Cisco Certification: Cisco 642-504 Question Bank

Date: 2015/8/31 11:37:21 Source: original to this site

  1. Which two are technologies that secure the control plane of the Cisco router? (Choose two.)

  A. Cisco IOS Flexible Packet Matching

  B. uRPF

  C. routing protocol authentication

  D. CPPr

  E. BPDU protection

  F. role-based access control

  Answer: CD

  2. What are the two category types associated with 5.x signature use in Cisco IOS IPS? (Choose two.)

  A. basic

  B. advanced

  C. 128MB.sdf

  D. 256MB.sdf

  E. attack-drop

  F. built-in

  Answer: AB

  3. Refer to the exhibit.

  Which optional AAA or RADIUS configuration command is used to support 802.1X guest VLAN functionality?

  A. aaa authentication dot1x default group radius

  B. aaa authorization network default group radius

  C. aaa accounting dot1x default start-stop group radius

  D. aaa accounting system default start-stop group radius

  E. radius-server host 10.1.1.1 auth-port 1812 acct-port 1813

  Answer: B

  TestInside Cisco 642-504

  4. Which is an advantage of implementing the Cisco IOS Firewall feature?

  A. provides self-contained end-user authentication capabilities

  B. integrates multiprotocol routing with security policy enforcement

  C. acts primarily as a dedicated firewall device

  D. is easily deployed and managed by the Cisco Adaptive Security Device Manager

  E. provides data leakage protection capabilities

  Answer: B

  5. Which three statements correctly describe the GET VPN policy management? (Choose three.)

  A. A central policy is defined at the ACS (AAA) server.

  B. A local policy is defined on each group member.

  C. A global policy is defined on the key server, and it is distributed to the group members.

  D. The key server and group member policy must match.

  E. The group member appends the global policy to its local policy.

  Answer: BCE

  6. The CPU and Memory Threshold Notifications of the Network Foundation Protection feature protects which router plane?

  A. control plane

  B. management plane

  C. data plane

  D. network plane

  Answer: B

  7. In DMVPN, the NHRP process allows which requirement to be met?

  A. dynamic physical interface IP address at the spoke routers

  B. high-availability DMVPN designs

  C. dynamic spoke-to-spoke on-demand tunnels

  D. dynamic routing over the DMVPN

  E. dual DMVPN hub designs

  Answer: A

  8. Which is correct regarding the Management Plane Protection feature?

  A. By default, Management Plane Protection is enabled on all interfaces.

  B. Management Plane Protection provides for a default management interface.

  C. Only SSH and SNMP management will be allowed on nondesignated management interfaces.

  D. All incoming packets through the management interface are dropped except for those from the allowed management protocols.

  Answer: D

  9. What are the two enrollment options when using the SDM Certificate Enrollment wizard? (Choose two.)

  A. SCEP

  B. LDAP

  C. OCSP

  D. Cut-and-Paste/Import from PC

  Answer: AD

  10. Refer to the exhibit.

  Which two configuration commands are used to apply an inspect policy map for traffic traversing from the E0 or E1 interface to the S3 interface? (Choose two.)

  A. zone-pair security test source Z1 destination Z2

  B. interface E0

  C. policy-map myfwpolicy

  class class-default

  inspect

  D. ip inspect myfwpolicy out

  E. ip inspect myfwpolicy in

  F. service-policy type inspect myfwpolicy

  Answer: AF

  11. Cisco IOS Firewall supports which three of the following features? (Choose three.)

  A. alerts

  B. audit trails

  C. multicontext firewalling

  D. active/active stateful failover

  E. DoS attacks protection

  Answer: ABE

  12. Refer to the exhibit.

  What is correct based on the partial configuration shown?

  A. The policy is configured to use an authentication key of 'rsa-sig'.

  B. The policy is configured to use Diffie-Hellman group sha-1.

  C. The policy is configured to use Triple DES IPsec encryption.

  D. The policy is configured to use digital certificates.

  E. The policy is configured to use access list 101 to identify the IKE-protected traffic.

  Answer: D

  13. When enabling Cisco IOS IPS using 5.x signatures, which required item can be downloaded from Cisco.com?

  A. SDF files (128MB.sdf, 256MB.sdf, attack.drop.sdf)

  B. public key

  C. built-in signatures

  D. Signature Micro-Engines

  E. IME

  Answer: B

  14. Which information will be shown by entering the command show zone-pair security?

  A. zone descriptions and assigned interfaces

  B. all service policy maps

  C. source and destination zones, and attached policy

  D. physical interface members of the zone pair

  Answer: C

  15. Cisco IOS SSL VPN thin-client mode has which two characteristics? (Choose two.)

  A. uses a Java applet

  B. supports TCP and UDP applications that use static port(s)

  C. provides full tunnel access like the IPsec VPN software client

  D. requires the use of browser plug-ins

  E. provides TCP port forwarding capabilities

  Answer: AE

  16. Refer to the exhibit.

  What will result from this zone-based firewall configuration?

  A. All traffic from the private zone to the public zone will be dropped.

  B. All traffic from the private zone to the public zone will be permitted but not inspected.

  C. All traffic from the private zone to the public zone will be permitted and inspected.

  D. All traffic from the public zone to the private zone will be permitted but not inspected.

  E. Only HTTP and DNS traffic from the private zone to the public zone will be permitted and inspected.

  F. Only HTTP and DNS traffic from the public zone to the private zone will be permitted and inspected.

  Answer: A

  17. Cisco Easy VPN Server pushes parameters such as the client internal IP address, DHCP server IP address, and WINS server IP address to the Cisco Easy VPN Remote client during which of these phases?

  A. IKE Phase 1 first-message exchange

  B. IKE Phase 2 last-message exchange

  C. IKE mode configuration

  D. IKE XAUTH

  E. IKE quick mode

  Answer: C

  18. Which two are capabilities of the Cisco IOS Firewall Feature Set? (Choose two.)

  A. protects against worms, malicious users, and denial of service

  B. provides intrusion protection capabilities

  C. when combined with application inspection, performs as an advanced application layer firewall gateway

  D. interoperates with Network Address Translation to conserve and simplify network address use

  E. provides for secure connectivity between branch offices

  Answer: AD

  19. Which two commands are used to allow only SSH traffic to the router Eth0 interface and deny other management traffic (BEEP, FTP, HTTP, HTTPS, SNMP, Telnet, TFTP) to the router interfaces? (Choose two.)

  A. interface eth0

  B. control-plane host

  C. policy-map type port-filter policy-name

  D. service-policy type port-filter input policy-name

  E. management-interface eth0 allow ssh

  F. line vty 0 5

  transport input ssh

  Answer: BE

  20. Cisco IOS IPS uses which alerting protocol with a pull mechanism for getting IPS alerts to the network management application?

  A. HTTPS

  B. SMTP

  C. SNMP

  D. syslog

  E. SDEE

  F. POP3

  Answer: E

  21. When configuring FPM, what should be the next step after the PHDFs have been loaded?

  A. Define a stack of protocol headers.

  B. Define a traffic policy.

  C. Define a service policy.

  D. Define a class map of type "access-control" for classifying packets.

  E. Reload the router.

  F. Save the PHDFs to startup-config.

  Answer: A

  22. GET VPN uses which secure group keying mechanism?

  A. Diffie-Hellman

  B. pre-shared

  C. Group Domain of Interpretation

  D. public and private keys

  E. group key agreement

  Answer: C

  23. When configuring the Auto Update feature for Cisco IOS IPS, what is a recommended best practice?

  A. Synchronize the router's clock to the PC before configuring Auto Update.

  B. Clear the router's flash of unused signature files.

  C. Enable anonymous TFTP downloads from Cisco.com and specify the download frequency.

  D. Create the appropriate directory on the router's flash memory to store the downloaded signature files.

  E. Download the realm-cisco.pub.key file and update the public key stored on the router.

  Answer: A

  24. When configuring GRE over IPsec, what is true regarding the GRE tunnel endpoints?

  A. A mirror image of the IPsec crypto ACL needs to be configured to permit the interesting end-user traffic between the GRE endpoints.

  B. The tunnel interface of both endpoints should be configured to use the outside IP address of the router as the unnumbered IP address.

  C. The tunnel interface of both endpoints needs to be in the same IP subnet.

  D. For high availability, the GRE tunnel interface should be configured with a primary and a backup tunnel destination IP address.

  Answer: C

  25. Refer to the exhibit.

  Given that the fa0/1 interface is the trusted interface, what could be a reason for users on the trusted inside networks not to be able to successfully establish outbound HTTP connections?

  A. The outgoing ACL on the fa0/1 interface is not set.

  B. The FWRULE inspection policy is not inspecting HTTP traffic.

  C. ACL 104 is denying the outbound HTTP traffic.

  D. The outgoing inspection rule on the fa0/1 interface is not set.

  E. ACL 104 is denying the return HTTP traffic.

  F. The FWRULE inspection policy is not configured correctly.

  Answer: C

  26. The Cisco SDM IPS migration tool is used for what purpose?

  A. to migrate the built-in signatures to the SDF format

  B. to migrate from Cisco IOS IPS version 4.0 to Cisco IOS IPS version 5.0

  C. to migrate from promiscuous mode IPS to inline IPS

  D. to migrate from Cisco IOS IPS to the Cisco AIM-IPS

  E. to migrate from the Cisco NM-CIDS to the Cisco AIM-IPS

  Answer: B

  27. Refer to the exhibit.

  Based on the output shown, which statement is correct regarding the Cisco IOS IPS configuration?

  A. The built-in signatures will be used.

  B. There were problems loading the signatures as indicated by the high number of total inactive signatures shown.

  C. The router is using the advanced IPS signature set.

  D. The SDF will be loaded from the IPS directory in flash.

  E. The SMEs are stored in the IPS directory in flash.

  Answer: C

  28. Which Cisco IOS Firewall feature allows the firewall to function as a Layer 2 bridge on the network?

  A. zone-based firewall

  B. CBAC

  C. firewall ACL bypass

  D. transparent firewall

  Answer: D

  29. Which statement is correct regarding Cisco IOS Firewall URL-filtering services on Cisco IOS Release 12.4(15)T and later?

  A. Multiple URL lists and URL filter server lists can be configured on the router.

  B. URL filtering with zone-based firewalls is configured using the type "inspect" parameter-map.

  C. Enabling "allow mode" is required when using an external URL-filtering server.

  D. The services support Secure Computing server or Websense server and the local URL list.

  Answer: D

  30. Refer to the exhibit.

  Based on the CLI configuration shown, which two statements are correct? (Choose two.)

  A. Serial0/0/0 is the outside NAT interface.

  B. The overload option enables static PAT.

  C. The static PAT configuration will not work since the second entry in access-list 1 overlaps the static PAT configuration.

  D. All HTTP connections to the Serial0/0/0 interface IP address will be translated to the 172.16.1.2 IP address port 8080.

  E. access-list 1 defines the list of inside global IP addresses.

  Answer: AD

  31. When using Cisco Easy VPN, what are the three options for entering the XAUTH username and password for establishing the VPN connection from the Cisco Easy VPN remote router? (Choose three.)

  A. using the router local user database

  B. using an external AAA server

  C. entering the information from the router console or SDM

  D. entering the information from the PC browser when browsing

  E. saving the XAUTH credentials to this router

  Answer: CDE

  32. Which Cisco IOS IPS risk rating component uses a low value of 75, a medium value of 100, a high value of 150, and a mission-critical value of 200?

  A. Signature Fidelity Rating

  B. Attack Severity Rating

  C. Target Value Rating

  D. Attack Relevancy Rating

  E. Promiscuous Delta

  F. Watch List Rating

  Answer: C

  33. When configuring the zone-based firewall feature on a Cisco router, which statement is correct regarding the zone-based firewall policy?

  A. The policy is applied unidirectionally between two security zones.

  B. Interfaces in the same zone require that a bidirectional traffic policy be applied to permit traffic flow.

  C. Traffic between an interface belonging to a zone and an interface that is not a zone member is allowed to pass without the policy being applied to the traffic.

  D. Traffic between an interface belonging to a zone and the "self" zone is denied by default unless it is explicitly allowed by a user-defined policy.

  Answer: A

  34. When you add NADs as AAA clients in the ACS, which three parameters are configured for each AAA client? (Choose three.)

  A. the NAD IP address

  B. the AAA server IP address

  C. the EAP type

  D. the shared secret key

  E. the AAA protocol to use for communication with the NADs

  F. the UDP ports to use for communication with the NADs

  Answer: ADE

  35. Which Cisco IOS VPN feature simplifies IPsec VPN configuration and design by using on-demand virtual access interfaces that are cloned from a virtual template configuration?

  A. GET VPN

  B. dynamic VTI

  C. static VTI

  D. GRE tunnels

  E. GRE over IPsec tunnels

  F. DMVPN

  Answer: B

  36. Refer to the DMVPN topology diagram in the exhibit. Which two statements are correct? (Choose two.)

  A. The hub router needs to have EIGRP split horizon disabled.

  B. At the Spoke A router, the next hop to reach the 192.168.2.0/24 network is 10.0.0.1.

  C. Before a spoke-to-spoke tunnel can be built, the spoke router needs to send an NHRP query to the hub to resolve the remote spoke router physical interface IP address.

  D. At the Spoke B router, the next hop to reach the 192.168.1.0/24 network is 172.17.0.1.

  E. The spoke routers act as the NHRP servers for resolving the remote spoke physical interface IP address.

  F. At the Spoke A router, the next hop to reach the 192.168.0.0/24 network is 172.17.0.1.

  Answer: AC

  37. Refer to the exhibit.

  Based on the output shown, which statement is correct regarding the Cisco IOS IPS configuration?

  A. The router will drop all packets if the IPS engine is unable to scan data.

  B. The basic signatures set has been disabled.

  C. Inline IPS is applied in the outbound direction on the interfaces.

  D. The signature delta file is stored in the IPS directory in flash.

  Answer: D

  38. When deploying 802.1X authentication on Cisco Catalyst switches, which traffic can be passed between the client PC and the Cisco Catalyst switch over the uncontrolled port?

  A. RADIUS

  B. TACACS+

  C. HTTP

  D. DHCP

  E. EAPoLAN

  F. CDP

  Answer: E

  39. Refer to the exhibit. Based on the partial configuration shown, which additional configuration parameter is needed under the GET VPN group member GDOI configuration?

  A. key server IP address

  B. rekey parameter

  C. local priority

  D. mapping of the IPsec profile to the IPsec SA

  E. mapping of the IPsec transform set to the GDOI group

  Answer: A

  40. Which action does the interface configuration command switchport protected enable?

  A. groups ports into an isolated community when configured on multiple ports

  B. configures the interface for the PVLAN edge

  C. provides isolation between two protected ports located on different switches

  D. allows traffic on protected ports to be forwarded at Layer 2

  Answer: B

  41. What configuration task must you perform prior to configuring private VLANs?

  A. enable port security on the interface

  B. associate all isolated ports to the primary VLAN

  C. set the VTP mode to transparent

  D. configure PVLAN trunking

  Answer: C

  42. When deploying 802.1X authentication on Cisco Catalyst switches, what are two possible options for authenticating the clients that do not have an 802.1X supplicant? (Choose two.)

  A. MAC Authentication Bypass

  B. Active Directory Single Sign-On

  C. authentication proxy

  D. web authentication

  E. Protected EAP

  Answer: AD

  43. When implementing EIGRP dynamic routing over DMVPN, what are three configuration tasks required at the hub router tunnel interface? (Choose three.)

  A. disabling EIGRP ip next-hop-self

  B. disabling EIGRP ip split-horizon

  C. disabling EIGRP auto-summary

  D. disabling EIGRP stub

  E. enabling multipoint GRE

  F. configuring the NHRP next-hop server IP address

  Answer: ABE

  44. Refer to the exhibit.

  What is wrong with the GRE over IPsec configuration shown?

  A. The crypto map is not correctly configured.

  B. The crypto ACL is not correctly configured.

  C. The network 172.16.0.0 command is missing under router eigrp 1.

  D. ESP transport mode should be configured instead of using the default tunnel mode.

  Answer: B

  45. When you configure Cisco IOS WebVPN, you can use the port-forward command to enable which function?

  A. web-enabled applications

  B. Cisco Secure Desktop

  C. full-tunnel client

  D. thin client

  E. CIFS

  F. OWA

  Answer: D
