Pass4sure Cisco CCSP Exam 642-503 v2.83

Securing Networks with Cisco Routers and Switches: 642-503 Exam
Exam Number/Code: 642-503
Exam Name: Securing Networks with Cisco Routers and Switches
Update: Demo
1. Which two statements are true regarding classic Cisco IOS Firewall configurations? (Choose two.)
A. You can apply the IP inspection rule in the inbound direction on the trusted interface.
B. You can apply the IP inspection rule in the outbound direction on the untrusted interface.
C. For temporary openings to be created dynamically by Cisco IOS Firewall, the access list for the returning traffic must be a standard ACL.
D. For temporary openings to be created dynamically by Cisco IOS Firewall, you must apply the IP inspection rule to the trusted interface.
E. For temporary openings to be created dynamically by Cisco IOS Firewall, the inbound access list on the trusted interface must be an extended ACL.
Answer: AB
2. Refer to the exhibit. Why is the Cisco IOS Firewall authentication proxy not working?
A. The aaa authentication auth-proxy default group tacacs+ command is missing in the configuration.
B. The router local username and password database is not configured.
C. Cisco IOS authentication proxy only supports RADIUS and not TACACS+.
D. HTTP server and AAA authentication for the HTTP server is not enabled.
E. The AAA method lists used for authentication proxy should be named “pxy” rather than “default” to match the authentication proxy rule name.
Answer: D
3. Refer to the exhibit. What additional configuration is required for the Cisco IOS Firewall to reset the TCP connection if any peer-to-peer, tunneling, or instant messaging traffic is detected over HTTP?
A. class-map configuration for matching peer-to-peer, tunneling, and instant messaging traffic over HTTP, and a policy map specifying the reset action
B. the port-misuse default action reset alarm command in the HTTP application firewall policy configuration
C. the PAM configuration for mapping the peer-to-peer, tunneling, and instant messaging TCP ports to the HTTP application
D. the ip inspect name firewall im, ip inspect name firewall p2p, and ip inspect name firewall tunnel commands
E. the service default action reset command in the HTTP application firewall policy configuration
Answer: B
4. Refer to the exhibit. Why is the Total Active Signatures count zero?
A. The 128MB.sdf file in flash is corrupted.
B. IPS is in fail-open mode.
C. IPS is in fail-closed mode.
D. IPS has not been enabled on an interface yet.
E. The flash:/128MB.sdf needs to be merged with the built-in signatures first.
Answer: D
5. Which three configurations are required to enable the Cisco IOS Firewall to inspect a user-defined application which uses TCP ports 8000 and 8001? (Choose three.)
A. access-list 101 permit tcp any any eq 8000
   access-list 101 permit tcp any any eq 8001
   class-map user10
   match access-group 101
B. policy-map user10
   class user10
   inspect
C. ip port-map user10 port tcp 8000 8001 description “TEST PROTOCOL”
D. ip inspect name test appfw user10
E. ip inspect name test user10
F. int {type|number}
   ip inspect name test in
Answer: CEF
6. What are two benefits of using an IPsec GRE tunnel? (Choose two.)
A. It allows dynamic routing protocol to run over the tunnel interface.
B. It has less overhead than running IPsec in tunnel mode.
C. It allows IP multicast traffic.
D. It requires a more restrictive crypto ACL to provide finer security control.
E. It supports the use of dynamic crypto maps to reduce configuration complexity.
Answer: AC
7. Refer to the DMVPN topology diagram in the exhibit. Which two statements are correct? (Choose two.)
A. The hub router needs to have EIGRP split horizon disabled.
B. At the Spoke A router, the next hop to reach the 192.168.2.0/24 network is 10.0.0.1.
C. Before a spoke-to-spoke tunnel can be built, the spoke router needs to send an NHRP query to the hub to resolve the remote spoke router physical interface IP address.
D. At the Spoke B router, the next hop to reach the 192.168.1.0/24 network is 172.17.0.1.
E. The spoke routers act as the NHRP servers for resolving the remote spoke physical interface IP address.
F. At the Spoke A router, the next hop to reach the 192.168.0.0/24 network is 172.17.0.1.
Answer: AC
8. Referring to a DMVPN hub router tunnel interface configuration, what can happen if the ip nhrp map multicast dynamic command is missing on the tunnel interface?
A. The NHRP request and response between the spoke router and hub router will fail.
B. The GRE tunnel between the hub router and the spoke router will be down.
C. The IPsec peering between the hub router and the spoke router will fail.
D. The dynamic routing protocol between the hub router and the spoke router will fail.
E. The NHRP mappings at the spoke routers will be incorrect.
F. The NHRP mappings at the hub router will be incorrect.
Answer: D
9. Which three of these statements are correct regarding DMVPN configuration? (Choose three.)
A. If running EIGRP over DMVPN, the hub router tunnel interface must have “next hop self” enabled: ip next-hop-self eigrp AS-number
B. If running EIGRP over DMVPN, the hub router tunnel interface must have split horizon disabled: no ip split-horizon eigrp AS-number
C. The spoke routers must be configured as the NHRP servers: ip nhrp nhs spoke-tunnel-ip-address
D. At the spoke routers, static NHRP mapping to the hub router is required: ip nhrp map hub-tunnel-ip-address hub-physical-ip-address
E. The GRE tunnel mode must be set to point-to-point mode: tunnel mode gre point-to-point
F. The GRE tunnel must be associated with an IPsec profile: tunnel protection ipsec profile profile-name
Answer: BDF
10. When you configure Cisco IOS WebVPN, you can use the port-forward command to enable which function?
A. web-enabled applications
B. Cisco Secure Desktop
C. full-tunnel client
D. thin client
E. CIFS
F. OWA
Answer: D
11. Refer to the exhibit. What additional configuration is required to enable split tunneling?
A. the reverse-route command under “crypto dynamic-map mode 1”
B. the include-local-lan command under “crypto dynamic-map mode 1”
C. the match address 199 command under “crypto dynamic-map mode 1”
D. the acl 199 command under “crypto isakmp client configuration group cisco”
E. the include-local-lan command under “crypto isakmp client configuration group cisco”
F. the reverse-route command under “crypto isakmp client configuration group cisco”
Answer: D
12. Refer to the exhibit. Which two statements are true about the configurations shown? (Choose two.)
A. The clickable links will have a heading entitled “MYLINKS”.
B. The home page will have three clickable links on it.
C. ACS will be used for remote-user authentication by default.
D. This is an example of a clientless configuration.
E. Thin client (port forwarding) has been enabled using the url-text command.
Answer: BD
13. Which two commands are used to only allow SSH traffic to the router Eth0 interface and deny other management traffic (BEEP, FTP, HTTP, HTTPS, SNMP, Telnet, TFTP) to the router interfaces? (Choose two.)
A. interface eth0
B. control-plane host
C. policy-map type port-filter policyname
D. service-policy type port-filter input policyname
E. management-interface eth0 allow ssh
F. line vty 0 5
   transport input ssh
Answer: BE
14. Refer to the exhibit. Which optional AAA or RADIUS configuration command is used to support 802.1x guest VLAN functionality?
A. aaa authentication dot1x default group radius
B. aaa authorization network default group radius
C. aaa accounting dot1x default start-stop group radius
D. aaa accounting system default start-stop group radius
E. radius-server host 10.1.1.1 auth-port 1812 acct-port 1813
Answer: B
15. When configuring FPM, what should be the next step after the PHDFs have been loaded?
A. Define a stack of protocol headers.
B. Define a traffic policy.
C. Define a service policy.
D. Define a class map of type “access-control” for classifying packets.
E. Reload the router.
F. Save the PHDFs to startup-config.
Answer: A
16. Refer to the exhibit. What traffic will be matched to the “qt-class” traffic class?
A. all traffic matched by the “host-protocols” named access list
B. all traffic matched by the “host-protocols” nested class map
C. all TCP and UDP protocol ports open on the router not specifically matched
D. all traffic other than SNMP and Telnet to the router
E. all other traffic arriving at the interface where the “qt-policy” policy map is applied
Answer: C
17. When configuring ACS 4.0 Network Access Profiles (NAPs), which three things can be used to determine how an access request is classified and mapped to a profile? (Choose three.)
A. Network Access Filters (NAFs)
B. RADIUS Authorization Components (RACs)
C. the authentication method
D. the protocol types
E. advance filtering
F. RADIUS VSAs
Answer: ADE
18. Cisco Easy VPN Server pushes parameters such as the client internal IP address, DHCP server IP address, and WINS server IP address to the Cisco Easy VPN Remote client during which of these phases?
A. IKE Phase 1 first message exchange
B. IKE Phase 2 last message exchange
C. IKE mode configuration
D. IKE XAUTH
E. IKE quick mode
Answer: C
19. Which of these statements is correct regarding user setup on ACS 4.0?
A. In the case of conflicting settings, the settings at the group level override the settings configured at the user level.
B. A user can belong to more than one group.
C. The username can contain characters such as “#” and “?”.
D. By default, users are assigned to the default group.
E. The ACS PAP password cannot be used as the CHAP password also.
Answer: D
20. Refer to the exhibit. When you configure DHCP snooping, which ports should be configured as trusted?
A. port A only
B. port E only
C. ports B and C
D. ports A, B, and C
E. ports B, C, and E
F. ports A, B, C, and E
Answer: D
21. When you implement IBNS (802.1x authentication), what is defined using the Tunnel-Private-Group-ID (81) RADIUS attribute?
A. the EAP type
B. the shared secret key
C. the ACL name
D. the VLAN name
E. the NAP
F. the NAF
Answer: D
22. Refer to the partial classic Cisco IOS Firewall configuration shown in the exhibit. Which three are the correct missing configuration commands? (Choose three.)
A. 1=ip inspect myfw in
B. 1=ip access-group 51 in
C. 2=ip access-group 101 in
D. 2=ip inspect myfw out
E. 3=ip access-group 111 in
F. 3=ip inspect myfw in
Answer: ACE
23. Refer to the exhibit. Given that the fa0/1 interface is the trusted interface, what could be a reason for users on the trusted inside networks not to be able to successfully establish outbound HTTP connections?
A. The outgoing ACL on the fa0/1 interface is not set.
B. The FWRULE inspection policy is not inspecting HTTP traffic.
C. ACL 104 is denying the outbound HTTP traffic.
D. The outgoing inspection rule on the fa0/1 interface is not set.
E. ACL 104 is denying the return HTTP traffic.
F. The FWRULE inspection policy is not configured correctly.
Answer: C
24. Cisco IOS Zone-Based Firewall uses which of these to identify a service or application from traffic flowing through the firewall?
A. NBAR
B. extended access list
C. PAM table
D. deep packet inspection
E. application layer inspection
F. CEF table
Answer: C
25. Refer to the exhibit. Why is auth-proxy not working?
A. The AAA authentication method list is not configured.
B. HTTPS is not enabled on the router.
C. The local username and password database is not configured.
D. The aaa authorization command is not correct.
E. The ip auth-proxy HQU interface configuration command is missing the in direction option.
F. AAA accounting is not enabled.
Answer: D
26. Refer to the exhibit. Which two configuration commands are used to apply an inspect policy map for traffic traversing from the E0 or E1 interface to the S3 interface? (Choose two.)
A. zone-pair security test source Z1 destination Z2
B. interface E0
C. policy-map myfwpolicy
   class class-default
   inspect
D. ip inspect myfwpolicy out
E. ip inspect myfwpolicy in
F. service-policy type inspect myfwpolicy
Answer: AF
27. Refer to the exhibit. What will result from this zone-based firewall configuration?
A. All traffic from the private zone to the public zone will be dropped.
B. All traffic from the private zone to the public zone will be permitted but not inspected.
C. All traffic from the private zone to the public zone will be permitted and inspected.
D. All traffic from the public zone to the private zone will be permitted but not inspected.
E. Only HTTP and DNS traffic from the private zone to the public zone will be permitted and inspected.
F. Only HTTP and DNS traffic from the public zone to the private zone will be permitted and inspected.
Answer: A
28. What does this command do?
router(config)# ip port-map user1 port tcp 4001
A. enables application firewall inspection on a user-defined application that is mapped to TCP port 4001
B. enables NBAR to recognize a user-defined application on TCP port 4001
C. enables the Cisco IOS Firewall to inspect TCP port 4001 as part of the ip inspect name xxx TCP inspection rule
D. defines a user application in the PAM table where the user-defined application is called “user1” and that application is mapped to TCP port 4001
Answer: D
29. Refer to the exhibit. Which two statements are correct? (Choose two.)
A. Cisco IOS IPS will fail-open.
B. The basic signatures (previously known as 128MB.sdf) will be used if the built-in signatures fail to load.
C. The built-in signatures will be used.
D. SDEE alert messages will be enabled.
E. syslog alert messages will be enabled.
Answer: AC
30. When verifying Cisco IOS IPS operations, when should you expect Cisco IOS IPS to start loading the signatures?
A. immediately after you configure the ip ips sdf location flash:filename command
B. immediately after you configure the ip ips sdf builtin command
C. after you configure a Cisco IOS IPS rule in the global configuration
D. after traffic reaches the interface with Cisco IOS IPS enabled
E. when the first Cisco IOS IPS rule is enabled on an interface
F. when the SMEs are put into active state using the ip ips name rulename command
Answer: E
“Securing Networks with Cisco Routers and Switches”, also known as the 642-503 exam, is a Cisco certification.
Preparing for the 642-503 exam? Searching for 642-503 Test Questions, 642-503 Practice Exam, 642-503 Dumps?
With the complete collection of questions and answers, Pass4sure has assembled 53 Q&As to take you through your 642-503 Exam preparation. The 642-503 exam resources cover every field and category in CCSP to ready you for your Cisco Certification.
Questions and Answers: 53 Q&As
Updated: 2008-06-29
Market Price: $125.99
Member Price: $99.99