New VCE and PDF– If you want to pass Cisco 642-501 exam successfully,do not miss to test Cisco latest Cisco 642-501 brain dumps.All Cisco 642-501 the new questions and answers were timely added, visit Flydumps.com to free download VCE player and PDF files.
Exam A
QUESTION 1
Exhibit: servicepassword-encryption ! aaa new-model aaa authentication login default line aaa authentication login nologin name aaa authentication login admin tacacs+ enable aaa authentication ppp default tacacs+ ! enable secret 5 $1$WogB$7.0FLEFgB8Wp.C9eqNX9L/ !! interface Group-Async ip unnumbered Loopback0 ip tcp header-compression passive encapsulation ppp async mode interactive John at Certkiller Inc. is looking at this configuration to figure out what method authenticates through the vty port. Which method is correct?
A. no access permitted
B. line password
C. no authentication required
D. default authentication used
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
Enabling Authentication for LoginUsing the aaaauthentication logincommand and the following keywords,
you create one or more lists of authentication methods that are tried at login. The lists are used with the
login authenticationline configuration command.
Enter the following command in global configuration mode to enable authentication for login:
Switch# aaa authentication login {default |list-name} method1 […[method3]]The keyword list-name is any
character string used to name the list you are creating. The method keyword refers to the actual method
the authentication algorithm tries, in the sequence entered. You can enter up to three methods:
Reference: http://www.cisco.com/en/US/products/hw/switches/ps637/ products_configuration_guide_chapter09186a008007 f03
QUESTION 2
James the administrator on Certkiller is trying to figure out which router table is modified or prevented from updating, if a rerouting attack occurs. (Choose one)
A. ARP
B. address
C. bridging
D. routing
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
Route filters can be set up on any interface to prevent learning or propagating routing information
inappropriately. Some routing protocols (such as EIGRP) allow you to insert a filter on the routes being
advertised so that certain routes are not advertised in some parts of the network.
Reference:
Managing Cisco Network Security (Ciscopress) page 233
QUESTION 3
Brain the security administrator is in charge of creating a security policy for Certkiller Inc. Which two statements about the creation of a security policy are true? (Choose two)
A. It helps Chief Information Officers determine the return on investment of network security at Certkiller Inc.
B. It defines how to track down and prosecute policy offenders at Certkiller Inc.
C. It helps determine which vendor security equipment or software is better than others.
D. It clears the general security framework so you can implement network security at Certkiller Inc.
E. It provides a process to audit existing network security at Certkiller Inc.
F. It defines which behavior is and is not allowed at Certkiller Inc.
Correct Answer: EF Section: (none) Explanation
Explanation/Reference:
Explanation:
Reasons to create a network security policy:
1.
Provides a process to audit existing network security
2.
Provides a general security framework for implementing network security
3.
Defines which behavior is and is not allowed
4.
Often helps determine which tools and procedures are needed for the organization
5.
Helps communicate consensus among a group of key decision-makers and defines responsibilities of users and administrators
6.
Defines a process for handling network security incidents
7.
Enables global security implementation and enforcement
8.
Creates a basis for legal action if necessary
Reference:
Managing Cisco Network Security (Ciscopress) page 43
QUESTION 4
Johnthe administrator at Certkiller Inc. is working on securing the router passwords. Which IOS command encrypts all clear text passwords in a router configuration?
A. service password-encryption
B. service password md5
C. encrypt passwords
D. enable password-encryption
E. service password-encrypted
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
servicepassword-encryption To encrypt passwords, use the service password-encryption global
configuration command. Use the no form of this command to disable this service.
Reference:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1826/
products_command_summary_chapter09186a00800 d9c26.ht
QUESTION 5
Johnthe administrator wants to know which type of key exchange mechanism is Diffie-Hellman.
A. Private key exchange
B. RSA keying
C. Public key exchange
D. AES key exchange
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
Diffie-Hellman is used to securely exchange public keys so that shared secret keys can be securely
generated for use as DES keys.
Reference:
Managing Cisco Network Security (Ciscopress) page 467
QUESTION 6
John the security administrator for Certkiller Inc. needs to identify three character mode access methods. Choose three character mode access methods.
A. ppp
B. tty
C. vty
D. async
E. acl
F. aux
Correct Answer: BCF Section: (none) Explanation
Explanation/Reference:
Explanation:
AAA and Character-Mode Traffic – AAA secure character-mode traffic during login sessions via the lines”
1.
Aux
2.
Console
3.
TTY
4.
VTY
Reference:
Managing Cisco Network Security (Ciscopress) page 113
QUESTION 7
Kathy the security administrator for Certkiller Inc. is working on defending the network.
One of the attacks she is working to defend is SYN flooding and is looking to know which Cisco IOS
feature defends against SYN flooding DoS attacks.
A. Route authentication
B. Encryption
C. ACLs
D. TCP intercept
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
The TCP intercept feature in Cisco IOS software protects TCP servers from SYN-flooding attacks, a type
of DoS attack.
Reference:
Managing Cisco Network Security (Ciscopress) page 239
QUESTION 8
The security team at Certkiller Inc. was asked the question, what attack is most often used in social engineering. They all answered this wrong. What is the correct answer?
A. Session fragment
B. Unauthorized access
C. Data manipulation
D. Malicious applets
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
Social engineering is when someone attempts to manipulate others to access information or access
without authorization. Social engineering has many levels, but they all have the same goal of gaining
unauthorized information or access.
QUESTION 9
Jason the security administrator Certkiller Inc. wants to know by default, how long does a router wait before terminating an unattended line connection?
A. 5 minutes
B. 10 minutes
C. 20 minutes
D. 30 minutes
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
In the page 76 of the MCNS book you see the right data is 10 minutes.
QUESTION 10
Which of the following are Cisco firewall features? (Choose three.)
A. PIX firewall
B. authentication proxy
C. flash memory
D. CBAC
E. stateful failover
F. IDS
Correct Answer: BDF Section: (none) Explanation
Explanation/Reference:
Explanation:
The Cisco IOS firewall feature set was first introduced as CiscoSecure Integrated Software (CSIS). The
Cisco IOS firewall overview lists the following features:
1) Standard and extended access lists
2) Dynamic access lists
3) Reflexive access lists
4) System auditing
5) TCP intercept
6) Java blocking
7) Context-based access control – CBAC examines traffic passing through the firewall at all layers (up to
the application layer). CBAC is used to generate dynamic accesslists.
8) Cisco IOS firewall IDS.
9) DoS mitigation
10) Authentication proxy – Authentication proxy is used to proxy authentication requests to AAA server.
This allows authentication to occur on a per-user basis.
11) Network Address Translation
12) IPSec network security
13) Neighbor router authentication
14) Event logging
15) User authentication and authorization
6) Real-time alerts
Reference:
CCSP SECUR exam certification guide p.69-70
QUESTION 11
Which of the following IOS commands will you advice the Certkiller trainee technician to use when setting the timeout for router terminal line?
A. exec-timeout minute [seconds]
B. line-timeout minute [seconds]
C. timeout console minute [seconds]
D. exec-time minutes [seconds]
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
http://www.cisco.com/warp/public/793/access_dial/comm_server.html
QUESTION 12
What is another name for packet mode when working in a NAS environment?
A. Interface
B. PPP
C. CTY
D. Async
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
http://www.cisco.com/warp/public/707/32.html
QUESTION 13
Which of the following represents the two files that are necessary to run SDM on a Cisco Router? (Select two)
A. secure.shtml
B. sdm.shtml
C. sdm.exe
D. sdm.tar
E. home.tar
Correct Answer: BD Section: (none) Explanation
Explanation/Reference:
Explanation:
The answer are B sdm.shtml and D sdm.tar Do show flash on cisco router sdm the single files available
are sdm.tar, sdm.shtml and sdmconfig.cfg All these fiel are necessary to run the SDM on the router,
instead of the SDM.exe is to install the application on router but not to run the application
CCSP Self-Study Securing Cisco IOS Network (Secur) CiscoPress.comJohn F Roland Page 541
Note:
Copy the SDM files on the TFTP server to the router Flash memory, using the following CLI commands:
Router# copy tftp://<tftp server IP address>/sdm.tar flash:
Router# copy tftp://<tftp server IP address>/sdm.shtml flash:
Router# copy tftp://<tftp server IP address>/home.tar flash:
Router# copy tftp://<tftp server IP address>/home.html flash
QUESTION 14
Choose the command that you will advice the new Certkiller trainee technician to use to verify that SDM has been installed on a Cisco router.
A. show manager
B. show version
C. show flash
D. show sdm
E. show running-config
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
The quickest test is to connect your PC to the lowest-numbered Ethernet port with a cross-over cable and browse to http://<router ip-address> and see if Cisco SDM launch point is present on the resulting web page. If you have a Cisco 83x, 1701, 1710, 1711, or 1712 router, configure the PC to obtain an IP address automatically. If you have any other supported router, configure the PC with the static IP address 10.10.10.2. Alternatively, you can use the CLI to check that the Cisco SDM files are present in the router Flash memory: enter show flash and look for the Cisco SDM file set: sdm.tar, sdm.shtml, sdmconfig-xxxx.cfg. If the files are present, then confirm that the router configuration is set to support Cisco SDM. The configuration requirements are explained in the document Downloading and Installing SDM.
QUESTION 15
Which of the following protocols can you use to provide secure communications between a target router and SDM? (Select two.)
A. HTTPS
B. RCP
C. Telnet
D. SSH
E. HTTP
F. AES
Correct Answer: AD Section: (none) Explanation
Explanation/Reference:
Cisco SDM communicates with routers for two purposes: to access the Cisco SDM application files for download to the PC and to read and write the router configuration and status. Cisco SDM uses HTTP(s) to download the application files to the PC. A combination of HTTP(s), Telnet/SSH is used to read and write the router configuration.
QUESTION 16
Which of the following actions can you take to prevent newly configured commands from being sent to a target router?
A. delete
B. remove
C. undo
D. clear-commands
E. refresh
Correct Answer: E Section: (none) Explanation
Explanation/Reference:
To send the commands, you have to do a Deliver. However, if you do a refresh, then the router is polled and the current configuration on the router is brought back to the SDM and any changes that were not yet delivered would be lost. Therefore, the answer is REFRESH – E
QUESTION 17
Which one of the following actions can you take to enable SDM generated commands to reach the target router?
A. You could refresh.
B. You could save.
C. You could deliver.
D. You could download.
E. You could copy-config.
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
If you are working in Advanced mode, you must save your work by clicking the Deliver button on the SDM toolbar. The Deliver window allows you to preview the commands that you are sending to the router, and allows you to specify that you want the commands saved to the router’s startup configuration.
QUESTION 18
Which of the following URLs is used to securely access SDM on a router with an IP address of 10.0.5.12?
A. https://10.0.5.12/flash/sdm.tar
B. https://10.0.5.12/flash/sdm.html
C. https://10.0.5.12/flash/sdm.shtml
D. https://10.0.5.12/flash/sdm
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Start SDM SDM is stored in the router Flash memory. It is invoked by executing an HTML file in the router
archive, which then loads the signed SDM Java file. To launch SDM:
——————————— Step 1 From your browser, type in the following universal resource locator (URL):
https://<router IP address> https://… specifies that the Secure Socket Layer (SSL) protocol be used for a
secure connection
QUESTION 19
What is the maximum amount of routers SDM can manage simultaneously?
A. 1
B. 5
C. 50
D. 100
E. determined by router model
F. all of the above
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
One. Cisco SDM is a tool for configuring, managing, and monitoring a single Cisco router. Each Cisco router is accessible with its own copy of Cisco SDM.
QUESTION 20
Which of the following is the minimum IOS release that is capable of supporting SDM?
A. 11.2
B. 12.0
C. 12.1
D. 12.2
E. 6.1
Correct Answer: D Section: (none) Explanation
QUESTION 21
How many devices can Cisco SDM administer?
A. 1
B. 2
C. 3
D. 4
E. There is no limit.
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Cisco SDM is a tool for configuring, managing, and monitoring a single Cisco router. Each Cisco router is accessible with its own copy of Cisco SDM.
QUESTION 22
Which of the following configurations restricts telnet access to a router by requiring the password cisco?
A. line vty 0 4 login cisco
B. line vty 0 4 set password cisco login
C. line vty 0 4 password cisco login
D. line vty 0 4 set login set password cisco
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
To restrict telnet access to a Cisco router, you must configure the virtual terminal lines (VTY) that telnet
uses.
Require a login with the login line configuration command (enabled on vty lines by default). You must also
set a password with the password (password) line configuration command, or remote user telnet
connections will be refused, informing them that a login is required, but no password is set.
QUESTION 23
Which of the following commands encrypts all router passwords?
A. service config-passwords
B. service running-encryption
C. service password-encryption
D. service encrypt-passwords
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
Using the global configuration command service password-encryption, causes all passwords to be
encrypted so they are unreadable when the router configuration is viewed.
QUESTION 24
Which of the following configuration register values will allow a Cisco router to go immediately into ROM mode at any time during a routers operation?
A. 0x2101
B. 0x2002
C. 0x2210
D. 0x2102
Correct Answer: B Section: (none) Explanation Explanation/Reference:
Explanation:
If bit 8 of the configuration register is off (0x2002) the router can be sent directly into ROM mode at any
time if the break key is issued, losing the running configuration. If bit 8 is turned on (0x2102), the break key
can only be issued within the first 60 seconds of router boot up.
QUESTION 25
By default, how many message recipients must an email have for the IOS Firewall to consider it a spam attack?
A. 250
B. 500
C. 100
D. 25
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
By default, the Cisco IOS Firewall will fire an alarm for a spam attack if an email contains 250 or more
recipients.
QUESTION 26
Which of the following AAA security server protocols can the IOS Firewall support? Select all that apply.
A. MD5
B. RSA Signatures
C. TACACS+
D. RADIUS
E. CA
Correct Answer: CD Section: (none) Explanation
Explanation/Reference:
Explanation:
The IOS Firewall can communicate with a AAA server running either RADIUS or TACACS+.
QUESTION 27
What is the default mode TCP Intercept operates in?
A. intercept
B. aggressive
C. 3-way
D. responsive
E. watch
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation: TCP Intercept can be in either intercept mode or passive watch mode. In intercept mode, each TCP SYN packet will be intercepted and responded to on behalf of the server it is protecting. With passive watch mode, TCP Intercept monitors the connection to the server to make sure the connection becomes complete. If the server cannot complete the connection within a configurable time period, TCP Intercept will send a reset packet to the server, clearing up the server’s resources.
QUESTION 28
What is the range of the number of characters the IOS enable secret password can be?
A. 1-20
B. 1-25
C. 4-24
D. 4-30
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
An IOS enable secret password must be between 1 and 25 characters long. The first character cannot be
a number.
QUESTION 29
Which of the following commands enables TCP Intercept?
A. tcp intercept enable
B. ip tcp intercept enable
C. ip tcp intercept enable list
D. ip tcp intercept list
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
To enable TCP Intercept define an access list for hosts you want to protect, then reference that list with the
ip tcp intercept list (list) command.
QUESTION 30
What must you change the configuration register value to, when you need to perform password recovery on a router?
A. 0x2102
B. 0x2142
C. 0x2241
D. 0x2410
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
Setting the configuration register value to 0x2142 will force the router upon a reboot, to boot the image
from flash, but to ignore the startup configuration. This allows you to set an enable secret, then to copy the
running configuration to the startup configuration, thus performing password recovery.
Cisco 642-501 Interactive Testing Engine is an engine that can be downloaded and installed on your PC. This Cisco 642-501 is not only advanced and equipped with much more features, it is also not internet dependent, once installed.It enables you to see Interconnecting Cisco Networking Devices Part 1 questions and answers in a simulated Cisco 642-501 exam environment. Working with Cisco 642-501 Interactive Testing Engine is like passing an actual Cisco 642-501 exam.