Cisco 642-504 Vce & PDF, Sale Latest Cisco 642-504 Certificate Latest Version PDF&VCE

New VCE and PDF – You can prepare for the Cisco https://www.pass4itsure.com/642-504.html exam in an easy way with Flydumps Cisco 642-504 questions and answers. By training with our VCE dumps, which cover all the latest Cisco 642-504 questions, you can pass the exam on the first attempt.

QUESTION 45
The Company network is using an 802.1X implementation. In an 802.1X implementation, the supplicant directly connects to, and obtains network access permission through, which device?
A. Host
B. Authenticator
C. PC
D. Authentication server

Correct Answer: B
QUESTION 46
The Easy VPN Server feature allows Cisco IOS routers, Cisco Adaptive Security Appliances (ASA), and Cisco PIX Security Appliances to act as head-end devices in site-to-site or remote-access VPNs. The feature pushes security policies defined at the central site to the remote device during which of these phases?
A. IKE Phase 1 first message exchange
B. IKE Phase 2 first message exchange
C. IKE Phase 2 last message exchange
D. IKE mode configuration

Correct Answer: D
QUESTION 47
You are in charge of Securing Networks Cisco Routers and Switches in your company. Please point out two benefits of using an IPsec GRE tunnel. (Choose two.)
A. It requires a more restrictive crypto ACL to provide finer security control
B. It has less overhead than running IPsec in tunnel mode.
C. It allows IP multicast traffic.
D. It allows dynamic routing protocol to run over the tunnel interface.

Correct Answer: CD
QUESTION 48
Which two are capabilities of the Cisco IOS Firewall Feature Set? (Choose two.)
A. protects against worms, malicious users, and denial of service
B. provides for secure connectivity between branch offices
C. provides intrusion protection capabilities
D. interoperates with Network Address Translation to conserve and simplify network address use

Correct Answer: AD
QUESTION 49
Which two are typical Layer 2 attacks? (Choose two.)
A. MAC spoofing
B. CAM table overflow
C. Route poisoning
D. DHCP Starvation

Correct Answer: AB
QUESTION 50
You are the Cisco Configuration Assistant in your company. Which two commands would you use to allow only SSH traffic to the router Eth0 interface and deny other management traffic (BEEP, FTP, HTTP, HTTPS, SNMP, Telnet, TFTP) to the router interfaces? (Choose two.)
A. control-plane host
B. interface eth0
C. policy-map type port-filter policy-name
D. management-interface eth0 allow ssh

Correct Answer: AD
QUESTION 51
You want to increase the security levels at Layer 2 within the Company switched LAN. Which three are typical Layer 2 attack mitigation techniques? (Select three.)
A. 802.1x authentication
B. Port security
C. ARP snooping
D. DHCP snooping

Correct Answer: ABD
QUESTION 52
Which alerting protocol is used by Cisco IOS IPS with a pull mechanism for getting IPS alerts to the network management application?
A. SNMP
B. syslog
C. SDEE
D. POP3

Correct Answer: C
QUESTION 53
You are the Cisco Configuration Assistant in your company. When you enter the switch(config)# aaa authentication dot1x default group radius command on a Cisco Catalyst switch, you get the error message “invalid input detected”. What is the most likely reason?
A. Enable 802.1x first.
B. Define the RADIUS server IP address first, using the switch(config)# radius-server host ip-address command.
C. Method-list name is missing
D. Enter the aaa new-model command first.

Correct Answer: D
QUESTION 54
When configuring FPM, which is the next step after loading the PHDFs?
A. Define a stack of protocol headers.
B. Define a class map of type “access-control” for classifying packets.
C. Reload the router.
D. Save the PHDFs to startup-config.

Correct Answer: A
QUESTION 55
The Company security administrator is in charge of creating a security policy for the company. Which two statements about the creation of a security policy are true? (Choose two)
A. It helps Chief Information Officers determine the return on investment of network security at Company Inc.
B. It defines how to track down and prosecute policy offenders at Company Inc.
C. It provides a process to audit existing network security at Company Inc.
D. It defines which behavior is and is not allowed at Company Inc.

Correct Answer: CD
QUESTION 56
Which secure group keying mechanism is used by GET VPN?
A. public and private keys
B. Diffie-Hellman
C. Group Domain of Interpretation
D. group key agreement

Correct Answer: C
QUESTION 57
You are the network consultant from your company. Cisco IOS Zone-Based Firewall uses which of the following to identify a service or application from traffic flowing through the firewall?
A. Network Based Application Recognition
B. extended access list
C. deep packet inspection
D. PAM table

Correct Answer: D
QUESTION 58
Which best practice is recommended while configuring the Auto Update feature for Cisco IOS IPS?
A. Synchronize the router’s clock to the PC before configuring Auto Update.
B. Download the realm-cisco.pub.key file and update the public key stored on the router.
C. Clear the router’s flash of unused signature files.
D. Enable anonymous TFTP downloads from Cisco.com and specify the download frequency.

Correct Answer: A
QUESTION 59
Router CK1 is configured with the IOS firewall feature set to prevent TCP based attacks. How many incomplete connections must this router have by default before TCP Intercept will start dropping incomplete connections?
A. 500
B. 1100
C. 700
D. 900

Correct Answer: B
QUESTION 60
Which statement is correct about the GRE tunnel endpoints while configuring GRE over IPsec?
A. For high availability, the GRE tunnel interface should be configured with a primary and a backup tunnel destination IP address.
B. A mirror image of the IPsec crypto ACL needs to be configured to permit the interesting end-user traffic between the GRE endpoints.
C. The tunnel interface of both endpoints needs to be in the same IP subnet.
D. The tunnel interface of both endpoints should be configured to use the outside IP address of the router as the unnumbered IP address.

Correct Answer: C
QUESTION 61
Which of the following represents the behavior of the CBAC aggressive mode in a Cisco IOS firewall?
A. Delete all half-open sessions
B. Re-initiate half-open sessions
C. Complete all half-open sessions, making them full open sessions
D. Delete half-open sessions as needed to accommodate new connection requests

Correct Answer: D
QUESTION 62
You are in charge of Securing Networks Cisco Routers and Switches in your company. Given that the fa0/1 interface is the trusted interface, what could be a reason for users on the trusted inside networks not to be able to successfully establish outbound HTTP connections based on the following configuration?

A. access-list on the fa0/1 interface is not set.
B. The RVRULE inspection policy is not inspecting HTTP traffic.
C. access-list 104 is denying the outbound HTTP traffic.
D. The outgoing inspection rule on the fa0/1 interface is not set.

Correct Answer: C
QUESTION 63
The Dynamic Multipoint VPN (DMVPN) feature allows users to better scale large and small IP Security (IPsec) Virtual Private Networks (VPNs) by combining generic routing encapsulation (GRE) tunnels, IPsec encryption, and Next Hop Resolution Protocol (NHRP). Referring to a DMVPN hub router tunnel interface configuration, what will fail if the ip nhrp map multicast dynamic command is missing on the tunnel interface?
A. The NHRP request and response.
B. The GRE tunnel
C. The IPsec peering
D. The dynamic routing protocol.

Correct Answer: D
QUESTION 64
What is the objective of the Cisco SDM IPS migration tool?
A. to migrate from promiscuous mode IPS to inline IPS
B. to migrate from Cisco IOS IPS version 4.0 to Cisco IOS IPS version 5.0
C. to migrate from Cisco IOS IPS to the Cisco AIM-IPS
D. to migrate from the Cisco NM-CIDS to the Cisco AIM-IPS

Correct Answer: B
QUESTION 65
What OSI layers can CBAC filter on? Select all that apply.
A. Layer 4
B. Layer 3
C. Layer 2
D. Layer 7

Correct Answer: ABD
QUESTION 66
Which description is true about the Cisco IOS IPS configuration output shown in the following exhibit?

A. The SDF will be loaded from the IPS directory in flash.
B. The built-in signatures will be used.
C. The router is using the advanced IPS signature set.
D. The SMEs are stored in the IPS directory in flash.

Correct Answer: C
QUESTION 67
Router CK1 has been upgraded with the Cisco firewall IOS. Which of the following cannot be configured on a router unless the IOS Firewall feature set is installed? (Select all that apply.)
A. PAM
B. Authentication Proxy
C. IDS
D. CBAC

Correct Answer: ABCD
QUESTION 68
For the following Cisco IOS Firewall features, which one allows the firewall to function as a Layer 2 bridge on the network?
A. firewall ACL bypass
B. zone-based firewall
C. CBAC
D. transparent firewall

Correct Answer: D
QUESTION 69
While logged into a Company router, which of the following commands specifies that the IOS Firewall IDS engine drops packets and resets TCP connections for information signatures?
A. ip audit name auditi info attack drop reset
B. ip audit name auditi info action drop reset
C. ip audit name auditi info sig action drop reset
D. ip audit name auditi sig info drop reset

Correct Answer: D
QUESTION 70
Which statement best describes Cisco IOS Firewall URL-filtering services on Cisco IOS Release 12.4(15)T and later?
A. Enabling “allow mode” is required when using an external URL-filtering server.
B. Multiple URL lists and URL filter server lists can be configured on the router.
C. URL filtering with zone-based firewalls is configured using the type “inspect” parameter-map.
D. The services support Secure Computing server or Websense server and the local URL list.

Correct Answer: D
QUESTION 71
You are the Cisco Configuration Assistant in your company. Which command would you use to trigger the router to request certificates from the CA for the router RSA key pair?
A. crypto pki enroll CA-Name
B. enrollment url http://CA-Name:80
C. crypto pki trustpoint CA-Name
D. crypto pki authenticate CA-Name

Correct Answer: A
QUESTION 72
Which two statements are correct according to the CLI configuration displayed in the exhibit? (Choose two.)

A. Serial0/0/0 is the outside NAT interface.
B. access-list 1 defines the list of inside global IP addresses.
C. The overload option enables static PAT.
D. All HTTP connections to the Serial0/0/0 interface IP address will be translated to the 172.16.1.2 IP address port 8080.

Correct Answer: AD
QUESTION 73
The Company network is concerned about SPAM and wants to use IDS tools to prevent SPAM attacks. By default, how many message recipients must an email have for the IOS Firewall to consider it a spam attack?
A. 250
B. 500
C. 100
D. 25

Correct Answer: A
QUESTION 74
Cisco Easy VPN greatly simplifies virtual private network (VPN) deployment for remote offices and teleworkers. While using Cisco Easy VPN, which three options are for entering the XAUTH username and password for establishing the VPN connection from the Cisco Easy VPN remote router? (Choose three.)
A. using an external AAA server
B. saving the XAUTH credentials to this router
C. entering the information from the router console or SDM
D. entering the information from the PC browser when browsing

Correct Answer: BCD
QUESTION 75
You are the Cisco Configuration Assistant in your company. You are configuring ACS 4.0 Network Access Profiles. Which three things can be used to determine how an access request is classified and mapped to a profile? (Choose three.)
A. Network Access Filters
B. RADIUS Authorization Components
C. the protocol types
D. advance filtering

Correct Answer: ACD
QUESTION 76
For the following Cisco IOS IPS risk rating components, which one uses a low value of 75, a medium value of 100, a high value of 150, and a mission-critical value of 200?
A. Attack Relevancy Rating
B. Promiscuous Delta
C. Target Value Rating
D. Watch List Rating

Correct Answer: C
QUESTION 77
The security administrator at Company is seeing a large number of half-open TCP sessions. What are half-open TCP sessions?
A. Sessions that were denied.
B. Sessions that have not reached the established state.
C. Sessions where the three-way handshake has been completed.
D. Sessions where the firewall detected return traffic.

Correct Answer: B
QUESTION 78
Which item is true about the zone-based firewall policy while configuring the zone-based firewall feature on a Cisco router?
A. The policy is applied unidirectionally between two security zones.
B. Traffic between an interface belonging to a zone and the “self” zone is denied by default unless it is explicitly allowed by a user-defined policy.
C. Interfaces in the same zone require that a bidirectional traffic policy be applied to permit traffic flow.
D. Traffic between an interface belonging to a zone and an interface that is not a zone member is allowed to pass without the policy being applied to the traffic.

Correct Answer: A
QUESTION 79
You are the Cisco Configuration Assistant in your company. What additional configuration is required for the Cisco IOS Firewall to reset the TCP connection if any peer-to-peer, tunneling, or instant messaging traffic is detected over HTTP based on the following configuration?
appfw policy-name mypolicy
 application http
  strict-http action reset alarm
  content-length maximum 1 action reset alarm
  content-type-verification match-req-rsp action reset alarm
  max-header-length request 1 response 1 action reset alarm
  max-url-length 1 action reset alarm
  request-method rfc put action reset alarm
  transfer-encoding type default reset alarm
!
ip inspect name firewall appfw mypolicy
ip inspect name firewall http
!
interface FastEthernet0/0
 ip inspect firewall in
A. class-map configuration
B. the PAM configuration
C. the ip inspect name firewall im, ip inspect name firewall p2p, and ip inspect name firewall tunnel commands
D. the port-misuse default action reset alarm command in the HTTP application firewall policy configuration

Correct Answer: D
QUESTION 80
While adding NADs as AAA clients in the ACS, which three parameters are configured for each AAA client? (Choose three.)
A. the NAD IP address
B. the EAP type
C. the shared secret key
D. the AAA protocol to use for communication with the NADs

Correct Answer: ACD
QUESTION 81
What command configures the amount of time CBAC will wait for a TCP session to become established before dropping the connection in the state table?
A. ip inspect global syn-establish (seconds)
B. ip inspect tcp global syn-time (seconds)
C. ip inspect global tcp syn (seconds)
D. ip inspect tcp synwait-time (seconds)

Correct Answer: D
QUESTION 82
Which one of the following Cisco IOS VPN features simplifies IPsec VPN configuration and design by use of on-demand virtual access interfaces cloned from a virtual template configuration?
A. DMVPN
B. dynamic VTI
C. GRE tunnels
D. GRE over IPsec tunnels

Correct Answer: B
QUESTION 83
You are the Cisco Configuration Assistant in your company. What can you determine based on the following configuration?
crypto ipsec transform-set MINE esp-des
!
crypto map MYMAP 10 ipsec-isakmp
 set peer 172.30.5.2
 set transform-set MINE
 match address 101
A. The authentication method used between the IPsec peers is pre-shared key.
B. ESP tunnel mode will not be used.
C. This is a dynamic crypto map.
D. ESP tunnel mode will be used.

Correct Answer: D
QUESTION 84
Which option is correct about the output of the Cisco IOS IPS configuration displayed in the following exhibit?

A. Inline IPS is applied in the outbound direction on the interfaces.
B. The router will drop all packets if the IPS engine is unable to scan data.
C. The basic signatures set has been disabled.
D. The signature delta file is stored in the IPS directory in flash.

Correct Answer: D
QUESTION 85
You have been tasked with setting up a new router with CBAC. How do you configure the CBAC global UDP idle session timeout?
A. ip inspect udp-session-timeout (seconds)
B. ip inspect udp-idle (seconds)
C. ip inspect udp-timeout (seconds)
D. ip inspect udp idle-time (seconds)

Correct Answer: D
QUESTION 86
While deploying 802.1X authentication on Cisco Catalyst switches, which traffic can be passed between the client PC and the Cisco Catalyst switch over the uncontrolled port?
A. DHCP
B. TACACS+
C. HTTP
D. EAPoLAN

Correct Answer: D
QUESTION 87
You have been tasked with setting up a new Company router with CBAC. How do you set the threshold of half-open sessions CBAC will allow per minute before deleting them?
A. ip inspect one-minute incomplete (number)
B. ip inspect one-minute (number)
C. ip inspect one-minute high (number)
D. ip inspect one-minute high incomplete (number)

Correct Answer: C
QUESTION 88
According to the partial configuration displayed in the following exhibit, which additional configuration parameter is required under the GET VPN group member GDOI configuration?

A. key server IP address
B. mapping of the IPsec transform set to the GDOI group
C. mapping of the IPsec profile to the IPsec SA
D. local priority

Correct Answer: A
QUESTION 89
You are the Cisco Configuration Assistant in your company. Which TCP port would you use to access the Cisco ACS web interface?
A. 22
B. 80
C. 127
D. 2002

Correct Answer: D
QUESTION 90
Which action can be enabled by the interface configuration command switchport protected?
A. allows traffic on protected ports to be forwarded at Layer 2
B. configures the interface for the PVLAN edge
C. groups ports into an isolated community when configured on multiple ports
D. provides isolation between two protected ports located on different switches

Correct Answer: B

Flydumps.com

The actual Cisco https://www.pass4itsure.com/642-504.html exam questions and answers will sharpen your skills and expand your knowledge to obtain a definite success.save your money and time on your preparation for your Cisco 642-504 certification exam. You will find we are a trustful partner if you choose us as your assistance on your Cisco 642-504 certification exam. Now we add the latest Cisco 642-504 content and to print and share content.

Continue Reading

Cisco 642-504 Exam Download, Sale Discount Cisco 642-504 Flydumps For Download

Flydumps just published the newest Cisco 642-504 brain dumps with all the new updated exam questions and answers. We provide the latest version of Cisco https://www.pass4itsure.com/642-504.html PDF and VCE files with up-to-date questions and answers to ensure your exam 100% pass,on our website you will get the Cisco 642-504 free new version VCE Player along with your VCE dumps

QUESTION 55
The Company security administrator is in charge of creating a security policy for the company. Which two statements about the creation of a security policy are true? (Choose two)
A. It helps Chief Information Officers determine the return on investment of network security at Company Inc.
B. It defines how to track down and prosecute policy offenders at Company Inc.
C. It provides a process to audit existing network security at Company Inc.
D. It defines which behavior is and is not allowed at Company Inc.

Correct Answer: CD Section: (none) Explanation
Explanation/Reference:
QUESTION 56
Which secure group keying mechanism is used by GET VPN?
A. public and private keys
B. Diffle-Hellman
C. Group Domain of Interpretation
D. group key agreement

Correct Answer: C Section: (none) Explanation
QUESTION 57
You are the network consultant from your company. Cisco IOS Zone-Based Firewall uses which of the following to identify a service or application from traffic flowing through the firewall?
A. Network Based Application Recognition
B. extended access list
C. deep packet inspection
D. PAM table ActualTests.com

Correct Answer: D Section: (none) Explanation
QUESTION 58
Which best practice is recommended while configuring the Auto Update feature for Cisco IOS IPS?
A. Synchronize the router’s clock to the PC before configuring Auto Update,
B. Download the realm-cisco.pub.key file and update the public key stored on the router.
C. Clear the router’s flash of unused signature files.
D. Enable anonymous TFTP downloads from Cisco.com and specify the download frequency. “Pass Any Exam. Any Time.” – www.actualtests.com 34 Cisco 642-504: Practice Exam

Correct Answer: A Section: (none) Explanation
QUESTION 59
Router CK1 is configured with the IOS firewall feature set to prevent TCP based attacks. How many incomplete connections must this router have by default before TCP Intercept will start dropping incomplete connections?
A. 500
B. 1100
C. 700
D. 900

Correct Answer: B Section: (none) Explanation
QUESTION 60
Which statement is correct about the GRE tunnel endpoints while configuring GRE over IPsec?
A. For high availability, the GRE tunnel interface should be configured with aprimaty and a backup tunnel destination IP address.
B. A mirror image of theIPsec crypto ACL needs to be configured to permit the interesting end- user traffic between the GRE endpoints.
C. The tunnel interface of both endpoints needs to be in the same IP subnet,
D. The tunnel interface of both endpoints should be configured to use the outside IP address of the router as the unnumbered IP address.

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
ActualTests.com
QUESTION 61
Which of the following represents the behavior of the CBAC aggressive mode in a Cisco IOS firewall?
A. Delete all half-open session
B. Re-initiate half open session
C. Complete all half open sessions make the full open session
D. Delete half-open session as needed to accommodate new connection requests

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
“Pass Any Exam. Any Time.” – www.actualtests.com 35 Cisco 642-504: Practice Exam
QUESTION 62
You are in charge of Securing Networks Cisco Routers and Switches in your company Given that the faO/1 interface is the trusted interface, what could be a reason for users on the trusted inside networks not to be able to successfully establish outbound HTTP connections based on the following configuration?

A. access-list on the faO/1intetface is not set.
B. The RVRULE inspection policy is not inspecting HTTP traffic.
C. access-list 104 is denying the outbound HTTP traffic.
D. The outgoing inspection rule on the fa0/1 interface is not set, ActualTests.com

Correct Answer: C Section: (none) Explanation
QUESTION 63
The Dynamic Multipoint VPN (DMVPN) feature allows users to better scale large and small IP Security (IPsec) Virtual Private Networks (VPNs) by combining generic routing encapsulation (GRE) tunnels, IPsec encryption, and Next Hop Resolution Protocol (NHRP).Referring to a DMVPN hub router tunnel interface configuration, what will fail if the ip nhrp map multicast dynamic command is missing on the tunnel interface?
A. The NHRP request and response. “Pass Any Exam. Any Time.” – www.actualtests.com 36 Cisco 642-504: Practice Exam
B. The GRE tunnel
C. The IPsec peering
D. The dynamic routing protocol.

Correct Answer: D Section: (none) Explanation
QUESTION 64
What is the objective of the Cisco SDM IPS migration tool?
A. to migrate from promiscuous mode IPS to inline IPS
B. to migrate from Cisco IOS IPS version 4.0 to Cisco IOS IPS version 5.0
C. to migrate from Cisco IOS IPS to the Cisco AIM-IPS
D. to migrate from the Cisco NM-CIDS to the Cisco AIM-IPS

Correct Answer: B Section: (none) Explanation
QUESTION 65
What OSI layers can CBAC filter on? Select all that apply.
A. Layer 4
B. Layer 3
C. Layer 2
D. Layer 7

Correct Answer: ABD Section: (none) Explanation
Explanation/Reference:
ActualTests.com
QUESTION 66
Which description is true about the Cisco IOS IPS configuration output shown in the following exhibit?
“Pass Any Exam. Any Time.” – www.actualtests.com 37 Cisco 642-504: Practice Exam

A. The SDF will be loaded from the IPS directory in flash.
B. The built-in signatures will be used.
C. The router is using the advanced IPS signature set.
D. The SMEs are stored in the IPS directory in flash.

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
ActualTests.com
QUESTION 67
Router CK1 has been upgraded with the Cisco firewall IOS. Which of the following cannot be configured on a router unless the IOS Firewall feature set is installed? (Select all that apply)
A. PAM
B. Authentication Proxy
C. IDS
D. CBAC “Pass Any Exam. Any Time.” – www.actualtests.com 38 Cisco 642-504: Practice Exam

Correct Answer: ABCD Section: (none) Explanation
QUESTION 68
For the following Cisco IOS Firewall features, which one allows the firewall to function as a Layer 2 bridge on the network?
A. firewall ACL bypass
B. zone-based firewall
C. CBAC
D. transparent firewall

Correct Answer: D Section: (none) Explanation
QUESTION 69
While logged into a Company router, which of the following commands specifies that the IOS Firewall IDS engine drops packets and resets TCP connections for information signatures?
A. ip audit name auditi info attack drop reset
B. ip audit name auditi info action drop reset
C. ip audit name auditi info sig action drop reset
D. ip audit name auditi sig info drop reset

Correct Answer: D Section: (none) Explanation
QUESTION 70
Which statement best describes Cisco IOS Firewall URL-filtering services on Cisco IOS Release 12,4(15)T and later?
A. Enabling “allow mode” is required when using an external URL-filtering server.
B. Multiple URL lists and URL filter server lists can be configured on the router.
C. URL filtering with zone-based firewalls is configured using the type “inspect” parameter-map.
D. The services support Secure Computing server orWebsense server and the local URL list.

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 71
You are the Cisco Configuration Assistant in your company. Which command will would you use totrigger the router to request certificates from the CA for the router RSA key pair?
A. cryptopki enroll CA-Name
B. enrollmenturl http://CA-Name:SO
C. cryptopki trustpoint CA-Name
D. cryptopki authenticate CA-Name

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 72
Which tow statements are correct according to the CLI configuration displayed in the exhibit? (Choose tow.)

A. SerialO/0/0 is the outside NAT interface.
B. access-list 1 defines the list of inside global IP addresses.
C. The overload option enables static PAT,
D. All HTTP connections to the SerialO/0/0 interface IP address will be translated to the 172.16.1.2 IP address port 8080,

Correct Answer: AD Section: (none) Explanation
Explanation/Reference:
ActualTests.com
QUESTION 73
The Company network is concerned about SPAM and wants to use IDS tools to prevent SPAM attacks. By default, how many message recipients must an email have for the IOS Firewall to consider it a spam attack?
A. 250
B. 500
C. 100
D. 25

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
“Pass Any Exam. Any Time.” – www.actualtests.com 40 Cisco 642-504: Practice Exam
QUESTION 74
Cisco Easy VPN greatly simplifies virtual private network (VPN) deployment for remote offices and teleworkers. While using Cisco Easy VPN, which three options are for entering the XAUTH username and password for establishing the VPN connection from the Cisco Easy VPN remote router? (Choose three.)
A. using an external AAA server
B. saving the XAUTH credentials to this router
C. entering the information from the router console or SDM
D. entering the information from the PC browser when browsing

Correct Answer: BCD Section: (none) Explanation
QUESTION 75
You are the Cisco Configuration Assistant in your company. You are configuring ACS 4.0 Network Access Profiles, which three things can be used to determine how an access request is classified and mapped to a profile? (Choose three)
A. Network Access Filters
B. RADIUS Authorization Components
C. the protocol types
D. advance filtering

Correct Answer: ACD Section: (none) Explanation
Explanation/Reference:
ActualTests.com
QUESTION 76
For the following Cisco IOS IPS risk rating components, which one uses a law value of 75, a medium value of 100, a high value of 150, and a mission-critical value of 200?
A. Attack Relevancy Rating
B. Promiscuous Delta
C. Target Value Rating
D. Watch List Rating

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
“Pass Any Exam. Any Time.” – www.actualtests.com 41 Cisco 642-504: Practice Exam
QUESTION 77
The security administrator at Company is seeing a large number of half opened TCP sessions, what are half open TCP sessions?
A. Sessions that were denied,
B. Sessions that have not reached the established state.
C. Sessions where the three-way handshake has been completed.
D. Sessions where the firewall detected return traffic.

Correct Answer: B Section: (none) Explanation
QUESTION 78
Which item is true about the zone-based firewall policy while configuring the zone-based firewall feature on a Cisco router?
A. The policy is appliedunidirectionally between two security zones.
B. Traffic between an interface belonging to a zone and the “self zone is denied by default unless it is explicitly allowed by a used-defined policy.
C. Interfaces in the same zone require that a bidirectional traffic policy be applied to permit traffic flow,
D. Traffic between an interface belonging to a zone and an interface that is not a zone member is allowed to pass without the policy being applied to the traffic,

Correct Answer: A
QUESTION 79
You are the Cisco Configuration Assistant in your company. What additional configuration is required for the Cisco IOS Firewall to reset the TCP connection if any peer-to-peer, tunneling, or instant messaging traffic is detected over HTTP, based on the following configuration?

appfw policy-name mypolicy
 application http
  strict-http action reset alarm
  content-length maximum 1 action reset alarm
  content-type-verification match-req-rsp action reset alarm
  max-header-length request 1 response 1 action reset alarm
  max-url-length 1 action reset alarm
  request-method rfc put action reset alarm
  transfer-encoding type default reset alarm
!
ip inspect name firewall appfw mypolicy
ip inspect name firewall http
!
interface FastEthernet0/0
 ip inspect firewall in

A. class-map configuration
B. the PAM configuration
C. the ip inspect name firewall im, ip inspect name firewall p2p, and ip inspect name firewall tunnel commands
D. the port-misuse default action reset alarm command in the HTTP application firewall policy configuration

Correct Answer: D
QUESTION 80
While adding NADs as AAA clients in the ACS, which three parameters are configured for each AAA client? (Choose three.)
A. the NAD IP address
B. the EAP type
C. the shared secret key
D. the AAA protocol to use for communication with the NADs

Correct Answer: ACD


Cisco 642-504 Exam Demo, Free Download Real Cisco 642-504 Preparation Materials Are The Best Materials


QUESTION 40
Which action does the interface configuration command switchport protected enable?
A. groups ports into an isolated community when configured on multiple ports
B. configures the interface for the PVLAN edge
C. provides isolation between two protected ports located on different switches
D. allows traffic on protected ports to be forwarded at Layer 2

Correct Answer: B
QUESTION 41
What configuration task must you perform prior to configuring private VLANs?
A. enable port security on the interface
B. associate all isolated ports to the primary VLAN
C. set the VTP mode to transparent
D. configure PVLAN trunking

Correct Answer: C
QUESTION 42
When deploying 802.1X authentication on Cisco Catalyst switches, what are two possible options for authenticating the clients that do not have an 802.1X supplicant? (Choose two.)
A. MAC Authentication Bypass
B. Active Directory Single Sign-On
C. authentication proxy
D. web authentication
E. Protected EAP

Correct Answer: AD
QUESTION 43
When implementing EIGRP dynamic routing over DMVPN, what are three configuration tasks required at the hub router tunnel interface? (Choose three.)
A. disabling EIGRP ip next-hop-self
B. disabling EIGRP ip split-horizon
C. disabling EIGRP auto-summary
D. disabling EIGRP stub
E. enabling multipoint GRE
F. configuring the NHRP next-hop server IP address

Correct Answer: ABE
QUESTION 44
Refer to the exhibit.
What is wrong with the GRE over IPsec configuration shown?

A. The crypto map is not correctly configured.
B. The crypto ACL is not correctly configured.
C. The network 172.16.0.0 command is missing under router eigrp 1 .
D. ESP transport mode should be configured instead of using the default tunnel mode.

Correct Answer: B
QUESTION 45
When you configure Cisco IOS WebVPN, you can use the port-forward command to enable which function?
A. web-enabled applications
B. Cisco Secure Desktop
C. full-tunnel client
D. thin client
E. CIFS
F. OWA

Correct Answer: D
QUESTION 46
Which three of these statements are correct regarding DMVPN configuration? (Choose three.)
A. If running EIGRP over DMVPN, the hub router tunnel interface must have “next hop self” enabled: ip next-hop-self eigrp AS-Number
B. If running EIGRP over DMVPN, the hub router tunnel interface must have split horizon disabled: no ip split-horizon eigrp AS-Number
C. The spoke routers must be configured as the NHRP servers: ip nhrp nhs spoke-tunnel-ip-address
D. At the spoke routers, static NHRP mapping to the hub router is required: ip nhrp map hub-tunnel-ip-address hub-physical-ip-address
E. The GRE tunnel mode must be set to point-to-point mode: tunnel mode gre point-to-point
F. The GRE tunnel must be associated with an IPsec profile: tunnel protection ipsec profile profile-name

Correct Answer: BDF
QUESTION 47
Refer to the exhibit.
What is wrong with the partial IPsec VPN high-availability configuration shown here?
A. A static crypto map should be used instead of a dynamic crypto map.
B. The crypto map CM interface configuration statement is missing the stateful option.
C. The crypto map interface configuration statement should reference the dynamic crypto map DM.
D. IPsec is not synchronized with HSRP.

Correct Answer: D
QUESTION 48
You are an administrator configuring a Cisco router to enroll with a certificate authority. What is a recommended best practice to perform prior to configuring enrollment parameters?
A. Contact the registration authority to obtain the enrollment URL.
B. Manually verify the PKCS #10 certificate prior to enrollment.
C. Configure the certificate revocation list to ensure that you do not receive revoked CA certificates.
D. Configure Network Time Protocol.
E. If using SCEP, ensure that TCP port 22 traffic is permitted to the router.

Correct Answer: D
QUESTION 49
DMVPN configuration uses which tunnel mode type on the tunnel interface?
A. DVMRP
B. IPsec IPv4
C. NHRP
D. GRE multipoint

Correct Answer: D
QUESTION 50
Refer to the exhibit.
What is true regarding the IKE security association?
A. The IPsec connection is in an idle state.
B. The IKE association is in the process of being set up.
C. The IKE status is authenticated.
D. The ISAKMP state is waiting for quick mode status to authenticate before IPsec parameters are passed between peers.

Correct Answer: C
QUESTION 51
When configuring a Cisco Easy VPN server, what must be configured prior to entering VPN configuration parameters?
A. AAA
B. ISAKMP peer authentication method
C. XAuth
D. SSH
E. crypto ACL
F. NTP

Correct Answer: A
QUESTION 52
Which parameter is configured under the router(config-isakmp)# configuration mode?
A. use of digital certificates for authentication
B. the IPsec transform set
C. the reference to the crypto ACL
D. the IPsec peer IP address
E. the pre-shared key value

Correct Answer: A
QUESTION 53
Which two statements are correct regarding Network Address Translation and IPsec interoperability? (Choose two.)
A. ESP does not work with NAT.
B. AH does not work with NAT.
C. ESP does not work with PAT.
D. NAT-T uses TCP port 4500.
E. NAT-T sends NAT discovery packets after IKE Phase 2 establishment.

Correct Answer: BC
QUESTION 54
If the show crypto isakmp sa output shows a state of “QM_IDLE” with the “Active” status, what does that most likely indicate?
A. IKE Phase 1 quick mode negotiation has failed.
B. The security association is waiting for the timeout to expire before retrying the ISAKMP SA establishment.
C. An ISAKMP SA exists.
D. Peer authentication has failed during IKE Phase 1.
E. IKE Phase 1 is in the negotiation state.

Correct Answer: C
QUESTION 55
Which Cisco IOS IPS risk rating component uses a low value of 75, a medium value of 100, a high value of 150, and a mission-critical value of 200?
A. Signature Fidelity Rating
B. Attack Severity Rating
C. Target Value Rating
D. Attack Relevancy Rating
E. Promiscuous Delta
F. Watch List Rating

Correct Answer: C
QUESTION 56
In DMVPN, the NHRP process allows which requirement to be met?
A. dynamic physical interface IP address at the spoke routers
B. high-availability DMVPN designs
C. dynamic spoke-to-spoke on-demand tunnels
D. dynamic routing over the DMVPN
E. dual DMVPN hub designs

Correct Answer: A
QUESTION 57
When deploying 802.1X authentication on Cisco Catalyst switches, which traffic can be passed between the client PC and the Cisco Catalyst switch over the uncontrolled port?
A. RADIUS
B. TACACS+
C. HTTP
D. DHCP
E. EAPoLAN
F. CDP

Correct Answer: E
QUESTION 58
Refer to the exhibit.
Which two configuration commands are used to apply an inspect policy map for traffic traversing from the E0 or E1 interface to the S3 interface? (Choose two.)
A. zone-pair security test source Z1 destination Z2
B. interface E0
C. policy-map myfwpolicy class class-default inspect
D. ip inspect myfwpolicy out
E. ip inspect myfwpolicy in
F. service-policy type inspect myfwpolicy

Correct Answer: AF
QUESTION 59
Cisco IOS SSL VPN thin-client mode has which two characteristics? (Choose two.)
A. uses a Java applet
B. supports TCP and UDP applications that use static port(s)
C. provides full tunnel access like the IPsec VPN software client
D. requires the use of browser plug-ins
E. provides TCP port forwarding capabilities

Correct Answer: AE
QUESTION 60
Refer to the exhibit.
Which optional AAA or RADIUS configuration command is used to support 802.1X guest VLAN functionality?
A. aaa authentication dot1x default group radius
B. aaa authorization network default group radius
C. aaa accounting dot1x default start-stop group radius
D. aaa accounting system default start-stop group radius
E. radius-server host 10.1.1.1 auth-port 1812 acct-port 1813

Correct Answer: B
