I passed the Cisco 642-551 exam this week with nearly 920 pts. I prepared myself with 140 Q&As, all questions from this dump. Cisco 642-551 questions, 2hrs time limit. New questions in Exampass like “AD FS components in the environment”, “Windows PowerShell cmdlet”, “Office 365”. Just know all new Cisco 642-551 questions you will be fine.

QUESTION 30
Which command would be used on the Cisco PIX Security Appliance to show the pool of addresses to be translated?
A. show nat
B. show xlate
C. show global
D. show conn

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
The show global command displays the global pool (or pools) of addresses configured in the PIX Security Appliance.
Incorrect:
show nat
Use the show nat command to display a single host or range of hosts to be translated.
show xlate
The show xlate command displays the contents of the translation slot.
show conn
Displays all active connections.

QUESTION 31
Click and drag the Cisco IDS/IPS engine categories on the left to their function on the right.

Correct Answer: Section: (none) Explanation
Explanation/Reference:
Explanation:

QUESTION 32
To which router platform can Turbo ACLs be applied?
A. Cisco 800 Router
B. Cisco 2600 series router
C. Cisco 3500
D. Cisco 7200 Router

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
The Turbo ACL feature, supported by Cisco 7200 Series, 7500 Series and 12000 Series routers, processes access lists into lookup tables. Packet headers are used to access these tables in a small, fixed number of lookups, independent of the existing number of ACL entries.
The benefits of the Turbo ACL feature are:

1. For ACLs larger than 3 entries, the CPU load required to match the packet to the predetermined packet-matching rule is lessened. The CPU load is fixed, regardless of the size of the ACL, which allows for larger ACLs without incurring additional CPU overhead penalties. The larger the ACL, the greater the benefit.

2. The time taken to match the packet is fixed, so the latency of the packets is smaller (significantly so in the case of large ACLs) and, more importantly, the time taken to match is consistent, which allows better network stability and more accurate transit times.

QUESTION 33
Which Cisco IDS/IPS feature enables the appliance to aggregate alarms?
A. FireOnce
B. Response actions
C. Alarm summarization
D. Threshold configuration

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
Alarm summarization
This feature enables the sensor to aggregate alarms to limit the number of times an alarm is sent when the
signature is triggered.
Incorrect:
FireOnce
Sends the first alarm and then deletes the inspector.
This technique is used to limit alarm firings.
Response actions
This capability enables the sensor to take an action when the signature is triggered.
Threshold configuration
This capability enables a signature to be tuned to perform optimally in a network.

QUESTION 34
What would the following command indicate if it were used on the Cisco PIX Security Appliance? nameif ethernet2 dmz security50
A. The administrator is naming an Ethernet interface only.
B. The administrator is assigning a security level only.
C. The administrator is removing a named interface.
D. The administrator is naming an interface and assigning a security level to it.

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
The nameif command assigns a name to each interface on the PIX Security Appliance and specifies its
security level (except for the inside and outside PIX Security Appliance interfaces, which are named by
default).
The first two interfaces have the default names "inside" and "outside". The inside interface has a default security level of 100; the outside interface has a default security level of 0.

Here, interface ethernet2 was assigned a name of DMZ with a security level of 50.
The syntax for the nameif command is as follows:
nameif hardware_id if_name security_level

QUESTION 35
Which connections does stateful packet filtering handle?
A. TCP and UDP
B. Packet
C. TCP only
D. ICMP

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
Unlike static packet filtering, which examines a packet based on the information in its header, stateful
inspection tracks each connection traversing all interfaces of the firewall and makes sure they are valid.
A stateful firewall may examine not just the header information but also the contents of the packet up
through the application layer in order to determine more about the packet than just information about its
source and destination.

QUESTION 36
Which Cisco IOS command enables the AAA access-control commands and functions on the router, and overrides the older TACACS and extended TACACS commands?
A. no aaa authentication login default enable
B. aaa authentication login default local
C. aaa new-model
D. login authentication default
E. no login authentication default

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
The aaa new-model command forces the router to override every other authentication method previously
configured for the router lines.
Warning!
If an administrative Telnet or console session is lost while enabling AAA on a Cisco router, and no local
AAA user authentication account and method exists, the administrator will be locked out of the router.

QUESTION 37
Which type of access control list can secure multichannel operations that are based on upper-layer information?
A. dynamic
B. CBAC
C. Reflexive
D. Time-based

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
CBAC can secure multichannel operations based on upper-layer information. CBAC examines packets as they enter or leave router interfaces, and determines which application protocols to allow. CBAC access lists are available starting in Cisco IOS Software Release 12.0T as part of the firewall feature set.
Incorrect:
Dynamic
Dynamic access lists (also known as lock and key) create specific, temporary openings in response to user authentication.
Reflexive
These access lists create dynamic entries for IP traffic on one interface of the router based upon sessions originating from a different interface of the router.
Time-based
These access lists are simply numbered or named access lists that are implemented based upon the time of day or the day of the week.

QUESTION 38
Which CSA object contains associations with policies and can accept hosts as members?
A. Groups
B. Policies
C. Variables
D. Agent Kits

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:

Groups:
Groups contain associations with policies and can accept hosts as members.
Incorrect:
Policies
Policies contain rules and are applied to a group or multiple groups.
Variables, Application Classes, and Actions
These elements are combined to create rules.
Agent Kits
Agent kits contain groups and (optionally) the network shim. Agent kits are deployed to hosts to install the
CSA software and all of the policies and rules that have been built into them.

QUESTION 39
Which command is used to configure syslog on a Cisco router?
A. syslog
B. logging
C. logging-host
D. syslog-host

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
Use the logging command in global configuration mode to set the destination (log) hosts.
The syntax for the logging command is as follows:
logging [host-name | ip-address]

QUESTION 40
Where is the Cisco Security Agent installed?
A. on a router
B. on a switch
C. on a host
D. on a hub

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
The CSA software is installed in the host systems (for example, workstations, laptops, servers, and so on) across the network. This software continually monitors local system activity and analyzes the operations of that system. The CSA takes proactive action to block attempted malicious activity and polls the CSA MC at configurable intervals for policy updates.

QUESTION 41
When Cisco routers are configured for SSH, how do they act?
A. as SSH servers
B. as SSH clients
C. as SSH and SSL servers
D. as SSH and SSL clients
E. as SSH accelerators
F. as SSH proxies

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
SSH version 1 is supported in Cisco IOS Software Releases 12.1(1)T and later. SSH version 2 is
supported in Cisco IOS Software Releases 12.3(4)T and later.
Cisco routers configured for SSH act as SSH servers.

QUESTION 42
What is the purpose of the global command on the Cisco PIX Security Appliance?
A. to set up the IP addresses on an interface
B. to enable global configuration mode
C. to create a pool of one or more IP addresses for use in NAT and PAT
D. to enable global NAT

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
Creates a pool of one or more IP addresses for use in NAT and port address translation (PAT).
Incorrect:
To set up the IP addresses on an interface
ip address <int name> 192.168.0.254 255.255.255.0
To enable global configuration mode
configure terminal
To enable global NAT

QUESTION 43
What are the four critical services of IPSec functions? (Choose four.)
A. replay protection
B. confidentiality
C. data integrity
D. data mining
E. origin authentication
F. anti-replay protection

Correct Answer: BCEF Section: (none) Explanation
Explanation/Reference:
Explanation:

QUESTION 44
You are the network security administrator for Certkiller.com. Certkiller.com recently acquired Gamma Technologies. Your company wants you to add an interface to the Cisco PIX Security Appliance to support a dedicated network for the new employees. Your task is to enable the ethernet1 interface for 100-Mbps full-duplex communication and configure it with the following parameters:
The configuration will be as follows:
Name: aikman
Security level: 60
IP address: 192.168.127.1
Netmask: 255.255.255.0
You will not be able to ping the inside PIX interface from an interface connected to an inside host.
The firewall is named New Delhi
The enable password is cisco

Correct Answer: Section: (none) Explanation
Explanation/Reference:
Explanation:
enable password: cisco
# conf t
(config)# nameif ethernet1 aikman security60 (names the interface and sets the security level)
(config)# interface ethernet1 100full (sets the interface to 100 full)
(config)# ip address aikman 192.168.127.1 255.255.255.0 (gives the named interface an IP and subnet)
(config)# exit
# write mem

1. NAMEIF ETHERNET1 AIKMAN SECURITY60 (names the interface and sets the security level)
2. INTERFACE ETHERNET1 100FULL (sets the interface to 100 full)
3. IP ADDRESS AIKMAN 192.168.127.1 255.255.255.0 (gives the named interface an IP and subnet)

Alternative correct answer:
New Delhi> enable
Password: cisco
New Delhi# configure terminal
New Delhi(config)# interface e1
New Delhi(config-if)# nameif aikman
New Delhi(config-if)# ip address 192.168.127.1 255.255.255.0
New Delhi(config-if)# speed 100
New Delhi(config-if)# duplex full
New Delhi(config-if)# security 60
New Delhi(config-if)# no shut
New Delhi(config-if)# exit
New Delhi(config)# show interface
New Delhi(config)# show ip address
New Delhi(config)# write memory

QUESTION 45
Which method does the Cisco IDM use to communicate with the sensor?
A. Telnet
B. HTTP
C. SSH
D. SSL

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
IDM is accessed securely via Secure Sockets Layer (SSL) and Transport Layer Security (TLS) using a
Netscape or Internet Explorer web browser.

QUESTION 46
Which command globally disables CDP?
A. no dcp
B. cdp disable
C. no cdp enable
D. no cdp run

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
Disable CDP globally on the router using the no cdp run command in global configuration mode as shown
in the figure.

QUESTION 47
What are three common types of user accounts on the Cisco IDS/IPS? (Choose three.)
A. administrator
B. guest
C. operator
D. viewer
E. privileged
F. executive

Correct Answer: ACD Section: (none) Explanation
Explanation/Reference:
Explanation:

QUESTION 48
What is a set of conditions that, when met, indicates that an intrusion is occurring or has occurred?
A. rules
B. state tables
C. signatures
D. master parameters

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
Cisco IDS and IPS use over a hundred signatures to detect patterns of misuse in network traffic to identify the most common attacks. Simple signatures check the value of a header field.
More complex signatures may track the state of a connection or perform extensive protocol analysis on the traffic.

QUESTION 49
If you choose Add from the Allowed Hosts panel in Cisco IDM, which two fields are available for the configuration? (Choose two.)
A. Static Routes
B. Dynamic Routes
C. IP Address
D. Default Route
E. Netmask

Correct Answer: CE Section: (none) Explanation
Explanation/Reference:
Explanation:

QUESTION 50
With IPSec operation, what happens when a basic set of security services are negotiated and agreed upon between peers?
A. data transfer
B. IKE Phase 1
C. IPSec tunnel termination
D. IKE Phase 2

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
IPSec operation can be broken down into five simple steps.
Step 1
Interesting traffic: Traffic is deemed interesting when the VPN device recognizes that the traffic you want to send needs to be protected.
Step 2
IKE phase 1: A basic set of security services are negotiated and agreed upon between peers. This basic set of security services protects all subsequent communications between the peers.
Step 3
IKE phase 2: IKE negotiates IPSec SA parameters and sets up matching IPSec SAs in the peers. These security parameters are used to protect data and messages exchanged between endpoints. The final result of IKE phase 1 and phase 2 is a secure communications channel between peers.
Step 4
Data transfer: Data is transferred between IPSec peers based on the IPSec parameters and keys stored in the SA database.
Step 5
IPSec tunnel termination: IPSec SAs terminate through deletion or by timing out.

QUESTION 51
Which browser-based configuration device can be used to monitor and manage multiple Cisco PIX Security Appliances?
A. Cisco PIX Device Manager
B. Cisco ASA Device Manager
C. Firewall Management Center
D. PIX Management Center

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
The PDM monitors and configures a single PIX Security Appliance. You can use the PDM to create a new configuration and to monitor and maintain current PIX Security Appliances. You can point your browser to more than one PIX Security Appliance and administer several PIX Security Appliances from a single workstation. CiscoWorks 2000 Management Center for Firewalls (Firewall MC) is a web-based interface for configuring and managing multiple Cisco PIX Security Appliances. Firewall MC has a look and feel similar to the PDM; however, with Firewall MC, you can configure multiple firewalls instead of configuring only one at a time. Firewall MC centralizes and accelerates the deployment and management of multiple PIX Security Appliances.

QUESTION 52
You are the network security administrator for Certkiller.com. Certkiller.com has just added TACACS+ AAA authentication to the remote-access topology, requiring you to add two TACACS+ servers to the Austin router configuration. First, enable the AAA access-control model for the router, and then add the two TACACS+ servers and their respective keys. Use the following values as necessary:
Parameter: Value
TACACS+ server A IP address: 10.0.71.2
TACACS+ server A key: aaatest
TACACS+ server B IP address: 10.0.71.3
TACACS+ server B key: aaahide
The enable secret keyword is cisco

Correct Answer: Section: (none) Explanation
Explanation/Reference:
1. aaa new-model (enables AAA on the router)
2. tacacs-server host 10.0.71.2 key aaatest (adds the TACACS+ server with its key)
3. tacacs-server host 10.0.71.3 key aaahide (as above)

QUESTION 53
What is the default security-level definition setting for the outside interface for the Cisco PIX Security Appliance?
A. 0
B. 100
C. 50
D. 25

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:

QUESTION 54
Which method of authentication is considered the strongest?
A. S/Key (OTP for terminal login)
B. Username and password (aging)
C. Token cards or SofTokens using OTP
D. Username and password (static)

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
OTP is a stronger method that provides the most secure username and password authentication. Most OTP systems are based on a "secret pass-phrase," which is used to generate a list of passwords. Each password is only good for one login, and is therefore not useful to anyone who manages to eavesdrop and capture it.

QUESTION 55
Which command sets the minimum length of all Cisco IOS passwords?
A. password min-length length
B. min-length security length
C. enable secret min-length
D. security passwords min-length length

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
security passwords min-length
IMPORTANT:
It has no effect on older passwords until you reboot the router. (This is an important item for you to note
when you configure your router passwords, and it is the reason why it is a good idea to set the minimum
password length first.)

QUESTION 56
Click and drag the VPN solution on the left to its definition on the right.

Correct Answer: Section: (none) Explanation
Explanation/Reference:
Explanation:

QUESTION 57
The DH exchange used to generate the shared secret keys occurs in which IKE and exchange phase?
A. first exchange
B. second exchange
C. third exchange
D. fourth exchange

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
Main mode has three two-way exchanges between the initiator and receiver:
First exchange:
The algorithms and hashes used to secure the IKE communications are negotiated.
Second exchange:
A DH exchange generates shared secret keys.
Third exchange:
This exchange verifies the identity of the other side to make sure they are communicating with the devices
with which they think they are communicating.

QUESTION 58
Which administrative access mode for the Cisco PIX Security Appliance allows you to change the current settings?
A. unprivileged mode
B. privileged mode
C. configuration mode
D. monitor mode

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
The PIX Security Appliance contains a command set based on Cisco IOS software, and provides these four administrative access modes:
Unprivileged mode:
This mode is available when you first access the PIX Security Appliance.
The > prompt is displayed.
This mode provides a restricted and limited view of PIX Security Appliance settings.
Privileged mode:
This mode displays the # prompt and enables you to change the current settings. Any unprivileged
command also works in privileged mode.
Configuration mode:
This mode displays the (config)# prompt and enables you to change system configurations.
All privileged, unprivileged, and configuration commands work in this mode.
Monitor mode:
This is a special mode that enables you to update the image over the network or to perform password
recovery. While in the monitor mode, you can enter commands specifying the location of the TFTP server
and the PIX Security Appliance software image or password recovery binary file to download.

QUESTION 59
Which management protocol is used to synchronize the clocks across a network?
A. SNMP
B. Syslog
C. NTP
D. TFTP

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
Network Time Protocol (NTP) is used to synchronize the clocks of various devices across a network.
Synchronization of the clocks within a network is critical for digital certificates and for correct interpretation
of events within syslog data.

QUESTION 60
Which two protocols does Cisco Secure ACS use for AAA services? (Choose two.)
A. TACACS+
B. Telnet
C. SSH
D. RADIUS
E. SSL
F. SMP

Correct Answer: AD Section: (none) Explanation
Explanation/Reference:
Explanation:
Cisco Secure ACS uses two distinct protocols for AAA services:

1. Remote Authentication Dial-In User Service (RADIUS) and
2. Terminal Access Controller Access Control System (TACACS+)

QUESTION 61
Which administrative access mode for the Cisco PIX Security Appliance allows you to view a restricted and limited view of current settings?
A. unprivileged mode
B. privileged mode
C. configuration mode
D. monitor mode

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
Unprivileged mode:
This mode is available when you first access the PIX Security Appliance.
The > prompt is displayed.
This mode provides a restricted and limited view of PIX Security Appliance settings.
Privileged mode:
This mode displays the # prompt and enables you to change the current settings. Any unprivileged
command also works in privileged mode.
Configuration mode:
This mode displays the (config)# prompt and enables you to change system configurations.
All privileged, unprivileged, and configuration commands work in this mode.
Monitor mode:
This is a special mode that enables you to update the image over the network or to perform password
recovery. While in the monitor mode, you can enter commands specifying the location of the TFTP server
and the PIX Security Appliance software image or password recovery binary file to download.

QUESTION 62
Which type of VPN is considered an extension of a classic WAN?
A. remote-access VPN
B. site-to-site VPN
C. GRE VPN
D. L2TP VPN

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
VPN site-to-site can be used to connect corporate sites. With Internet access, leased lines and frame relay
lines can be replaced with site-to-site VPN for network connection. VPN can support company intranets
and business partner extranets.
Site-to-site VPN is an extension of the classic WAN.