Certifyme 642-825


    Certifyme 642-825 - Presentation Transcript

    1. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 Question: 1 When configuring the Cisco VPN Client with transparent tunneling, what is true about the IPSec over TCP option? A - The port number is negotiated automatically. B - Clients will have access to the secured tunnel and local resources. C - The port number must match the configuration on the secure gateway. D - Packets are encapsulated using Protocol 50 (Encapsulating Security Payload, or ESP). Answer: C Question: 2 Refer to the exhibit. MPLS must be enabled on all routers in the MPLS domain that consists of Cisco routers and equipment of other vendors. What MPLS distribution protocol(s) should be used on router R2 Fast Ethernet interface Fa0/0 so that the Label Information Base (LIB) table is populated across the MPLS domain? A - Only LDP should be enabled on Fa0/0 interface. B - Only TDP should be enabled on Fa0/0 interface. C - Both distribution protocols LDP and TDP should be enabled on the Fa0/0 interface. D - MPLS cannot be enabled in a domain consisting of Cisco and non-Cisco devices. Page 1 of 179
    2. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 Answer: C Question: 3 Which two statements about common network attacks are true? (Choose two.) A - Access attacks can consist of password attacks, trust exploitation, port redirection, and man- in-the-middle attacks. B - Access attacks can consist of password attacks, ping sweeps, port scans, and man-in-the- middle attacks. C - Access attacks can consist of packet sniffers, ping sweeps, port scans, and man-in-the- middle attacks. D - Reconnaissance attacks can consist of password attacks, trust exploitation, port redirection and Internet information queries. E - Reconnaissance attacks can consist of packet sniffers, port scans, ping sweeps, and Internet information queries. F - Reconnaissance attacks can consist of ping sweeps, port scans, man-in-middle attacks and Internet information queries. Answer: A, E Question: 4 Which two statements about worms, viruses, or Trojan horses are true? (Choose two.) A - A Trojan horse has three components: an enabling vulnerability, a propagation mechanism, and a payload. B - A Trojan horse virus propagates itself by infecting other programs on the same computer. C - A virus cannot spread to a new computer without human assistance. D - A virus has three components: an enabling vulnerability, a propagation mechanism, and a payload. E - A worm can spread itself automatically from one computer to the next over an unprotected network. F - A worm is a program that appears desirable but actually contains something harmful. Answer: C, E Question: 5 Which two statements about management protocols are true? (Choose two.) A - Syslog version 2 or above should be used because it provides encryption of the syslog messages. B - NTP version 3 or above should be used because these versions support a cryptographic authentication mechanism between peers. 
C - SNMP version 3 is recommended since it provides authentication and encryption services for management packets. D - SSH, SSL and Telnet are recommended protocols to remotely manage infrastructure devices. E - TFTP authentication (username and password) is sent in an encrypted format, and no additional encryption is required. Answer: B, C Question: 6 Which two statements about the Cisco Autosecure feature are true? (Choose two.) A - All passwords entered during the Autosecure configuration must be a minimum of 8 characters in length. Page 2 of 179
    3. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 B - Cisco 123 would be a valid password for both the enable password and the enable secret commands. C - The auto secure command can be used to secure the router login as well as the NTP and SSH protocols. D - For an interactive full session of AutoSecure, the auto secure login command should be used. E - If the SSH server was configured, the 1024 bit RSA keys are generated after the auto secure command is enabled. Answer: C, E Question: 7 Which three statements are correct about MPLS-based VPNs? (Choose three.) A - Route Targets (RTs) are attributes attached to a VPNv4 BGP route to indicate its VPN membership. B - Scalability becomes challenging for a very large, fully meshed deployment. C - Authentication is done using a digital certificate or pre-shared key. D - A VPN client is required for client-iniated deployments. E - A VPN client is not required for users to interact with the network. F- An MPLS-based VPN is highly scalable because no site-to-site peering is required. Answer: A, E, F Question: 8 Which IPsec mode will encrypt a GRE tunnel to provide multiprotocol support and reduced overhead? A - 3DES B - multipoint GRE C - tunnel D - transport Answer: D Question: 9 Which two statements are true about broadband cable (HFC) systems? (Choose two.) A - Cable modems only operate at Layer 1 of the OSI model. B - Cable modems operate at Layers 1 and 2 of the OSI model. C - Cable modems operate at Layers 1, 2, and 3 of the OSI model. D - A function of the cable modem termination system (CMTS) is to convert the modulated signal from the cable modem into a digital signal. F - A function of the cable modem termination system is to convert the digital data stream from the end user host into a modulated RF signal for transmission onto the cable system. Answer: B, D Question: 10 Refer to the exhibit. Page 3 of 179
    4. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 Which two statements about the AAA configuration are true? (Choose two.) A - A good security practice is to have the none parameter configured as the final method used to ensure that no other authentication method will be used. B - If a TACACS+ server is not available, then a user connecting via the console port would not be able to gain access since no other authentication method has been defined. C - If a TACACS+ server is not available. then the user Bob could be able to enter privileged mode as long as the proper enable password is entered. D - The aaa new-model command forces the router to override every other authentication method previously configured for the router lines. E - To increase security, group radius should be used instead of group tacacs+. F - Two authentication options are prescribed by the displayed aaa authentication command. Answer: D, F Question: 11 Which two statements are correct about mitigating attacks by the use of access control lists (ACLs)? (Choose two.) A - Extended ACLs on routers should always be placed as close to the destination as possible. B - Each ACL that is created ends with an implicit permit all statement. C - Ensure that earlier statements in the ACL do not negate any statements that are found later in the list. D - Denied packets should be logged by an ACL that traps informational (level 6) messages. E - IP packets that contain the source address of any internal hosts or networks inbound to a private network should be permitted. F - More specific ACL statements should be placed earlier in the ACL. Answer: D, F Question: 12 Refer to the exhibit. Page 4 of 179
    5. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 What is needed to complete the PPPoA configuration? A - A static route to the ISP needs to be configured. B - The VPDN group needs to be created. C - The ATM PVC needs to be configured. D - PPP0E encapsulation needs to be configured on the ATM interface. E - PAP authentication needs to be configured. Answer: C Question: 13 Which three configuration steps must be taken to connect a DSL ATM interface to a service provider? (Choose three.) A - Enable VPDN. B - Configure PPP0E on the VPDN group. Page 5 of 179
    6. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 C - Configure the ATM PVC. D - Assign a VPDN group name. E - Configure a dialer interface. F - Configure the correct PPP encapsulation on the ATM virtual circuit. Answer: C, E, F Question: 14 When configuring the Cisco software VPN client on a PC, which values need to be entered to complete the setup when pre-shared key authentication is used? A - IP address of server, groupname, and password B - IP address of server, groupname and password, and default gateway C - IP address of server, groupname and password, default gateway, and DNS servers D - IP address of server, groupname and password, default gateway, DNS servers, and local IP address Answer: A Question: 15 What is one benefit of AutoSecure? A - By default, all passwords are encrypted with level 7 encryption. B - By default, a password is enabled on all ports. C - Command line questions are created that automate the configuration of security features. D - A multiuser logon screen is created with different privileges assigned to each member. Answer: C Question: 16 Which two steps must be taken for SSH to be implemented on a router? (Choose two.) A - Ensure that the Cisco lOS Firewall feature set is installed on the devices. B - Ensure that the target routers are configured for MA either locally or through a database C - Ensure that each router is using the correct domain name for the network D - Ensure that an ACL is configured on the VTY lines to block Telnet access Answer: B, C Question: 17 What is meant by the attack classification of “false positive” on a Cisco IPS device? A - A signature is fired for nonmalicious traffic, benign activity. B - A signature is not fired when offending traffic is detected. C - A signature is correctly fired when offending traffic is detected and an alarm is generated. 
D - A signature is not fired when non-offending traffic is captured and analyzed. Answer: A Question: 18 Which statement is true about signature-based intrusion detection? A - It performs analysis that is based on a predefined network security policy. B - It performs analysis that is based on known intrusive activities by matching predefined patterns in network traffic. Page 6 of 179
    7. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 C - It performs analysis that is based on anomalies in packets or packet sequences. It also verifies anomalies in traffic behavior. D - It performs analysis by intercepting the procedural calls to the operating system kernel. Answer: B Question: 19 What are three objectives that the no ip inspect command achieves? (Choose three.) A - removes the entire CBAC configuration B - removes all associated static ACLs C - turns off the automatic audit feature in SDM D - denies HTTP and Java applets to the inside interface but permits this traffic to the DMZ E - resets all global timeouts and thresholds to the defaults F - deletes all existing sessions Answer: A, E, F Question: 20 When packets in a session match a signature, what are three actions that the Cisco lOS Firewall IPS can take? (Choose three.) A - notify a centralized management interface of a false positive B - remove the virus or worm from the packets C - use the signature micro-engine to prevent a CAM Table Overflow Attack D - reset the connection E - drop the packets F - send an alarm to a syslog server Answer: D, E, F Question: 21 Refer to the exhibit. SDM has added the commands in the exhibit to the router’s configuration. What are the three objectives that these commands accomplish? (Choose three.) A - forces the user to authenticate twice to prevent man-in-the-middle attacks B - inspects SSH packets across all enabled interfaces every 60 seconds C - specifies SSH for remote management access D - prevents Telnet access to the device unless it is from the SDM workstation E - sets the SSH timeout value to 60 seconds, a value that causes incomplete SSH connections to shut down after 60 seconds F - sets the maximum number of unsuccessful SSH login attempts to two before locking access to the router Answer: C, E, F Page 7 of 179
    8. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 Question: 22 Which three MPLS statements are true? (Choose three.) A - Cisco Express Forwarding (CEF) must be enabled as a prerequisite to running MPLS on a Cisco router. B - Frame-mode MPLS inserts a 32-bit label between the Layer 3 and Layer 4 headers. C - MPLS is designed for use with frame-based Layer 2 encapsulation protocols such as Frame Relay, but is not supported by ATM because of ATM fixed-length cells. D - OSPF, EIGRP, IS-IS, RIP, and SGP can be used in the control plane. E - The control plane is responsible for forwarding packets. F - The two major components of MPLS include the control plane and the data plane. Answer: A, D, F Question: 23 Refer to the exhibit. The configuration in the exhibit is found on an Internet service provider (ISP) Multiprotocol Label Switching (MPLS) network. What is its purpose? A - to prevent man-in-the-middle attacks B - to use OBAC to shut down Distributed Denial of Service attacks C - to use IPS to protect against session-replay attacks D - to prevent customers from running TDP with the ISP routers E - to prevent customers from running LDP with the ISP routers F - to prevent other ISPs from running LDP with the ISP routers Answer: D Question: 24 Which three features are benefits of using GRE tunnels in conjunction with lPsec for building site- to-site VPNs? (Choose three.) A - Allows dynamic routing over the tunnel B - Supports multi-protocol (non-IP) traffic over the tunnel C - Reduces IPsec headers overhead since tunnel mode is used D - Simplifies the ACL used in the crypto map E - Uses Virtual Tunnel Interface (VTI) to simplify the IPsec VPN configuration Answer: A, B, D Page 8 of 179
    9. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 Question: 25 What are the four main steps in configuring an IPsec site-to-site VPN tunnel on Cisco routers? (Choose four.) A - Define the ISAKMP policy. B - Define the IPsec transform set. C - Define the pre-shared key used in the DH (Diffie-Hellman) exchange. D - Create a crypto access list to define which traffic should be sent through the tunnel. E - Create a crypto map and apply it to the outgoing interface of the VPN device. F - Configure dynamic routing over the IPsec tunnel interface. Answer: A, B, D, E Question: 26 Which statement is true about an IPsec/GRE tunnel? A - The GRE tunnel source and destination addresses are specified within the IPsec transform set. B - An IPsec/GRE tunnel must use IPsec tunnel mode. C - GRE encapsulation occurs before the IPsec encryption process. D - Crypto map ACL is not needed to match which traffic will be protected. Answer: C Question: 27 Which feature is an accurate description of the Diffie-Hellman (DH) exchange between two IPsec peers? A. allows the two peers to communicate the pre-shared secret key to each other during IKE phase 1 B. allows the two peers to communicate its digital certificate to each other during IKE phase 1 C. allows the two peers to jointly establish a shared secret key over an insecure communications channel D. allows the two peers to negotiate its IPsec transforms during IKE phase 2 E. allows the two peers to authenticate each other over an insecure communications channel Answer: C Question: 28 Which three modulation signaling standards are used in broadband cable technology? (Choose three.) A - S-Video B - PAL C - NTSC D - SECAM E - FDM F - FEC Answer: B, C, D Question: 29 Which statement is true about the default operation of frame-mode MPLS? A - LSRs must wait to get the next-hop label from their downstream neighbors before propagating Page 9 of 179
    10. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 information B - LSRs will only propagate label mappings to their neighbors by request. C - Labels are sequentially generated for neighbors. D - Interfaces can share the same labels. Answer: D Question: 30 What technique can help to counter a reconnaissance attack? A - Implement a switched infrastructure. B - Disable accounts after a specific number of unsuccessful logins. C - Disable port redirection. D - Configure RFC 2827 filtering. Answer: A Question: 31 Which can be used to mitigate Trojan horse attacks? A - the use or an antivirus software B - the disabling of port redirection C - RFC 2827 filtering D - implementation of traffic rate limiting F - implementing anti-Dos features Answer: A Question: 32 How can application layer attacks be mitigated? A - Install the latest patches. B - Implement RFC 2827 filtering. C - Implement traffic rate limiting. D - Implement Anti-Dos features. E - Disable port redirection. Answer: A Question: 33 What does the dsl operating-mode auto command configure on a Cisco router? A - It configures a Cisco router to automatically detect the proper modulation method to use when connecting an ATM interface B - It configures a Cisco router to automatically detect the proper encapsulation method to use when connecting an ATM interface C - It configures a Cisco router to automatically detect the proper DSL type (ADSL, IDSL, HDSL, VDSL) to use when connecting an ATM interface D - It configures a Cisco router to automatically detect the proper authentication method to use when connecting an ATM interface Answer: A Question: 34 Refer to the exhibit. Page 10 of 179
    11. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 Which three statements describe the steps that are required to configure an IPsec site-to-site VPN using a GRE tunnel? (Choose three.) A - The command access-list 110 permit gre must be configured to specify which traffic will be encrypted. B - The command access-list 110 permit ip must be configured to specify which hosts can use the tunnel. C - The tunnel destination 172.17.63.18 command must be configured on the Tunnel0 interface. D - The tunnel mode gre command must be configured on the Tunnel0 interface. E - The tunnel source Ethernet1 command must be configured on the Tunnel0 interface F - The tunnel source Tunnel0 command must be configured on the Tunnel0 interface. Answer: A, C, E Question: 35 Which three IPsec VPN statements are true? (Choose three.) A - IKE keepalives are unidirectional and sent every ten seconds. B - IKE uses the Diffie-Hellman algorithm to generate symmetrical keys to be used by IPsec peers. C - IPsec uses the Encapsulating Security Protocol (ESP) or the Authentication Header (AH) protocol for exchanging keys. D - Main mode is the method used for the IKE phase two security association negotiations. Page 11 of 179
    12. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 E - Quick mode is the method used for the IKE phase one security association negotiations. F - To establish IKE SA, main mode utilizes six packets while aggressive mode utilizes only three packets. Answer: A, B, F Question: 36 Which three statements are true about Cisco lOS Firewall? (Choose three.) A - It can be configured to block Java traffic. B - It can be configured to detect and prevent SYN-flooding denial-of-service (DoS) network attacks C - It can only examine network layer and transport layer information. D - It can only examine transport layer and application layer information. E - The inspection rules can be used to set timeout values for specified protocols. F - The ip inspect cbac-name command must be configured in global configuration mode. Answer: A, B, E Question: 37 Which two statements are true about the configuration of the Cisco IOS Firewall using the SDM? (Choose two.) A - Cisco IOS Firewall features may be configured by choosing the Additional Tasks wizard. B - Firewall policies can be viewed from the Home screen of the SDM. C - To simplify the Firewall configuration task, the SDM provides Basic Firewall, Intermediate Firewall, and Advanced Firewall wizards. D - The Basic Firewall Configuration wizard applies default access rules to the inside (trusted), outside (untrusted) and DMZ interfaces E - The Advanced Firewall Configuration wizard applies access rules to the inside (trusted), outside (untrusted) and DMZ interfaces. Answer: B, E Question: 38 Refer to the exhibit. Page 12 of 179
    13. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 A site-to-site VPN connection has been configured using SDM. What option can aid in the configuration of the VPN on the peer router? A - the Generate Mirror option on the VPN Edit tab B - the Monitor Mode option on the VPN Status tab C - the VPN Components option on the VPN tab D - the IPSec Policies from the VPN Components tab Answer: A Question: 39 What should a security administrator who uses SDM consider when configuring the firewall on an interface that is used in a VPN connection? A - The firewall must permit traffic going out of the local interface only. B - The firewall must permit traffic to a VPN concentrator only. C - The firewall must permit encrypted traffic between the local and remote VPN peers. D - The firewall cannot be configured in conjunction with a VPN. Answer: C Question: 40 Refer to the exhibit. Page 13 of 179
    14. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 A GRE tunnel has been configured between the R1 headquarters router and the R2 branch site router. Why are users at the branch site unable to access the corporate intranet? A - The source IP address of the GRE tunnel must be different from the IP address of interface S0/0 on router R1. B - The destination IP address of the GRE tunnel must be different from the IP address of the interface S0/1 on router R2. C - The IP address of the interface tunnel1 must be the same as the IP address of the interface SO/0 on router R1. D - The interface 50/0 on router R1 must be enabled with the no shutdown command. The GRE tunnel must be configured with the encapsulation ppp command. Answer: D Question: 41 Refer to the exhibit. Page 14 of 179
    15. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 What is missing in the configuration of both IPSec peers concerning the IPSec/GRE configuration? A - crypto map vpnmap2 on the Ethernet1 interface B - access-list 110 on both peers to permit ISAKMP and IPsec traffic between 172.16.175.75 and 172.17.63.18 C - access-list 110 on both peers to encrypt GRE traffic between 172.16.175.75 and 172.17.63.18 D - mode tunnel under the crypto ipsec transform-set trans2 E - mode transport under the crypto ipsec transform-set trans2 F - DH group configuration under the crypto ipsec transform-set trans2 Answer: C Question: 42 Which three statements are correct about a GRE over IPsec VPN tunnel configuration on Cisco lOS routers? (Choose three.) A - The crypto map must be applied on the physical interface. B - The crypto map must be applied on the tunnel interface. C - A dynamic routing protocol can be configured to run over the tunnel interface. D - A crypto ACL will dictate the GRE traffic to be encrypted between the two IPsec peers. E - A crypto ACL will dictate the ISAKMP and IPsec traffic to be encrypted between the two IPsec peers. F - Crypto maps must specify the use of IPsec transport mode. Page 15 of 179
    16. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 Answer: A, C, D Question: 43 Which two statements about Cisco Easy VPN are true? (Choose two.) A - An lOS router, a PIX firewall or a VPN client can operate as an Easy VPN terminal point. B - A VPN client can also be configured to operate as an Easy VPN server. C - Easy VPN does not support split tunnels. D - Easy VPN tunnel endpoint addresses can be the virtual IP address of an HSRP configuration. E - Easy VPN is only appropriate for smaller deployments. Answer: A, D Question: 44 Refer to the exhibit. Which two statements are true about the information that is shown from the Cisco VPN screens? (Choose two.) A - The 10.10.32.32 network entry in the Route Details screen represents the lP address of the server end of the encrypted tunnel. B - The 10.10.32.32 network entry in the Route Details screen represents an IP address that will be accessed without traversing the VPN. C - Selecting Enable Transparent Tunneling on the connection entry on the right allows Local LAN Routes to be available on the Route Details on the left screen. D - Selecting IPSec over TCP on the connection entry on the right allows Local LAN Routes to be available on the Route Details on the left screen. E - Selecting Allow Local LAN Access on the connection entry on the right allows Local LAN Routes to be available on the Route Details on the left screen. Answer: B, E Question: 45 Refer to the exhibit. Page 16 of 179
    17. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 Which statement is true about the configuration of split tunnels using SDM? A - Any protected subnets that are entered represent subnets at the end user’s site that will be accessed without going through the encrypted tunnel. B - Any protected subnets that are entered represent subnets at the end user’s site that will be accessed through the encrypted tunnel. C - Any protected subnets that are entered represent subnets at the VPN server site that will be accessed without going through the encrypted tunnel. D - Any protected subnets that are entered represent subnets at the VPN server site that will be accessed through the encrypted tunnel. Answer: D Question: 46 What is the function of the MPLS data plane? A - The data plane exchanges Layer 3 routing information using OSPF, EIGRP, IS-IS, and BGP protocols. B - The data plane exchanges labels using the label exchange protocols TDP, LDP, BGP. and RSVP. C - The data plane uses the Forwarding Information Base (FIB) to forward packets based on the routing information. D - The data plane uses Label Forwarding Information Base (LFIB) to forwards packets based on the labels. Answer: D Page 17 of 179
    18. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 Question: 47 Which two statements about packet sniffers or packet sniffing are true? (Choose two.) A - A packet sniffer requires the use of a network adapter card in no promiscuous mode to capture all network packets that are sent across a LAN. B - Packet sniffers can only work in a switched Ethernet environment. C - To reduce the risk of packet sniffing, cryptographic protocols such as Secure Shell Protocol (SSH) and Secure Sockets Layer (SSL) should be used. D - To reduce the risk of packet sniffing, strong authentication, such as one time passwords, should be used. E - To reduce the risk of packet sniffing, traffic rate limiting and RFC 2827 filtering should be used. Answer: C, D Question: 48 Which two network attack statements are true? (Choose two.) A. Access attacks can consist of password attacks, trust exploitation, port redirection, and man- in-the-middle attacks. B. Access attacks can consist of UDP and TCP SYN flooding, ICMP echo-request floods, and ICMP directed broadcasts. C. DoS attacks can be reduced through the use of access control configuration, encryption, and RFC 2827 filtering. D. DoS attacks can consist of IP spoofing and DDoS attacks. E. IP spoofing can be reduced through the use of policy-based routing. F. IP spoofing exploits known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information. Answer: A, D Question: 49 Which three statements are true about Cisco Intrusion Detection System (IDS) and Cisco Intrusion Prevention System (IPS) functions? (Choose three.) A - Only IDS systems provide real-time monitoring that includes packet capture and analysis of network packets. B - Both IDS and IPS systems provide real-time monitoring that involves packet capture and analysis of network packets. 
C - The signatures on the IDS devices are configured manually whereas the signature on the IPS devices are configured automatically. D - IDS can detect misuse, abuse, and unauthorized access to networked resources but can only respond after an attack is detected. E - IPS can detect misuse, abuse, and unauthorized access to networked resources and respond before network security can be compromised. F - IDS can deny malicious traffic from the inside network whereas IPS can deny malicious traffic from outside the network. Answer: B, D, E Question: 50 What are the four steps, in their correct order, to mitigate a worm attack? Page 18 of 179
    19. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 A - contain, inoculate, quarantine, and treat B - inoculate, contain, quarantine, and treat C - quarantine, contain, inoculate, and treat D - preparation, identification, traceback, and postmortem E - preparation, classification, reaction, and treat F - identification, inoculation, postmortem, and reaction Answer: A Question: 51 Which three benefits does IPsec VPNs provide? (Choose three.) A - Origin authentication B - Adaptive threat defense C - Confidentiality D - Qos E - Data integrity F - A fully-meshed topology with low overhead Answer: A, C, E Question: 52 Refer to the exhibit. Page 19 of 179
    20. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 When you are using the Quick Setup option of the Site-to-Site VPN wizard on the SDM to configure an IPsec VPN, which three settings can you configure? (Choose three.) A - Peer identity B - Crypto map C - Pre-shared key D - Transform set priority E - Source interface and destination IP address F - Encapsulation security payload Answer: A, C, E Question: 53 Which IPsec VPN term describes a policy contract that specifies how two peers will use IPsec security services to protect network traffic? A - Encapsulation security payload B - Transform set C - Authentication header D - Security association Answer: D Question: 54 Refer to the exhibit. Page 20 of 179
    21. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 What command generates the pictured output? A - Show crypto ipsec transform-set B - Debug crypto ipsec C - Show crypto ipsec sa D - Show crypto map Answer: C Question: 55 If an edge Label Switch Router (LSR) is properly configured, which three combinations are possible? (Choose three.) A - A received lP packet is forwarded based on the lP destination address and the packet is sent as an lP packet. B - An lP destination exists in the IP forwarding table. A received labeled packet is dropped because the label is not found in the LFIB table. C - There is an MPLS label-switched path toward the destination. A received IP packet is dropped because the destination is not found in the IP forwarding table. D - A received IP packet is forwarded based on the IP destination address and the packet is sent as a labeled packet. E - A received labeled IP packet is forwarded based upon both the label and the IP address. F - A received labeled packet is forwarded based on the label. Alter the label is swapped, the newly labeled packet is sent. Answer: A, D, F Question: 56 Which three techniques should be used to secure management protocols? (Choose three.) A - Configure SNMP with only read-only community strings. B - Encrypt TFTP and syslog traffic in an IPSec tunnel. C - Implement RFC 2827 filtering at the perimeter router when allowing syslog access from devices on the outside of a firewall. D - Synchronize the NTP master clock with an Internet atomic clock. E - Use SNMP version 2. F - Use TFTP version 3 or above because these versions support a cryptographic authentication mechanism between peers. Answer: A, B, C Question: 57 Which two management protocols provide security enhancements such as cryptographic authentication and packet encryption of management traffic? (Choose two.) 
A - NTP version 3
B - SNMP version 3
C - Syslog version 3
D - Telnet version 3
E - TFTP version 3
Answer: A, B

Question: 58
Refer to the exhibit.
22. SDM has been used to configure IPS on the router. While reviewing the Secure Device Event Exchange (SDEE) error messages, you noticed that SDM failed to load a signature definition file (SDF) from the specified URL locations. Which other location, if enabled, could the SDF be loaded from?
A - The RAM of a router
B - The flash memory of a router
C - The startup configuration file of a router
D - The running configuration file of a router
E - The RAM of a PC
Answer: B

Question: 59
Refer to the exhibit.
23. What is one of the objectives accomplished by the default startup configuration file created by the SDM?
A - Blocks both Telnet and SSH
B - Prevents the router from ever being used as an HTTP server
C - Encrypts all HTTP traffic to prevent man-in-the-middle attacks
D - Enables local logging to support the log monitoring function
E - Requires access authentication by a TACACS+ server
Answer: D

Question: 60
Refer to the exhibit.
24. What is the exhibited configuration an example of?
A - Authentication Proxy
B - IOS firewall
C - Distributed time-based ACLs
D - Infrastructure protection ACLs
E - Turbo ACLs
F - Reflexive ACLs
Answer: B

Question: 61
Refer to the exhibit. What does the configuration accomplish?
A - The configuration permits ICMP outbound traffic, denies ICMP inbound traffic, and permits traffic that has been initiated from inside a router that has been synched with an NTP server.
B - The configuration permits ICMP inbound traffic, denies ICMP outbound traffic, and permits traffic that has been initiated from inside a router that has been synched with an NTP server.
C - For the specified protocols, the configuration results in a timeout value of 3600 seconds for authentication of encrypted traffic.
D - The configuration uses NTP synchronization to implement time-based ACLs.
E - The configuration creates temporary openings in the access lists of the firewall. These openings time out after the specified period of inactivity.
F - The configuration creates temporary openings in the access lists of the firewall. These openings have an absolute timeout value.
25. Answer: E

Question: 62
Refer to the exhibit. What type of security configuration is being verified?
A - Turbo ACLs
B - Reflexive ACLs
C - Authentication Proxy
D - IOS Firewall
E - Distributed Time-Based ACLs
F - Infrastructure Protection ACLs
Answer: D

Question: 63
Which firewall feature allows per-user policy to be downloaded dynamically to the router from a TACACS+ or RADIUS server using AAA services?
A - Intrusion Prevention System
B - Reflexive ACLs
C - Authentication Proxy
D - Lock-and-Key (dynamic ACLs)
E - Port-to-Application Mapping (PAM)
Answer: C

Question: 64
Which statement describes Reverse Route Injection (RRI)?
A - A static route that points towards the Cisco Easy VPN server is created on the remote client.
B - A static route is created on the Cisco Easy VPN server for the internal IP address of each VPN client.
C - A default route is injected into the route table of the remote client.
D - A default route is injected into the route table of the Cisco Easy VPN server.
Answer: B

Question: 65
Which two commands will start services that should be enabled for SDM operations? (Choose two.)
A - ip http secure-server
B - ip http authentication local
C - service password-encryption
D - ip dhcp-client network-discovery
E - service tcp-small-servers
Answer: A, B
26. Question: 66
Which privilege level is required when configuring the SDM?
A - 0
B - 1
C - 8
D - 10
E - 12
F - 15
Answer: F

Question: 67
Which two actions will take place when One-Step Lockdown is implemented? (Choose two.)
A - CDP will be enabled.
B - A banner will be set.
C - Logging will be enabled.
D - Security passwords will be required to be a minimum of 8 characters.
E - Telnet settings will be disabled.
Answer: B, C

Question: 68
Refer to the exhibit.
27. What does the “Allow Local LAN Access” option enable a Cisco software VPN client to do?
A - allows remote connections from trusted clients to access local resources
B - allows secured remote clients to access local LAN resources through the VPN connection
C - allows local traffic from trusted resources to pass through the VPN connection
D - allows a user to access the resources on the local LAN when connected through a secure gateway to a central-site VPN device
Answer: D

Question: 69
Which two statements are true about Cisco IOS Firewall? (Choose two.)
A - It enhances security for TCP applications only.
B - It enhances security for TCP and UDP applications.
C - It enhances security for UDP applications only.
D - It is implemented as a per-application process.
F - It is implemented as a per-destination process.
Answer: B, D

Question: 70
Refer to the exhibit.
28. Of the numbered items in the exhibit, which combination is required to implement only SSH?
A - 1, 3, 5, 6, 7, and 9
B - 5, 6, and 7
C - 5, 6, 7, and 9
D - 1, 4, 5, and 9
E - 2, 3, 5, and 9
Answer: D

Question: 71
Which statement is true about the super view of Role-Based CLI?
A - A CLI view cannot be shared by multiple super views.
B - Any user with level 15 privileges can create or modify views and super views.
C - Commands cannot be directly configured for a super view.
D - The maximum number of CLI views which can exist is limited only by the amount of flash available.
Answer: C

Question: 72
Which HFC cable network statement is true about the downstream data channel to the customer and the upstream data channel to the service provider?
A - The downstream data path is assigned a 30 MHz channel and the upstream data path is assigned a 1 MHz channel.
B - The downstream data path is assigned a fixed bandwidth channel and the upstream data path uses a variable bandwidth channel.
29. C - Both upstream and downstream data paths are assigned in 6 MHz channels.
D - The upstream data path is assigned a channel in a higher frequency range than the downstream path has.
Answer: C

Question: 73
Which statement about xDSL implementations is true?
A - All xDSL standards operate in higher frequencies than the POTS system and therefore can coexist on the same media.
B - All xDSL standards operate in lower frequencies than the POTS system and can therefore coexist on the same media.
C - The ADSL standard operates in higher frequencies than the POTS system and can therefore coexist on the same media.
D - The HDSL standard operates in higher frequencies than the POTS system and can therefore coexist on the same media.
E - Other than providing higher data rates, HDSL is identical to ADSL.
Answer: C

Question: 74
Which two statements about the AutoSecure feature are true? (Choose two.)
A - AutoSecure automatically disables the CDP feature.
B - If you enable AutoSecure, the minimum length of the login and enable passwords is set to 6 characters.
C - The auto secure full command automatically configures the management and forwarding planes without any user interaction.
D - To enable AutoSecure, the auto secure global configuration command must be used.
E - Once AutoSecure has been configured, the user can launch the SDM Web interface to perform a security audit.
Answer: A, B

Question: 75
Which statement is true about the global configuration command ntp server 198.133.219.25?
A - Entering the command ntp server 198.133.219.26 would replace the original command ntp server 198.133.219.25.
B - The command configures the router to be the NTP time source for a peer located at IP address 198.133.219.25.
C - The command configures the router to provide the date and clock setting for a host located at IP address 198.133.219.25.
D - The command configures the router to synchronize with an NTP time source located at IP address 198.133.219.25.
Answer: D

Question: 76
Which statement is true about a router configured with the ntp trusted-key 10 command?
A - This router only synchronizes to a system that uses this key in its NTP packets.
B - The IOS will not permit ‘10’ as an argument to the ntp trusted-key command.
C - This command enables DES encryption of NTP packets.
30. D - This router will join an NTP multicast group where all routers share the same trusted key.
Answer: A

Question: 77
Which statement about the aaa authentication enable default group radius enable command is true?
A - If the radius server returns an error, the enable password will be used.
B - If the radius server returns a ‘failed’ message, the enable password will be used.
C - The command login authentication group will associate the AAA authentication to a specified interface.
D - If the group database is unavailable, the radius server will be used.
Answer: A

Question: 78
Which command sequence is an example of a correctly configured AAA configuration that uses the local database?
A -
RTA(config)# username Bob password cisco
RTA(config)# aaa new-model
RTA(config)# aaa authentication login LOCAL_AUTH local
RTA(config)# line con 0
RTA(config-line)# login authentication LOCAL_AUTH
B -
RTA(config)# username Bob password cisco
RTA(config)# aaa new-model
RTA(config)# aaa authentication login LOCAL_AUTH local
RTA(config)# line con 0
RTA(config-line)# login authentication default
C -
RTA(config)# aaa new-model
RTA(config)# tacacs-server host 10.1.1.10
RTA(config)# tacacs-server key cisco 123
RTA(config)# aaa authentication login LOCAL_AUTH group tacacs+
RTA(config)# line con 0
RTA(config-line)# login authentication default
D -
RTA(config)# aaa new-model
RTA(config)# tacacs-server host 10.1.1.10
RTA(config)# tacacs-server key cisco 123
RTA(config)# aaa authentication login LOCAL_AUTH group tacacs+
RTA(config)# line con 0
RTA(config-line)# login authentication LOCAL AUTH
Answer: A

Question: 79
Refer to the exhibit.
31. Based on the partial configuration, which two statements are true? (Choose two.)
A - If configured, the enable password could also be used to log into the console port.
B - The local parameter is missing at the end of each aaa authentication LOCAL-AUTH command.
C - The command aaa authentication default should be issued for each line instead of the login authentication LOCAL_AUTH command.
D - This is an example of a self-contained AAA configuration using the local database.
E - To make the configuration more secure, the none parameter should be added to the end of the aaa authentication login LOCAL_AUTH local command.
F - To successfully establish a Telnet session with RTA, a user can enter the username Bob and password cisco.
Answer: D, F

Question: 80
Refer to the exhibit.
32. A network administrator wishes to mitigate network threats. Given that purpose, which two statements about the IOS firewall configuration that is revealed by the output are true?
A - The command ip inspect FIREWALL_ACL out must be applied on interface FastEthernet 0/0.
B - The command ip inspect FIREWALL_ACL out must be applied on interface FastEthernet 0/1.
C - The command ip access-group FIREWALL_ACL in must be applied on interface FastEthernet 0/0.
D - The command ip access-group FIREWALL_ACL in must be applied on interface FastEthernet 0/1.
E - The configuration excerpt is an example of a CBAC list.
F - The configuration excerpt is an example of a reflexive ACL.
Answer: B, E

Question: 81
In an MPLS VPN implementation, how are overlapping customer prefixes propagated?
A - A separate instance of the core IGP is used for each customer.
B - Separate BGP sessions are established between each customer edge LSR.
C - Because customers have their own unique LSPs, address space is kept separate.
D - A route target is attached to each customer prefix.
E - Because customers have their own interfaces, distributed CEFs keep the forwarding tables separate.
Answer: D

Question: 82
Refer to the exhibit.
33. On the basis of the information presented, which configuration change would correct the Secure Shell (SSH) problem?
A - Configure router RTA with the ip domain name domain-name global configuration command.
B - Configure router RTA with the crypto key generate rsa general-keys modulus modulus-number global configuration command.
C - Configure router RTA with the crypto key generate rsa usage-keys modulus modulus-number global configuration command.
D - Configure router RTA with the transport input ssh vty line configuration command.
E - Configure router RTA with the no transport input telnet vty line configuration command.
Answer: D

Question: 83
When configuring a site-to-site IPsec VPN tunnel, which configuration must be the exact reverse of the other IPsec peer?
A - the IPsec transform
B - the crypto ACL
C - the ISAKMP policy
D - the pre-shared key
E - the crypto map
Answer: B

Question: 84
Refer to the exhibit.
34. A user is unable to initiate an SSH session with RTA. To help troubleshoot the problem, RTA has been configured as indicated in the exhibit. However, a second attempt to initiate an SSH connection to RTA fails to generate debug information on the Syslog server. What configuration change would display the debug information on the Syslog server?
A - Router RTA should be configured with the debug ip packet EXEC command.
B - Router RTA must be configured with the correct Syslog IP address.
C - Router RTA must be configured with the logging buffered informational global configuration command.
D - Router RTA must be configured with the logging monitor debugging global configuration command.
E - Router RTA must be configured with the logging trap debugging global configuration command.
Answer: E

Question: 85
When you are using the SDM to configure a GRE tunnel over IPsec, which two parameters are required when defining the tunnel interface information? (Choose two.)
A - MTU size of the GRE tunnel interface
B - GRE tunnel source interface or IP address, and tunnel destination IP address
C - IPSEC mode (tunnel or transport)
D - GRE tunnel interface IP address
E - crypto ACL number
Answer: B, D

Question: 86
Refer to the exhibit.
35. Routers RTB and RTC have established LDP neighbor sessions. Troubleshooting discovered that labels are being distributed between the two routers but no label swapping information is in the LFIB. What is the most likely cause of this problem?
A - The IGP is summarizing the address space.
B - IP CEF has not been enabled on both routers RTB and RTC.
C - BGP neighbor sessions have not been configured on both routers.
D - LDP has been enabled on one router and TDP has been enabled on the other.
E - LDP is using the loopback address as the LDP ID and the loopback address is not in the routing table.
Answer: B

Question: 87
Refer to the exhibit. All routers participate in the MPLS domain. An ISP propagates the routing information for network 10.10.10.0/24 from R3 to R1. However, router R3 summarizes the routing information to 10.10.0.0/16. How will the routes be propagated through the MPLS domain?
A - R3, using LDP, will advertise labels for both networks, and the information will be propagated throughout the MPLS domain.
B - R3 will label the summary route using a pop label. The route will then be propagated through the rest of the MPLS domain. R3 will label the 10.10.10.0/24 network and forward to R2 where the network will be dropped.
C - R3 will label the 10.10.10.0/24 network using a pop label which will be propagated through the rest of the MPLS domain. R3 will label the summary route and forward to R2 where the network will be dropped.
D - None of the networks will be labeled and propagated through the MPLS domain because aggregation breaks the MPLS domain.
36. Answer: B

Question: 88
Refer to the exhibit. MPLS and LDP are enabled on routers RTB and RTC and all interfaces are enabled. However, the routers will not establish an LDP neighbor session. Troubleshooting has revealed that there is forwarding information in the FIB table, but there is no forwarding information in the LFIB table. Which issue would cause this problem?
A - IP CEF is not enabled on one or both of the routers.
B - MPLS has been enabled on the interface but has not been enabled globally on one or both of the routers.
C - BGP neighbor sessions have not been configured on one or both of the routers.
D - One or both of the routers are using the loopback address as the LDP ID and the loopback is not being advertised by the IGP.
Answer: D

Question: 89
What can be configured to provide resiliency when using SDM to configure a site-to-site GRE over IPsec VPN tunnel?
A - HSRP
B - Stateful IPsec failover
C - A backup GRE over IPsec tunnel
D - Load balancing using two GRE over IPsec tunnels
E - Redundant dynamic crypto maps
Answer: C

Question: 90
Refer to the exhibit and the partial configuration on a DSL router.
37. The DSL Router is connected to a service provider using a PPPoE session over a DSL line. The FTP traffic, generated from inside the network 10.92.1.0/24, fails to reach the PPPoE Server. What should be configured on the DSL Router to fix the problem?
A - The ip mtu command with a bytes argument set greater than 1500 needs to be configured for the Dialer 1 interface.
B - The ip mtu command with a bytes argument set lower than 1500 needs to be configured for the Dialer 1 interface.
C - The ip mtu command with a bytes argument set greater than 1500 needs to be configured for the ATM0 interface.
D - The ip mtu command with a bytes argument set lower than 1500 needs to be configured for the ATM0 interface.
Answer: B

Question: 91
Refer to the exhibit. On the basis of the command output, which statement is true?
A - The value 32 is a local label ID.
B - Traffic associated with local label 26 will be forwarded to an interface that is not associated with label switching.
C - Traffic associated with local label 30 will have a next hop of 10.250.0.97/32.
D - Traffic associated with local label 29 will be forwarded to an interface that is not associated with label switching.
Answer: B

Question: 92
Which three routing protocols can be configured when configuring a site-to-site GRE over IPsec tunnel using SDM? (Choose three.)
39. A - BGP
B - RIP
C - IGRP
D - EIGRP
E - OSPF
F - IS-IS
Answer: B, D, E

Question: 93
When configuring an IPsec VPN to backup a WAN connection, what can be configured to influence the EIGRP routing process to select the primary WAN link over the backup IPsec tunnel?
A - Configure a lower clock rate value on the tunnel interface.
B - Configure a longer EIGRP hello interval on the tunnel interface.
C - Configure a higher bandwidth value on the tunnel interface.
D - Configure a longer delay value on the tunnel interface.
E - Configure the EIGRP variance to 1.
F - Configure the EIGRP variance to 2.
Answer: D

Question: 94
Which high availability option uses the concept of a virtual IP address to ensure that the default IP gateway for an IPsec site-to-site tunnel is always reachable?
A - Backup IPsec peer
B - Reverse Route Injection (RRI)
C - HSRP
D - Dynamic Crypto Map
E - GRE over IPsec
Answer: C

Question: 95
What are three features in the SDM that role-based access provides? (Choose three.)
A - provides configuration wizards for all routing protocols (like RIP, OSPF, EIGRP, BGP, IS-IS)
B - provides to end customers Multiservice switching platforms (MSSPs) with a graphical, read-only view of the customer premises equipment (CPE) services
C - provides advanced troubleshooting using debug output analysis
D - provides secure access to the SDM user interface and Telnet interface specific to the profile of each administrator
E - provides logical separation of the router between different router administrators and users
F - provides dynamic update of new R3 signatures for administrator, firewall administrator, easy VPN client, and read-only users
Answer: B, D, E

Question: 96
Refer to the exhibit.
40. What two types of attacks does the IOS firewall configuration prevent? (Choose two.)
A - Java applets
B - SYN flood
C - Trojan horse
D - DDOS
E - packet sniffers
Answer: B, D

Question: 97
Refer to the exhibit.
41. What Cisco feature generated the configuration?
A - EZ VPN
B - IOS Firewall
C - AutoSecure
D - IOS IPS
E - AAA
F - TACACS+
Answer: C

Question: 98
Which two statements are true about the Easy VPN Server configuration that is shown? (Choose two.)
42. A - Digital Certificate is used to authenticate the remote VPN client.
B - To connect, the remote VPN client will use a groupname of “test.”
C - The remote VPN client will be assigned an internal IP address from the SDM_POOL_1 IP address pool.
D - Split tunneling is enabled where traffic that matches ACL 100 will not be encrypted.
E - Split tunneling is disabled because no protected subnets have been defined.
Answer: B, C

Question: 99
What are the four fields in an MPLS label? (Choose four.)
A - version
B - experimental
C - label
D - protocol
E - TTL
F - bottom-of-stack indicator
Answer: B, C, E, F

Question: 100
Which global configuration mode command will configure a Cisco router as an authoritative NTP server?
A - ntp broadcast
B - ntp peer
C - ntp server
D - ntp master
Answer: D

Question: 101
Refer to the exhibit.
43. SDM has been used to configure the locations from which the signature definition file (SDF) will be loaded. What will happen if the SDF files in flash are not available at startup?
A - All traffic will flow uninspected or will be dropped.
B - All traffic will be marked as uninspected and will be checked after the signature file is loaded.
C - All traffic will be inspected by the built-in signatures bundled with Cisco IOS Software.
D - All traffic will be inspected by the pre-built signatures bundled in the attack-drop.sdf file.
Answer: A

Question: 102
Which statement is true about convergence in an MPLS network?
A - MPLS convergence will take place at the same time as the routing protocol convergence.
B - MPLS convergence will take place after the routing protocol convergence.
C - MPLS convergence will take place before the routing protocol convergence.
D - MPLS must be reconfigured after the routing protocol convergence.
Answer: B

Question: 103
Refer to the exhibit.
44. Which statement is true about the output of the show crypto engine connections active command?
A - The device that is shown has not established a VPN connection with a peer.
B - No subinterfaces are involved in VPN connections.
C - All three interfaces are active and are encrypting and decrypting traffic.
D - The state of “set” indicates that the connection is configured but not connected to a peer.
Answer: C

Question: 104
Which two protocols can be used to prevent a reconnaissance attack? (Choose two.)
A - SSH
B - Telnet
C - IPsec
D - NTP
E - SNMP
Answer: A, C

Question: 105
What is a possible way to prevent a worm attack on a host PC?
A - Enable SSH.
B - Enable encryption.
C - Implement TACACS+.
D - Keep the operating system current with the latest patches.
Answer: D

Question: 106
Which procedure is recommended to protect SNMP from application layer attacks?
A - Configure SNMP with only read-only community strings.
B - Implement RFC 2827 filtering.
C - Use SNMP version 2.
D - Create an access list on the SNMP server.
Answer: A

Question: 107
Refer to the exhibit.
45. What is the result of the ACL configuration that is displayed?
A - Inbound packets to request a TCP session with the 10.10.10.0/24 network are allowed.
B - TCP responses from the outside network for TCP connections that originated on the inside network are allowed.
C - TCP responses from the inside network for TCP connections that originated on the outside network are denied.
D - Any inbound packet with the SYN flag set to be routed is permitted.
Answer: B

Question: 108
Which two statements are true about the Cisco IOS Firewall set? (Choose two.)
A - protects against denial of service (DoS) attacks
B - An ACL entry is statically created and added to the existing, permanent ACL.
C - Traffic originating within the router is not inspected.
D - Temporary ACL entries are created and persist for the duration of the communication session.
Answer: A, D

Question: 109
Which statement is true about the SDM Basic Firewall wizard?
A - The wizard applies predefined rules to protect the private and DMZ networks.
B - The wizard can configure multiple DMZ interfaces for outside users.
C - The wizard permits the creation of a custom application security policy.
D - The wizard configures one outside interface and one or more inside interfaces.
Answer: D

Question: 110
Which three statements about frame-mode MPLS are true? (Choose three.)
A - MPLS has three distinct components consisting of the data plane, the forwarding plane, and the control plane.
B - The control plane is a simple label-based forwarding engine that is independent of the type of routing protocol or label exchange protocol.
C - The CEF FIB table contains information about outgoing interfaces and their corresponding Layer 2 header.
D - The MPLS data plane takes care of forwarding based on either destination addresses or labels.
E - To exchange labels, the control plane requires protocols such as Tag Distribution Protocol (TDP) or MPLS Label Distribution Protocol (LDP).
F - Whenever a router receives a packet that should be CEF-switched, but the destination is not in the FIB, the packet is dropped.
Answer: D, E, F

Question: 111
Which three statements about the Cisco Easy VPN feature are true? (Choose three.)
A - If the VPN server is configured for Xauth, the VPN client waits for a username / password challenge.
B - The Cisco Easy VPN feature only supports transform sets that provide authentication and encryption.
C - The VPN client initiates aggressive mode (AAA) if a pre-shared key is used for authentication during the IKE phase 1 process.
D - The VPN client verifies a server username/password challenge by using a AAA authentication server that supports TACACS+ or RADIUS.
E - The VPN server can only be enabled on Cisco PIX Firewalls and Cisco VPN 3000 series concentrators.
F - When connecting with a VPN client, the VPN server must be configured for ISAKMP group 1, 2 or 5.
Answer: A, B, C

Question: 112
Which two statements are true about the use of SDM to configure the Cisco Easy VPN feature on a router? (Choose two.)
A - An Easy VPN connection is a connection that is configured between two Easy VPN clients.
B - The Easy VPN server address must be configured when configuring the SDM Easy VPN Server wizard.
C - The SDM Easy VPN Server wizard displays a summary of the configuration before applying the VPN configuration.
D - The SDM Easy VPN Server wizard can be used to configure a GRE over IPSec site-to-site VPN or a dynamic multipoint VPN (DMVPN).
E - The SDM Easy VPN Server wizard can be used to configure user XAuth authentication locally on the router or externally with a RADIUS server.
F - The SDM Easy VPN Server wizard recommends using the Quick setup feature when configuring a dynamic multipoint VPN.
Answer: C, E

Question: 113
Which three statements are true when configuring Cisco IOS Firewall features using the SDM? (Choose three.)
A - A custom application security policy can be configured in the Advanced Firewall Security Configuration dialog box.
B - An optional DMZ interface can be specified in the Advanced Firewall Interface Configuration dialog box.
C - Custom application policies for e-mail, instant messaging, HTTP, and peer-to-peer services can be created using the Intermediate Firewall wizard.
D - Only the outside (untrusted) interface is specified in the Basic Firewall Interface Configuration dialog box.
E - The outside interface that SDM can be launched from is configured in the Configuring Firewall for Remote Access dialog box.
F - The SDM provides a basic, intermediate, and advanced firewall wizard.
Answer: A, B, E

Question: 114
Which device is responsible for attaching a VPN label to a packet traversing an MPLS network?
A - the provider (P) router
B - the provider edge (PE) router
C - the customer edge (CE) router
D - the customer (C) router
Answer: B

Question: 115
Refer to the exhibit. Given the partial tunnel configuration that is shown, which tunneling encapsulation is set?
A - GRE
B - GRE multipoint
C - cayman
D - DVMRP
Answer: A

Question: 116
Which three statements about IOS Firewall configurations are true? (Choose three.)
A - The IP inspection rule can be applied in the inbound direction on the secured interface.
B - The IP inspection rule can be applied in the outbound direction on the unsecured interface.
C - The ACL applied in the outbound direction on the unsecured interface should be an extended ACL.
    48. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 D - The ACL applied in the inbound direction on the unsecured interface should be an extended ACL. E - For temporary openings to be created dynamically by Cisco lOS Firewall, the access-list for the returning traffic must be a standard ACL. F - For temporary openings to be created dynamically by Cisco lOS Firewall, the IP inspection rule must be applied to the secured interface. Answer: A, B, D Question: 117 Which statement describes the Authentication Proxy feature? A - All traffic is permitted from the inbound to the outbound interface upon successful authentication of the user. B - A specific access profile is retrieved from a TACACS+ or RADIUS server and applied to an lOS Firewall based on user provided credentials. C - Prior to responding to a proxy APP, the router will prompt the user for a login and password which are authenticated based on the configured AAA policy. D - The proxy server capabilities of the lOS Firewall are enabled upon successful authentication of the user. Answer: B Question: 118 Which two statements about an IDS are true? (Choose two.) A - The IDS is in the traffic path. B - The IDS can send TCP resets to the source device. C - The IDS can send TCP resets to the destination device. D - The IDS listens promiscuously to all traffic on the network. E - Default operation is for the IDS to discard malicious traffic. Answer: B, D Question: 119 Which statement is true about the SDM IPS Policies wizard? A - In order to configure the lPS, the wizard requires that customized signature files be created. B - The lPS Policies wizard only allows the use of default signatures which cannot be modified. C - The lPS Policies wizard can be used to modify, delete, or disable signatures that have been deployed on the router. 
D - When initially enabling the IPS Policies wizard, SDM automatically checks and downloads updates of default signatures available from CCO (cisco.com). E - The wizard verifies whether the command is correct but does not verify available router resources before the signatures are deployed to the router. Answer: C Question: 120 Which statement is correct about Security Device Event Exchange (SDEE) messages? A - SDEE messages can be viewed in real time using SDM. B - SDEE messages displayed at the SDM window cannot be filtered. C - SDFE messages are the SDM version of syslog messages. D - SDEE specifies the IPS/IDS message exchange format between an IPS/IDS device and IPS Page 48 of 179
    49. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 the management/monitoring station. E - For SDEE messages to be viewed, the show ip ips all or show logging commands must be given first. Answer: D Question: 121 Refer to the exhibit What are the ramifications of Fail Closed being enabled under Engine Options? A - The router will drop all packets that arrive on the affected interface. B - If the IPS engine is unable to scan data, the router will drop all packets. C - If the IPS detects any malicious traffic, it will cause the affected interlace to close any open TCP connections. D - The IPS engine is enabled to scan data and drop packets depending upon the signature of the flow. Answer: B Question: 122 A router interface is configured with an inbound access control list and an inspection rule. How will an inbound packet on this interface be processed? A - The packet is processed by the inbound ACL. If the packet is dropped by the ACL, it is processed by the inspection rule. B - The packet is processed by the inbound ACL. If the packet is not dropped by the ACL, it is processed by the inspection rule. C - The packet is processed by the inspection rule. If the packet matches the inspection rule, the inbound ACL is invoked. D - The packet is processed by the inspection rule. If the packet does not match the inspection rule, the inbound ACL is invoked. Page 49 of 179
    50. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 Answer: B Question: 123 Refer to the exhibit. Assume that a signature can identity an IP address as the source of an attack. Which action would automatically create an ACL that denies all traffic from an attacking IP address? A - alarm B - drop C - reset D - deny Flow ln line E - denyAttackerlnline F - deny-connection-inline Answer: E Question: 124 A site requires support for skinny and H.323 voice protocols. How is this configured on an lOS firewall using the SDM? A - The Basic Firewall wizard is executed and the High Security Application policy is selected. B - The Advanced Firewall wizard is executed and a custom Application Security policy is selected in place of the default Application Security policies. C - The Application Security tab is used to create a policy with voice support before the Firewall wizard is run. D - The Application Security tab is used to modify the SDM_High policy to add voice support prior to the Firewall wizard being run. Answer: B Question: 125 Refer to the exhibit. Page 50 of 179
    51. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 The Basic Firewall wizard has been used to configure a router. What is the purpose of the highlighted access list statement? A - to prevent spoofing by blocking traffic entering interface Fa0/0 with a source address in the same subnet as interface VLAN10 B - to prevent spoofing by blocking traffic entering Fa0/0 with a source address in the RFC 1916 private address space C - to establish a DMZ by preventing traffic from interface VLAN10 being sent out interface Fa0/0 D - to establish a DMZ by preventing traffic from interface Fa0/0 being sent out interface VLAN1 0 Answer: A Question: 126 When establishing a VPN connection from the Cisco software VPN client to an Easy VPN server router using pre-shared key authentication, what is entered in the configuration GUI of the Cisco software VPN client to identify the group profile that is associated with this VPN client? A - group name B - client name C - distinguished name D - organizational unit Answer: A Question: 127 Refer to the exhibit. Page 51 of 179
    52. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 An lOS firewall has been configured to support skinny and H.323. Voice traffic is not passing through the firewall as expected. What needs to be corrected in this configuration? A - Access list 100 needs to permit skinny and H.323. B - Access list 101 needs to permit skinny and H.323. C - The ip inspect Voice in command on interface FastEthernet 0/1 should be applied in the outbound direction. D - The ip inspect Voice out command should be applied to interface FastEthernet 0/0. Answer: C Question: 128 During the Easy VPN Remote connection process, which phase involves pushing the IP address, Domain Name System (DNS), and split tunnel attributes to the client? A - mode configuration B - the VPN client establishment of an ISAKMP SA C - IPsec quick mode completion of the connection D - VPN client initiation of the IKE phase 1 process Page 52 of 179
    53. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 Answer: A Question: 129 When entering the Group Authentication information while configuring the Cisco VPN Client on a PC, what information is entered in the “Name” field? A - login name of the user (such as “jsmith”) B - client name of the device (such as “jsmith-laptop”) C - IPsec group information (such as “Engineering”) D - the group pre-shared secret (such as “CiNl1iNFTW”) E - host name of the remote VPN device (such as “vpna.cisco.com”) Answer: C Question: 130 Drag each Cisco Easy VPN connection process on the left to its step on the right. Answer: Page 53 of 179
    54. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 Question: 131 When configuring the Cisco VPN Client, what action is required prior to installing Mutual Group Authentication? A - Transparent tunneling must be enabled. B - A valid root certificate must be installed. C - A group pre-shared secret must be properly configured. D - The option to “Allow Local LAN Access” must be selected. Answer: B Question: 132 This item contains several questions that you must answer. You can view these questions by clicking on the Questions button to the left. Changing questions can be accomplished by clicking the numbers to the left of each question. In order to complete the questions, you will need to refer to the SDM and the topology, neither of which is currently visible. To gain access to either the topology or the SDM, click on the button to left side of the screen that corresponds to the section you wish to access. When you have finished viewing the topology or the SDM, you can return to your questions by clicking on the Questions button to the left. Off Shore Industries is a large worldwide sailing charter. The company has recently upgraded its Internet connectivity. As a recent addition to the network engineering team, you have been tasked with documenting the active Firewall configurations on the Annapolis router using the Cisco Router and Security Device Manager (SDM) utility. Using the SDM output from Firewall and ACL Tasks under the Configure tab, answer the following questions: Page 54 of 179
    55. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 Page 55 of 179
    56. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 Page 56 of 179
    57. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 Which statement is true? (We can’t offer correct answers for this question, hope you can help us, and send your suggestions to supportCompany.com, it is greatly appreciated.) A - Both FastEthernet 0/0 and Serial 0/0/0 are trusted interface B - Both FastEthernet 0/0 and Serial 0/0/0 are untrusted interfaces. C - FastEthernet 0/0 is a trusted interface and Serial 0/0/0 is an untrusted interface. D - FastEthernet 0/0 is an untrusted interface and Serial 0/0/0 is a trusted interface. Answer: C Page 57 of 179
Question: 133
This item contains several questions that you must answer. You can view these questions by clicking on the Questions button to the left. Changing questions can be accomplished by clicking the numbers to the left of each question. In order to complete the questions, you will need to refer to the SDM and the topology, neither of which is currently visible. To gain access to either the topology or the SDM, click on the button on the left side of the screen that corresponds to the section you wish to access. When you have finished viewing the topology or the SDM, you can return to your questions by clicking on the Questions button to the left.

Off Shore Industries is a large worldwide sailing charter. The company has recently upgraded its Internet connectivity. As a recent addition to the network engineering team, you have been tasked with documenting the active Firewall configurations on the Annapolis router using the Cisco Router and Security Device Manager (SDM) utility. Using the SDM output from Firewall and ACL Tasks under the Configure tab, answer the following questions:

Which two statements would be true for a permissible incoming TCP packet on an untrusted interface in this configuration? (Choose two.) (We can’t offer correct answers for this question, hope you can help us, and send your suggestions to supportCompany.com, it is greatly appreciated.)
A - The packet has a source address of 10.79.233.186
B - The packet has a source address of 172.16.81.108
C - The packet has a source address of 198.133.219.135
D - The session originated from an untrusted interface
E - The session originated from a trusted interface
F - The application is not specified within the inspection rule SDM_LOW.
Answer: C, E

Question: 134
This item contains several questions that you must answer. You can view these questions by clicking on the Questions button to the left. Changing questions can be accomplished by clicking the numbers to the left of each question. In order to complete the questions, you will need to refer to the SDM and the topology, neither of which is currently visible. To gain access to either the topology or the SDM, click on the button on the left side of the screen that corresponds to the section you wish to access. When you have finished viewing the topology or the SDM, you can return to your questions by clicking on the Questions button to the left.

Off Shore Industries is a large worldwide sailing charter. The company has recently upgraded its Internet connectivity. As a recent addition to the network engineering team, you have been tasked with documenting the active Firewall configurations on the Annapolis router using the Cisco Router and Security Device Manager (SDM) utility. Using the SDM output from Firewall and ACL Tasks under the Configure tab, answer the following questions:

Which two statements would specify a permissible incoming TCP packet on a trusted interface in this configuration? (Choose two.) (We can’t offer correct answers for this question, hope you can help us, and send your suggestions to supportCompany.com, it is greatly appreciated.)
A - The packet has a source address of 10.79.233.107
B - The packet has a source address of 172.16.81.108
C - The packet has a source address of 198.133.219.40
D - The destination address is not specified within the inspection rule SDM_LOW.
E - The destination address is specified within the inspection rule SDM_LOW.
Answer: A, C

Question: 135
This item contains several questions that you must answer. You can view these questions by clicking on the Questions button to the left. Changing questions can be accomplished by clicking the numbers to the left of each question. In order to complete the questions, you will need to refer to the SDM and the topology, neither of which is currently visible. To gain access to either the topology or the SDM, click on the button on the left side of the screen that corresponds to the section you wish to access. When you have finished viewing the topology or the SDM, you can return to your questions by clicking on the Questions button to the left.
Which defined peer IP address and local subnet belong to Crete? (Choose two.) (We can’t offer correct answers for this question, hope you can help us, and send your suggestions to supportCompany.com, it is greatly appreciated.)
A - peer address 192.168.55.159
B - peer address 192.168.77.120
C - peer address 192.168.167.85
D - subnet 10.5.15.0/24
E - subnet 10.8.28.0/24
F - subnet 10.5.33.0/24
Answer: Pending. Send your suggestions at feedback@Examsheet.net

Question: 136
This item contains several questions that you must answer. You can view these questions by clicking on the Questions button to the left. Changing questions can be accomplished by clicking the numbers to the left of each question. In order to complete the questions, you will need to refer to the SDM and the topology, neither of which is currently visible. To gain access to either the topology or the SDM, click on the button on the left side of the screen that corresponds to the section you wish to access. When you have finished viewing the topology or the SDM, you can return to your questions by clicking on the Questions button to the left.
Which IPSec rule is used for the Olympia branch and what does it define? (Choose two.) (We can’t offer correct answers for this question, hope you can help us, and send your suggestions to supportCompany .com, it is greatly appreciated.)
A - 102
B - 116
C - 127
D - IP traffic sourced from 10.10.10.0/24 destined to 10.5.15.0/24 will use the VPN.
E - IP traffic sourced from 10.10.10.0/24 destined to 10.8.28.0/24 will use the VPN.
F - IP traffic sourced from 10.10.10.0/24 destined to 10.5.33.0/24 will use the VPN.
Answer: Pending. Send your suggestions at feedback@Examsheet.net

Question: 137
This item contains several questions that you must answer. You can view these questions by clicking on the Questions button to the left. Changing questions can be accomplished by clicking the numbers to the left of each question. In order to complete the questions, you will need to refer to the SDM and the topology, neither of which is currently visible. To gain access to either the topology or the SDM, click on the button on the left side of the screen that corresponds to the section you wish to access. When you have finished viewing the topology or the SDM, you can return to your questions by clicking on the Questions button to the left.
Which algorithm as defined by the transform set is used for providing data confidentiality when connected to Tyre? (We can’t offer correct answers for this question, hope you can help us, and send your suggestions to supportCompany .com, it is greatly appreciated.)
A - ESP-3DES-SHA
B - ESP-3DES-SHA1
C - ESP-3DES-SHA2
D - ESP-3DES
E - ESP-SHA-HMAC
Answer: Pending. Send your suggestions at feedback@Examsheet.net

Question: 138
This item contains several questions that you must answer. You can view these questions by clicking on the Questions button to the left. Changing questions can be accomplished by clicking the numbers to the left of each question. In order to complete the questions, you will need to refer to the SDM and the topology, neither of which is currently visible. To gain access to either the topology or the SDM, click on the button on the left side of the screen that corresponds to the section you wish to access. When you have finished viewing the topology or the SDM, you can return to your questions by clicking on the Questions button to the left.
Which peer authentication method and which IPSEC mode is used to connect to the branch locations? (Choose two.) (We can’t offer correct answers for this question, hope you can help us, and send your suggestions to supportCompanycom, it is greatly appreciated.)
A - Digital Certificate
B - Pre-Shared Key
C - Transport Mode
D - Tunnel Mode
E - GRE/IPSEC Transport Mode
F - GRE/IPSEC Tunnel Mode
Answer: Pending.

Question: 139
What are two steps that must be taken when mitigating a worm attack? (Choose two.)
A. Inoculate systems by applying update patches.
B. Limit traffic rate.
C. Apply authentication.
D. Quarantine infected machines.
E. Enable anti-spoof measures.
Answer: A, D

Question: 140
What is a reason for implementing MPLS in a network?
A. MPLS eliminates the need of an IGP in the core.
B. MPLS reduces the required number of BGP-enabled devices in the core.
C. Reduces routing table lookup since only the MPLS core routers perform routing table lookups.
D. MPLS eliminates the need for fully meshed connections between BGP enabled devices.
Answer: B

Question: 141
What are three features of the Cisco IOS Firewall feature set? (Choose three.)
A. Network-based application recognition (NBAR)
B. Authentication proxy
C. Stateful packet filtering
D. AAA services
E. Proxy server
F. IPS
Answer: B, C, F

Question: 142
Which two mechanisms can be used to detect IPsec GRE tunnel failures? (Choose two.)
A. Dead Peer Detection (DPD)
B. CDP
C. isakmp keepalives
D. GRE keepalive mechanism
E. The hello mechanism of the routing protocol across the IPsec tunnel
Answer: A, E
Question: 143
Which two statements are true about broadband cable (HFC) systems? (Choose two.)
A. Cable modems only operate at Layer 1 of the OSI model.
B. Cable modems operate at Layers 1 and 2 of the OSI model.
C. Cable modems operate at Layers 1, 2, and 3 of the OSI model.
D. A function of the cable modem termination system (CMTS) is to convert the modulated signal from the cable modem into a digital signal.
E. A function of the cable modem termination system is to convert the digital data stream from the end user host into a modulated RF signal for transmission onto the cable system.
Answer: B, D

Question: 144
What are three configurable parameters when editing signatures in Security Device Manager (SDM)? (Choose three.)
A. AlarmSeverity
B. AlarmKeepalive
C. AlarmTraits
D. EventMedia
E. EventAlarm
F. EventAction
Answer: A, C, F

Question: 145
Which two statements about common network attacks are true? (Choose two.)
A. Access attacks can consist of password attacks, trust exploitation, port redirection, and man-in-the-middle attacks.
B. Access attacks can consist of password attacks, ping sweeps, port scans, and man-in-the-middle attacks.
C. Access attacks can consist of packet sniffers, ping sweeps, port scans, and man-in-the-middle attacks.
D. Reconnaissance attacks can consist of password attacks, trust exploitation, port redirection and Internet information queries.
E. Reconnaissance attacks can consist of packet sniffers, port scans, ping sweeps, and Internet information queries.
F. Reconnaissance attacks can consist of ping sweeps, port scans, man-in-the-middle attacks and Internet information queries.
Answer: A, E

Question: 146
Which form of DSL technology is typically used as a replacement for T1 lines?
A. VDSL
B. HDSL
C. ADSL
D. SDSL
E. G.SHDSL
F. IDSL
Answer: B

Question: 147
Which three statements are true when configuring Cisco IOS Firewall features using the SDM? (Choose three.)
A. A custom application security policy can be configured in the Advanced Firewall Security Configuration dialog box.
B. An optional DMZ interface can be specified in the Advanced Firewall Interface Configuration dialog box.
C. Custom application policies for e-mail, instant messaging, HTTP, and peer-to-peer services can be created using the Intermediate Firewall wizard.
D. Only the outside (untrusted) interface is specified in the Basic Firewall Interface Configuration dialog box.
E. The outside interface that SDM can be launched from is configured in the Configuring Firewall for Remote Access dialog box.
F. The SDM provides a basic, intermediate, and advanced firewall wizard.
Answer: A, B, E

Question: 148
Which three statements about frame-mode MPLS are true? (Choose three.)
A. MPLS has three distinct components consisting of the data plane, the forwarding plane, and the control plane.
B. The control plane is a simple label-based forwarding engine that is independent of the type of routing protocol or label exchange protocol.
C. The CEF FIB table contains information about outgoing interfaces and their corresponding Layer 2 header.
D. The MPLS data plane takes care of forwarding based on either destination addresses or labels.
E. To exchange labels, the control plane requires protocols such as Tag Distribution Protocol (TDP) or MPLS Label Distribution Protocol (LDP).
F. Whenever a router receives a packet that should be CEF-switched, but the destination is not in the FIB, the packet is dropped.
Answer: D, E, F

Question: 149
What are the four fields in an MPLS label? (Choose four.)
A. Version
B. Experimental
C. Label
D. Protocol
E. TTL
F. Bottom-of-stack indicator
Answer: B, C, E, F

Question: 150
Which statement is true when ICMP echo and echo-reply are disabled on edge devices?
A. Pings are allowed only to specific devices.
B. CDP information is not exchanged.
C. Port scans can no longer be run.
D. Some network diagnostic data is lost.
E. Wireless devices need to be physically connected to the edge device.
F. OSPF routing needs the command ip ospf network non-broadcast enabled.
Answer: D

Question: 151
Which statement is true about a worm attack?
A. Human interaction is required to facilitate the spread.
B. The worm executes arbitrary code and installs copies of itself in the memory of the infected computer.
C. Extremely large volumes of requests are sent over a network or over the Internet.
D. Data or commands are injected into an existing stream of data. That stream is passed between a client and server application.
Answer: B

Question: 152
Which two network attack statements are true? (Choose two.)
A. Access attacks can consist of password attacks, trust exploitation, port redirection, and man-in-the-middle attacks.
B. Access attacks can consist of UDP and TCP SYN flooding, ICMP echo-request floods, and ICMP directed broadcasts.
C. DoS attacks can be reduced through the use of access control configuration, encryption, and RFC 2827 filtering.
D. DoS attacks can consist of IP spoofing and DDoS attacks.
E. IP spoofing can be reduced through the use of policy-based routing.
F. IP spoofing exploits known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information.
Answer: A, D

Question: 153
Which two statements are correct about mitigating attacks by the use of access control lists (ACLs)? (Choose two.)
A. Extended ACLs on routers should always be placed as close to the destination as possible.
B. Each ACL that is created ends with an implicit permit all statement.
C. Ensure that earlier statements in the ACL do not negate any statements that are found later in the list.
D. Denied packets should be logged by an ACL that traps informational (level 6) messages.
E. IP packets that contain the source address of any internal hosts or networks inbound to a private network should be permitted.
F. More specific ACL statements should be placed earlier in the ACL.
Answer: D, F

Question: 154
Which two Network Time Protocol (NTP) statements are true? (Choose two.)
A. A stratum 0 time server is required for NTP operation.
    100. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 B. NTP is enabled on all interfaces by default, and all interfaces receive NTP packets. C. NTP operates on IP networks using User Datagram Protocol (UDP) port 123. D. The ntp server global configuration is used to configure the NTP master clock to which other peers synchronize themselves. E. The show ntp status command displays detailed association information of all NTP peers. F. Whenever possible, configure NTP version 5 because it automatically provides authentication and encryption services. Answer: B, C Question: 155 Which statement is true about the SDM Basic Firewall wizard? A. The wizard applies predefined rules to protect the private and DMZ networks. B. The wizard can configure multiple DMZ interfaces for outside users. C. The wizard permits the creation of a custom application security policy. D. The wizard configures one outside interface and one or more inside interfaces. Answer: D Question: 156 Which two statements are true about the configuration of the Cisco IOS Firewall using the SDM? (Choose two.) A. Cisco IOS Firewall features may be configured by choosing the Additional Tasks wizard. B. Firewall policies can be viewed from the Home screen of the SDM. C. To simplify the Firewall configuration task, the SDM provides Basic Firewall, Intermediate Firewall, and Advanced Firewall wizards. D. The Basic Firewall Configuration wizard applies default access rules to the inside (trusted), outside (untrusted) and DMZ interfaces. E. The Advanced Firewall Configuration wizard applies access rules to the inside (trusted), outside (untrusted) and DMZ interfaces. Answer: B, E Question: 157 How can virus and Trojan horse attacks be mitigated? A. Disable port scan. B. Deny echo replies on all edge routes. C. Implement RFC 2827 filtering. D. Use antivirus software. E. Enable trust levels. 
Answer: D Question: 158 What are three objectives that the no ip inspect command achieves? (Choose three.) A. Removes the entire CBAC configuration B. Removes all associated static ACLs C. Turns off the automatic audit feature in SDM D. Denies HTTP and Java applets to the inside interface but permits this traffic to the DMZ E. Resets all global timeouts and thresholds to the defaults F. Deletes all existing sessions Page 100 of 179
    101. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 Answer: A, E, F Question: 159 What is required when configuring IOS Firewall using the CLI? A. IOS IPS enabled on the untrusted interface B. NBAR enabled to perform protocol discovery and deep packet inspection C. Route-map to define the trusted outgoing traffic D. Route-map to define the application inspection rules E. An inbound extended ACL applied to the untrusted interface Answer: E Question: 160 Which two statements about packet sniffers or packet sniffing are true? (Choose two.) A. A packet sniffer requires the use of a network adapter card in nonpromiscuous mode to capture all network packets that are sent across a LAN. B. Packet sniffers can only work in a switched Ethernet environment. C. To reduce the risk of packet sniffing, cryptographic protocols such as Secure Shell Protocol(SSH) and Secure Sockets Layer (SSL) should be used. D. To reduce the risk of packet sniffing, strong authentication, such as one time passwords, should be used. E. To reduce the risk of packet sniffing, traffic rate limiting and RFC 2827 filtering should be used. Answer: C, D Question: 161 Which statement is true about the management protocols? A. TFTP data is sent encrypted. B. Syslog data is sent encrypted between the server and device. C. SNMP v1/v2 can be compromised because the community string information for authentication is sent in clear text. D. NTP v.3 does not support a cryptographic authentication mechanism between peers. Answer: C Question: 162 Which statement about an IPS is true? A. The IPS is in the traffic path. B. Only one active interface is required. C. Full benefit of an IPS will not be realized unless deployed in conjunction with an IDS. D. When malicious traffic is detected, the IPS will only send an alert to a management station. 
Answer: A Question: 163 When configuring the Cisco VPN Client, what action is required prior to installing Mutual Group Authentication? A. Transparent tunneling must be enabled. Page 101 of 179
    102. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 B. A valid root certificate must be installed. C. A group pre-shared secret must be properly configured. D. The option to \"Allow Local LAN Access\" must be selected. Answer: B Question: 164 For what purpose does SDM use Security Device Event Exchange (SDEE)? A. To extract relevant SNMP information B. To pull event logs from the router C. To perform application-level accounting D. To provide a keepalive mechanism Answer: B Question: 165 Which three statements are true about Cisco Intrusion Detection System (IDS) and Cisco Intrusion Prevention System (IPS) functions? (Choose three.) A. Only IDS systems provide real-time monitoring that includes packet capture and analysis of network packets. B. Both IDS and IPS systems provide real-time monitoring that involves packet capture and analysis of network packets. C. The signatures on the IDS devices are configured manually whereas the signature on the IPS devices are configured automatically. D. IDS can detect misuse, abuse, and unauthorized access to networked resources but can only respond after an attack is detected. E. IPS can detect misuse, abuse, and unauthorized access to networked resources and respond before network security can be compromised. F. IDS can deny malicious traffic from the inside network whereas IPS can deny malicious traffic from outside the network. Answer: B, D, E Question: 166 What phrase best describes a Handler in a distributed denial of service (DDoS) attack? A. Person who launches the attack B. Host that generates a stream of packets that is directed toward the intended victim C. Host running the attacker program D. Host being attacked Answer: C Question: 167 Which PPPoA configuration statement is true? A. The dsl operating-mode auto command is required if the default mode has been changed. B. The encapsulation ppp command is required. C. 
The ip mtu 1492 command must be applied on the dialer interface. D. The ip mtu 1496 command must be applied on the dialer interface. E. The ip mtu 1492 command must be applied on the Ethernet interface. F. The ip mtu 1496 command must be applied on the Ethernet interface. Answer: A Page 102 of 179
    103. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 Question: 168 What is a recommended practice for secure configuration management? A. Disable port scan. B. Use SSH or SSL. C. Deny echo replies on all edge routers. D. Enable trust levels. E. Use secure Telnet. Answer: B Question: 169 Which three statements about hybrid fiber-coaxial (HFC) networks are true? (Choose three.) A. A tap produces a significantly larger output signal. B. An amplifier divides the input RF signal power to provide subscriber drop connections. C. Baseband sends multiple pieces of data simultaneously to increase the effective rate of transmission. D. Downstream is the direction of an RF signal transmission (TV channels and data) from the source (headend) to the destination (subscribers). E. The term CATV refers to residential cable systems. F. Upstream is the direction from subscribers to the headend. Answer: D, E, F Question: 170 Which two active response capabilities can be configured on an intrusion detection system (IDS) in response to malicious traffic detection? (Choose two.) A. The initiation of dynamic access lists on the IDS to prevent further malicious traffic B. The configuration of network devices to prevent malicious traffic from passing through C. The shutdown of ports on intermediary devices D. The transmission of a TCP reset to the offending end host E. The invoking of SNMP-sourced controls Answer: B, D Question: 171 Which IPsec VPN backup technology statement is true? A. Each Hot Standby Routing Protocol (HSRP) standby group has two well-known MAC addresses and a virtual IP address. B. Reverse Route Injection (RRI) is configured on at the remote site to inject the central site networks. C. The crypto isakmp keepalive command is used to configure the Stateful Switchover (SSO) protocol. D. The crypto isakmp keepalive command is used to configure stateless failover. E. 
The reverse-route command should be applied directly to the outside interface. Answer: D Question: 172 Which two statements describe the functions and operations of IDS and IPS systems? (Choose two.) Page 103 of 179
    104. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 A. A network administrator entering a wrong password would generate a true-negative alarm. B. A false positive alarm is generated when an IDS/IPS signature is correctly identified. C. An IDS is significantly more advanced over IPS because of its ability to prevent network attacks. D. Cisco IDS works inline and stops attacks before they enter the network. E. Cisco IPS taps the network traffic and responds after an attack. F. Profile-based intrusion detection is also known as \"anomaly detection\". Answer: B, F Question: 173 Which three DSL technologies support an analog POTS channel and utilize the entire bandwidth of the copper to carry data? (Choose three.) A. ADSL B. IDSL C. SDSL D. RADSL E. VDSL Answer: A, D, E Question: 174 What actions can be performed by the Cisco IOS IPS when suspicious a tivity is detected? (Choose four.) A. Send an alarm to a syslog server or a centralized management interface B. Initiate antivirus software to clean the packet C. Drop the packet D. Reset the connection E. Request packet to be resent F. Deny traffic from the source IP address associated with the connection Answer: A, C, D, F Question: 175 What are the four steps that occur with an IPsec VPN setup? A. Step 1: Interesting traffic initiates the IPsec process. A. Step 2: AH authenticates IPsec peers and negotiates IKE SAs. B. Step 3: AH negotiates IPsec SA settings and sets up matching IPsec SAs in the peers. C. Step 4: Data is securely transferred between IPsec peers. B. Step 1: Interesting traffic initiates the IPsec process. D. Step 2: ESP authenticates IPsec peers and negotiates IKE SAs. E. Step 3: ESP negotiates IPsec SA settings and sets up matching IPsec SAs in the peers. F. Step 4: Data is securely transferred between IPsec peers. C. Step 1: Interesting traffic initiates the IPsec process. G. 
Step 2: IKE authenticates IPsec peers and negotiates IKE SAs. H. Step 3: IKE negotiates IPsec SA settings and sets up matching IPsec SAs in the peers. I. Step 4: Data is securely transferred between IPsec peers. D. Step 1: Interesting traffic initiates the IPsec process. J. Step 2: IKE negotiates IPsec SA settings and sets up matching IPsec SAs in the peers. K. Step 3: IKE authenticates IPsec peers and negotiates IKE SAs. L. Step 4: Data is securely transferred between IPsec peers. Page 104 of 179
    105. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 Answer: C Question: 176 What is a recommended practice for secure configuration management? A. Disable port scan. B. Use SSH or SSL. C. Deny echo replies on all edge routers. D. Enable trust levels. E. Use secure Telnet. Answer: B Question: 177 Which statement is true about a worm attack? A. Human interaction is required to facilitate the spread. B. The worm executes arbitrary code and installs copies of itself in the memory of the infected computer. C. Extremely large volumes of requests are sent over a network or over the Internet. D. Data or commands are injected into an existing stream of data. That stream is passed between a client and A. server application. Answer: B Question: 178 Which two statements are true about the troubleshooting of VPN connectivity on a Cisco router? (Choose two.) A. SDM can be used to provide statistical output that is related to IPsec SAs. B. The debug crypto isakmp command output displays detailed IKE phase 1 and phase 2 negotiation processes. C. SDM can be used to perform advance troubleshooting. D. Knowledge of Cisco IOS CLI commands is required. E. The Monitor Tunnel Operation page in SDM is the primary tool for troubleshooting VPN connectivity. Answer: B, D Question:179 Which action can be taken by Cisco IOS IPS when a packet matches a signature pattern? A. Drop the packet B. Reset the UDP connection C. Block all traffic from the destination address for a specified amount of time D. Perform a reverse path verification to determine if the source of the malicious packet was spoofed E. Forward the malicious packet to a centralized NMS where further analysis can be taken Answer: A Question: 180 Which statement about the aaa authentication enable default group radius enable command is true? Page 105 of 179
    106. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 A. If the radius server returns an error, the enable password will be used. B. If the radius server returns a 'failed' message, the enable password will be used. C. The command login authentication group will associate the AAA authentication to a specified interface. D. If the group database is unavailable, the radius server will be used. Answer: A Question: 181 Which three DSL technologies support an analog POTS channel and utilize the entire bandwidth of the copper to carry data? (Choose three.) A. ADSL B. IDSL C. SDSL D. RADSL E. VDSL Answer: A, D, E Question: 182 Which two statements are correct about mitigating attacks by the use of access control lists (ACLs)? (Choose two.) A. Extended ACLs on routers should always be placed as close to the destination as possible. B. Each ACL that is created ends with an implicit permit all statement. C. Ensure that earlier statements in the ACL do not negate any statements that are found later in the list. D. Denied packets should be logged by an ACL that traps informational (level 6) messages. E. IP packets that contain the source address of any internal hosts or networks inbound to a private network should be permitted. F. More specific ACL statements should be placed earlier in the ACL. Answer: D, F Question: 183 If an edge Label Switch Router (LSR) is properly configured, which three combinations are possible? (Choose three.) A. A received IP packet is forwarded based on the IP destination address and the packet is sent as an IP packet. B. An IP destination exists in the IP forwarding table. A received labeled packet is dropped because the label is not found in the LFIB table. C. There is an MPLS label-switched path toward the destination. A received IP packet is dropped because the destination is not found in the IP forwarding table. D. 
A received IP packet is forwarded based on the IP destination address and the packet is sent as a labeled packet. E. A received labeled IP packet is forwarded based upon both the label and the IP address. F. A received labeled packet is forwarded based on the label. After the label is swapped, the newly labeled packet is sent. Answer: A, D, F Question: 184 What three features does Cisco Security Device Manager (SDM) offer? (Choose three.) Page 106 of 179
    107. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 A. Smart wizards and advanced configuration support for NAC policy features B. Single-step mitigation of Distributed Denial of Service (DDoS) attacks C. One-step router lockdown D. Security auditing capability based upon CERT recommendations E. Multi-layered defense against social engineering F. Single-step deployment of basic and advanced policy settings Answer: A, C, F Question: 185 What are the four steps that occur with an IPsec VPN setup? A. Step 1: Interesting traffic initiates the IPsec process. A. Step 2: AH authenticates IPsec peers and negotiates IKE SAs. B. Step 3: AH negotiates IPsec SA settings and sets up matching IPsec SAs in the peers. C. Step 4: Data is securely transferred between IPsec peers. B. Step 1: Interesting traffic initiates the IPsec process. D. Step 2: ESP authenticates IPsec peers and negotiates IKE SAs. E. Step 3: ESP negotiates IPsec SA settings and sets up matching IPsec SAs in the peers. F. Step 4: Data is securely transferred between IPsec peers. C. Step 1: Interesting traffic initiates the IPsec process. G. Step 2: IKE authenticates IPsec peers and negotiates IKE SAs. H. Step 3: IKE negotiates IPsec SA settings and sets up matching IPsec SAs in the peers. I. Step 4: Data is securely transferred between IPsec peers. D. Step 1: Interesting traffic initiates the IPsec process. J. Step 2: IKE negotiates IPsec SA settings and sets up matching IPsec SAs in the peers. K. Step 3: IKE authenticates IPsec peers and negotiates IKE SAs. L. Step 4: Data is securely transferred between IPsec peers. Answer: C Question: 186 Which form of DSL technology is typically used as a replacement for T1 lines? A. VDSL B. HDSL C. ADSL D. SDSL E. G.SHDSL F. IDSL Answer: B Question: 187 Which three categories of signatures can a Cisco IPS microengine identify? (Choose three.) A. DDoS signatures B. Strong signatures C. 
Exploit signatures D. Numeric signatures E. Spoofing signatures F. Connection signatures Answer: A, C, F Page 107 of 179
    108. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 Question: 188 What are two principles to follow when configuring ACLs with IOS Firewall? (Choose two.) A. Prevent traffic that will be inspected by IOS Firewall from leaving the network through the firewall. B. Configure extended ACLs to prevent IOS Firewall return traffic from entering the network through the firewall. C. Configure an ACL to deny traffic from the protected networks to the unprotected networks. D. Permit broadcast messages with a source address of 255.255.255.255. E. Allow traffic that will be inspected by IOS Firewall to leave the network through the firewall. Answer: B, E Question: 189 With MPLS, what is the function of the protocol ID (PID) in a Layer 2 header? A. It specifies that the bottom-of-stack bit immediately follows. B. It specifies that the payload starts with a label and is followed by an IP header. C. It specifies that the receiving router use the top label only. D. It specifies how many labels immediately follow. Answer: B Question: 190 Which statement identifies a limitation in the way Cisco IOS Firewall tracks UDP connections versus TCP connections? A. It cannot track the source IP. B. It cannot track the source port. C. It cannot track the destination IP. D. It cannot track the destination port. E. It cannot track sequence numbers and flags. F. It cannot track multicast or broadcast packets. Answer: E Question: 191 What are three methods of network reconnaissance? (Choose three.) A. IP spoofing B. One-time password C. Dictionary attack D. Packet sniffer E. Ping sweep F. Port scan Answer: D, E, F Question:192 What are three options for viewing Security Device Event Exchange (SDEE) messages in Security Device Manager (SDM)? (Choose three.) A. To view SDEE status messages B. To view SDEE keepalive messages Page 108 of 179
    109. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 C. To view all SDEE messages D. To view SDEE statistics E. To view SDEE alerts F. To view SDEE actions Answer: A, C, E Question: 193 Which IOS command would display IPS default values that may not be displayed using the show running-config command? A. Show ip ips configuration B. Show ip ips interface C. Show ip ips statistics D. Show ip ips session Answer: A Question: 194 Which statement describes the Authentication Proxy feature? A. All traffic is permitted from the inbound to the outbound interface upon successful authentication of the user. B. A specific access profile is retrieved from a TACACS+ or RADIUS server and applied to an IOS Firewall based on user provided credentials. C. Prior to responding to a proxy ARP, the router will prompt the user for a login and password which are authenticated based on the configured AAA policy. D. The proxy server capabilities of the IOS Firewall are enabled upon successful authentication of the user. Answer: B Question: 195 Which two actions will take place when One-Step Lockdown is implemented? (Choose two.) A. CDP will be enabled. B. A banner will be set. C. Logging will be enabled. D. Security passwords will be required to be a minimum of 8 characters. E. Telnet settings will be disabled. Answer: B, C Question: 196 What are the two main features of Cisco IOS Firewall? (Choose two.) A. TACACS+ B. AAA C. Cisco Secure Access Control Server D. Intrusion Prevention System E. Authentication Proxy Answer: D, E Question: 197 Page 109 of 179
    110. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 Which two statements about an IDS are true? (Choose two.) A. The IDS is in the traffic path. B. The IDS can send TCP resets to the source device. C. The IDS can send TCP resets to the destination device. D. The IDS listens promiscuously to all traffic on the network. E. Default operation is for the IDS to discard malicious traffic. Answer: B, D Question: 198 Which statement is true about the management protocols? A. TFTP data is sent encrypted. B. Syslog data is sent encrypted between the server and device. C. SNMP v1/v2 can be compromised because the community string information for authentication is sent in clear text. D. NTP v.3 does not support a cryptographic authentication mechanism between peers. Answer: C Question: 199 What are two ways to mitigate IP spoofing attacks? (Choose two.) A. Disable ICMP echo. B. Use RFC 3704 filtering (formerly know as RFC 2827). C. Use encryption. D. Configure trust levels. E. Use NBAR. F. Use MPLS. Answer: B, C Question: 200 What technology must be enabled as a prerequisite to running MPLS on a Cisco router? A. Process switching B. Routing-table driven switching C. Cache driven switching D. CEF switching E. Fast switching Answer: D Question: 201 Which two statements are true about signatures in a Cisco IOS IPS? (Choose two.) A. The action of a signature can be enabled on a per-TCP-session basis. B. Common signatures are hard-coded into the IOS image. C. IOS IPS signatures are propagated with the SDEE protocol. D. IOS IPS signatures are stored in the startup config of the router. E. Selection of an SDF file should be based on the amount of RAM memory available on the router. Answer: B, E Page 110 of 179
    111. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 Question: 202 Which two statements are true about broadband cable (HFC) systems? (Choose two.) A. Cable modems only operate at Layer 1 of the OSI model. B. Cable modems operate at Layers 1 and 2 of the OSI model. C. Cable modems operate at Layers 1, 2, and 3 of the OSI model. D. A function of the cable modem termination system (CMTS) is to convert the modulated signal from the cable modem into a digital signal. E. A function of the cable modem termination system is to convert the digital data stream from the end user host into a modulated RF signal for transmission onto the cable system. Answer: B, D Question: 203 Which two network attack statements are true? (Choose two.) A. Access attacks can consist of password attacks, trust exploitation, port redirection, and man- in-the-middle attacks. B. Access attacks can consist of UDP and TCP SYN flooding, ICMP echo-request floods, and ICMP directed broadcasts. C. DoS attacks can be reduced through the use of access control configuration, encryption, and RFC 2827 filtering. D. DoS attacks can consist of IP spoofing and DDoS attacks. E. IP spoofing can be reduced through the use of policy-based routing. F. IP spoofing exploits known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information. Answer: A, D Question: 204 Which two statements about the AutoSecure feature are true? (Choose two.) A. AutoSecure automatically disables the CDP feature. B. If you enable AutoSecure, the minimum length of the login and enable passwords is set to 6 characters. C. The auto secure full command automatically configures the management and forwarding planes without any user interaction. D. To enable AutoSecure, the auto secure global configuration command must be used. E. 
Once AutoSecure has been configured, the user can launch the SDM Web interface to perform a security audit. Answer: A, B Question: 205 What two proactive preventive actions are taken by an intrusion prevention system (IPS) when malicious traffic is detected? (Choose two.) A. The IPS shuts down intermediary ports. B. The IPS invokes SNMP-enabled controls. C. The IPS sends an alert to the management station. D. The IPS enables a dynamic access list. E. The IPS denies malicious traffic. Page 111 of 179
    112. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 Answer: C, E Question: 206 Which three MPLS statements are true? (Choose three.) A. Cisco Express Forwarding (CEF) must be enabled as a prerequisite to running MPLS on a Cisco router. B. Frame-mode MPLS inserts a 32-bit label between the Layer 3 and Layer 4 headers. C. MPLS is designed for use with frame-based Layer 2 encapsulation protocols such as Frame Relay, but is not supported by ATM because of ATM fixed-length cells. D. OSPF, EIGRP, IS-IS, RIP, and BGP can be used in the control plane. E. The control plane is responsible for forwarding packets. F. The two major components of MPLS include the control plane and the data plane. Answer: A, D, F Question: 207 Which three statements are correct about MPLS-based VPNs? (Choose three.) A. Route Targets (RTs) are attributes attached to a VPNv4 BGP route to indicate its VPN membership. B. Scalability becomes challenging for a very large, fully meshed deployment. C. Authentication is done using a digital certificate or pre-shared key. D. A VPN client is required for client-initiated deployments. E. A VPN client is not required for users to interact with the network. F. An MPLS-based VPN is highly scalable because no site-to-site peering is required. Answer: A, E, F Question: 208 When configuring backup IPsec VPNs with Cisco IOS Release 12.2(8)T or later, what are the default parameters? A. Cisco IOS keepalives are sent every 10 seconds if there is no traffic to send. B. Dead peer detection (DPD) hello messages are sent every 10 seconds if there is no traffic to send. C. Cisco IOS keepalives are sent every 10 seconds if the router has traffic to send. D. DPD hello messages are sent every 10 seconds if the router has traffic to send. Answer: D Question: 209 Which two statements about common network attacks are true? (Choose two.) A. 
Access attacks can consist of password attacks, trust exploitation, port redirection, and man- in-the-middle attacks. B. Access attacks can consist of password attacks, ping sweeps, port scans, and man-in-the- middle attacks. C. Access attacks can consist of packet sniffers, ping sweeps, port scans, and man-in-the- middle attacks. D. Reconnaissance attacks can consist of password attacks, trust exploitation, port redirection and Internet information queries. E. Reconnaissance attacks can consist of packet sniffers, port scans, ping sweeps, and Internet information queries. Page 112 of 179
    113. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 F. Reconnaissance attacks can consist of ping sweeps, port scans, man-in-middle attacks and Internet information queries. Answer: A, E Question: 210 Which two mechanisms can be used to detect IPsec GRE tunnel failures? (Choose two). A. Dead Peer Detection (DPD) B. CDP C. Isakmp keepalives D. GRE keepalive mechanism E. The hello mechanism of the routing protocol across the IPsec tunnel Answer: A, Question: 211 How can virus and Trojan horse attacks be mitigated? A. Disable port scan. B. Deny echo replies on all edge routes. C. Implement RFC 2827 filtering. D. Use antivirus software. E. Enable trust levels. Answer: D Question: 212 Which two statements are true about the use of SDM to configure the Cisco Easy VPN feature on a router? (Choose two.) A. An Easy VPN connection is a connection that is configured between two Easy VPN clients. B. The Easy VPN server address must be configured when configuring the SDM Easy VPN Server wizard. C. The SDM Easy VPN Server wizard displays a summary of the configuration before applying the VPN configuration. D. The SDM Easy VPN Server wizard can be used to configure a GRE over IPSec site-to-site VPN or a dynamic multipoint VPN (DMVPN). E. The SDM Easy VPN Server wizard can be used to configure user XAuth authentication locally on the router or externally with a RADIUS server. F. The SDM Easy VPN Server wizard recommends using the Quick setup feature when configuring a dynamic multipoint VPN. Answer: C, E Question: 213 A site requires support for skinny and H.323 voice protocols. How is this configured on an IOS firewall using the SDM? A. The Basic Firewall wizard is executed and the High Security Application policy is selected. B. The Advanced Firewall wizard is executed and a custom Application Security policy is selected in place of the default Application Security policies. C. 
The Application Security tab is used to create a policy with voice support before the Firewall wizard is run.
D. The Application Security tab is used to modify the SDM_High policy to add voice support prior to the Firewall wizard being run.
Answer: B

Question: 214
What are two steps that must be taken when mitigating a worm attack? (Choose two.)
A. Inoculate systems by applying update patches.
B. Limit traffic rate.
C. Apply authentication.
D. Quarantine infected machines.
E. Enable anti-spoof measures.
Answer: A, D

Question: 215
Which two statements about packet sniffers or packet sniffing are true? (Choose two.)
A. A packet sniffer requires the use of a network adapter card in nonpromiscuous mode to capture all network packets that are sent across a LAN.
B. Packet sniffers can only work in a switched Ethernet environment.
C. To reduce the risk of packet sniffing, cryptographic protocols such as Secure Shell Protocol (SSH) and Secure Sockets Layer (SSL) should be used.
D. To reduce the risk of packet sniffing, strong authentication, such as one-time passwords, should be used.
E. To reduce the risk of packet sniffing, traffic rate limiting and RFC 2827 filtering should be used.
Answer: C, D

Question: 216
Which two statements about Cisco Easy VPN are true? (Choose two.)
A. An IOS router, a PIX firewall or a VPN client can operate as an Easy VPN terminal point.
B. A VPN client can also be configured to operate as an Easy VPN server.
C. Easy VPN does not support split tunnels.
D. Easy VPN tunnel endpoint addresses can be the virtual IP address of an HSRP configuration.
E. Easy VPN is only appropriate for smaller deployments.
Answer: A, D

Question: 217
When you are using the SDM to configure a GRE tunnel over IPsec, which two parameters are required when defining the tunnel interface information? (Choose two.)
A. MTU size of the GRE tunnel interface
B. GRE tunnel source interface or IP address, and tunnel destination IP address
C. IPsec mode (tunnel or transport)
D. GRE tunnel interface IP address
E. Crypto ACL number
Answer: B, D
Question: 218
Which two statements about the Security Device Manager (SDM) Intrusion Prevention System (IPS) Rule wizard are true? (Choose two.)
A. By default, the Use Built-In Signatures (as backup) checkbox is not selected.
B. Changes to the IPS rules can be made using the Configure IPS tab.
C. Changes to the IPS rules can be made using the Edit Firewall Policy/ACL tab.
D. Once all interfaces have rules applied to them, you can re-initiate the IPS Rule wizard to make changes.
E. Once all interfaces have rules applied to them, you cannot re-initiate the IPS Rule wizard to make changes.
F. When using the wizard for the first time, you will be prompted to enable the Security Device Event Exchange (SDEE).
Answer: D, F

Question: 219
At what size should the MTU on LAN interfaces be set in the implementation of MPLS VPNs with traffic engineering?
A. 1512 bytes
B. 1516 bytes
C. 1520 bytes
D. 1524 bytes
E. 1528 bytes
F. 1532 bytes
Answer: A

Question: 220
Which two devices serve as the main endpoint components in a DSL data service network? (Choose two.)
A. SOHO workstation
B. ATU-R
C. ATU-C
D. POTS splitter
E. CO switch
Answer: B,

Question: 221
Which three protocols are available for local redundancy in a backup VPN scenario? (Choose three.)
A. VRRP
B. A routing protocol
C. RSVP
D. HSRP
E. Proxy ARP
F. GLBP
Answer: A, D, F

Question: 222
Which PPPoE configuration statement is true?
A. A PVC must be created before the pppoe enable command on the Ethernet interface is entered.
B. The dsl operating-mode auto command is required.
C. The encapsulation ppp command must be applied on the Ethernet interface.
D. The ip mtu 1492 command must be applied on the dialer interface.
E. The ip mtu 1496 command must be applied on the Ethernet interface.
F. When the pppoe enable command is applied on the Ethernet interface, a PVC will be created.
Answer: D

Question: 223
The Cisco SOHO 77 ADSL router provides an affordable, secure, multiuser digital subscriber line (DSL) access solution to small office/home office customers while reducing deployment and operational costs for service providers. Refer to the exhibit, which shows a PPPoA diagram and a partial SOHO77 configuration. Which command needs to be applied to the SOHO77 to complete the configuration?
A. Encapsulation aal5mux ppp dialer applied to the PVC
B. Encapsulation aal5ciscoppp applied to the PVC
C. Encapsulation aal5mux ppp dialer applied to the ATM0 interface
D. Encapsulation aal5ciscoppp applied to the ATM0 interface
Answer: A

Question: 224
Which three of these are methods of network reconnaissance? (Choose three.)
A. Packet sniffer
B. Ping sweep
C. Dictionary attack
D. Port scan
Answer: A, B, D

Question: 225
Which two steps must be taken when mitigating a worm attack? (Choose two.)
A. Inoculate systems by applying update patches.
B. Limit traffic rate.
C. Quarantine infected machines.
D. Apply authentication.
Answer: A, C

Question: 226
IPsec VPN is a widely acknowledged solution for enterprise networks. Which three IPsec VPN statements are true? (Choose three.)
A. IKE keepalives are unidirectional and sent every ten seconds.
B. IPsec uses the Encapsulating Security Protocol (ESP) or the Authentication Header (AH) protocol for exchanging keys.
C. To establish an IKE SA, main mode utilizes six packets while aggressive mode utilizes only three packets.
D. IKE uses the Diffie-Hellman algorithm to generate symmetrical keys to be used by IPsec peers.
Answer: A, C, D

Question: 227
Study this exhibit carefully. What information can be derived from the SDM firewall configuration displayed?
A. Access-list 101 was configured for the trusted interface, and access-list 100 was configured for the untrusted interface.
B. Access-list 100 was configured for the trusted interface, and access-list 101 was configured for the untrusted interface.
C. Access-list 100 was configured for the inbound direction, and access-list 101 was configured for the outbound direction on the trusted interface.
D. Access-list 100 was configured for the inbound direction, and access-list 101 was configured for the outbound direction on the untrusted interface.
Answer: A

Question: 228
You work as a network technician at Company.com. Study the exhibit carefully. What type of security solution will be provided for the inside network?
A. The router will intercept the traceroute messages. It will validate the connection requests before forwarding the packets to the inside network.
B. The router will reply to the TCP connection requests. If the three-way handshake completes successfully, the router will establish a TCP connection between itself and the server.
C. The TCP traffic that matches the ACL will be allowed to pass through the router and create a TCP connection with the server.
D. The TCP connection that matches the defined ACL will be reset by the router if the connection does not complete the three-way handshake within the defined time period.
Answer: B

Question: 229
Authentication is the process of determining if a user or identity is who they claim to be. Refer to the exhibit. Which statement about the authentication process is correct?
A. The LIST1 list will disable authentication on the console port.
B. All login requests will be authenticated using the group tacacs+ method.
C. The default login authentication will automatically be applied to all login connections.
D. Because no method list is specified, the LIST1 list will not authenticate anyone on the console port.
Answer: A

Question: 230
Which description is correct about the Authentication Proxy feature?
A. All traffic is permitted from the inbound to the outbound interface upon successful authentication of the user.
B. A specific access profile is retrieved from a TACACS+ or RADIUS server and applied to an IOS Firewall based on user-provided credentials.
C. Prior to responding to a proxy ARP, the router will prompt the user for a login and password which are authenticated based on the configured AAA policy.
D. The proxy server capabilities of the IOS Firewall are enabled upon successful authentication of the user.
Answer: B

Question: 231
You are a network technician at Company.com. Study the exhibit carefully. What does the "26" in the first two hop outputs indicate?
A. The IPv4 label for the forwarding router
B. The IPv4 label for the destination network
C. The IPv4 label for the destination router
D. The outer label used to determine the next hop
Answer: B

Question: 232
Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. On the basis of the exhibit, which two statements correctly describe the authentication method used to authenticate users who want privileged access into P4S-R1? (Choose two.)
A. All users will be authenticated using the RADIUS server. If the RADIUS server is unavailable, the authentication process stops and no other authentication method is attempted.
B. All users will be authenticated using the RADIUS server. If the RADIUS server is unavailable, the router will attempt to authenticate the user using its local database.
C. All users will be authenticated using the RADIUS server. If the user authentication fails, the router will attempt to authenticate the user using its local database.
D. All users will be authenticated using the RADIUS server. If the user authentication fails, the authentication process stops and no other authentication method is attempted.
Answer: B, D

Question: 233
Split tunneling allows you to configure specific network routes that are downloaded to the client. Refer to the exhibit. Which statement is true about the configuration of split tunnels using SDM?
A. Any protected subnets that are entered represent subnets at the VPN server site that will be accessed without going through the encrypted tunnel.
B. Any protected subnets that are entered represent subnets at the end user's site that will be accessed through the encrypted tunnel.
C. Any protected subnets that are entered represent subnets at the end user's site that will be accessed without going through the encrypted tunnel.
D. Any protected subnets that are entered represent subnets at the VPN server site that will be accessed through the encrypted tunnel.
Answer: D

Question: 234
You work as a network engineer at Company.com. Study the exhibit carefully. Based on the presented information, which configuration was completed on the router CPE?
A. CPE(config)# ip nat inside source list 101 interface Dialer0 overload
   CPE(config)# access-list 101 permit ip 10.0.0.0 0.255.255.255 any
B. CPE(config)# ip nat inside source list 101 interface Dialer0
   CPE(config)# access-list 101 permit ip 10.0.0.0 0.255.255.255 any
C. CPE(config)# ip nat inside source list 101 interface Ethernet 0/0
   CPE(config)# access-list 101 permit ip 10.0.0.0 0.255.255.255 any
D. CPE(config)# ip nat inside source list 101 interface Ethernet 0/0 overload
   CPE(config)# access-list 101 permit ip 10.0.0.0 0.255.255.255 any
Answer: A

Question: 235
You work as a network technician. Refer to the exhibit. Which description is correct about the partial MPLS configuration that is shown?
A. The route-target both 100:2 command sets import and export route-targets for vrf2.
B. The route-target both 100:2 command changes a VPNv4 route to an IPv4 route.
C. The route-target import 100:1 command sets import route-targets for routes specified by the route map.
D. The route-target import 100:1 command sets import route-targets for vrf2 that override the other route-target configuration.
Answer: A

Question: 236
As a network technician, study the exhibit below carefully. FastEthernet0/0 has been assigned a network address of 200.0.1.2/24 and no ACL has been applied to that interface. Serial0/0/0 has been assigned a network address of 200.0.0.1/30. Assuming that there are no network-related problems, which ping will be successful?
A. From 200.0.0.2 to 200.0.0.1
B. From 200.0.0.1 to 200.0.0.2
C. From 200.0.0.2 to 200.0.1.1
D. From 200.0.0.2 to 200.0.1.2
Answer: B

Question: 237
Which method to identify malicious traffic involves looking for a fixed sequence of bytes in a single packet or in predefined content?
A. Policy-based
B. Anomaly-based
C. Signature-based
D. Honeypot-based
Answer: C
Question: 238
Which three DSL technologies support an analog POTS channel and use the entire bandwidth of the copper to carry data? (Choose three.)
A. ADSL
B. IDSL
C. VDSL
D. RADSL
Answer: A, C, D

Question: 239
DSL is a family of technologies that provide digital data transmission over the wires of a local telephone network. Which form of DSL technology is typically used as a replacement for T1 lines?
A. ADSL
B. HDSL
C. VDSL
D. SDSL
Answer: B

Question: 240
Refer to the exhibit. Based on the presented information, which description is correct?
A. The IOS firewall has allowed an HTTP session between two devices.
B. A TCP session that started between 192.168.1.116 and 192.168.101.115 caused dynamic ACL entries to be created.
C. A UDP session that started between 192.168.1.116 and 192.168.101.115 caused dynamic ACL entries to be created.
D. Telnet is the only protocol allowed through this IOS firewall configuration.
Answer: B

Question: 241
Study the exhibit carefully. Based on the partial configuration, which two descriptions are correct? (Choose two.)
A. A CBAC inspection rule is configured on router RTA.
B. On interface Fa0/0, the ip inspect statement should be incoming.
C. A QoS policy has been applied on interfaces Serial 0/0 and FastEthernet 0/1.
D. Interface Fa0/0 should be the inside interface and interface Fa0/1 should be the outside interface.
E. A named ACL called SDM_LOW is configured on router RTA.
F. The interface command ip inspect SDM_LOW in allows CBAC to monitor multiple protocols.
Answer: A, F

Question: 242
You work as a network engineer. Study the exhibit carefully. Which Cisco feature generated the configuration?
A. TACACS+
B. IOS Firewall
C. AutoSecure
D. IOS IPS
Answer: C

Question: 243
You work as a network engineer. Study the exhibit carefully. Which order correctly identifies the steps to provision a cable modem to connect to a headend as defined by the DOCSIS standard?
A. A, D, C, G, E, F, B
B. A, D, E, G, C, F, B
C. C, D, F, G, E, A, B
D. C, D, F, G, A, E, B
E. F, D, C, G, A, E, B
Answer: E

Question: 244
Drag and drop the Cisco IOS commands that would be used to configure the dialer interface portion of a PPPoE client implementation where the client is facing the Internet and private IP addressing is used on the internal network.
Answer:

Question: 245
Study the exhibit carefully. According to the information provided, which two statements are correct? (Choose two.)
A. An IPS policy can be edited by choosing the Edit button.
B. Right-clicking on an interface will display a shortcut menu with options to edit an action or to set severity levels.
C. The Edit IPS window is currently in Global Settings view.
D. The Edit IPS window is currently in IPS Policies view.
Answer: A, D

Question: 246
You are a network engineer. Study the exhibit carefully. Router Company-R is unable to establish an ADSL connection with its provider. Which action would correct this problem?
A. On the Dialer0 interface, add the pppoe enable command.
B. On the Dialer0 interface, add the ip mtu 1496 command.
C. On the ATM0/0 interface, add the pppoe-client dial-pool-number 1 command.
D. On the ATM0/0 interface, add the dialer pool-member 1 command.
Answer: D

Question: 247
The exhibit below shows a PPPoA diagram and a partial SOHO77 configuration. Which command needs to be applied to the SOHO77 to complete the configuration?
A. Encapsulation aal5snap applied to the PVC
B. Encapsulation aal5ciscoppp applied to the PVC
C. Encapsulation aal5mux ppp dialer applied to the PVC
D. Encapsulation aal5mux ppp dialer applied to the ATM0 interface
Answer: C

Question: 248
The Company network technician has configured an access list on the Company-R router. Study the exhibit carefully. What function does the access list serve?
A. It allows TCP traffic from any destination to reach the 16.1.1.0/24 network if the request originated from the inside network and has a port number greater than 1024.
B. It allows TCP traffic from the 16.1.1.0/24 network to reach any destination if the request originated from the Internet and has a port number less than 1024.
C. It allows TCP traffic from any destination to reach the 16.1.1.0/24 network if the request originated from the Internet.
D. It allows TCP traffic from any destination to reach the 16.1.1.0/24 network if the request originated from the inside network.
Answer: D

Question: 249
Study the exhibit carefully. What is the name given to the security zone occupied by the public web server?
A. ALG
B. Extended proxy network
C. Multiple DMZs
D. DMZ
Answer: D

Question: 250
Study the exhibit carefully. Which description is true about the results of clicking the OK button in the Security Device Manager (SDM) Add a Signature Location window?
A. SDM will respond with a message asking for the URL that points to the 256MB.sdf file.
B. Cisco IOS IPS will choose to load the 256MB.sdf only if the Built-in Signatures (as backup) check box is unchecked.
C. If Cisco IOS IPS fails to load the 256MB.sdf, it will load the built-in signatures provided the Built-in Signatures (as backup) check box is checked.
D. Cisco IOS IPS will choose to load the 256MB.sdf and then also add the Cisco IOS built-in signatures.
Answer: C

Question: 251
Authentication is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the thing are true. Refer to the exhibit. Which two statements are true about the authentication method used to authenticate users who want privileged access into Company-R? (Choose two.)
A. All users will be authenticated using the RADIUS server. If the user authentication fails, the authentication process stops and no other authentication method is attempted.
B. All users will be authenticated using the RADIUS server. If the user authentication fails, the router will attempt to authenticate the user using its local database.
C. All users will be authenticated using the RADIUS server. If the RADIUS server is unavailable, the authentication process stops and no other authentication method is attempted.
D. All users will be authenticated using the RADIUS server. If the RADIUS server is unavailable, the router will attempt to authenticate the user using its local database.
Answer: A, D

Question: 252
Refer to the exhibit. ACL 150 on router Company-R is configured to mitigate a range of common threats. Based on the information shown in the exhibit, which statement is correct?
A. The ip access-group 150 command should have been applied to interface FastEthernet 0/0 in an outbound direction.
B. Interface Fa0/0 and interface Fa0/1 should have been configured with the IP addresses 10.1.1.1 and 10.2.1.1, respectively.
C. The ip access-group 150 command should have been applied to interface FastEthernet 0/0 in an inbound direction.
D. ACL 150 will mitigate common threats.
Answer: D

Question: 253
You are a network technician. Study the exhibit carefully. Which description is correct about the interface S1/0 on router Company1?
A. IP label switching has been disabled on this interface.
B. Labeled packets can be sent over an interface.
C. MPLS Layer 2 negotiations have occurred.
D. None of the MPLS protocols have been configured on the interface.
Answer: D

Question: 254
You work as a network technician at Company.com. Study the exhibit carefully. The configuration has been applied to router Company-R to mitigate the threat of certain types of ICMP-based attacks. However, the configuration is incorrect. Based on the information in the exhibit, which configuration option would correctly configure router Company-R?
A. ACL 112 should have been applied to interface Fa0/0 in an inbound direction.
B. ACL 112 should have been applied to interface Fa0/1 in an outbound direction.
C. The last statement of ACL 112 should have been access-list 112 deny icmp any 10.1.1.0 0.0.0.255.
D. The last statement of ACL 112 should have been access-list 112 deny icmp any 10.2.1.0 0.0.0.255.
E. The first three statements of ACL 112 should have permitted the ICMP traffic and the last statement should deny the identified traffic.
F. The last statement of ACL 112 should have been access-list 112 permit icmp any 10.2.1.0 0.0.0.255.
Answer: F

Question: 255
A Company network administrator is troubleshooting an ADSL connection. For which OSI layer is the ping atm interface command useful for probing problems?
A. Layer 1
B. Layer 2
C. Layer 3
D. Layer 4
Answer: B
Question: 256
Study the exhibit carefully. Routers P4S-A and P4S-B are customer routers. Routers P4S-1, P4S-2, P4S-3, and P4S-4 are provider routers. The routers are operating with various IOS versions. Which frame mode MPLS configuration statement is true?
A. Before MPLS is enabled, the ip cef command is only required on routers P4S-1 and P4S-4.
B. After MPLS is enabled, the ip cef command is only required on routers P4S-1 and P4S-4.
C. Before MPLS is enabled, the ip cef command is only required on the Ethernet 0 interfaces of routers P4S-1 and P4S-4.
D. After MPLS is enabled, the ip cef command is only required on the Ethernet 0 interfaces of routers P4S-1 and P4S-4.
E. Before MPLS is enabled, the ip cef command must be applied to all provider routers.
Answer: E

Question: 257
You are a network engineer at Company.com. Refer to the exhibit. The SDM IPS Policies wizard is displaying the Select Interfaces window. Which procedure is best for applying IPS rules to interfaces?
A. Apply the IPS rules in the outbound direction on interfaces where incoming malicious traffic is likely.
B. Apply the rules in the inbound direction on interfaces where outgoing malicious traffic is likely.
C. Apply the IPS rules in the inbound direction on interfaces where incoming malicious traffic is likely.
D. Apply the IPS rules in the outbound direction on interfaces where outgoing malicious traffic is likely.
Answer: C

Question: 258
As the Company network technician, you need to configure an ACL on the Company-R router, based on the exhibit below, to prevent a DoS TCP SYN attack from a spoofed source into the internal network. Which ACL configuration accomplishes this?
A. Company-R(config)# access-list 120 deny icmp any any echo log
   Company-R(config)# access-list 120 deny icmp any any redirect log
   Company-R(config)# access-list 120 permit icmp any 10.0.0.0 0.0.0.255
   Company-R(config)# interface Serial0/0
   Company-R(config-if)# ip access-group 120 in
B. Company-R(config)# access-list 120 deny udp 10.0.0.0 0.0.255.255 host 255.255.255.255 eq 512
   Company-R(config)# interface Serial0/0
   Company-R(config-if)# ip access-group 120 in
C. Company-R(config)# access-list 120 deny ip any host 10.0.0.255 log
   Company-R(config)# access-list 120 permit ip any 10.0.0.0 0.0.0.255 log
   Company-R(config)# interface Serial0/0
   Company-R(config-if)# ip access-group 120 in
D. Company-R(config)# access-list 120 permit tcp any 172.16.10.0 0.0.0.255 established
   Company-R(config)# access-list 120 deny ip any any log
   Company-R(config)# interface FastEthernet0/0
   Company-R(config-if)# ip access-group 120 in
Answer: D

Question: 259
You are a network technician at Company.com. Examine the exhibit carefully. When editing the Invalid DHCP Packet signature using Security Device Manager (SDM), which additional severity levels can be chosen? (Choose three.)
A. Low
B. Urgent
C. High
D. Informational
Answer: A, C, D

Question: 260
After studying the exhibit, which description is true about Security Device Event Exchange (SDEE)?
A. It is an application-level communications protocol that is used to exchange IPS messages between IPS clients and servers.
B. It is a process for ensuring IPS communication between the SDM-enabled devices.
C. It is a suite of protocols for ensuring IPS communication between the SDM-enabled devices.
D. It is an OSI level-7 protocol, and it is used to exchange IPS messages between IPS agents.
Answer: A

Question: 261
Which two actions can be taken by a Cisco IOS Firewall when the threshold for the number of half-opened TCP sessions is exceeded? (Choose two.)
A. It can send a reset message to the endpoints of the oldest half-opened session.
B. It can send a reset message to the endpoints of the newest half-opened session.
C. It can send a reset message to the endpoints of a random half-opened session.
D. It can block all SYN packets temporarily for the duration configured by the threshold value.
Answer: A, D

Question: 262
Which Cisco IOS Firewall Feature Set allows a per-user policy to be downloaded dynamically to a router from a TACACS+ or RADIUS server using AAA services?
A. Intrusion Prevention System
B. Reflexive ACLs
C. Authentication Proxy
D. Lock-and-Key (dynamic ACLs)
Answer: C
Question: 263
Examine the exhibit carefully. Which network threat would the configuration in the exhibit mitigate?
A. DoS ping attacks
B. DoS TCP SYN attack
C. IP address spoofing attack - inbound
D. IP address spoofing attack - outbound
Answer: A

Question: 264
Part of the Company network topology is shown below. According to the exhibit, which two statements about the Network Time Protocol (NTP) are correct? (Choose two.)
A. Router Company-B will adjust for eastern daylight savings time.
B. To enable authentication, the ntp authenticate command is required on routers Company-B and Company-A.
C. Only NTP time requests are allowed from the host with IP address 10.1.1.1.
D. To enable NTP, the ntp master command must be configured on routers Company-B and Company-A.
Answer: A, B

Question: 265
The output of the show crypto isakmp sa command is shown below. Based on this information, which two options are correct? (Choose two.)
A. QM_idle indicates an active IKE SA.
B. QM_idle indicates an active IPsec SA.
C. QM_idle indicates an inactive IKE SA.
D. The settings of the current SAs are displayed.
E. All current security associations (SA) are displayed.
Answer: A, E

Question: 266
Based on the exhibit below, which configuration task lets you quickly deploy default signatures?
A. Firewall and ACLs
B. Security audit
C. Routing
D. Intrusion prevention
Answer: D

Question: 267
Which Cisco SDM feature expedites the deployment of the default IPS settings and provides configuration steps for interface and traffic flow selection, SDF location, and signature deployment?
A. IPS Edit menu
B. IPS Command wizard
C. IPS Policies wizard
D. IPS Signature wizard
Answer: C

Question: 268
On the basis of this exhibit, which three tasks can be configured using the IPS Policies wizard in the Cisco Security Device Manager (SDM)? (Choose three.)
A. The configuration of an IP address and the enabling of the interface
B. The location of the signature definition file (SDF) to be used by the router
C. The selection of the interface to apply the IPS rule
D. The selection of the traffic flow direction that should be inspected by the IPS rules
Answer: B, C, D

Question: 269
Refer to the exhibit. Which two descriptions about the SDF Locations window of the IPS Rule wizard are correct? (Choose two.)
A. The Use Built-In Signatures (as backup) check box is selected by default.
B. The Autosave feature automatically saves the SDF alarms if the router crashes.
C. The Autosave feature is automatically enabled for the default built-in signature file.
D. If all specified SDF locations fail to load, the signature file that is named default.sdf will be loaded.
E. The name of the built-in signature file is default.sdf.
F. An HTTP SDF file location can be specified by clicking the Add button.
Answer: A, F

Question: 270
You work as a technician for Company.com and are responsible for the Company network. You have configured MPLS on all routers in the domain. Study the exhibit carefully. For P4S-2 and P4S-3 to forward frames between them with label headers, what additional configuration is required on devices that are attached to the LAN segment?
A. No additional configuration is required. Frames with larger MTU size will be automatically fragmented and forwarded on all LAN segments.
B. Increase the maximum MTU requirements on all router interfaces that are attached to the LAN segment.
C. Decrease the maximum MTU requirements on all router interfaces that are attached to the LAN segment.
D. No additional configuration is required. Interface MTU size will be automatically adjusted to accommodate the larger size frames.
Answer: B

Question: 271
Drag the correct statements about MPLS-based VPN on the left to the boxes on the right. (Not all statements will be used.)
Answer:

Question: 272
Study the exhibit carefully. Which type of security solution will be provided for the inside network?
A. The ACL will block all ICMP echo requests coming from an external host.
B. The ACL will allow TCP connections into the inside network, but will reset the connections in case of a TCP SYN attack.
C. The ACL will filter all packets whose TCP headers have the SYN flag set.
D. The ACL will prevent router P4S-R from forwarding broadcast traffic to the inside LAN network.
Answer: C

Question: 273
You are a network engineer at Company.com. Refer to the exhibit. Which description is correct about the two-interface Cisco IOS firewall configuration?
A. Blocks all incoming traffic except ICMP unreachable 'packet-too-big' messages that support MTU Path Discovery
B. Inspects the inbound packets on the fa0/0 interface and automatically allows the corresponding return traffic
C. Permits all TCP, UDP, and ICMP traffic when the three types of traffic are initiated from outside the network
D. Blocks all ICMP unreachable 'packet-too-big' messages from reaching the inside network
Answer: A

Question: 274
The output of the debug aaa authentication command is shown below. Based on the information, which statement is true about the authentication process?
A. A user attempted to log in to the router via the tty51 port and tried to access the user mode (privilege level 1) using the named list ADMIN. The user's access was permitted.
B. A user attempted to log in to the router via the tty51 port and tried to access the user mode (privilege level 1) using the default list for authentication against the local user database. The user's access was permitted.
C. A user attempted to log in to the router via the tty51 port and tried to access the user mode (privilege level 1) using the default list for authentication against the local user database. The user's access was denied.
D. A user attempted to log in to the router via the tty51 port and tried to access the user mode (privilege level 1) using the named list ADMIN. The user's access was denied.
Answer: D

Question: 275
Which two statements correctly describe the transmission of signals over a cable network? (Choose two.)
A. Downstream signals travel from the cable operator to the subscriber and use frequencies in the range of 5 to 42 MHz.
B. Upstream signals travel from the subscriber to the cable operator and use frequencies in the range of 5 to 42 MHz.
C. Upstream signals travel from the subscriber to the cable operator and use frequencies in the range of 50 to 860 MHz.
D. Downstream signals travel from the cable operator to the subscriber and use frequencies in the range of 50 to 860 MHz.
Answer: B, D

Question: 276
Which three of these would be classified as access attacks? (Choose three.)
A. Ping sweeps
B. Port scans
C. Trust exploitation
D. Port redirection
E. Man-in-the-middle attacks
Answer: C, D, E

Question: 277
Why is the ping between the P4S-HQ router and the 192.168.1.193 interface on the P4S-Branch2 router failing?
    150. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 A. The default route is missing from the P4S-Branch2 router. B. When running EIGRP over GRE tunnels, you must manually configure the neighbor address using the eigrp neighbor ipaddress command. C. The tunnel numbers for the tunnel between the P4S-HQ router and the P4S-Branch2 router do not match. D. The tunnel source is incorrect on the P4S-Branch2 router. It should be serial 2/0. Answer: B Question: 278 What is preventing a successful ping between the P4S-HQ router and the 192.168.1.10 interface on the P4S-Branch3 router? A. The default route is missing from the P4S-Branch3 router. B. The tunnel interface numbers for the tunnel between the P4S-HQ router and the P4S-Branch3 router do not match. C. The tunnel source is incorrect on the P4S-Branch3 router. It should be serial 2/0. D. The IP address on the tunnel interface for the P4S-Branch3 router has wrong IP mask. It should be 255.255.255.252. E. The network statement under router EIGRP on the P4S-Branch3 router is incorrect. It should be network 192.168.2.0.0.0.0.255. Answer: E Question: 279 What is preventing the P4S-HQ router and the P4S-Branch1 router from establishing an EIGRP neighbor relationship? Page 150 of 179
    151. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 A. When running EIGRP over GRE tunnels, you must manually configure the neighbor address using the eigrp neighbor ipaddress command. B. The tunnel destination address is incorrect on the P4S-HQ router. It should be 10.2.1.1 to match the interface address of the P4S-Branch1 router. C. The tunnel source is incorrect on the P4S-Branch1 router. It should be serial 2/0. D. The default route is missing from the P4S-Branch1 router. Answer: A Question: 280 What is the reason that tunnel 5 on the P4S-HQ router down while its companion tunnel on the P4S-Branch5 router is up? A. The IP address on the tunnel interface on P4S-Branch5 is incorrect. It shoud be 192.168.1.16 255.255.255.252. B. The tunnel source for tunnel 5 is incorrect on the P4S-HQ router. It should be serial 2/0. C. The tunnel numbers for tunnel between the P4S-HQ router and the P4S-Branch5 router do not match. D. The tunnel destination address for tunnel 5 is incorrect on the P4S-HQ router. It should be 10.2.5.1 to match the interface address of the P4S-Branch5 router. Answer: C Question: 281 What is preventing the 192.168.1.150 network from showing up in the P4S-HQ router's routing table? A. The default route is missing from the P4S-Branch4 router. B. The IP address on the E0/0 interface for the P4S-Branch4 router has the wrong IP mask. It should be 255.255.255.252 C. The network statement under router EIGRP on the P4S-Branch4 router is incorrect. It should be network 192.168.1.0.0.0.255. D. When running EIGRP over GRE tunnels, you must manually configure the neighbor address using the eigrp neighbor ipaddress command. Answer: B Question: 282 Which description is correct in terms of this exhibit? Page 151 of 179
    152. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 A. A PPPoE session is established. B. A PPPoE session is rejected because of the per-MAC session limit. C. The MAC address of the remote router is 0001.c9f0.0c1c. D. The CPE router is configured as a PPPoE client over an Ethernet interface. Answer: A Question: 283 Which two devices are used as the main endpoint components in a DSL data service network? (Choose two.) A. POTS splitter B. ATU-C C. ATU-R D. SOHO workstation Answer: B, C Question: 284 Study the exhibit carefully. In the SDM Site-to-Site VPN wizard, what are three requirements that are accessed by the Add button? (Choose three.) Page 152 of 179
    153. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 A. IKE lifetime B. IPsec proposal priority C. Keyed-hash message authentication code D. IPsec authentication method E. Diffie-Hellman group Answer: A, C, E Question: 285 As a network engineer, can you tell me which four outbound ICMP message types would normally be permitted? (Choose four.) A. Time exceeded B. Echo reply C. Echo D. Parameter problem E. Packet too big F. Source quench Answer: C, D, E, F Question: 286 Study the exhibit below carefully. Based on the information in the exhibit, which two statements are true? (Choose two.) Page 153 of 179
    154. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 A. The Edit IPS window is currently displaying the Global Settings information. B. The Edit IPS window is currently displaying the signatures in Details view. C. Any traffic matching signature 1107 will generate an alarm, reset the connection, and be dropped. D. Signature 1102 has been triggered because of matching traffic. E. Signature 1102 has been modified, but the changes have not been applied to the router. Answer: B, E Question: 287 Refer to the exhibit. On the basis of the partial output that is shown in the exhibit, which two statements are correct? (Choose two.) Page 154 of 179
    155. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 A. The output is the result of the debug ppp negotiation command. B. The output is the result of the debug pppoe events command. C. This is the CPE router. D. The ISP router initiated the connection to the CPE router. E. The output is the result of the debug ppp authentication command. Answer: C, E Question: 288 Part of the Company WAN is shown below, please study the exhibit carefully. Based on the presented information, which statement is correct? A. ACL 109 is designed to prevent outbound IP address spoofing attacks. B. ACL 109 is designed to prevent any inbound packets with the ACK flag set from entering the router. C. ACL 109 is designed to prevent any inbound packets with the SYN flag set from entering the router. D. ACL 109 is designed to allow packets with the ACK flag set to enter the router. Answer: D Page 155 of 179
    156. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 Question: 289 You work as a network engineer at Company.com, refer to the exhibit. What is the reason for the third hop that only has one label? A. MPLS is not enabled on that link, so only the VPN label is needed. B. MPLS is not enabled on that link, so only the LSP label is needed. C. The PHP process on that link has removed the VPN label, leaving only the LSP label. D. That link is directly connected to the customer, so only the VPN label is needed. E. The PHP process on that link has removed the LSP label, leaving only the VPN label. Answer: E Question: 290 Drag the IPsec protocol description from the above to the correct protocol type on the below.(Not all descriptions will be used) Drag and Drop question, drag each item to its proper location.\\ ] Answer: Page 156 of 179
    157. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 Question: 291 Drag and drop each management protocol on the above to the correct category on the below. Answer: Page 157 of 179
    158. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 Question: 292 You work as a network engineer at Company.com, refer to the exhibit. The SDM IPS Policies wizard is displaying the Select Interfaces window. Which procedure correctly describes the application of IPS rules to interfaces? A. Apply the IPS rules both in the inbound and outbound direction on all interfaces. B. Apply the rules in the inbound direction on interfaces where outgoing malicious traffic is likely. C. Apply the IPS rules in the inbound direction on interfaces where incoming malicious traffic is likely. D. Apply the IPS rules in the outbound direction on interfaces where outgoing malicious traffic is likely. Answer: C Question: 293 Which two options about the Data-over-Cable Service Interface Specifications are correct? (Choose two.) A. Euro-DOCSIS requires the European cable channels to conform to PAL-based standards, whereas DOCSIS requires the North American cable channels to conform to the NTSC standard. Page 158 of 179
    159. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 B. DOCSIS defines a set of frequency allocation bands that are common to both U.S. and European cable systems C. DOCSIS is an international standard developed by CableLabs. D. DOCSIS defines cable operations at Layer 1, Layer 2, and Layer 3 of the OSI model. Answer: A, C Question: 294 Drag and drop each function on the above to the hybrid fiber-coaxial architecture component that it describes on the below. Question: 295 What is an MPLS forwarding equivalence class? A. A set of source networks forwarded to the same egress router B. A set of destination networks forwarded to the same egress router C. A set of destination networks forwarded from the same ingress router D. A set of source networks forwarded from the same ingress router Answer: B Question: 296 The Network Time Protocol (NTP) is widely used to synchronize a computer to Internet time servers or other sources, such as a radio or satellite receiver or telephone modem service. If you want to authenticate the NTP associations with other systems for security purposes, which key type algorithm or algorithms are supported? Page 159 of 179
    160. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 A. MD5 only B. MD7 only C. Plain text and MD5 D. Plain text and MD7 Answer: A Question: 297 Drag the DSL technologies on the left to their maximum(down/up) data rate values on the below. Answer: Page 160 of 179
    161. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 Question: 298 Drag the DSL local loop topic on the left to the correct descriptions on the right. Answer: Page 161 of 179
    162. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 Question: 299 You are a network technician at Company.com, study the exhibit carefully. The configured access list is being used in conjunction with an IPsec VPN. Which traffic will be passed through the IPSec VPN? A. A TFTP file transfer from host 10.1.1.25 to server 10.1.2.1 B. Telnet traffic from host 10.1.1.1 to host 10.1.2.1 C. A ping from host 10.1.1.1 to host 10.1.2.1 D. A routing update from a router on the 10.1.1.0 network to a router on network 10.1.2.1 Page 162 of 179
    163. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 Answer: B Question: 300 Drag the IOS commands from the left that would be used to implement a GRE tunnel using the 10.1.1.0.30 network on interface serial 0/0 to the correct target area on the right. Answer: Page 163 of 179
    164. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 Question: 301 Identify the recommended steps for worm attack mitigation by dragging and dropping them into the target area in the correct order. Page 164 of 179
    165. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 Answer: Question: 302 Study the exhibit carefully. On the basis of the configuration, what will happen to the IPSec VPN between the Remote router and the Head-End router with IP address 172.31.1.100 if receiving no dead-peer detection hello Page 165 of 179
    166. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 messages for 20 seconds? A. The IPSec VPN will transition to a peering relationship with the Head-End router at 172.31.1.200, with a down-time determined by the time required to tear-down and build the peerings. B. The IPSec VPN will terminate but will rebuild with the same peer because 3 hello messages have not yet been missed. C. The IPSec VPN will not be affected. D. The IPSec VPN will transition with no down-time to a peering relationship with the Head-End router at 172.31.1.200. Answer: C Question: 303 Based on the exhibit below. Which one of these options is the ACL used to mitigate in this configuration? Page 166 of 179
    167. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 A. ICMP message attacks B. DOS smurf attacks C. Traceroute message attacks D. IP address spoofing attacks Answer: D Question: 304 Company is a small export company .This firm has an existing enterprise network that is made up exclusively of routers that are using EIGRP as the IGP. Its network is up and operating normally. As part of its network expansion, Company has decided to connect to the internet by a broadband cable ISP. Your task is to enable this connection by use of the information below. Connection Encapsulation: PPP Connection Type: PPPoE client Connection Authentication: None Connection MTU: 1492 bytes Address: Dynamically assigned by the ISP Outbound Interface: E0/0 You will know that the connection has been successfully enabled when you can ping the simulated Internet address of 172.16.1.1 Note: Routing to the ISP: Manually configured default route P4S-R# show ip route .... Gateway of last resort is not set 192.168.1.0/27 is subnetted, 7 subnets C 192.168.1.0 is directly connected, Ethernet0/1 D 192.168.1.32 [90/307200] via 192.168.1.2, 00:02:16,Ethernet0/1 D 192.168.1.64 [90/307200] via 192.168.1.2, 00:02:17,Ethernet0/1 D 192.168.1.96 [90/307200] via 192.168.1.2, 00:02:17,Ethernet0/1 D 192.168.1.128 [90/307200] via 192.168.1.3, 00:02:17,Ethernet0/1 D 192.168.1.192 [90/307200] via 192.168.1.3, 00:02:17,Ethernet0/1 D 192.168.1.224 [90/307200] via 192.168.1.3, 00:02:17,Ethernet0/1 Page 167 of 179
    168. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 P4S-R# show run .... no service password-encryption ! hostname P4S-R ! boot-start-marker boot-end-marker ! no aaa new-model resource policy clock timezone PST 0 ip subnet-zero no ip dhcp use vrf connected www.examways.com - 193 - ! interface Ethernet0/0 description link to cable modem no ip address shutdown ! interface Ethernet0/1 description link to corporate nework ip address 192.168.1.1 255.255.255.224 ! interface Ethernet0/2 no ip address ! interface Ethernet0/3 no ip address shutdown ! router eigrp 1 network 192.168.1.0 auto-summary ! line con 0 line vty 0 15 end Page 168 of 179
    169. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 A. Configuration sequence: P4S-R(config)#int e0/0 P4S-R(config-if)#pppoe enable P4S-R(config-if)#pppoe-client dial-pool-number 1 P4S-R(config-if)#no sh P4S-R(config-if)#exit P4S-R(config)#vpdn enable P4S-R(config)#vpdn-group 1 P4S-R(config-vpdn)#request-dialin P4S-R(config-vpdn-req-in)#protocol pppoe P4S-R(config-vpdn-req-in)#exit P4S-R(config-vpdn)#exit P4S-R(config)#dialer-list 1 protocol ip permit P4S-R(config)#int dialer 1 P4S-R(config-if)#encapsulation ppp P4S-R(config-if)#ip address negotiated P4S-R(config-if)#dialer pool 1 P4S-R(config-if)#dialer-group 1 P4S-R(config-if)#ip mtu 1492 P4S-R(config-if)#exit Answer: A Question: 305 This exhibit is about firewall implementation, inside users should be permitted to browse the Internet. However, users have indicated that all attempts fail. As a result of troubleshooting, you have determined that the issue is related to the firewall implementation. What corrective action should you take? Page 169 of 179
    170. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 A. Add the global command line ip inspect name OUTSIDE www. B. Add the global command line ip inspect name INSIDE www. C. Add the ACL command line permit tcp any any eq 80 to INSIDEACL. D. Change the access group on Fa0/0 from the inbound direction to the outbound direction. Answer: C Question: 306 Study the exhibit carefully. Which statement best describes this Cisco IOS Firewall configuration? Page 170 of 179
    171. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 A. OUTSIDEACL permits outbound HTTP sessions; OUTSIDEACL is applied to the inside interface in the inbound direction. B. INSIDEACL permits inbound SMTP and HTTP; INSIDEACL is applied to the outside interface in the inbound direction. C. Outside hosts are allowed to initiate sessions with the SMTP server (200.1.2.1) and HTTP server (200.1.2.2) located in the enterprise DMZ. D. The inspection rules include the generic TCP inspection and are applied to outbound connections on the inside interface and to inbound sessions on the outside interface Answer: C Question: 307 Which statement is correct in terms of the exhibit? A. The router failed to train or successfully initialize because of a Layer 1 issue. B. The router failed to train or successfully initialize because of a PPP negotiation issue. Page 171 of 179
    172. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 C. The router cannot activate the line because the ISP has not provided the requested IP address. D. The router cannot activate the line because of a Layer 2 authentication issue. Answer: A Question: 308 You are a network technician at Company.com, study the exhibit carefully. Which type of attack does the ACL prevent the internal user from successfully launching? A. TCP SYN DOS attacks B. DOS smurf attack C. Traceroute message attacks D. IP address spoofing attack Answer: D Question: 309 Drag and drop the xDSL type on the above to the appropriate xDSL description on the below. Page 172 of 179
    173. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 Answer: Question: 310 Match the xDSL type on the above to the most appropriate implementation on the below. Page 173 of 179
    174. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 Answer: Question: 311 Drag each element of the Cisco IOS Firewall Feature Set from the above and drop onto its description on the below. Page 174 of 179
    175. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 Answer: Question: 312 Drag the protocols that are used to distribute MPLS labels from the above to the target area on the below.(Not all options will be used) Page 175 of 179
    176. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 Answer: Questions: 313 As a network engineer, do you know which three techniques should be used to secure management protocols? (Choose three.) A. Configure SNMP with only read-only community strings. B. Encrypt TFTP and syslog traffic in an IPSec tunnel. C. Implement RFC 3704 filtering at the perimeter router when allowing syslog access from devices on the outside of a firewall. D. Use SNMP version 2. Answer: A, B, C Questions: 314 Study the exhibit carefully. The Cisco IOS? IPsec High Availability (IPsec HA) Enhancements feature provides an infrastructure for reliable and secure networks to provide transparent availability of the VPN gateways---that is, Cisco IOS Software-based routers. What are the two options that are used to provide High Availability IPsec? (Choose two.) Page 176 of 179
    177. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 A. HSRP B. Dual Router Mode (DRM) IPsec C. IPsec Backup Peerings D. RRI Answer: A, D Page 177 of 179
    178. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 Case Study#1 Scenerio: This item involves some questions that you need to answer. You can click on the Questions button to the left to view these question. Change questions by clicking the numbers to the left of each question. In order to finish the questions, you will need to refer to the SDM and the topology, neither of which is currently visible. In order to gain access to either the topology or the SDM, click on the button to left side of the screen that corresponds to the section you wish to access. When you have completed viewing the topology or the SDM, you can return to your questions by clicking on the Questions button to the left. Cruising industries is a large worldwide diving charter. Recently, this firm has upgraded its internet connectivity. As a new network technician, you have been tasked with documenting the active Firewall configurations on the P4S-R router using the Cisco Router and Security Device Manager (SDM) utility. Using the SDM output from Firewall and ACL Tasks under the Configure tab, answer the following questions: Topology: Page 178 of 179
    179. Exam Name: Implementing Secure Converged Wide Area Networks Exam Type: Cisco Case Study 1 Exam Code: 642-825 Total Questions: 317 Case Study# 1 (Questions) Question: 1 Which option is Correct? A. Both FastEthernet 0/0 and Serial 0/0/0 are trusted interface. B. Both FastEthernet 0/0 and Serial 0/0/0 are untrusted interface. C. FastEthernet 0/0 is a trusted interface and Serial 0/0/0 is an untrusted interface. D. FastEthernet 0/0 is an untrusted interface and Serial 0/0/0 is a trusted interface. Answer: C Question: 2 Which two statements best describe a permissible incoming TCP packet on an untrusted interface in this configuration?(Choose two) A. The packet has a source address of 172.16.29.12 B. The packet has a source address of 10.94.61.29 C. The session originated from a trusted interface. D. The application is not specified within the inspection rule SDM_LOW. E. The packet has a source address of 198.133.219.144 Answer: C, E Question: 3 Which two statements would specify a permissible incoming TCP packet a trusted interface in this configuration?(choose two) A. The packet has a source address of 10.94.61.118 B. The packet has a source address of 172.16.29.12 C. The packet has a source address of 198.133.219.16 D. The destination address is not specified within the inspection rule SDM_LOW. E. The destination address is specified within the inspection rule SDM_LOW. Answer: A, C End of Document Page 179 of 179
