Cisco 642-504 Exam - TopITexams.com
Free 642-504 Sample Questions:
Q: 1 Which two technologies can secure the control plane of the Cisco router?
A. BPDU protection
B. role-based access control
C. routing protocol authentication
Answer: C, D
Q: 2 Cisco Secure Access Control Server (ACS) is a highly scalable,
high-performance access control server that provides a comprehensive identity networking solution.
Which of these statements is correct regarding user setup on ACS 4.0?
A. Users are assigned to the default group.
B. A user can belong to more than one group.
C. The username can contain characters such as "#" and "?".
D. The settings at the group level override the settings configured at the user level.
Q: 3 The security administrator for XXYYinc Inc. is working on defending the
network against SYN flooding attacks. Which of the following are tools to protect the network from TCP
A. Route authentication
D. TCP intercept
Q: 4 While using the SDM Certificate Enrollment wizard, which two are the
enrollment options? (Choose two.)
D. Cut-and-Paste/Import from PC
Answer: A, D
Q: 5 Which two category types are associated with 5.x signature use in Cisco IOS
IPS? (Choose two.)
Answer: A, B
Q: 6 Select two issues that you should consider when implementing IOS Firewall
IDS. (Choose two.)
A. The memory usage
B. The number of DMZs
C. The signature coverage
D. The number of router interfaces
Answer: A, C
Q: 7 Based on the following configuration, which two statements are correct?
ip ips name MYIPS
interface GigabitEthernet 0/1
ip address 10.1.1.16 255.255.255.0
ip ips MYIPS in
A. SDEE alert messages will be enabled.
B. The basic signatures will be used.
C. The built-in signatures will be used.
D. Cisco IOS IPS will fail-open.
Answer: C, D
Q: 8 Which statement accurately describes the Management Plane Protection
A. Only SSH and SNMP management will be allowed on nondesignated management interfaces.
B. Management Plane Protection is enabled on all interfaces by default.
C. Management Plane Protection offers a default management interface.
D. All incoming packets through the management interface are dropped except for those from the allowed
Q: 9 You are in charge of Securing Networks Cisco Routers and Switches in
xxyyinc.com. Why is the Cisco IOS Firewall authentication proxy not working based on the following
aaa new-model
aaa authentication login default group tacacs
aaa authentication auth-proxy default group tacacs+
aaa accounting auth-proxy default start-stop group tacacs+
enable password TeSt_123
ip auth-proxy name pxy http
ip auth-proxy auth-proxy-banner
ip address 192.168.1.1 255.255.255.0
ip auth-proxy pxy
no ip http server
tacacs-server host 192.168.123.14
tacacs-server key cisco
A. The aaa authentication auth-proxy default group tacacs+ command is missing.
B. The router local username and password database is not configured.
C. You forgot to enable the HTTP server and AAA authentication.
D. Cisco IOS authentication proxy does not support TACACS+.
Q: 10 Which advantage can be obtained by implementing the Cisco IOS Firewall
A. provides data leakage protection capabilities
B. integrates multiprotocol routing with security policy enforcement
C. is easily deployed and managed by the Cisco Adaptive Security Device Manager
D. acts primarily as a dedicated firewall device
Q: 11 You are in charge of Securing Networks Cisco Routers and Switches in
xxyyinc.com. When troubleshooting a site-to-site IPsec VPN, you see this console message:
%CRYPTO-6-IKMP_SA_NOT_OFFERED: Remote peer %15i responded with attribute [chars] not
offered or changed.
Which configuration should you verify?
A. the crypto ACL
B. the crypto map
C. the IPsec transform set
D. the ISAKMP policies
Q: 12 Which three descriptions are true about the GET VPN policy management?
A. The key server and group member policy must match.
B. A local policy is defined on each group member.
C. A global policy is defined on the key server, and it is distributed to the group members.
D. The group member appends the global policy to its local policy.
Answer: B, C, D
Q: 13 When you enter the XXYY-S(config)#aaa authentication dot1x default group
radius command on a Cisco Catalyst switch, the Cisco IOS parser returns with the "invalid input
detected" error message. What can be the cause of this error?
A. You must use the dot1x system-auth-control command first to globally enable 802.1x.
B. You must define the RADIUS server IP address first, using the XXYY-S(config)# radius-server host
C. You must enter the aaa new-model command first.
D. The local option is missing in the command.
Q: 14 When an active signature is detected, Cisco IOS IPS can take specific actions.
Which option is correct about the relationship between the action and its correct definition?
1. Deny Attacker Inline
2. Deny Connection Inline
3. Deny Packet Inline
4. Produce Alert
5. Reset TCP Connection
I. Do not transmit this packet (inline only)
II. Drop the packet and all future packets from the TCP flow
III. Send resets to terminate the TCP flow
IV. Create an ACL that denies all traffic from the suspected source IP address
V. Generate an alarm message
Q: 15 You want to increase the security of a newly installed switch. Which Cisco
Catalyst IOS command is used to mitigate a MAC spoofing attack?
A. XXYY-S(config-if)# port-security mac-address 0000.ffff.aaaa
B. XXYY-S(config)# switchport port-security mac-address 0000.ffff.aaaa
C. XXYY-S(config-if)# switchport port-security mac-address 0000.ffff.aaaa
D. XXYY-S(config)# port-security mac-address 0000.ffff.aaaa
Q: 16 The NHRP process allows which requirement to be satisfied in DMVPN?
A. dynamic physical interface IP address at the spoke routers
B. dynamic spoke-to-spoke on-demand tunnels
C. dynamic routing over the DMVPN
D. dual DMVPN hub designs
Q: 17 When you implement Cisco IOS WebVPN on a Cisco router using a
self-signed certificate, you notice that the router is not generating a self-signed certificate. What should
you check to troubleshoot this issue?
A. Verify the ip http server configuration.
B. Verify the WebVPN group policy configuration.
C. Verify the AAA authentication configuration.
D. Verify that the WebVPN gateway is inservice.
Q: 18 Which item is correct about the relationship between the Cisco IOS SEAP
feature and its description? Not all the features are used.
1. signature fidelity rating
2. alert severity rating
3. target value rating
5. event action filters
6. event action overrides
I. user's perceived value of the target host
II. remove action(s) from an event
III. a way to add event actions globally
Q: 19 Cisco IOS Intrusion Prevention System (IPS) is an inline, deep-packet
inspection feature that effectively mitigates a wide range of network attacks. When verifying Cisco IOS
IPS operations, when should you expect Cisco IOS IPS to start loading the signatures?
A. After you configure the ip ips sdf location flash:filename command
B. After you configure the ip ips sdf builtin command
C. After you configure a Cisco IOS IPS rule in the global configuration
D. when the first Cisco IOS IPS rule is enabled
Q: 20 Which router plane can be protected by the CPU and Memory Threshold
Notifications of the Network Foundation Protection feature?
A. data plane
B. management plane
C. network plane
D. control plane
Q: 21 A new XXYYinc switch has been installed and you wish to secure it. Which
Cisco Catalyst IOS command can be used to mitigate a CAM table overflow attack?
A. XXYY-S(config-if)# port-security maximum 1
B. XXYY-S(config)# switchport port-security
C. XXYY-S(config-if)# port-security
D. XXYY-S(config-if)# switchport port-security maximum 1
Q: 22 Please match each NFP feature to the correct description.
1. Flexible Packet Matching
2. Control Plane Protection
3. Control Plane Policing
(I) applies to all (aggregated) control-plane traffic
(II) applies to a control-plane subinterface, for example host, transit, or cef-exception
(III) applies to data plane traffic
A. (I)-1 (II)-2 (III)-3
B. (I)-2 (II)-3 (III)-1
C. (I)-3 (II)-1 (III)-2
D. (I)-3 (II)-2 (III)-1
Q: 23 Cisco IOS Flexible Packet Matching (FPM) uses flexible and granular Layer
2-7 pattern matching deep within the packet header or payload to provide a rapid first line of defense
against network threats and notable worms and viruses. When configuring FPM, what should be the next
step after the PHDFs have been loaded?
A. Configure a class map of type "access-control" for classifying packets.
B. Configure a traffic policy.
C. Configure a service policy.
D. Configure a stack of protocol headers.