Cisco 642-504 Exam

Free 642-504 Sample Questions:

Q: 1 Which two technologies can secure the control plane of the Cisco router? (Choose two.)
A. BPDU protection
B. role-based access control
C. routing protocol authentication
Answer: C, D

Q: 2 Cisco Secure Access Control Server (ACS) is a highly scalable, high-performance access control server that provides a comprehensive identity networking solution.
Which of these statements is correct regarding user setup on ACS 4.0?
A. Users are assigned to the default group.
B. A user can belong to more than one group.
C. The username can contain characters such as "#" and "?".
D. The settings at the group level override the settings configured at the user level.
Answer: A

Q: 3 The security administrator for XXYYinc Inc. is working on defending the network against SYN flooding attacks. Which of the following are tools to protect the network from TCP SYN attacks?
A. Route authentication
B. Encryption
D. TCP intercept
Answer: D

Q: 4 While using the SDM Certificate Enrollment wizard, which two are the enrollment options? (Choose two.)
D. Cut-and-Paste/Import from PC
Answer: A, D

Q: 5 Which two category types are associated with 5.x signature use in Cisco IOS IPS? (Choose two.)
A. basic
B. advanced
C. attack-drop
D. built-in
Answer: A, B

Q: 6 Select two issues that you should consider when implementing IOS Firewall IDS. (Choose two)
A. The memory usage
B. The number of DMZs
C. The signature coverage
D. The number of router interfaces
Answer: A, C

Q: 7 Based on the following configuration, which two statements are correct? (Choose two.)
ip ips name MYIPS
interface GigabitEthernet 0/1
ip address
A. SDEE alert messages will be enabled
B. The basic signatures will be used
C. The built-in signatures will be used.
D. Cisco IOS IPS will fail-open.
Answer: C, D

Q: 8 Which statement accurately describes the Management Plane Protection feature?
A. Only SSH and SNMP management will be allowed on nondesignated management interfaces.
B. Management Plane Protection is enabled on all interfaces by default.
C. Management Plane Protection offers a default management interface.
D. All incoming packets through the management interface are dropped except for those from the allowed management protocols.
Answer: D

Q: 9 You are in charge of Securing Networks Cisco Routers and Switches. Why is the Cisco IOS Firewall authentication proxy not working based on the following configuration?
aaa new-model
aaa authentication login default group tacacs
aaa authentication auth-proxy default group tacacs+
aaa accounting auth-proxy default start-stop group tacacs+
enable password TeSt_123
ip auth-proxy name pxy http
ip auth-proxy auth-proxy-banner
interface Ethernet0/1
ip address
ip auth-proxy pxy
no ip http server
tacacs-server host
tacacs-server key cisco
!Output omitted
A. The aaa authentication auth-proxy default group tacacs+ command is missing
B. The router local username and password database is not configured.
C. You forgot to enable HTTP server and AAA authentication
D. Cisco IOS authentication proxy does not support TACACS+.
Answer: C

Q: 10 Which advantage can be obtained by implementing the Cisco IOS Firewall feature?
A. provides data leakage protection capabilities
B. integrates multiprotocol routing with security policy enforcement
C. is easily deployed and managed by the Cisco Adaptive Security Device Manager
D. acts primarily as a dedicated firewall device
Answer: B

Q: 11 You are in charge of Securing Networks Cisco Routers and Switches. When troubleshooting site-to-site IPsec VPN, you see this console message:
%CRYPTO-6-IKMP_SA_NOT_OFFERED: Remote peer %15i responded with attribute [chars] not offered or changed.
Which configuration should you verify?
A. the crypto ACL
B. the crypto map
C. the IPsec transform set
D. the ISAKMP policies
Answer: D

Q: 12 Which three descriptions are true about the GET VPN policy management? (Choose three.)
A. The key server and group member policy must match.
B. A local policy is defined on each group member.
C. A global policy is defined on the key server, and it is distributed to the group members.
D. The group member appends the global policy to its local policy.
Answer: B, C, D

Q: 13 When you enter the XXYY-S(config)#aaa authentication dot1x default group radius command on a Cisco Catalyst switch, the Cisco IOS parser returns with the "invalid input detected" error message. What can be the cause of this error?
A. You must use the dot1x system-auth-control command first to globally enable 802.1x.
B. You must define the RADIUS server IP address first, using the XXYY-S(config)# radius-server host ip-address command.
C. You must enter the aaa new-model command first.
D. The local option is missing in the command.
Answer: C

Q: 14 When an active signature is detected, Cisco IOS IPS can take specific actions.
Which option is correct about the relationship between the action and its correct definition?
1. Deny Attacker Inline
2. Deny Connection Inline
3. Deny Packet Inline
4. Produce Alert
5. Reset TCP Connection
I. Do not transmit this packet (inline only)
II. Drop the packet and all future packets from the TCP flow
III. Send resets to terminate the TCP flow
IV. Create an ACL that denies all traffic from the suspected source IP address
V. Generate an alarm message
A. I-3,II-5,III-2,IV-1,V-4
B. I-3,II-5,III-2,IV-4,V-1
C. I-3,II-5,III-1,IV-2,V-4
D. I-3,II-5,III-1,IV-4,V-2
Answer: A

Q: 15 You want to increase the security of a newly installed switch. Which Cisco Catalyst IOS command is used to mitigate a MAC spoofing attack?
A. XXYY-S(config-if)# port-security mac-address 0000.ffff.aaaa
B. XXYY-S(config)# switchport port-security mac-address 0000.ffff.aaaa
C. XXYY-S(config-if)# switchport port-security mac-address 0000.ffff.aaaa
D. XXYY-S(config)# port-security mac-address 0000.ffff.aaaa
Answer: C

Q: 16 The NHRP process allows which requirement to be satisfied in DMVPN?
A. dynamic physical interface IP address at the spoke routers
B. dynamic spoke-to-spoke on-demand tunnels
C. dynamic routing over the DMVPN
D. dual DMVPN hub designs
Answer: A

Q: 17 When you implement Cisco IOS WebVPN on a Cisco router using a self-signed certificate, you notice that the router is not generating a self-signed certificate. What should you check to troubleshoot this issue?
A. Verify the ip http server configuration.
B. Verify the WebVPN group policy configuration.
C. Verify the AAA authentication configuration.
D. Verify that the WebVPN gateway is inservice.
Answer: D

Q: 18 Which item is correct about the relationship between the Cisco IOS SEAP feature and its description? Not all the features are used.
1. signature fidelity rating
2. alert severity rating value rating
4. risk rating
5. event action filters
6. event action overrides
I. user's perceived value of the target host
II. remove action(s) from an event
III. a way to add event actions globally
A. I-3,II-5,III-6
B. I-3,II-6,III-5
C. I-2,II-5,III-6
D. I-2,II-6,III-5
Answer: A

Q: 19 Cisco IOS Intrusion Prevention System (IPS) is an inline, deep-packet inspection feature that effectively mitigates a wide range of network attacks. When verifying Cisco IOS IPS operations, when should you expect Cisco IOS IPS to start loading the signatures?
A. After you configure the ip ips sdf location flash:filename command
B. After you configure the ip ips sdf builtin command
C. After you configure a Cisco IOS IPS rule in the global configuration
D. When the first Cisco IOS IPS rule is enabled
Answer: D

Q: 20 Which router plane can be protected by the CPU and Memory Threshold Notifications of the Network Foundation Protection feature?
A. data plane
B. management plane
C. network plane
D. control plane
Answer: B

Q: 21 A new XXYYinc switch has been installed and you wish to secure it. Which Cisco Catalyst IOS command can be used to mitigate a CAM table overflow attack?
A. XXYY-S(config-if)# port-security maximum 1
B. XXYY-S(config)# switchport port-security
C. XXYY-S(config-if)# port-security
D. XXYY-S(config-if)# switchport port-security maximum 1
Answer: D

Q: 22 Please match each NFP feature to the correct description.
1. Flexible Packet Matching
2. Control Plane Protection
3. Control Plane Policing
(I) applies to all (aggregated) control-plane traffic
(II) applies to a control-plane sub-if, for example, host or transit or cef-exception
(III) applies to data plane traffic
A. (I)-1 (II)-2 (III)-3
B. (I)-2 (II)-3 (III)-1
C. (I)-3 (II)-1 (III)-2
D. (I)-3 (II)-2 (III)-1
Answer: D

Q: 23 Cisco IOS Flexible Packet Matching (FPM) uses flexible and granular Layer 2-7 pattern matching deep within the packet header or payload to provide a rapid first line of defense against network threats and notable worms and viruses. When configuring FPM, what should be the next step after the PHDFs have been loaded?
A. Configure a class map of type "access-control" for classifying packets.
B. Configure a traffic policy.
C. Configure a service policy.
D. Configure a stack of protocol headers.
Answer: D