature is correct?
A. ASA Security Appliance failover pair must have either an Unrestricted and UR license or a UR and FO-A/A
license to be able to support Active/Active failover.
B. If an active security context within the primary security appliance "fails", the status of the primary security
appliance unit changes to "failed" while the secondary failover security appliance unit transitions to "active."
C. Active/Active failover is supported in "multiple mode" configuration only.
D. Active/Active failover supports site-to-site IPSec VPN stateful failover.
Answer: C
51.Which two of these data encryption AIM modes are found on the 3800 family of Cisco ISR Routers? (Choose
two.)
A. BPII
B. BPII-Plus
C. EPII
D. EPII-Plus
E. HPII
F. HPII-Plus
Answer: DF