Official 2014 Latest Cisco 640-554 Dump Free Download(101-108)!

QUESTION 101
When using a stateful firewall, which information is stored in the stateful session flow table?

A.    the outbound and inbound access rules (ACL entries)
B.    the source and destination IP addresses, port numbers, TCP sequencing information, and additional
flags for each TCP or UDP connection associated with a particular session
C.    all TCP and UDP header information only
D.    all TCP SYN packets and the associated return ACK packets only
E.    the inside private IP address and the translated inside global IP address

Answer: B

QUESTION 102
Which statement is true about configuring access control lists to control Telnet traffic destined to the router itself?

A.    The ACL is applied to the Telnet port with the ip access-group command.
B.    The ACL should be applied to all vty lines in the in direction to prevent an unwanted user from connecting
to an unsecured port.
C.    The ACL applied to the vty lines has no in or out option like ACL being applied to an interface.
D.    The ACL must be applied to each vty line individually.

Answer: B

QUESTION 103
When configuring role-based CLI on a Cisco router, which step is performed first?

A.    Log in to the router as the root user.
B.    Create a parser view called “root view.”
C.    Enable role-based CLI globally on the router using the privileged EXEC mode Cisco IOS command.
D.    Enable the root view on the router.
E.    Enable AAA authentication and authorization using the local database.
F.    Create a root local user in the local database.

Answer: D

QUESTION 104
Which characteristic is a potential security weakness of a traditional stateful firewall?

A.    It cannot support UDP flows.
B.    It cannot detect application-layer attacks.
C.    It cannot ensure each TCP connection follows a legitimate TCP three-way handshake.
D.    It works only in promiscuous mode.
E.    The status of TCP sessions is retained in the state table after the sessions terminate.
F.    It has low performance due to the use of syn-cookies.

Answer: B

QUESTION 105
What will be disabled as a result of the no service password-recovery command?

A.    changes to the config-register setting
B.    ROMMON
C.    password encryption service
D.    aaa new-model global configuration command
E.    the xmodem privilege EXEC mode command to recover the Cisco IOS image

Answer: B

QUESTION 106
What does the MD5 algorithm do?

A.    takes a message less than 2^64 bits as input and produces a 160-bit message digest
B.    takes a variable-length message and produces a 168-bit message digest
C.    takes a variable-length message and produces a 128-bit message digest
D.    takes a fixed-length message and produces a 128-bit message digest

Answer: C

QUESTION 107
You have configured a standard access control list on a router and applied it to interface Serial 0 in an outbound direction. No ACL is applied to Interface Serial 1 on the same router. What happens when traffic being filtered by the access list does not match the configured ACL statements for Serial 0?

A.    The resulting action is determined by the destination IP address.
B.    The resulting action is determined by the destination IP address and port number.
C.    The source IP address is checked, and, if a match is not found, traffic is routed out interface Serial 1.
D.    The traffic is dropped.

Answer: D

QUESTION 108
Which two functions are required for IPsec operation? (Choose two.)

A.    using SHA for encryption
B.    using PKI for pre-shared-key authentication
C.    using IKE to negotiate the SA
D.    using AH protocols for encryption and authentication
E.    using Diffie-Hellman to establish a shared-secret key

Answer: CE

If you want to pass the Cisco 640-554 Exam sucessfully, recommend to read latest Cisco 640-554 Dump full version.

clip_image001

Official 2014 Latest Cisco 640-554 Dump Free Download(91-100)!

QUESTION 91
Which Layer 2 protocol provides loop resolution by managing the physical paths to given network segments?

A.    root guard
B.    port fast
C.    HSRP
D.    STP

Answer: D

QUESTION 92
Which statement is true when you have generated RSA keys on your Cisco router to prepare for secure device management?

A.    You must then zeroize the keys to reset secure shell before configuring other parameters.
B.    The SSH protocol is automatically enabled.
C.    You must then specify the general-purpose key size used for authentication with the crypto key generate
rsa general-keys modulus command.
D.    All vty ports are automatically enabled for SSH to provide secure management.

Answer: B

QUESTION 93
What is the key difference between host-based and network-based intrusion prevention?

A.    Network-based IPS is better suited for inspection of SSL and TLS encrypted data flows.
B.    Network-based IPS provides better protection against OS kernel-level attacks against hosts and servers.
C.    Network-based IPS can provide protection to desktops and servers without the need of installing
specialized software on the end hosts and servers.
D.    Host-based IPS can work in promiscuous mode or inline mode.
E.    Host-based IPS is more scalable then network-based IPS.
F.    Host-based IPS deployment requires less planning than network-based IPS.

Answer: C

QUESTION 94
Refer to the exhibit. You are a network manager for your organization. You are looking at your Syslog server reports. Based on the Syslog message shown, which two statements are true? (Choose two.)
A.    Service timestamps have been globally enabled.
B.    This is a normal system-generated information message and does not require further investigation.
C.    This message is unimportant and can be ignored.
D.    This message is a level 5 notification message.

Answer: AD

QUESTION 95
Which four methods are used by hackers? (Choose four.)

A.    footprint analysis attack
B.    privilege escalation attack
C.    buffer Unicode attack
D.    front door attacks
E.    social engineering attack
F.    Trojan horse attack

Answer: ABEF

QUESTION 96
Which statement about Cisco IOS IPS on Cisco IOS Release 12.4(11)T and later is true?

A.    uses Cisco IPS 5.x signature format
B.    requires the Basic or Advanced Signature Definition File
C.    supports both inline and promiscuous mode
D.    requires IEV for monitoring Cisco IPS alerts
E.    uses the built-in signatures that come with the Cisco IOS image as backup
F.    supports SDEE, SYSLOG, and SNMP for sending Cisco IPS alerts

Answer: A

QUESTION 97
Which characteristic is the foundation of Cisco Self-Defending Network technology?

A.    secure connectivity
B.    threat control and containment
C.    policy management
D.    secure network platform

Answer: D

QUESTION 98
Which kind of table do most firewalls use today to keep track of the connections through the firewall?

A.    dynamic ACL
B.    reflexive ACL
C.    netflow
D.    queuing
E.    state
F.    express forwarding

Answer: E

QUESTION 99
Which Cisco IOS command is used to verify that either the Cisco IOS image, the configuration files, or both have been properly backed up and secured?

A.    show archive
B.    show secure bootset
C.    show flash
D.    show file systems
E.    dir
F.    dir archive

Answer: B

QUESTION 100
What does the secure boot-config global configuration accomplish?

A.    enables Cisco IOS image resilience
B.    backs up the Cisco IOS image from flash to a TFTP server
C.    takes a snapshot of the router running configuration and securely archives it in persistent storage
D.    backs up the router running configuration to a TFTP server
E.    stores a secured copy of the Cisco IOS image in its persistent storage

Answer: C

If you want to pass the Cisco 640-554 Exam sucessfully, recommend to read latest Cisco 640-554 Dump full version.

clip_image001

Official 2014 Latest Cisco 640-554 Dump Free Download(81-90)!

QUESTION 81
A Cisco ASA appliance has three interfaces configured. The first interface is the inside interface with a security level of 100. The second interface is the DMZ interface with a security level of 50. The third interface is the outside interface with a security level of 0.
By default, without any access list configured, which five types of traffic are permitted? (Choose five.)

A.    outbound traffic initiated from the inside to the DMZ
B.    outbound traffic initiated from the DMZ to the outside
C.    outbound traffic initiated from the inside to the outside
D.    inbound traffic initiated from the outside to the DMZ
E.    inbound traffic initiated from the outside to the inside
F.    inbound traffic initiated from the DMZ to the inside
G.    HTTP return traffic originating from the inside network and returning via the outside interface
H.    HTTP return traffic originating from the inside network and returning via the DMZ interface
I.    HTTP return traffic originating from the DMZ network and returning via the inside interface
J.    HTTP return traffic originating from the outside network and returning via the inside interface

Answer: ABCGH

QUESTION 82
Which two protocols enable Cisco Configuration Professional to pull IPS alerts from a Cisco ISR router? (Choose two.)

A.    syslog
B.    SDEE
C.    FTP
D.    TFTP
E.    SSH
F.    HTTPS

Answer: BF

QUESTION 83
Which two functions are required for IPsec operation? (Choose two.)

A.    using SHA for encryption
B.    using PKI for pre-shared key authentication
C.    using IKE to negotiate the SA
D.    using AH protocols for encryption and authentication
E.    using Diffie-Hellman to establish a shared-secret key

Answer: CE

QUESTION 84
Which statement about disabled signatures when using Cisco IOS IPS is true?

A.    They do not take any actions, but do produce alerts.
B.    They are not scanned or processed.
C.    They still consume router resources.
D.    They are considered to be “retired” signatures.

Answer: C

QUESTION 85
Which type of intrusion prevention technology is the primary type used by the Cisco IPS security appliances?

A.    profile-based
B.    rule-based
C.    protocol analysis-based
D.    signature-based
E.    NetFlow anomaly-based

Answer: D

QUESTION 86
Which two services are provided by IPsec? (Choose two.)

A.    Confidentiality
B.    Encapsulating Security Payload
C.    Data Integrity
D.    Authentication Header
E.    Internet Key Exchange

Answer: AC

QUESTION 87
Which type of Cisco IOS access control list is identified by 100 to 199 and 2000 to 2699?

A.    standard
B.    extended
C.    named
D.    IPv4 for 100 to 199 and IPv6 for 2000 to 2699

Answer: B

QUESTION 88
Which priority is most important when you plan out access control lists?

A.    Build ACLs based upon your security policy.
B.    Always put the ACL closest to the source of origination.
C.    Place deny statements near the top of the ACL to prevent unwanted traffic from passing through the router.
D.    Always test ACLs in a small, controlled production environment before you roll it out into the larger
production network.

Answer: A

QUESTION 89
Which step is important to take when implementing secure network management?

A.    Implement in-band management whenever possible.
B.    Implement telnet for encrypted device management access.
C.    Implement SNMP with read/write access for troubleshooting purposes.
D.    Synchronize clocks on hosts and devices.
E.    Implement management plane protection using routing protocol authentication.

Answer: D

QUESTION 90
Which statement best represents the characteristics of a VLAN?

A.    Ports in a VLAN will not share broadcasts amongst physically separate switches.
B.    A VLAN can only connect across a LAN within the same building.
C.    A VLAN is a logical broadcast domain that can span multiple physical LAN segments.
D.    A VLAN provides individual port security.

Answer: C

If you want to pass the Cisco 640-554 Exam sucessfully, recommend to read latest Cisco 640-554 Dump full version.

clip_image001

Official 2014 Latest Cisco 640-554 Dump Free Download(71-80)!

QUESTION 71
You are the security administrator for a large enterprise network with many remote locations. You have been given the assignment to deploy a Cisco IPS solution.
Where in the network would be the best place to deploy Cisco IOS IPS?

A.    inside the firewall of the corporate headquarters Internet connection
B.    at the entry point into the data center
C.    outside the firewall of the corporate headquarters Internet connection
D.    at remote branch offices

Answer: D

QUESTION 72
Which IPS technique commonly is used to improve accuracy and context awareness, aiming to detect and respond to relevant incidents only and therefore, reduce noise?

A.    attack relevancy
B.    target asset value
C.    signature accuracy
D.    risk rating

Answer: D

QUESTION 73
Which two statements about SSL-based VPNs are true? (Choose two.)

A.    Asymmetric algorithms are used for authentication and key exchange.
B.    SSL VPNs and IPsec VPNs cannot be configured concurrently on the same router.
C.    The application programming interface can be used to modify extensively the SSL client software for
use in special applications.
D.    The authentication process uses hashing technologies.
E.    Both client and clientless SSL VPNs require special-purpose client software to be installed on the
client machine.

Answer: AD

QUESTION 74
Which option describes the purpose of Diffie-Hellman?

A.    used between the initiator and the responder to establish a basic security policy
B.    used to verify the identity of the peer
C.    used for asymmetric public key encryption
D.    used to establish a symmetric shared key via a public key exchange process

Answer: D

QUESTION 75
Which three statements about the IPsec ESP modes of operation are true? (Choose three.)

A.    Tunnel mode is used between a host and a security gateway.
B.    Tunnel mode is used between two security gateways.
C.    Tunnel mode only encrypts and authenticates the data.
D.    Transport mode authenticates the IP header.
E.    Transport mode leaves the original IP header in the clear.

Answer: ABE

QUESTION 76
When configuring SSL VPN on the Cisco ASA appliance, which configuration step is required only for Cisco AnyConnect full tunnel SSL VPN access and not required for clientless SSL VPN?

A.    user authentication
B.    group policy
C.    IP address pool
D.    SSL VPN interface
E.    connection profile

Answer: C

QUESTION 77
For what purpose is the Cisco ASA appliance web launch SSL VPN feature used?

A.    to enable split tunneling when using clientless SSL VPN access
B.    to enable users to login to a web portal to download and launch the AnyConnect client
C.    to enable smart tunnel access for applications that are not web-based
D.    to optimize the SSL VPN connections using DTLS
E.    to enable single-sign-on so the SSL VPN users need only log in once

Answer: B

QUESTION 78
Which statement describes how VPN traffic is encrypted to provide confidentiality when using asymmetric encryption?

A.    The sender encrypts the data using the sender’s private key, and the receiver decrypts the data using
the sender’s public key.
B.    The sender encrypts the data using the sender’s public key, and the receiver decrypts the data using
the sender’s private key.
C.    The sender encrypts the data using the sender’s public key, and the receiver decrypts the data using
the receiver’s public key.
D.    The sender encrypts the data using the receiver’s private key, and the receiver decrypts the data using
the receiver’s public key.
E.    The sender encrypts the data using the receiver’s public key, and the receiver decrypts the data using
the receiver’s private key.
F.    The sender encrypts the data using the receiver’s private key, and the receiver decrypts the data using
the sender’s public key.

Answer: E

QUESTION 79
Which four types of VPN are supported using Cisco ISRs and Cisco ASA appliances? (Choose four.)

A.    SSL clientless remote-access VPNs
B.    SSL full-tunnel client remote-access VPNs
C.    SSL site-to-site VPNs
D.    IPsec site-to-site VPNs
E.    IPsec client remote-access VPNs
F.    IPsec clientless remote-access VPNs

Answer: ABDE

QUESTION 80
Which option is the resulting action in a zone-based policy firewall configuration with these conditions?
Source: Zone 1
Destination: Zone 2
Zone pair exists?: Yes
Policy exists?: No

A.    no impact to zoning or policy
B.    no policy lookup (pass)
C.    drop
D.    apply default policy

Answer: C

If you want to pass the Cisco 640-554 Exam sucessfully, recommend to read latest Cisco 640-554 Dump full version.

clip_image001

Official 2014 Latest Cisco 640-554 Dump Free Download(61-70)!

QUESTION 61
Which two characteristics of the TACACS+ protocol are true? (Choose two.)

A.    uses UDP ports 1645 or 1812
B.    separates AAA functions
C.    encrypts the body of every packet
D.    offers extensive accounting capabilities
E.    is an open RFC standard protocol

Answer: BC

QUESTION 62
Refer to the exhibit. Which statement about this partial CLI configuration of an access control list is true?

clip_image001

A.    The access list accepts all traffic on the 10.0.0.0 subnets.
B.    All traffic from the 10.10.0.0 subnets is denied.
C.    Only traffic from 10.10.0.10 is allowed.
D.    This configuration is invalid. It should be configured as an extended ACL to permit the associated
wildcard mask.
E.    From the 10.10.0.0 subnet, only traffic sourced from 10.10.0.10 is allowed; traffic sourced from the
other 10.0.0.0 subnets also is allowed.
F.    The access list permits traffic destined to the 10.10.0.10 host on FastEthernet0/0 from any source.

Answer: E

QUESTION 63
Which type of Cisco ASA access list entry can be configured to match multiple entries in a single statement?

A.    nested object-class
B.    class-map
C.    extended wildcard matching
D.    object groups

Answer: D

QUESTION 64
Which statement about an access control list that is applied to a router interface is true?

A.    It only filters traffic that passes through the router.
B.    It filters pass-through and router-generated traffic.
C.    An empty ACL blocks all traffic.
D.    It filters traffic in the inbound and outbound directions.

Answer: A

QUESTION 65
You have been tasked by your manager to implement syslog in your network. Which option is an important factor to consider in your implementation?

A.    Use SSH to access your syslog information.
B.    Enable the highest level of syslog function available to ensure that all possible event messages are logged.
C.    Log all messages to the system buffer so that they can be displayed when accessing the router.
D.    Synchronize clocks on the network with a protocol such as Network Time Protocol.

Answer: D

QUESTION 66
Which protocol secures router management session traffic?

A.    SSTP
B.    POP
C.    Telnet
D.    SSH

Answer: D

QUESTION 67
Which two considerations about secure network management are important? (Choose two.)

A.    log tampering
B.    encryption algorithm strength
C.    accurate time stamping
D.    off-site storage
E.    Use RADIUS for router commands authorization.
F.    Do not use a loopback interface for device management access.

Answer: AC

QUESTION 68
Which command enables Cisco IOS image resilience?

A.    secure boot-<IOS image filename>
B.    secure boot-running-config
C.    secure boot-start
D.    secure boot-image

Answer: D

QUESTION 69
Which router management feature provides for the ability to configure multiple administrative views?

A.    role-based CLI
B.    virtual routing and forwarding
C.    secure config privilege {level}
D.    parser view view name

Answer: A

QUESTION 70
You suspect that an attacker in your network has configured a rogue Layer 2 device to intercept traffic from multiple VLANs, which allows the attacker to capture potentially sensitive data.
Which two methods will help to mitigate this type of activity? (Choose two.)

A.    Turn off all trunk ports and manually configure each VLAN as required on each port
B.    Disable DTP on ports that require trunking
C.    Secure the native VLAN, VLAN 1 with encryption
D.    Set the native VLAN on the trunk ports to an unused VLAN
E.    Place unused active ports in an unused VLAN

Answer: BD

If you want to pass the Cisco 640-554 Exam sucessfully, recommend to read latest Cisco 640-554 Dump full version.

clip_image001

Official 2014 Latest Cisco 640-554 Dump Free Download(51-60)!

QUESTION 51
Which type of NAT would you configure if a host on the external network required access to an internal host?

A.    outside global NAT
B.    NAT overload
C.    dynamic outside NAT
D.    static NAT

Answer: D

QUESTION 52
Which two features are supported by Cisco IronPort Security Gateway? (Choose two.)

A.    spam protection
B.    outbreak intelligence
C.    HTTP and HTTPS scanning
D.    email encryption
E.    DDoS protection

Answer: AD

QUESTION 53
Which option is a feature of Cisco ScanSafe technology?

A.    spam protection
B.    consistent cloud-based policy
C.    DDoS protection
D.    RSA Email DLP

Answer: B

QUESTION 54
Which two characteristics represent a blended threat? (Choose two.)

A.    man-in-the-middle attack
B.    trojan horse attack
C.    pharming attack
D.    denial of service attack
E.    day zero attack

Answer: BE

QUESTION 55
Under which higher-level policy is a VPN security policy categorized?

A.    application policy
B.    DLP policy
C.    remote access policy
D.    compliance policy
E.    corporate WAN policy

Answer: C

QUESTION 56
What does level 5 in this enable secret global configuration mode command indicate?

A.    router#enable secret level 5 password
B.    The enable secret password is hashed using MD5.
C.    The enable secret password is hashed using SHA.
D.    The enable secret password is encrypted using Cisco proprietary level 5 encryption.
E.    Set the enable secret command to privilege level 5.
F.    The enable secret password is for accessing exec privilege level 5.

Answer: E

QUESTION 57
Which Cisco management tool provides the ability to centrally provision all aspects of device configuration across the Cisco family of security products?

A.    Cisco Configuration Professional
B.    Security Device Manager
C.    Cisco Security Manager
D.    Cisco Secure Management Server

Answer: C

QUESTION 58
Which option is the correct representation of the IPv6 address 2001:0000:150C:0000:0000:41B1:45A3:041D?

A.    2001::150c::41b1:45a3:041d
B.    2001:0:150c:0::41b1:45a3:04d1
C.    2001:150c::41b1:45a3::41d
D.    2001:0:150c::41b1:45a3:41d

Answer: D

QUESTION 59
Which three options are common examples of AAA implementation on Cisco routers? (Choose
three.)

A.    authenticating remote users who are accessing the corporate LAN through IPsec VPN connections
B.    authenticating administrator access to the router console port, auxiliary port, and vty ports
C.    implementing PKI to authenticate and authorize IPsec VPN peers using digital certificates
D.    tracking Cisco NetFlow accounting statistics
E.    securing the router by locking down all unused services
F.    performing router commands authorization using TACACS+

Answer: ABF

QUESTION 60
When AAA login authentication is configured on Cisco routers, which two authentication methods should be used as the final method to ensure that the administrator can still log in to the router in case the external AAA server fails? (Choose two.)

A.    group RADIUS
B.    group TACACS+
C.    local
D.    krb5
E.    enable
F.    if-authenticated

Answer: CE

If you want to pass the Cisco 640-554 Exam sucessfully, recommend to read latest Cisco 640-554 Dump full version.

clip_image001

Official 2014 Latest Cisco 640-554 Dump Free Download(41-50)!

QUESTION 41
Refer to the exhibit.
*** Exhibit is Missing ***
This Cisco IOS access list has been configured on the FA0/0 interface in the inbound direction.
Which four TCP packets sourced from 10.1.1.1 port 1030 and routed to the FA0/0 interface are permitted? (Choose four.)

A.    destination ip address: 192.168.15.37 destination port: 22
B.    destination ip address: 192.168.15.80 destination port: 23
C.    destination ip address: 192.168.15.66 destination port: 8080
D.    destination ip address: 192.168.15.36 destination port: 80
E.    destination ip address: 192.168.15.63 destination port: 80
F.    destination ip address: 192.168.15.40 destination port: 21

Answer: BCDE

QUESTION 42
You use Cisco Configuration Professional to enable Cisco IOS IPS. Which state must a signature be in before any actions can be taken when an attack matches that signature?

A.    enabled
B.    unretired
C.    successfully complied
D.    successfully complied and unretired
E.    successfully complied and enabled
F.    unretired and enabled
G.    enabled, unretired, and successfully complied

Answer: G

QUESTION 43
Which statement describes how the sender of the message is verified when asymmetric encryption is used?

A.    The sender encrypts the message using the sender’s public key, and the receiver decrypts the message
using the sender’s private key.
B.    The sender encrypts the message using the sender’s private key, and the receiver decrypts the message
using the sender’s public key.
C.    The sender encrypts the message using the receiver’s public key, and the receiver decrypts the message
using the receiver’s private key.
D.    The sender encrypts the message using the receiver’s private key, and the receiver decrypts the message
using the receiver’s public key.
E.    The sender encrypts the message using the receiver’s public key, and the receiver decrypts the message
using the sender’s public key.

Answer: B

QUESTION 44
Refer to the exhibit.
***Exhibit is Missing***
Which three statements about these three show outputs are true? (Choose three.)

A.    Traffic matched by ACL 110 is encrypted.
B.    The IPsec transform set uses SHA for data confidentiality.
C.    The crypto map shown is for an IPsec site-to-site VPN tunnel.
D.    The default ISAKMP policy uses a digital certificate to authenticate the IPsec peer.
E.    The IPsec transform set specifies the use of GRE over IPsec tunnel mode.
F.    The default ISAKMP policy has higher priority than the other two ISAKMP policies with a priority of 1 and 2

Answer: ACD

QUESTION 45
Which type of security control is defense in depth?

A.    threat mitigation
B.    risk analysis
C.    botnet mitigation
D.    overt and covert channels

Answer: A

QUESTION 46
Which two options are two of the built-in features of IPv6? (Choose two.)

A.    VLSM
B.    native IPsec
C.    controlled broadcasts
D.    mobile IP
E.    NAT

Answer: BD

QUESTION 47
Which option is a characteristic of the RADIUS protocol?

A.    uses TCP
B.    offers multiprotocol support
C.    combines authentication and authorization in one process
D.    supports bi-directional challenge

Answer: C

QUESTION 48
Refer to the exhibit.
***Exhibit is Missing***
Which statement about this debug output is true?

A.    The requesting authentication request came from username GETUSER.
B.    The TACACS+ authentication request came from a valid user.
C.    The TACACS+ authentication request passed, but for some reason the user’s connection was closed
immediately.
D.    The initiating connection request was being spoofed by a different source address.

Answer: B

QUESTION 49
When STP mitigation features are configured, where should the root guard feature be deployed?

A.    toward ports that connect to switches that should not be the root bridge
B.    on all switch ports
C.    toward user-facing ports
D.    Root guard should be configured globally on the switch.

Answer: A

QUESTION 50
Which option is a characteristic of a stateful firewall?

A.    can analyze traffic at the application layer
B.    allows modification of security rule sets in real time to allow return traffic
C.    will allow outbound communication, but return traffic must be explicitly permitted
D.    supports user authentication

Answer: B

 

If you want to pass the Cisco 640-554 Exam sucessfully, recommend to read latest Cisco 640-554 Dump full version.

clip_image001

Official 2014 Latest Cisco 640-554 Dump Free Download(31-40)!

QUESTION 31
Which security measure must you take for native VLANs on a trunk port?

A.    Native VLANs for trunk ports should never be used anywhere else on the switch.
B.    The native VLAN for trunk ports should be VLAN 1.
C.    Native VLANs for trunk ports should match access VLANs to ensure that cross-VLAN traffic from
multiple switches can be delivered to physically disparate switches.
D.    Native VLANs for trunk ports should be tagged with 802.1Q.

Answer: A

QUESTION 32
Refer to the exhibit.
***Exhibit is Missing***
Which switch is designated as the root bridge in this topology?

A.    It depends on which switch came on line first.
B.    Neither switch would assume the role of root bridge because they have the same default priority.
C.    switch X
D.    switch Y

Answer: C

QUESTION 33
Which type of firewall technology is considered the versatile and commonly used firewall technology?

A.    static packet filter firewall
B.    application layer firewall
C.    stateful packet filter firewall
D.    proxy firewall
E.    adaptive layer firewall

Answer: C

QUESTION 34
Which type of NAT is used where you translate multiple internal IP addresses to a single global, routable IP address?

A.    policy NAT
B.    dynamic PAT
C.    static NAT
D.    dynamic NAT
E.    policy PAT

Answer: B

QUESTION 35
Which Cisco IPS product offers an inline, deep-packet inspection feature that is available in integrated services routers?

A.    Cisco iSDM
B.    Cisco AIM
C.    Cisco IOS IPS
D.    Cisco AIP-SSM

Answer: C

QUESTION 36
Which three modes of access can be delivered by SSL VPN? (Choose three.)

A.    full tunnel client
B.    IPsec SSL
C.    TLS transport mode
D.    thin client
E.    clientless
F.    TLS tunnel mode

Answer: ADE

QUESTION 37
During role-based CLI configuration, what must be enabled before any user views can be created?

A.    multiple privilege levels
B.    usernames and passwords
C.    aaa new-model command
D.    secret password for the root user
E.    HTTP and/or HTTPS server
F.    TACACS server group

Answer: C

QUESTION 38
Which three statements about applying access control lists to a Cisco router are true? (Choose three.)

A.    Place more specific ACL entries at the top of the ACL.
B.    Place generic ACL entries at the top of the ACL to filter general traffic and thereby reduce “noise” on
the network.
C.    ACLs always search for the most specific entry before taking any filtering action.
D.    Router-generated packets cannot be filtered by ACLs on the router.
E.    If an access list is applied but it is not configured, all traffic passes.

Answer: ADE

QUESTION 39
When port security is enabled on a Cisco Catalyst switch, what is the default action when the configured maximum number of allowed MAC addresses value is exceeded?

A.    The port remains enabled, but bandwidth is throttled until old MAC addresses are aged out.
B.    The port is shut down.
C.    The MAC address table is cleared and the new MAC address is entered into the table.
D.    The violation mode of the port is set to restrict.

Answer: B

QUESTION 40
Which three statements about the Cisco ASA appliance are true? (Choose three.)

A.    The DMZ interface(s) on the Cisco ASA appliance most typically use a security level between 1 and 99.
B.    The Cisco ASA appliance supports Active/Active or Active/Standby failover.
C.    The Cisco ASA appliance has no default MPF configurations.
D.    The Cisco ASA appliance uses security contexts to virtually partition the ASA into multiple virtual firewalls.
E.    The Cisco ASA appliance supports user-based access control using 802.1x.
F.    An SSM is required on the Cisco ASA appliance to support Botnet Traffic Filtering.

Answer: ABD

If you want to pass the Cisco 640-554 Exam sucessfully, recommend to read latest Cisco 640-554 Dump full version.

clip_image001

Official 2014 Latest Cisco 640-554 Dump Free Download(21-30)!

QUESTION 21
Which option can be used to authenticate the IPsec peers during IKE Phase 1?

A.    Diffie-Hellman Nonce
B.    pre-shared key
C.    XAUTH
D.    integrity check value
E.    ACS
F.    AH

Answer: B

QUESTION 22
Which single Cisco IOS ACL entry permits IP addresses from 172.16.80.0 to 172.16.87.255?

A.    permit 172.16.80.0 0.0.3.255
B.    permit 172.16.80.0 0.0.7.255
C.    permit 172.16.80.0 0.0.248.255
D.    permit 176.16.80.0 255.255.252.0
E.    permit 172.16.80.0 255.255.248.0
F.    permit 172.16.80.0 255.255.240.0

Answer: B

QUESTION 23
You want to use the Cisco Configuration Professional site-to-site VPN wizard to implement a site- to-site IPsec VPN using pre-shared key.
Which four configurations are required (with no defaults)? (Choose four.)

A.    the interface for the VPN connection
B.    the VPN peer IP address
C.    the IPsec transform-set
D.    the IKE policy
E.    the interesting traffic (the traffic to be protected)
F.    the pre-shared key

Answer: ABEF

QUESTION 24
Which two options represent a threat to the physical installation of an enterprise network? (Choose two.)

A.    surveillance camera
B.    security guards
C.    electrical power
D.    computer room access
E.    change control

Answer: CD

QUESTION 25
Which option represents a step that should be taken when a security policy is developed?

A.    Perform penetration testing.
B.    Determine device risk scores.
C.    Implement a security monitoring system.
D.    Perform quantitative risk analysis.

Answer: D

QUESTION 26
Which type of network masking is used when Cisco IOS access control lists are configured?

A.    extended subnet masking
B.    standard subnet masking
C.    priority masking
D.    wildcard masking

Answer: D

QUESTION 27
How are Cisco IOS access control lists processed?

A.    Standard ACLs are processed first.
B.    The best match ACL is matched first.
C.    Permit ACL entries are matched first before the deny ACL entries.
D.    ACLs are matched from top down.
E.    The global ACL is matched first before the interface ACL.

Answer: D

QUESTION 28
Which type of management reporting is defined by separating management traffic from production traffic?

A.    IPsec encrypted
B.    in-band
C.    out-of-band
D.    SSH

Answer: C

QUESTION 29
Which syslog level is associated with LOG_WARNING?

A.    1
B.    2
C.    3
D.    4
E.    5
F.    6

Answer: D

QUESTION 30
In which type of Layer 2 attack does an attacker broadcast BDPUs with a lower switch priority?

A.    MAC spoofing attack
B.    CAM overflow attack
C.    VLAN hopping attack
D.    STP attack

Answer: D

If you want to pass the Cisco 640-554 Exam sucessfully, recommend to read latest Cisco 640-554 Dump full version.

clip_image001

Official 2014 Latest Cisco 640-554 Dump Free Download(11-20)!

QUESTION 11
Which four tasks are required when you configure Cisco IOS IPS using the Cisco Configuration Professional IPS wizard? (Choose four.)

A.    Select the interface(s) to apply the IPS rule.
B.    Select the traffic flow direction that should be applied by the IPS rule.
C.    Add or remove IPS alerts actions based on the risk rating.
D.    Specify the signature file and the Cisco public key.
E.    Select the IPS bypass mode (fail-open or fail-close).
F.    Specify the configuration location and select the category of signatures to be applied to the selected
interface(s).

Answer: ABDF

QUESTION 12
Which statement is a benefit of using Cisco IOS IPS?

A.    It uses the underlying routing infrastructure to provide an additional layer of security.
B.    It works in passive mode so as not to impact traffic flow.
C.    It supports the complete signature database as a Cisco IPS sensor appliance.
D.    The signature database is tied closely with the Cisco IOS image.

Answer: A

QUESTION 13
Which description of the Diffie-Hellman protocol is true?

A.    It uses symmetrical encryption to provide data confidentiality over an unsecured communications channel.
B.    It uses asymmetrical encryption to provide authentication over an unsecured communications channel.
C.    It is used within the IKE Phase 1 exchange to provide peer authentication.
D.    It provides a way for two peers to establish a shared-secret key, which only they will know, even though
they are communicating over an unsecured channel.
E.    It is a data integrity algorithm that is used within the IKE exchanges to guarantee the integrity of the
message of the IKE exchanges.

Answer: D

QUESTION 14
Which IPsec transform set provides the strongest protection?

A.    crypto ipsec transform-set 1 esp-3des esp-sha-hmac
B.    crypto ipsec transform-set 2 esp-3des esp-md5-hmac
C.    crypto ipsec transform-set 3 esp-aes 256 esp-sha-hmac
D.    crypto ipsec transform-set 4 esp-aes esp-md5-hmac
E.    crypto ipsec transform-set 5 esp-des esp-sha-hmac
F.    crypto ipsec transform-set 6 esp-des esp-md5-hmac

Answer: C

QUESTION 15
Which two options are characteristics of the Cisco Configuration Professional Security Audit wizard? (Choose two.)

A.    displays a screen with fix-it check boxes to let you choose which potential security-related configuration
changes to implement
B.    has two modes of operation: interactive and non-interactive
C.    automatically enables Cisco IOS firewall and Cisco IOS IPS to secure the router
D.    uses interactive dialogs and prompts to implement role-based CLI
E.    requires users to first identify which router interfaces connect to the inside network and which connect to
the outside network

Answer: AE

QUESTION 16
Which statement describes a result of securing the Cisco IOS image using the Cisco IOS image resilience feature?

A.    The show version command does not show the Cisco IOS image file location.
B.    The Cisco IOS image file is not visible in the output from the show flash command.
C.    When the router boots up, the Cisco IOS image is loaded from a secured FTP location.
D.    The running Cisco IOS image is encrypted and then automatically backed up to the NVRAM.
E.    The running Cisco IOS image is encrypted and then automatically backed up to a TFTP server.

Answer: B

QUESTION 17
Which aaa accounting command is used to enable logging of the start and stop records for user terminal sessions on the router?

A.    aaa accounting network start-stop tacacs+
B.    aaa accounting system start-stop tacacs+
C.    aaa accounting exec start-stop tacacs+
D.    aaa accounting connection start-stop tacacs+
E.    aaa accounting commands 15 start-stop tacacs+

Answer: C

QUESTION 18
Which access list permits HTTP traffic sourced from host 10.1.129.100 port 3030 destined to host 192.168.1.10?

A.    access-list 101 permit tcp any eq 3030
B.    access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 3030 192.168.1.0 0.0.0.15 eq www
C.    access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.1.10 0.0.0.0 eq www
D.    access-list 101 permit tcp host 192.168.1.10 eq 80 10.1.0.0 0.0.255.255 eq 3030
E.    access-list 101 permit tcp 192.168.1.10 0.0.0.0 eq 80 10.1.0.0 0.0.255.255
F.    access-list 101 permit ip host 10.1.129.100 eq 3030 host 192.168.1.100 eq 80

Answer: B

QUESTION 19
Which location is recommended for extended or extended named ACLs?

A.    an intermediate location to filter as much traffic as possible
B.    a location as close to the destination traffic as possible
C.    when using the established keyword, a location close to the destination point to ensure that return traffic
is allowed
D.    a location as close to the source traffic as possible

Answer: D

QUESTION 20
Which statement about asymmetric encryption algorithms is true?

A.    They use the same key for encryption and decryption of data.
B.    They use the same key for decryption but different keys for encryption of data.
C.    They use different keys for encryption and decryption of data.
D.    They use different keys for decryption but the same key for encryption of data.

Answer: C

If you want to pass the Cisco 640-554 Exam sucessfully, recommend to read latest Cisco 640-554 Dump full version.

clip_image001

1 2