Actualtests 642-503

PassGuide Cisco dumps

642-503 : Securing Networks with Cisco Routers and Switches Last Updated Friday, August 08, 2008 with 202 Questions

Securing Networks with Cisco Routers and Switches
Exam Number: 642-503 Exam
Associated Certifications: Securing Networks with Cisco Routers and Switches
Duration: 53 Q&As

Free 642-503 Exam PDF Download
Actualtests offers a free demo of the 642-503 PDF (Securing Networks with Cisco Routers and Switches). You can check out the interface, question quality and usability of our practice exams. We are the only site that can offer a demo for almost all Securing Networks with Cisco Routers and Switches.

Recommended Training about 642-503 exam PDF
The following courses are the recommended training for 642-503 exam PDF.
642-503 Q & A with Explanations
642-503 Audio Exam
642-503 Study Guide
642-503 Preparation Lab
642-503 Exam Preparation from Actualtests with FULL explanations include:
Comprehensive questions with complete details
Detailed explanations of all the questions
Questions accompanied by exhibits
Verified Answers Researched by Industry Experts
Drag and Drop questions as experienced in the Actual Exams
Questions updated on regular basis
These questions and answers are backed by our GUARANTEE.
Like actual certification exams our product is in multiple-choice questions (MCQs).
642-503 Exam: Actualtests’s Securing Networks with Cisco Routers and Switches PDF
The Securing Networks with Cisco Routers and Switches PDF for preparing for the 642-503 exam – Actualtests’s Securing Networks with Cisco Routers and Switches. Actualtests is your premier source for practice tests and a true testing environment. Nothing will prepare you for your next exam like Actualtests. You find it all here at ciscoexams.org.

QUESTION 1:
Please study the exhibit carefully.
What traffic will be matched to the “qt-class” traffic class?
A. all traffic matched by the “host-protocols” named access list
B. all other traffic arriving at the interface where the “qt-policy” policy map is applied
C. all TCP and UDP protocol ports open on the router not specifically matched
D. all traffic other than SNMP and Telnet to the router
E. all traffic matched by the “host-protocols” nested class map
Answer: A
Explanation:
Defining Queue-threshold Packet Classification Criteria
SUMMARY STEPS
1. enable
2. configure terminal
3. class-map type queue-threshold [match-all | match-any] class name
4. match protocol [bgp | dns | ftp | http | igmp | snmp | ssh | syslog | telnet | tftp] [cr]
642-503
Actualtests.com – The Power of Knowing
DETAILED STEPS
QUESTION 2:
DRAG DROP
You work as a network technician at Certkiller.com. Your boss, Miss Certkiller, is
interested in IBNS 802.1x authentication features. Match the proper features with
appropriate descriptions.
Note: not all features are used.
Answer:
QUESTION 3:
Please study the exhibit carefully.
Which two statements are true about the configurations shown? (Choose two.)
A. The clickable links will have a heading entitled “MYLINKS”.
B. ACS will be used for remote-user authentication by default.
C. This is an example of a clientless configuration.
D. The home page will have three clickable links on it.
E. Thin client (port forwarding) has been enabled using the url-text command.
Answer: C,D
QUESTION 4:
Please study the exhibit carefully.
What can you determine about the configuration?
A. 3DES encryption will be used.
B. The authentication method used between the IPsec peers is pre-shared key.
C. This is a dynamic crypto map.
D. Traffic matched by ACL 101 will not be encrypted.
E. HMAC-MD5 authentication will be used.
F. ESP tunnel mode will be used.
Answer: F
Explanation:
Configuring IPsec Policies
After configuring the Phase 1 parameters, configure the Phase 2 parameters. These
parameters include a transform set and global IPsec SA lifetimes. In addition to the
transform set, you can change the mode that the tunnel operates in. There are two modes:
tunnel mode and transport mode. Tunnel mode is the default mode. In tunnel mode, the
original IP addresses are tunneled inside the encrypted header. In transport mode, the
original IP addresses in the header are not encrypted and are used in the routing of the
packet.
Reference: CCSP Quick Reference Sheets
QUESTION 5:
Cisco Easy VPN Server pushes parameters such as the client internal IP address, DHCP
server IP address, and WINS server IP address to the Cisco Easy VPN Remote client
during which of these phases?
A. IKE mode configuration
B. IKE XAUTH
C. IKE Phase 1 first message exchange
D. IKE quick mode
E. IKE Phase 2 last message exchange
Answer: A
Explanation:
Easy VPN Operation
When using the Cisco VPN client, the tunnel is established when the user clicks connect.
When this happens, IKE Phase 1 is initiated. The VPN client sends numerous IKE
proposals in order of security. When a proposal is agreed upon, the devices perform
hardware authentication using pre-shared keys or digital certificates. The next step is
often called IKE Phase 1.5. In this phase, the user is authenticated. The user sees a popup
window with fields to enter the username and password. Once authenticated, the client
then requests mode config. Mode config is when the Easy VPN server pushes down
parameters to the user. These parameters include an IP address, split-tunneling list,
Domain Name System (DNS), Windows Internet Naming Service (WINS), and any other
parameters that are needed by the user. After mode config completes, IKE Phase 2 is
negotiated. After the VPN SAs have been established, the connection is up and traffic can
pass. In addition, with the reverse route injection (RRI), a host route is injected into the
routing process, and devices on the internal network can now find their way back to the
VPN client.
Reference: CCSP SNRS Quick Reference Sheets
QUESTION 6:
The PHDF stored in the router flash memory is required for which of these applications
to function?
A. PAM
B. Zone-Based Firewall
C. CPPr
D. CoPP
E. NBAR
F. FPM
Answer: F
Explanation:
Securing the Data Plane
The data plane, also called the forwarding plane, is what moves most of your traffic that
passes through the router. You can prevent certain attacks by denying them from passing
through the router. To secure the data plane on Cisco routers, use Flexible Packet
Matching (FPM). FPM provides deeper inspection than standard IOS tools to protect
against data plane attacks such as Code Red, Nimda, the SQL Slammer, and Blaster.
FPM uses Protocol Header Definition File (PHDF), which is nothing more than an
Extensible Markup Language (XML) file that is ready-packaged by Cisco and used to
match patterns in traffic.
Reference: CCSP SNRS Quick Reference Sheets
QUESTION 7:
Which three of these statements are correct regarding DMVPN configuration? (Choose three.)
A. The GRE tunnel mode must be set to point-to-point mode: tunnel mode gre point-to-point
B. The GRE tunnel must be associated with an IPsec profile: tunnel protection ipsec profile profile-name
C. At the spoke routers, static NHRP mapping to the hub router is required: ip nhrp map hub-tunnel-ip-address hub-physical-ip-address
D. The spoke routers must be configured as the NHRP servers: ip nhrp nhs spoke-tunnel-ip-address
E. If running EIGRP over DMVPN, the hub router tunnel interface must have “next hop self” enabled: ip next-hop-self eigrp AS-Number
F. If running EIGRP over DMVPN, the hub router tunnel interface must have split horizon disabled: no ip split-horizon eigrp AS-Number
Answer: B,C,F
QUESTION 8:
Please study the exhibit carefully.
Which two configuration commands are used to apply an inspect policy map for traffic
traversing from the E0 or E1 interface to the S3 interface? (Choose two.)
A. ip inspect myfwpolicy in
B. interface E0
C. ip inspect myfwpolicy out
D. service-policy type inspect myfwpolicy
E. zone-pair security test source Z1 destination Z2
F. policy-map myfwpolicy class class-default inspect
Answer: D,E
QUESTION 9:
Which of these statements is correct regarding user setup on ACS 4.0?
A. In the case of conflicting settings, the settings at the group level override the settings configured at the user level.
B. The ACS PAP password cannot be used as the CHAP password also.
C. By default, users are assigned to the default group.
D. The username can contain characters such as “#” and “?”.
E. A user can belong to more than one group.
Answer: C
QUESTION 10:
What are two benefits of using an IPsec GRE tunnel? (Choose two.)
A. It has less overhead than running IPsec in tunnel mode.
B. It supports the use of dynamic crypto maps to reduce configuration complexity.
C. It requires a more restrictive crypto ACL to provide finer security control.
D. It allows dynamic routing protocol to run over the tunnel interface.
E. It allows IP multicast traffic.
Answer: D,E
Explanation:
GRE, although a tunneling protocol, is not secure because it does not perform encryption.
To add to the security of GRE, we can encrypt it with IPsec. This is a common
configuration when trying to run dynamic routing protocols such as Enhanced Interior
Gateway Routing Protocol (EIGRP) or Open Shortest Path First (OSPF) Protocol
between sites across the Internet. Routing protocols such as EIGRP and OSPF send
packets to multicast destination addresses. Multicast packets cannot be encrypted by
IPsec. We first tunnel the multicast packet in a GRE header, and then encrypt the GRE
packet (because GRE uses unicast addressing).
Reference: CCSP SNRS Quick Reference Sheets
