100% valid Cisco 642-504 brain dumps with more new added questions. By training the Cisco 642-504 questions, you will save a lot of time in preparing for the exam. Visit www.Flydumps.com to get the 100% pass ensure!
QUESTION 62
When enabling Cisco IOS IPS using 5.x signatures, which required item can be downloaded from Cisco.com?
A. SDF files (128MB.sdf, 256MB.sdf, attack.drop.sdf)
B. public key
C. built-in signatures
D. Signature Micro-Engines
PassGuide.com-Make You Succeed To Pass IT Exams PassGuide 642-504
E. IME
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
QUESTION 63
Cisco IOS Firewall supports which three of the following features? (Choose three.)
A. alerts
B. audit trails
C. multicontext firewalling
D. active/active stateful failover
E. DoS attacks protection
Correct Answer: ABE Section: (none) Explanation
Explanation/Reference:
QUESTION 64
Which information will be shown by entering the command show zone-pair security?
A. zone descriptions and assigned interfaces
B. all service policy maps
C. source and destination zones, and attached policy
D. physical interface members of the zone pair
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
QUESTION 65
Refer to the exhibit.
What is true regarding the IKE security association?
A. The IPsec connection is in an idle state.
B. The IKE association is in the process of being set up.
C. The IKE status is authenticated.
D. The ISAKMP state is waiting for quick mode status to authenticate before IPsec parameters are passed between peers.
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
QUESTION 66
Refer to the exhibit. Based on the CLI configuration shown, which two statements are correct? (Choose two.)
A. Serial0/0/0 is the outside NAT interface.
B. The overload option enables static PAT.
C. The static PAT configuration will not work since the second entry in access-list 1 overlaps the static PAT configuration.
D. All HTTP connections to the Serial0/0/0 interface IP address will be translated to the 172.16.1.2 IP address port 8080.
E. access-list 1 defines the list of inside global IP addresses.
Correct Answer: AD Section: (none) Explanation
Explanation/Reference:
QUESTION 67
When configuring the zone-based firewall feature on a Cisco router, which statement is correct regarding the zone-based firewall policy?
A. The policy is applied unidirectionally between two security zones.
B. Interfaces in the same zone require that a bidirectional traffic policy be applied to permit traffic flow.
C. Traffic between an interface belonging to a zone and an interface that is not a zone member is allowed to pass without the policy being applied to the traffic.
D. Traffic between an interface belonging to a zone and the “self” zone is denied by default unless it is explicitly allowed by a user-defined policy.
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 68
When deploying 802.1X authentication on Cisco Catalyst switches, what are two possible options for authenticating the clients that do not have an 802.1X supplicant? (Choose two.)
A. MAC Authentication Bypass
B. Active Directory Single Sign-On
C. authentication proxy
D. web authentication
E. Protected EAP
Correct Answer: AD Section: (none) Explanation
Explanation/Reference:
QUESTION 69
Which is correct regarding the Management Plane Protection feature?
A. By default, Management Plane Protection is enabled on all interfaces.
B. Management Plane Protection provides for a default management interface.
C. Only SSH and SNMP management will be allowed on nondesignated management interfaces.
D. All incoming packets through the management interface are dropped except for those from the allowed management protocols.
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 70
Which statement is correct regarding Cisco IOS Firewall URL-filtering services on Cisco IOS Release 12.4(15)T and later?
A. Multiple URL lists and URL filter server lists can be configured on the router.
B. URL filtering with zone-based firewalls is configured using the type “inspect” parameter-map.
C. Enabling “allow mode” is required when using an external URL-filtering server.
D. The services support Secure Computing server or Websense server and the local URL list.
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 71
Which two commands are used to allow only SSH traffic to the router Eth0 interface and deny other management traffic (BEEP, FTP, HTTP, HTTPS, SNMP, Telnet, TFTP) to the router interfaces? (Choose two.)
A. interface eth0
B. control-plane host
C. policy-map type port-filter policy-name
D. service-policy type port-filter input policy-name
E. management-interface eth0 allow ssh
F. line vty 0 5 transport input ssh
Correct Answer: BE Section: (none) Explanation
Explanation/Reference:
QUESTION 72
Which is an advantage of implementing the Cisco IOS Firewall feature?
A. provides self-contained end-user authentication capabilities
B. integrates multiprotocol routing with security policy enforcement
C. acts primarily as a dedicated firewall device
D. is easily deployed and managed by the Cisco Adaptive Security Device Manager
E. provides data leakage protection capabilities
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
QUESTION 73
The CPU and Memory Threshold Notifications of the Network Foundation Protection feature protects which router plane?
A. control plane
B. management plane
C. data plane
D. network plane
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
QUESTION 74
What configuration task must you perform prior to configuring private VLANs?
A. enable port security on the interface
B. associate all isolated ports to the primary VLAN
C. set the VTP mode to transparent
D. configure PVLAN trunking
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
QUESTION 75
Refer to the exhibit.
Given that the fa0/1 interface is the trusted interface, what could be a reason for users on the trusted inside networks not to be able to successfully establish outbound HTTP connections?
A. The outgoing ACL on the fa0/1 interface is not set.
B. The FWRULE inspection policy is not inspecting HTTP traffic.
C. ACL 104 is denying the outbound HTTP traffic.
D. The outgoing inspection rule on the fa0/1 interface is not set.
E. ACL 104 is denying the return HTTP traffic.
F. The FWRULE inspection policy is not configured correctly.
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
QUESTION 76
What are the two category types associated with 5.x signature use in Cisco IOS IPS? (Choose two.)
A. basic
B. advanced
C. 128MB.sdf
D. 256MB.sdf
E. attack-drop
F. built-in
Correct Answer: AB Section: (none) Explanation
Explanation/Reference:
QUESTION 77
When you add NADs as AAA clients in the ACS, which three parameters are configured for each AAA client? (Choose three.)
A. the NAD IP address
B. the AAA server IP address
C. the EAP type
D. the shared secret key
E. the AAA protocol to use for communication with the NADs
F. the UDP ports to use for communication with the NADs
Correct Answer: ADE Section: (none) Explanation
Explanation/Reference:
QUESTION 78
When configuring the Auto Update feature for Cisco IOS IPS, what is a recommended best practice?
A. Synchronize the router’s clock to the PC before configuring Auto Update.
B. Clear the router’s flash of unused signature files.
C. Enable anonymous TFTP downloads from Cisco.com and specify the download frequency.
D. Create the appropriate directory on the router’s flash memory to store the downloaded signature files.
E. Download the realm-cisco.pub.key file and update the public key stored on the router.
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 79
Which action does the interface configuration command switchport protected enable?
A. groups ports into an isolated community when configured on multiple ports
B. configures the interface for the PVLAN edge
C. provides isolation between two protected ports located on different switches
D. allows traffic on protected ports to be forwarded at Layer 2
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
QUESTION 80
Which two are capabilities of the Cisco IOS Firewall Feature Set? (Choose two.)
A. protects against worms, malicious users, and denial of service
B. provides intrusion protection capabilities
C. when combined with application inspection, performs as an advanced application layer firewall gateway
D. interoperates with Network Address Translation to conserve and simplify network address use
E. provides for secure connectivity between branch offices
Correct Answer: AD Section: (none) Explanation
Explanation/Reference:
QUESTION 81
Refer to the exhibit.
What will result from this zone-based firewall configuration?
A. All traffic from the private zone to the public zone will be dropped.
B. All traffic from the private zone to the public zone will be permitted but not inspected.
C. All traffic from the private zone to the public zone will be permitted and inspected.
D. All traffic from the public zone to the private zone will be permitted but not inspected.
E. Only HTTP and DNS traffic from the private zone to the public zone will be permitted and inspected.
F. Only HTTP and DNS traffic from the public zone to the private zone will be permitted and inspected.
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 82
Which Cisco IOS Firewall feature allows the firewall to function as a Layer 2 bridge on the network?
A. zone-based firewall
B. CBAC
C. firewall ACL bypass
D. transparent firewall
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 83
Which two are technologies that secure the control plane of the Cisco router? (Choose two.)
A. Cisco IOS Flexible Packet Matching
B. uRPF
C. routing protocol authentication
D. CPPr
E. BPDU protection
F. role-based access control
Correct Answer: CD Section: (none) Explanation
Explanation/Reference:
QUESTION 84
Refer to the exhibit. What is wrong with the partial IPsec VPN high-availability configuration shown here?
A. A static crypto map should be used instead of a dynamic crypto map.
B. The crypto map CM interface configuration statement is missing the stateful option.
C. The crypto map interface configuration statement should reference the dynamic crypto map DM.
D. IPsec is not synchronized with HSRP.
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 85
The Cisco SDM IPS migration tool is used for what purpose?
A. to migrate the built-in signatures to the SDF format
B. to migrate from Cisco IOS IPS version 4.0 to Cisco IOS IPS version 5.0
C. to migrate from promiscuous mode IPS to inline IPS
D. to migrate from Cisco IOS IPS to the Cisco AIM-IPS
E. to migrate from the Cisco NM-CIDS to the Cisco AIM-IPS
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
QUESTION 86
When configuring FPM, what should be the next step after the PHDFs have been loaded?
A. Define a stack of protocol headers.
B. Define a traffic policy.
C. Define a service policy.
D. Define a class map of type “access-control” for classifying packets.
E. Reload the router.
F. Save the PHDFs to startup-config.
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 87
What are the two enrollment options when using the SDM Certificate Enrollment wizard? (Choose two.)
A. SCEP
B. LDAP
C. OCSP
D. Cut-and-Paste/Import from PC
Correct Answer: AD Section: (none) Explanation
Explanation/Reference:
QUESTION 88
Which parameter is configured under the router(config-isakmp)# configuration mode?
A. use of digital certificates for authentication
B. the IPsec transform set
C. the reference to the crypto ACL
D. the IPsec peer IP address
E. the pre-shared key value
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 89
When implementing EIGRP dynamic routing over DMVPN, what are three configuration tasks required at the hub router tunnel interface? (Choose three.)
A. disabling EIGRP ip next-hop-self
B. disabling EIGRP ip split-horizon
C. disabling EIGRP auto-summary
D. disabling EIGRP stub
E. enabling multipoint GRE
F. configuring the NHRP next-hop server IP address
Correct Answer: ABE Section: (none) Explanation
Explanation/Reference:
QUESTION 90
Cisco IOS IPS uses which alerting protocol with a pull mechanism for getting IPS alerts to the network management application?
A. HTTPS
B. SMTP
C. SNMP
D. syslog
E. SDEE
F. POP3
Correct Answer: E Section: (none) Explanation
Explanation/Reference:
QUESTION 91
Which two statements are correct regarding Network Address Translation and IPsec interoperability? (Choose two.)
A. ESP does not work with NAT.
B. AH does not work with NAT.
C. ESP does not work with PAT.
D. NAT-T uses TCP port 4500.
E. NAT-T sends NAT discovery packets after IKE Phase 2 establishment.
Correct Answer: BC Section: (none) Explanation
Explanation/Reference:
QUESTION 92
When configuring a Cisco Easy VPN server, what must be configured prior to entering VPN configuration parameters?
A. AAA
B. ISAKMP peer authentication method
C. XAuth
D. SSH
E. crypto ACL
F. NTP
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 93
Which three of these statements are correct regarding DMVPN configuration? (Choose three.)
A. If running EIGRP over DMVPN, the hub router tunnel interface must have “next hop self” enabled: ip next-hop-self eigrp AS-Number
B. If running EIGRP over DMVPN, the hub router tunnel interface must have split horizon disabled: no ip split-horizon eigrp AS-Number
C. The spoke routers must be configured as the NHRP servers: ip nhrp nhs spoke-tunnel-ip-address
D. At the spoke routers, static NHRP mapping to the hub router is required: ip nhrp map hub-tunnel-ip-address hub-physical-ip-address
E. The GRE tunnel mode must be set to point-to-point mode: tunnel mode gre point-to-point
F. The GRE tunnel must be associated with an IPsec profile: tunnel protection ipsec profile profile-name
Correct Answer: BDF Section: (none) Explanation
Explanation/Reference:
QUESTION 94
Refer to the exhibit.
What is correct based on the partial configuration shown?
A. The policy is configured to use an authentication key of ‘rsa-sig’.
B. The policy is configured to use Diffie-Hellman group sha-1.
C. The policy is configured to use Triple DES IPsec encryption.
D. The policy is configured to use digital certificates.
E. The policy is configured to use access list 101 to identify the IKE-protected traffic.
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 95
Which Cisco IOS VPN feature simplifies IPsec VPN configuration and design by using on-demand virtual access interfaces that are cloned from a virtual template configuration?
A. GET VPN
B. dynamic VTI
C. static VTI
D. GRE tunnels
E. GRE over IPsec tunnels
F. DMVPN
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
QUESTION 96
When you configure Cisco IOS WebVPN, you can use the port-forward command to enable which function?
A. web-enabled applications
B. Cisco Secure Desktop
C. full-tunnel client
D. thin client
E. CIFS
F. OWA
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 97
Refer to the DMVPN topology diagram in the exhibit. Which two statements are correct? (Choose two.)
A. The hub router needs to have EIGRP split horizon disabled.
B. At the Spoke A router, the next hop to reach the 192.168.2.0/24 network is 10.0.0.1.
C. Before a spoke-to-spoke tunnel can be built, the spoke router needs to send an NHRP query to the hub to resolve the remote spoke router physical interface IP address.
D. At the Spoke B router, the next hop to reach the 192.168.1.0/24 network is 172.17.0.1.
E. The spoke routers act as the NHRP servers for resolving the remote spoke physical interface IP address.
F. At the Spoke A router, the next hop to reach the 192.168.0.0/24 network is 172.17.0.1.
Correct Answer: AC Section: (none) Explanation
Explanation/Reference:
QUESTION 98
GET VPN uses which secure group keying mechanism?
A. Diffie-Hellman
B. pre-shared
C. Group Domain of Interpretation
D. public and private keys
E. group key agreement
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
QUESTION 99
Which three statements correctly describe the GET VPN policy management? (Choose three.)
A. A central policy is defined at the ACS (AAA) server.
B. A local policy is defined on each group member.
C. A global policy is defined on the key server, and it is distributed to the group members.
D. The key server and group member policy must match.
E. The group member appends the global policy to its local policy.
Correct Answer: BCE Section: (none) Explanation
Explanation/Reference:
QUESTION 100
Cisco Easy VPN Server pushes parameters such as the client internal IP address, DHCP server IP address, and WINS server IP address to the Cisco Easy VPN Remote client during which of these phases?
A. IKE Phase 1 first-message exchange
B. IKE Phase 2 last-message exchange
C. IKE mode configuration
D. IKE XAUTH
E. IKE quick mode
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
QUESTION 101
You are an administrator configuring a Cisco router to enroll with a certificate authority. What is a recommended best practice to perform prior to configuring enrollment parameters?
A. Contact the registration authority to obtain the enrollment URL.
B. Manually verify the PKCS #10 certificate prior to enrollment.
C. Configure the certificate revocation list to ensure that you do not receive revoked CA certificates.
D. Configure Network Time Protocol.
E. If using SCEP, ensure that TCP port 22 traffic is permitted to the router.
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 102
DMVPN configuration uses which tunnel mode type on the tunnel interface?
A. DVMRP
B. IPsec IPv4
C. NHRP
D. GRE multipoint
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 103
When configuring GRE over IPsec, what is true regarding the GRE tunnel endpoints?
A. A mirror image of the IPsec crypto ACL needs to be configured to permit the interesting end-user traffic between the GRE endpoints.
B. The tunnel interface of both endpoints should be configured to use the outside IP address of the router as the unnumbered IP address.
C. The tunnel interface of both endpoints needs to be in the same IP subnet.
D. For high availability, the GRE tunnel interface should be configured with a primary and a backup tunnel destination IP address.
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
QUESTION 104
When using Cisco Easy VPN, what are the three options for entering the XAUTH username and password for establishing the VPN connection from the Cisco Easy VPN remote router? (Choose three.)
A. using the router local user database
B. using an external AAA server
C. entering the information from the router console or SDM
D. entering the information from the PC browser when browsing
E. saving the XAUTH credentials to this router
Correct Answer: CDE Section: (none) Explanation
Explanation/Reference:
QUESTION 105
This item contains three questions that you must answer. In order to answer the question, you need to examine the SDM screens by clicking on the SDM button to the left. View the question by clicking on the Questions button to the left. Then, choose the correct answer from among the options. Note: Not all the SDM screen functions are implemented in this simulation. If a certain method to access the desired SDM screen is not available, please try to use an alternate method to access the required SDM screen to answer the question.
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 106
This item contains three questions that you must answer. You can view the question by clicking on the Questions button to the left. In order to answer the question, you need to examine the SDM screens by clicking on the SDM button to the left. View the question by clicking on the Questions button to the left. Then, choose the correct answer from among the options. Note: Not all the SDM screen functions are implemented in this simulation. If a certain method to access the desired SDM screen is not available, please try to use an alternate method to access the required SDM screen to answer the question.
A.
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 107
Drop
A.
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 108
Drop
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 109
Drop
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 110
Drop
Correct Answer: A Section: (none) Explanation
Explanation/Reference: