Cisco 642-637

Securing Networks with Cisco Routers and Switches (SECURE) v1.0


Version: 6.0

Cisco 642-637 Exam

QUESTION NO: 1
Refer to the exhibit. Given the partial output of the debug command, what can be determined?

A. There is no ID payload in the packet, as indicated by the message ID = 0.
B. The peer has not matched any offered profiles.
C. This is an IKE quick mode negotiation.
D. This is normal output of a successful Phase 1 IKE exchange.

Answer: B

QUESTION NO: 2 DRAG DROP

Answer:

"Pass Any Exam. Any Time." - www.actualtests.com

Explanation:
Existing lists of LAN switches
Existing user credentials
Existing addressing scheme
Existing transport protocols used in the environment

QUESTION NO: 3

Refer to the exhibit. Which two Cisco IOS WebVPN features are enabled with the partial configuration shown? (Choose two.)

A. The end-user Cisco AnyConnect VPN software will remain installed on the end system.
B. If the Cisco AnyConnect VPN software fails to install on the end-user PC, the end user cannot use other modes.
C. Client-based full tunnel access has been enabled.
D. Traffic destined to the 10.0.0.0/8 network will not be tunneled and will be allowed access via a split tunnel.
E. Clients will be assigned IP addresses in the 10.10.0.0/16 range.

Answer: A,C

QUESTION NO: 4
Which two of these are benefits of implementing a zone-based policy firewall in transparent mode? (Choose two.)

A. Less firewall management is needed.
B. It can be easily introduced into an existing network.
C. IP readdressing is unnecessary.
D. It adds the ability to statefully inspect non-IP traffic.
E. It has less impact on data flows.

Answer: B,C

QUESTION NO: 5
When configuring a zone-based policy firewall, what will be the resulting action if you do not specify any zone pairs for a possible pair of zones?

A. All sessions will pass through the zone without being inspected.
B. All sessions will be denied between these two zones by default.
C. All sessions will have to pass through the router "self zone" for inspection before being allowed to pass to the destination zone.
D. This configuration statelessly allows packets to be delivered to the destination zone.

Answer: B

QUESTION NO: 6
Refer to the exhibit. What can be determined from the output of this show command?

A. The IPsec connection is in an idle state.
B. The IKE association is in the process of being set up.
C. The IKE status is authenticated.
D. The ISAKMP state is waiting for quick mode status to authenticate before IPsec parameters are passed between peers.
E. IKE Quick Mode is in the idle state, indicating a problem with IKE phase 1.

Answer: C

QUESTION NO: 7 DRAG DROP

Answer:

Explanation:
Delete IPsec security association -> clear crypto sa
Verify cryptographic configurations and show SA lifetimes -> show crypto map
Verify the IPsec protection policy settings -> show crypto ipsec transform-set
Verify current IPsec settings in use by the SAs -> show crypto ipsec sa
Clear active IKE connections -> clear crypto isakmp

QUESTION NO: 8
You are running Cisco IOS IPS software on your edge router. A new threat has become an issue. The Cisco IOS IPS software has a signature that can address the new threat, but you previously retired the signature. You decide to unretire that signature to regain the desired protection level. How should you act on your decision?

A. Retired signatures are not present in the router's memory. You will need to download a new signature package to regain the retired signature.
B. You should re-enable the signature and start inspecting traffic for signs of the new threat.
C. Unretiring a signature will cause the router to recompile the signature database, which can temporarily affect performance.
D. You cannot unretire a signature. To avoid a disruption in traffic flow, it's best to create a custom signature until you can download a new signature package and reload the router.

Answer: C

QUESTION NO: 9
Which statement best describes inside policy-based NAT?

A. Policy NAT rules are those that determine which addresses need to be translated per the enterprise security policy.
B. Policy NAT consists of policy rules based on outside sources attempting to communicate with inside endpoints.
C. These rules use source addresses as the decision for translation policies.
D. These rules are sensitive to all communicating endpoints.

Answer: A

QUESTION NO: 10
Refer to the exhibit. What can be determined about the IPS category configuration shown?

A. All categories are disabled.
B. All categories are retired.
C. After all other categories were disabled, a custom category named "os ios" was created.
D. Only attacks on the Cisco IOS system result in preventative actions.

Answer: D

QUESTION NO: 11
When Cisco IOS IPS is configured to use SDEE for event notification, how are events managed?

A. They are stored in the router's event store and will allow authenticated remote systems to pull events from the event store.
B. All events are immediately sent to the remote SDEE server.
C. Events are sent via syslog over a secure SSL/TLS communications channel.
D. When the event store reaches its maximum configured number of event notifications, the stored events are sent via SDEE to a remote authenticated server and a new event store is created.

Answer: A

QUESTION NO: 12
Which two of these will match a regular expression with the following configuration parameters? [a-zA-Z][0-9][a-z] (Choose two.)

A. Q3h
B. B4Mn
C. aaB132AA
D. c7lm
E. BBpjnrIT

Answer: A,D

QUESTION NO: 13
Which of these is a configurable Cisco IOS feature that triggers notifications if an attack attempts to exhaust critical router resources and if preventative controls have been bypassed or are not working correctly?

A. Control Plane Protection
B. Management Plane Protection
C. CPU and memory thresholding
D. SNMPv3

Answer: C

QUESTION NO: 14
Which Cisco IOS IPS feature allows you to remove one or more actions from all active signatures based on the attacker and/or target address criteria, as well as the event risk rating criteria?

A. signature event action filters
B. signature event action overrides
C. signature attack severity rating
D. signature event risk rating

Answer: A

QUESTION NO: 15
You are troubleshooting reported connectivity issues from remote users who are accessing corporate headquarters via an IPsec VPN connection. What should be your first step in troubleshooting these issues?

A. issue a show crypto isakmp policy command to verify matching policies of the tunnel endpoints
B. ping the tunnel endpoint
C. run a traceroute to verify the tunnel path
D. debug the connection process and look for any error messages in tunnel establishment

Answer: B

QUESTION NO: 16
Which of these is correct regarding the configuration of virtual-access interfaces?

A. They cannot be saved to the startup configuration.
B. You must use static routes inside the tunnels.
C. DVTI interfaces should be assigned a unique IP address range.
D. The Virtual-Access 1 interface must be enabled in an up/up state administratively.

Answer: A

QUESTION NO: 17
Refer to the exhibit. The INSIDE zone has been configured and assigned to two separate router interfaces. All other zones and interfaces have been properly configured. Given the configuration example shown, what can be determined?

A. Hosts in the INSIDE zone, with addresses in the 10.10.10.0/24 network, can access any host in the 10.10.10.0/24 network using the SSH protocol.
B. If a host in the INSIDE zone attempts to communicate via SSH with another host on a different interface within the INSIDE zone, communications must pass through the router self zone using the INTRAZONE policy.
C. This is an illegal configuration. You cannot have the same source and destination zones.
D. This policy configuration is not needed; traffic within the same zone is allowed to pass by default.

Answer: D

QUESTION NO: 18
Which action does the command private-vlan association 100,200 take?

A. configures VLANs 100 and 200 and associates them as a community
B. associates VLANs 100 and 200 with the primary VLAN
C. creates two private VLANs with the designation of VLAN 100 and VLAN 200
D. assigns VLANs 100 and 200 as an association of private VLANs

Answer: B

QUESTION NO: 19
Which of these allows you to add event actions globally based on the risk rating of each event, without having to configure each signature individually?

A. event action summarization
B. event action filter
C. event action override
D. signature event action processor

Answer: C

QUESTION NO: 20
When using Cisco Easy VPN, what are the three options for entering an XAUTH username and password for establishing a VPN connection from the Cisco Easy VPN remote router? (Choose three.)

A. using an external AAA server
B. entering the information via the router crypto ipsec client ezvpn connect CLI command in privileged EXEC mode
C. using the router local user database
D. entering the information from the PC via a browser
E. storing the XAUTH credentials in the router configuration file

Answer: B,D,E

QUESTION NO: 21
Which of these is true regarding tunnel configuration when deploying a Cisco ISR as a DMVPN hub router?

A. Only one tunnel can be created per tunnel source interface.
B. Only one tunnel can be created and should be associated with a loopback interface for dynamic redundancy.
C. The GRE tunnel key is used to encrypt the traffic going through the tunnel through the hub.
D. You can run multiple parallel DMVPNs on the hub router, but each tunnel requires a unique tunnel key.

Answer: D

QUESTION NO: 22
Given the Cisco IOS command crypto key generate rsa label MY_KEYS modulus 2048, which additional command keyword should be added if you would like to use these keys on another router or have the ability to back them up to another device?

A. redundancy
B. exportable
C. on:USB smart-token
D. usage-keys

Answer: B

QUESTION NO: 23
Which two types of deployments can be implemented for a zone-based policy firewall? (Choose two.)

A. routed mode
B. interzone mode
C. fail open mode
D. transparent mode
E. inspection mode

Answer: A,D

QUESTION NO: 24 DRAG DROP

Answer:

Explanation:
Dropping application layer protocol units that do not conform to the protocol standard.
An application-aware method of filtering that works on OSI layers 3 and 4.
Filtering inside the protocol and its related content.

QUESTION NO: 25
What is the result of configuring the command dot1x system-auth-control on a Cisco Catalyst switch?

A. enables the switch to operate as the 802.1X supplicant
B. globally enables 802.1X on the switch
C. globally enables 802.1X and defines ports as 802.1X-capable
D. places the configuration sub-mode into dot1x-auth mode, in which you can identify the authentication server parameters

Answer: B

QUESTION NO: 26
Which information is displayed when you enter the Cisco IOS command show epm session?

A. Enforcement Policy Module sessions
B. External Proxy Mappings, per authenticated sessions
C. Encrypted Policy Management sessions
D. Enhanced Protected Mode sessions

Answer: A

QUESTION NO: 27
Refer to the exhibit. Based on the partial configuration shown, which item is missing from the GET VPN group member GDOI configuration?

A. key server IP address
B. local priority
C. mapping of the IPsec profile to the IPsec SA
D. mapping of the IPsec transform set to the GDOI group

Answer: A

QUESTION NO: 28
Refer to the exhibit. Given the partial configuration shown, which two statements are correct? (Choose two.)

A. The tunnel will use the routing protocol configured for GigabitEthernet 1/1 for all tunnel communication with the peer.
B. The IP route statement to reach the remote network behind the DMVPN peer is incorrect; it should be ip route 192.168.2.0 255.255.255.0 tunnel 0.
C. This is an example of a static point-to-point VTI tunnel.
D. The tunnel will use esp-sha-hmac encryption in ESP tunnel mode.
E. The tunnel will use 128-bit AES encryption in ESP tunnel mode.

Answer: C,E

QUESTION NO: 29
You are troubleshooting a Cisco Easy VPN installation that is experiencing session establishment problems. You have verified that matching IKE and IPsec policies exist on both peers. The remote client has also successfully entered authentication credentials. What is the next step to take in troubleshooting this problem?

A. verify that the router is not denying traffic from the tunnel
B. verify that the router is able to assign an IP address to the client
C. examine routing tables
D. issue a ping from the client to the router to verify reachability

Answer: B

QUESTION NO: 30
Which of these is a result of using the same routing protocol process for routing outside and inside the VPN tunnel?

A. This will provide for routing-protocol-based failover redundancy.
B. Spoke routers will be able to dynamically learn routes to peer networks.
C. This will allow VPN-encapsulated packets to be routed out the correct physical interface used to reach the remote peer.
D. The tunnel will constantly flap.

Answer: D

QUESTION NO: 31 DRAG DROP

Answer:

Explanation:
VLAN Assignment
Time-based access
Endpoint posture assessment

QUESTION NO: 32
Refer to the exhibit. What can be determined from the output of this show command?

A. The switch port interface is enabled and operating as a community port.
B. The interface is acting as an isolated switch port operating in VLAN 1.
C. The interface is configured for Private VLAN Edge.
D. The switch port interface is not a trusted port.

Answer: C

QUESTION NO: 33
You are troubleshooting a problem related to IPsec connectivity issues. You see that there is no ISAKMP security association established between peers. You debug the connection process and see an error message of 1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0. What does this message indicate?

A. This indicates a policy mismatch.
B. This indicates that the offered attributes did not contain a payload.
C. IKE has failed initial attempts and will resend policy offerings to the peer router.
D. The time stamp of the message shows that it is one day old. This could indicate a possible mismatch of system clocks and invalidate the connection attempt.

Answer: A

QUESTION NO: 34
Refer to the exhibit. Given the output shown, what can be determined?

A. An attacker has sent a spoofed DHCP address.
B. An attacker has sent a spoofed ARP response that violates a static mapping.
C. The MAC address has matched a deny rule within the ACL.
D. This is an invalid proxy ARP packet, as indicated by the 0000.0000.0000 MAC address on the destination.

Answer: B

QUESTION NO: 35
Which command will enable a SCEP interface when you are configuring a Cisco router to be a certificate server?

A. scep enable (under interface configuration mode)
B. crypto pki scep enable
C. grant auto
D. ip http server

Answer: D

QUESTION NO: 36
When 802.1X is implemented, how do the client (supplicant) and authenticator communicate?

A. RADIUS
B. TACACS+
C. MAB
D. EAPOL

Answer: D

QUESTION NO: 37
Refer to the exhibit. Assuming that all other supporting configurations are correct, what can be determined from the partial IP admission configuration shown?

A. The router will forward authentication requests to a AAA server for authentication and authorization.
B. The local user password is thl3F4ftvA.
C. The router will intercept incoming HTTP sessions on interface G0/0 for authentication.
D. The SUPERUSER's privilege level is being restricted.
E. The attribute type supplicant-group "SUPERUSER" configuration can be used to match criteria in the "inspect" class-map type using the match access-group option.

Answer: C

QUESTION NO: 38
Which of these is an implementation guideline when deploying the IP Source Guard feature in an environment with multiple switches?

A. Do not configure IP Source Guard on interswitch links.
B. Configure PACLs for DHCP-addressed end devices.
C. IP Source Guard must be configured in the trunk subconfiguration mode to work on interswitch links.
D. Configure static IP Source Guard mapping for all access ports.

Answer: A

QUESTION NO: 39 DRAG DROP

Answer:

Explanation:
Dynamic Inside NAT
Dynamic Inside PAT
Static Inside NAT
Static Inside PAT

QUESTION NO: 40
What does the command errdisable recovery cause arp-inspection interval 300 provide for?

A. It will disable a port when the ARP rate limit of 300 packets per second is received and wait a configured interval time before placing the port back in normal operation.
B. It will inspect for ARP-disabled ports every 300 seconds.
C. It will recover a disabled port and limit ARP traffic to 300 packets per second to avoid potential ARP attacks from reoccurring.
D. It will recover a disabled port due to an ARP inspection condition in 5 minutes.

Answer: D

QUESTION NO: 41
You have configured Management Plane Protection on an interface on a Cisco router. What is the resulting action on implementing MPP?

A. Inspection of protected management interfaces is automatically configured to ensure that management protocols comply with standards.
B. The router gives preference to the configured management interface. If that interface becomes unavailable, management protocols will be allowed on alternate interfaces.
C. Along with normal user data traffic, management traffic is also allowed only on the protected interface.
D. Only management protocols are allowed on the protected interface.

Answer: D

QUESTION NO: 42 DRAG DROP

Answer:

Explanation:
Use static access ports
Disable DTP
Avoid trunk native VLAN on access ports

QUESTION NO: 43
Refer to the exhibit. What can be determined from the configuration shown?

A. The community SNMP string is SNMP-MGMT-VIEW.
B. All interfaces will be included in the SNMP GETs.
C. This SNMP group will only allow read access to interface MIBs.
D. The SNMP server group is using 128-bit SHA authentication.

Answer: C

QUESTION NO: 44
When enabling the Cisco IOS IPS feature, which step should you perform to prevent rogue signature updates from being installed on the router?

A. configure authentication and authorization for maintaining signature updates
B. install a known RSA public key that correlates to a private key used by Cisco
C. manually import signature updates from Cisco to a secure server, and then transfer files from the secure server to the router
D. use the SDEE protocol for all signature updates from a known secure management station

Answer: B

QUESTION NO: 45
A user has requested a connection to an external website. After initiating the connection, a message appears in the user's browser stating that access to the requested website has been denied by the company usage policy. What is the most likely reason for this message to appear?

A. An antivirus software program has blocked the session request due to potential malicious content.
B. The network has been configured with a URL filtering service.
C. The network has been configured for 802.1X authentication and the user has failed to authenticate.
D. The user's configured policy access level does not contain proper permissions.

Answer: B

QUESTION NO: 46
Refer to the exhibit. Given the partial configuration shown, what can be determined?

A. This is an example of a dynamic policy PAT rule.
B. This is an example of a static policy NAT rule.
C. Addresses in the 10.10.30.0 network will be exempt from translation when destined for the 10.100.100.0 network.
D. The extended access list provides for one-to-one translation mapping of the 10.10.30.0 network to the 10.100.100.0 network.

Answer: A

QUESTION NO: 47
When is it most appropriate to choose IPS functionality based on Cisco IOS software?

A. when traffic rates are low and a complete signature is not required
B. when accelerated, integrated performance is required using hardware ASIC-based IPS inspections
C. when integrated policy virtualization is required
D. when promiscuous inspection meets security requirements

Answer: A

QUESTION NO: 48
When performing NAT, which of these is a limitation you need to account for?

A. exhaustion of port number translations
B. embedded IP addresses
C. security payload identifiers
D. inability to provide mutual connectivity to networks with overlapping address spaces

Answer: B

QUESTION NO: 49 DRAG DROP

Answer:

Explanation:
Routing Protocol Filtering
BPDU Guard
VTP Authentication
Routing Protocol Authentication

QUESTION NO: 50
You have enabled Cisco IOS IPS on a router in your network. However, you are not seeing expected events on your monitoring system (such as Cisco IME). On the router, you see events being captured. What is the next step in troubleshooting the problem?

A. verify that syslog is configured to send events to the correct server
B. verify SDEE communications
C. verify event action rules
D. verify that the IPS license is valid

Answer: B

QUESTION NO: 51
Which two of these are features of control plane security on a Cisco ISR? (Choose two.)

A. CoPP
B. RBAC
C. AAA
D. CPPr
E. uRPF
F. FPM

Answer: A,D

QUESTION NO: 52
Which two of these are potential results of an attacker performing a DHCP server spoofing attack? (Choose two.)

A. DHCP snooping
B. DoS
C. confidentiality breach
D. spoofed MAC addresses
E. switch ports being converted to an untrusted state

Answer: B,C

QUESTION NO: 53
When Cisco IOS IPS signatures are being tuned, how is the Target Value Rating assigned?

A. It is calculated from the Event Risk Rating.
B. It is calculated from a combination of the Attack Severity Rating and Signature Fidelity Rating.
C. It is manually set by the administrator.
D. It is set based upon SEAP functions.

Answer: C

QUESTION NO: 54
Which of these should you do before configuring IP Source Guard on a Cisco Catalyst switch?

A. Enable NTP for event correlation
B. Enable IP routing authentication
C. Configure an access list with exempt DHCP-initiated IP address ranges
D. Turn DHCP snooping on at least 24 hours in advance

Answer: D

QUESTION NO: 55
What action will the parameter-map type ooo global command enable?

A. globally initiates tuning of the router's TCP normalizer parameters for out-of-order packets
B. globally classifies type ooo packets within the parameter map and subsequent policy map
C. enables a parameter map named ooo
D. configures a global parameter map for traffic destined to the router itself

Answer: A

QUESTION NO: 56 DRAG DROP

Answer:

Explanation:
Port ACLs
Port Security
VLAN ACLs
Private VLANs

QUESTION NO: 57
Scenario: To access the router console ports, refer to the exhibit and click router R1 or R2 for access. The ISP router will not need to be accessed. You will be placed directly into Cisco IOS enable mode. Using CLI show commands, answer the questions presented regarding GET VPN configurations. For this exercise, you will not be able to use show running-config or show start-config CLI commands. You may use other specific show run and global show commands to determine the correct answers. Not all Cisco IOS CLI features are enabled for this simulation.

What is the registration status of the group member router and what is the IP address of the key server? (Choose two.)

A. group registration has not yet been attempted
B. the member router is registered with the
C. 192.168.2.2
D. 192.168.12

Answer: B,D

QUESTION NO: 58
Scenario: To access the router console ports, refer to the exhibit and click router R1 or R2 for access. The ISP router will not need to be accessed. You will be placed directly into Cisco IOS enable mode. Using CLI show commands, answer the questions presented regarding GET VPN configurations. For this exercise, you will not be able to use show running-config or show start-config CLI commands. You may use other specific show run and global show commands to determine the correct answers. Not all Cisco IOS CLI features are enabled for this simulation.

On the key server router, what is the name of the transform set applied to the IPsec profile and which protection services is the transform set providing? (Choose two.)

A. the name is ESP-3DES-SHA
B. the name is GETSET
C. the transform set is offering esp-aes esp-sha-hmac
D. the transform set is offering esp-3des esp-sha-hmac

Answer: B,C

QUESTION NO: 59
Scenario: To access the router console ports, refer to the exhibit and click router R1 or R2 for access. The ISP router will not need to be accessed. You will be placed directly into Cisco IOS enable mode. Using CLI show commands, answer the questions presented regarding GET VPN configurations. For this exercise, you will not be able to use show running-config or show start-config CLI commands. You may use other specific show run and global show commands to determine the correct answers. Not all Cisco IOS CLI features are enabled for this simulation.

Which router is acting as the key server and which is acting as a group member? (Choose two.)

A. Router 1 is the key server
B. Router 2 is the key server
C. Router 1 is the group member
D. Router 2 is the group member
E. The ISP router is the key server
F. The ISP router is the group member
G. Router 1 and Router 2 are both key servers
H. Router 1 and Router 2 are both group members

Answer: B,F

QUESTION NO: 60
Scenario: To access the router console ports, refer to the exhibit and click router R1 or R2 for access. The ISP router will not need to be accessed. You will be placed directly into Cisco IOS enable mode. Using CLI show commands, answer the questions presented regarding GET VPN configurations. For this exercise, you will not be able to use show running-config or show start-config CLI commands. You may use other specific show run and global show commands to determine the correct answers. Not all Cisco IOS CLI features are enabled for this simulation.

What is the identity used to distinguish the GETVPNGROUP GDOI group?

A. the IP address of the peer
B. identity number 67890
C. group 14
D. GETVPNKEY

Answer: A,D

QUESTION NO: 61
Scenario: To access the router console ports, refer to the exhibit and click router R1 or R2 for access. The ISP router will not need to be accessed. You will be placed directly into Cisco IOS enable mode. Using CLI show commands, answer the questions presented regarding GET VPN configurations. For this exercise, you will not be able to use show running-config or show start-config CLI commands. You may use other specific show run and global show commands to determine the correct answers. Not all Cisco IOS CLI features are enabled for this simulation.

On the group member router, where is the crypto map applied and what is the ISAKMP shared key? (Choose two.)

A. the crypto map is applied to the FastEthernet0/1 interface
B. the crypto map name is applied globally on the router and is active on all enabled interfaces
C. the shared key is GETVPNKEY
D. the shared key is 67890

Answer: A,B

QUESTION NO: 62
Which protocol is EAP encapsulated in for communications between the authenticator and the authentication server?

A. EAP-MD5
B. IPsec
C. EAPOL
D. RADIUS

Answer: D

QUESTION NO: 63
You are loading a basic IPS signature package onto a Cisco router. After a period of time, you see this message: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 275013 ms. What do you expect happened during downloading and compilation of the files?

A. The files were successfully copied with an elapsed time of 275013 ms. The router will continue with extraction and compilation of the signature database.
B. The signature engines were compiled, but there is no indication that the actual signatures were compiled.
C. The compilation failed for some of the signature engines. There are 16 engines, but only 6 were completed according to the %IPS-6 message.
D. The files were compiled without error.

Answer: D

QUESTION NO: 64
Refer to the exhibit. Given the configuration shown, which of these statements is correct?

A. An external service is providing URL filtering via a subscription service.
B. All HTTP traffic to websites with the name "Gambling" included in the URL will be reset.
C. A service policy on the zone pair needs to be configured in the opposite direction; otherwise all return HTTP traffic will be blocked by policy.
D. The URL filter policy has been configured in a fail-closed scenario.

Answer: A

QUESTION NO: 65 DRAG DROP

Answer:

Explanation:
Spoke-to-hub GRE and IPsec tunnels are created.
NHRP mappings are created.
All spoke traffic is forwarded to the hub.

QUESTION NO: 66
Refer to the exhibit. Which two of these are most likely to have caused the issue with NHRP, given this output of the show command? (Choose two.)

A. There was a network ID mismatch.
B. The spoke router has not yet sent a request via Tunnel0.
C. The spoke router received a malformed NHRP packet.
D. There was an authentication key mismatch.
E. The registration request was expecting a return request ID of 1201, but received an ID of 120.

Answer: A,D

QUESTION NO: 67 DRAG DROP

Answer:

Explanation:
Event action filter
Event action override
Target value rating

QUESTION NO: 68
You have configured a guest VLAN using 802.1X on a Cisco Catalyst switch. A client incapable of using 802.1X has accessed the port and has been assigned to the guest VLAN. What happens when a client capable of using 802.1X joins the network on the same port?
A. The client capable of using 802.1X is allowed access and proper security policies are applied to the client.
B. EAPOL packets will not be allowed on the guest VLAN and the access attempt will fail.
C. The port is put into the unauthorized state in the user-configured access VLAN, and authentication is restarted.
D. This is considered a security breach by the authentication server and all users on the access port will be placed into the restricted VLAN.
Answer: C
Explanation:

QUESTION NO: 69
Refer to the exhibit. What can be determined from the information shown?
A. The user has been restricted to privilege level 1.
B. The standard access list should be reconfigured as an extended access list to allow desired user permissions.
C. RBAC has been configured with restricted views.
D. IP access list DMZ_ACL has not yet been configured with proper permissions.
Answer: C
Explanation:

QUESTION NO: 70
Refer to the exhibit. Assuming that all other supporting configurations are correct, what can be determined from the partial IP admission configuration shown?
A. The router will forward authentication requests to a AAA server for authentication and authorization.
B. The user maint3nanc3 will have complete CLI command access once authenticated.
C. After a period of 20 minutes, the user will again be required to provide authentication credentials.
D. The authentication proxy will fail, because the router's HTTP server has not been enabled.
E. All traffic entering interface G0/1 will be intercepted for authentication, but only Telnet traffic will be authorized.
Answer: C
Explanation:

QUESTION NO: 71
What will the authentication event fail retry 0 action authorize vlan 300 command accomplish?
A. assigns clients that fail 802.1X authentication into the restricted VLAN 300
B. assigns clients to VLAN 300 and attempts reauthorization
C. assigns a client to the guest VLAN 300 if it does not receive a response from the client to its EAPOL request/identity frame
D. locks out a user who fails an 802.1X authentication and does not allow the user to try to gain network access again for 300 seconds
Answer: A
Explanation:

QUESTION NO: 72 DRAG DROP

Answer:

Explanation:
Protocol verification
Payload minimization
Protocol minimization
Application layer inspections

QUESTION NO: 73
When you are configuring a hub-and-spoke DMVPN network, which tunnel mode should you use for the spoke router configuration?
A. GRE multipoint
B. classic point-to-point GRE
C. IPsec multipoint
D. nonbroadcast multiaccess
Answer: B
Explanation:

QUESTION NO: 74
Which Cisco IOS feature provides secure, on-demand, meshed connectivity?
A. DMVPN
B. Easy VPN
C. IPsec VPN
D. mGRE
Answer: A
Explanation:

QUESTION NO: 75
You have configured a Cisco router to act as a PKI certificate server. However, you are experiencing problems starting the server. You have verified that all CA parameters have been correctly configured. What is the next step you should take in troubleshooting this problem?
A. Disable and restart the router's HTTP server function
B. Enable the SCEP interface
C. Verify the RSA key pair and generate new keys
D. Verify that the correct time is being used and time sources are reachable
Answer: D
Explanation:

QUESTION NO: 76
Which three of these are features of data plane security on a Cisco ISR? (Choose three.)
A. uRPF
B. NetFlow export
C. FPM
D. CPPr
E. RBAC
F. routing protocol filtering
Answer: A,B,C
Explanation:

QUESTION NO: 77
What will the authentication event fail retry 0 action authorize vlan 300 command accomplish?
A. assigns clients that fail 802.1X authentication into the restricted VLAN 300
B. assigns clients to VLAN 300 and attempts reauthorization
C. assigns a client to the guest VLAN 300 if it does not receive a response from the client to its EAPOL request/identity frame
D. locks out a user who fails an 802.1X authentication and does not allow the user to try to gain network access again for 300 seconds
Answer: A
Explanation:

QUESTION NO: 78
When you are configuring DHCP snooping, how should you classify access ports?
A. untrusted
B. trusted
C. promiscuous
D. private
Answer: A
Explanation:

QUESTION NO: 79
When configuring URL filtering with the Trend Micro filtering service, which of these steps must you take to prepare for configuration?
A. define blacklists and whitelists
B. categorize traffic types
C. install the appropriate root CA certificate on the router
D. synchronize clocks via NTP to ensure accuracy of URL filter updates from the service
Answer: D
Explanation:

QUESTION NO: 80
Which of these is correct regarding the functionality of DVTI tunnels?
A. DVTI tunnels are created dynamically from a preconfigured template as tunnels are established to the hub.
B. The hub router needs a static DVTI tunnel to each spoke router in order to establish remote communications from spoke to spoke.
C. Spoke routers require a virtual template to clone the configuration on which the DVTI tunnel is established.
D. DVTI tunnels appear on the hub as tunnel interfaces.
Answer: C
Explanation:

QUESTION NO: 81
When implementing GET VPN, which of these is a characteristic of GDOI IKE?
A. GDOI IKE sessions are established between all peers in the network.
B. Security associations do not need to linger between members once a group member has authenticated to the key server and obtained the group policy.
C. Each pair of peers has a private set of IPsec security associations that is only shared between the two peers.
D. GDOI IKE uses UDP port 500.
Answer: B
Explanation:

QUESTION NO: 82 DRAG DROP

Answer:

Explanation:
User Traffic Encapsulation: Tunneling VPN; Non-tunneling VPN
Configuration Scalability: Automated peer discovery; Manual provisioning of paths
Authentication Scalability: Manual provisioning of peer identity; PKI provisioning

QUESTION NO: 83 DRAG DROP

Answer:

Explanation:
Step 1: The VPN Client initiates IKE Phase 1.
Step 2: The VPN Client establishes an ISAKMP SA.
Step 3: The Easy VPN Server accepts the SA proposal.
Step 4: The Easy VPN Server initiates a username and password challenge.
Step 5: The mode configuration process is initiated.
Step 6: The RRI process is initiated.
Step 7: IPsec quick mode completes the connection process.

QUESTION NO: 84
Which of these are the two types of keys used when implementing GET VPN? (Choose two.)
A. key encryption
B. group encryption
C. pre-shared key
D. public key
E. private key
F. traffic encryption key
Answer: A,F
Explanation:

QUESTION NO: 85 CORRECT TEXT

Scenario: You have been given the task of performing initial zone-based policy firewall configurations. You will need to create zones, assign the zones to specific interfaces, and create zone pairs to allow for traffic flow between interfaces. You will also need to define a zone-based policy firewall and assign the policy to the zone pair. To access the router console ports, refer to the exhibit, click the router for access, and perform the following tasks.

Note that when performing the configuration, you should use the exact names highlighted in bold below:
- Globally create zones and label them with the following names: OUTSIDE, INSIDE
- Assign interfaces to zones as indicated in the exhibit
- Create a zone pair for traffic flowing from the inside to outside zones named IN-TO-OUT
- Define a zone-based firewall policy named IN-TO-OUT-POLICY
- Use the "match protocol" classification option to statefully inspect HTTP traffic and drop all other traffic
- Use a class-map named HTTP_POLICY
- Apply zone-based firewall policy IN-TO-OUT-POLICY to the zone pair

Answer:
First we divide the network into two zones: INSIDE and OUTSIDE.
! Create the two security zones
Router(config)#zone security INSIDE
Router(config)#zone security OUTSIDE
! Place each interface into its zone (interface numbers as shown in the exhibit)
Router(config)#interface fa0/0/1
Router(config-if)#no shutdown
Router(config-if)#zone-member security INSIDE
Router(config-if)#exit
Router(config)#interface fa0/0/0
Router(config-if)#no shutdown
Router(config-if)#zone-member security OUTSIDE
Router(config-if)#exit
! Classify HTTP traffic with the required class-map name
Router(config)#class-map type inspect match-any HTTP_POLICY
Router(config-cmap)#match protocol http
Router(config-cmap)#exit
! Inspect HTTP statefully; anything not matching falls into class-default, which drops by default
Router(config)#policy-map type inspect IN-TO-OUT-POLICY
Router(config-pmap)#class type inspect HTTP_POLICY
Router(config-pmap-c)#inspect
Router(config-pmap-c)#exit
Router(config-pmap)#exit
! Create the inside-to-outside zone pair and attach the policy to it
Router(config)#zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
Router(config-sec-zone-pair)#service-policy type inspect IN-TO-OUT-POLICY

QUESTION NO: 86
Refer to the exhibit. What can be determined from the partial configuration shown?
A. The zone-based policy firewall is providing for bridging of non-IP protocols.
B. Since the interfaces are in the same bridge group, access policies are not required.
C. Traffic flow will be allowed to pass between the interfaces without being inspected.
D. The zone-based policy firewall is operating in transparent mode.
Answer: D
Explanation:

QUESTION NO: 87
When is it feasible for a port to be both a guest VLAN and a restricted VLAN?
A. this configuration scenario is never implemented
B. when you have configured the port for promiscuous mode
C. when private VLANs have been configured to place each end device into different subnets
D. when you want to allow both types of users the same services
Answer: D
Explanation:

QUESTION NO: 88
Refer to the exhibit. What can be determined from the information provided in the system image output?
A. The router supports LDAP.
B. A Key Version of "A" indicates that this is an advanced IP security image of the Cisco IOS system.
C. The router is in ROM monitor mode.
D. This is a digitally-signed Cisco IOS image.
Answer: D
Explanation:

QUESTION NO: 89
Which three of these are sources used when the router is configured for URL filtering? (Choose three.)
A. Websense URL filter
B. AAA server downloadable ACLs
C. ASA URL filter feature set
D. Trend Micro cloud-based URL filter service
E. locally configured filter rules on the router
F. Cisco SenderBase URL filtering service
Answer: A,D,E
Explanation:

QUESTION NO: 90
In an 802.1X environment, which feature allows for non-802.1X-supported devices such as printers and fax machines to authenticate?
A. multiauth
B. WebAuth
C. MAB
D. 802.1X guest VLAN
Answer: C
Explanation:

QUESTION NO: 91
The advantages of virtual tunnel interfaces (VTIs) over GRE VPN solutions are which three of the following? (Choose three.)
A. VTI can support QoS.
B. VTI provides a routable interface.
C. VTI supports nonencrypted tunnels.
D. VTI is more scalable than a GRE-based VPN solution.
E. IPsec VTIs need fewer established SAs to cover different types of traffic, both unicast and multicast, thus enabling improved scaling.
F. IPsec VTIs require a loopback interface for configuration.
Answer: A,B,E
Explanation:

QUESTION NO: 92
In Cisco IOS 15.0.1M code for the router platform, which new feature has been added to the zone-based policy firewall?
A. removal of support for port-to-application matching
B. ability to configure policies for traffic that is traveling between interfaces in the same security zone
C. intrazone traffic is not freely permitted by default now
D. NBAR is not compatible with transparent firewall
Answer: B
Explanation:

QUESTION NO: 93
When configuring NAT, which three protocols that are shown may have limitations or complications when using NAT? (Choose three.)
A. Kerberos
B. HTTPS
C. NTP
D. SIP
E. FTP
F. SQL
Answer: A,D,E
Explanation:

QUESTION NO: 94
Which two answers are potential results of an attacker that is performing a DHCP server spoofing attack? (Choose two.)
A. ability to selectively change DHCP options fields of the current DHCP server, such as the giaddr field
B. DoS
C. excessive number of DHCP discovery requests
D. ARP cache poisoning on the router
E. client unable to access network resources
Answer: B,E
Explanation:

QUESTION NO: 95
Cisco IOS Software displays the following message: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL. What does this message indicate?
A. The message indicates that an attacker is pretending to be a DHCP server on an untrusted port.
B. The source MAC address in the Ethernet header does not match the address in the "chaddr" field of the DHCP request message.
C. The message indicates that the DHCP snooping has dropped a DHCP message that claimed an existing, legitimate host is present on an unexpected interface.
D. A Layer 2 port security MAC address violation has occurred on an interface that is set up for untrusted DHCP snooping.
Answer: B
Explanation:

QUESTION NO: 96
Refer to the exhibit. Based on the partial configuration that is provided, if a non-802.1X client connects to a port on this switch, which VLAN will it be assigned to, and how long will it take for the port to time out and transition to the guest VLAN? (Choose all that apply.)
A. The switch is configured for the default 802.1X timeout period of 90 seconds.
B. The 802.1X authentication process will time out in 10 seconds and immediately change the port to the guest VLAN.
C. The 802.1X authentication process will time out, and the switch will roll over the port to the guest VLAN in 15 seconds.
D. The non-802.1X client and phones will all be assigned to VLAN 30.
E. The non-802.1X client will be assigned to VLAN 40.
F. The non-802.1X client will be assigned to VLAN 10.
Answer: C,E
Explanation:

QUESTION NO: 97
When 802.1X is implemented, how do the authenticator and authentication server communicate?
A. RADIUS
B. TACACS+
C. MAB
D. EAPOL
Answer: A
Explanation:

QUESTION NO: 98
Refer to the exhibit. What can be determined about IPS updates from the configuration shown?
A. Updates will be stored on the ida-client server.
B. Updates will be stored in the directory labeled "cisco."
C. Updates will be retrieved from an external source every day of the week.
D. Updates will occur once per week on Sundays between midnight and 6 a.m. (0000 and 0600).
Answer: C
Explanation:

QUESTION NO: 99
Refer to the exhibit. Which of these is correct based on the partial configuration shown?
A. The policy is configured to use an authentication key of "rsa-sig."
B. The policy is configured to use hashing group sha-1.
C. The policy is configured to use triple DES IPsec encryption.
D. The policy is configured to use digital certificates.
E. The policy is configured to use access list 101 to identify the IKE-protected traffic.
Answer: D
Explanation:

QUESTION NO: 100
When uploading an IPS signature package to a Cisco router, what is required for the upload to self-extract the files?
A. the idconf on the end of the copy command
B. a public key on the Cisco router
C. IPS must be disabled on the upload interface
D. HTTP Secured server must be enabled
Answer: A
Explanation:

QUESTION NO: 101
To prevent a spanning-tree attack, which command should be configured on a distribution switch port that is connected to an access switch?
A. spanning-tree portfast bpduguard default
B. spanning-tree backbone fast
C. spanning-tree bpduguard enable
D. spanning-tree guard root
Answer: D
Explanation:

QUESTION NO: 102
In a GET VPN solution, which two ways can the key server distribute the new keys to the group members during the rekey process? (Choose two.)
A. multicast UDP transmission
B. multicast TCP transmission
C. unicast UDP transmission
D. unicast TCP transmission
Answer: A,C
Explanation:

QUESTION NO: 103
You are a network administrator and are moving a web server from inside the company network to a DMZ segment that is located on a Cisco router. The web server was located at IP address 172.16.10.50 on the inside and changed to the IP address 172.20.10.5 on the DMZ. Additionally, you are moving the web port to 8080 but do not want your inside users to be affected. Which NAT statement should you configure on your router to support the change?
A. hostname(config)# ip nat inside source static 172.16.10.50 172.20.10.5
B. hostname(config)# ip nat inside source static tcp 172.16.10.50 80 172.20.10.5 8080
C. hostname(config)# ip nat outside source static tcp 172.16.10.50 80 172.20.10.5 8080
D. hostname(config)# ip nat static outside source tcp 172.20.10.5 80 172.16.10.50 8080
E. hostname(config)# ip nat static inside source udp 172.20.10.50 172.20.10.5
Answer: B
Explanation:

QUESTION NO: 104
When configuring NAT, and your solution requires the ability to see the inside local and outside global address entries and any TCP or UDP port in the show ip nat command output, how should NAT be configured on the router?
A. use the overload option on the end of your static NAT statement
B. include both static and dynamic NAT configuration on the router
C. tie the ip nat inside command to a dynamic NAT pool
D. attach a route-map to the ip nat inside command
E. configure the ip nat inside command to an extended ACL
Answer: D
Explanation:

QUESTION NO: 105
Refer to the exhibit. You are working for a corporation that has connected its network to a partner network. Based on this partial configuration that is supplied in the exhibit, which two things happen to traffic that is inbound from the partner network (outside is 10.10.30.0/24) and the return traffic from the inside as it travels through this router? (Choose two.)
A. The source address of the IP packets that are traveling from the 10.10.30.0/24 network to 10.10.19.0/24 are translated to 172.19.1.0/24.
B. The destination address of IP packets that are traveling from 10.10.19.0/24 to any IP network is translated to 172.19.1.0/24.
C. IP traffic that is flowing from 10.10.19.0/24 to 10.10.30.0/24 has the source address translated to 172.19.1.0/24.
D. The destination address of IP packets that are traveling from 10.10.19.0/24 to 10.10.30.0/24 are translated to 172.19.1.0/24.
E. The destination address of IP packets that are traveling from 10.10.30.0/24 to 10.10.19.0/24 are translated to 172.19.1.0/24.
Answer: A,D
Explanation:

QUESTION NO: 106
You are a network administrator that is deploying a Cisco router that needs to support both PAT and site-to-site VPN on one public IP address. In order to make both work simultaneously, how should the NAT configuration be set up?
A. The VPN configuration should be set up with a static NAT configuration.
B. Because PAT does support AH, the VPN tunnel must not be configured with Encapsulating Security Payload (ESP).
C. An ACL should be attached to the nat command to permit the NAT traffic and deny the VPN traffic.
D. The nat configuration command needs to include a range of IP addresses with the overload word on the end.
E. A route-map should be used with the nat command to support the use of AH and ESP.
F. The ip nat inside command needs to exclude the VPN source address in the NAT pool.
Answer: C
Explanation:

QUESTION NO: 107
Refer to the exhibit. Based on the configuration that is shown in the exhibit, select the three answers that apply. (Choose three.)
A. The configuration supports multidomain authentication, which allows one MAC address on the voice VLAN and one on the data VLAN.
B. Traffic will not flow for either the phone or the host computer until one device completes the 802.1X authentication process.
C. Registration and DHCP traffic will flow on either the data or voice VLAN before authentication.
D. The port will only require the 802.1X supplicant to authenticate one time.
E. MAC Authentication Bypass will be attempted only after 802.1X authentication times out.
F. Non-802.1X devices are supported on this port by setting up the host for MAC address authentication in the endpoint database.
Answer: A,C,F
Explanation:

QUESTION NO: 108
You are finding that the 802.1X-configured ports are going into the error-disable state. Which command will show you the reason why a port is in the error-disable state, and which command will cause the port to be automatically re-enabled after a specific amount of time? (Choose two.)
A. show error-disable status
B. show error-disable recovery
C. show error-disable flap-status
D. error-disable recovery cause security-violation
E. error-disable recovery cause dot1x
F. error-disable recovery cause l2ptguard
Answer: B,D
Explanation:

QUESTION NO: 109
Your company requires that, if security is compromised on Phase 1 of a Diffie-Hellman key exchange, a secondary option will strengthen the security of the IPsec tunnel. What should you implement to ensure a higher degree of key material security?
A. Diffie-Hellman Phase II ESP
B. PFS Group 5
C. Transform-set SHA-256
D. XAUTH with AAA authentication
E. Diffie-Hellman Group 5 Phase I
Answer: B
Explanation:

QUESTION NO: 110
Which solution on a Cisco router requires the loading of a protocol header definition file (PHDF)?
A. reflexive access control lists
B. NetFlow
C. Flexible Packet Matching
D. Control Plane Policing
Answer: C
Explanation:

QUESTION NO: 111
You are troubleshooting a problem for which end users are reporting connectivity issues. Your network has been configured with Layer 2 protection controls. You have determined that the DHCP snooping database is correct and that proper static addressing maps have been configured. Which of these should be your next step in troubleshooting this problem?
A. Generate a proxy ARP request and verify that the DHCP database has been updated as expected.
B. Temporarily disable DHCP snooping and test connectivity again.
C. Clear the ARP tables and have end users release and renew their DHCP-learned addressing.
D. Use a protocol analyzer to determine if there are malformed DHCP or ARP packets.
Answer: D
Explanation:

QUESTION NO: 112
You are troubleshooting a reported connectivity issue from a remote office whose users are accessing corporate headquarters via an IPsec VPN connection. You issued a show crypto isakmp sa command on the headend router, and the state has MM_NO_STATE. Which debug command should you enter next, and which part of the VPN tunnel establishment process is failing? (Choose two.)
A. ISAKMP Phase II
B. ISAKMP Phase I
C. debug crypto isakmp sa
D. debug crypto isakmp
E. debug crypto ipsec
Answer: B,D
Explanation:

QUESTION NO: 113
You are installing a brand-new, site-to-site VPN tunnel and notice that it is not working correctly. When connecting to the corporate router and issuing a show crypto ipsec sa command, you notice that for this particular SA packets are being encrypted but not decrypted. What are two potential reasons for this problem? (Choose two.)
A. XAUTH needs to be enabled.
B. Inbound and outbound IP 50 packets are being filtered at the remote site.
C. The transform-set needs to be set to transport mode.
D. The access-list attached to the crypto map at the remote site is incorrect.
E. The remote site is failing Diffie-Hellman Phase I negotiation.
F. The NAT exception on the corporate side is filtering the return packets.
Answer: B,D
Explanation:

QUESTION NO: 114
Which two of these are features of control plane security on a Cisco ISR? (Choose two.)
A. CoPP
B. RBAC
C. AAA
D. CPPr
E. uRPF
F. FPM
Answer: A,D
Explanation:

QUESTION NO: 115
Which additional configuration steps are required for a zone-based policy firewall to operate in a VRF scenario?
A. You must assign zone-based policy firewall bridge groups to work in the virtual environment.
B. Separate zone-based policy firewall policies must be defined for each VRF environment.
C. Separate zones must be defined for each virtual zone-based policy firewall instance.
D. No special zone-based policy firewall configurations are needed.
Answer: D
Explanation:

QUESTION NO: 116
You are troubleshooting an IPsec VPN problem. During debugging of IPsec operations, you see the message "attributes not acceptable" on the IKE responder after issuing the debug crypto isakmp command. Which step should you take next?
A. verify matching ISAKMP policies on each peer
B. verify that an IKE security association has been established between peers
C. verify that IPsec transform sets match on each peer
D. verify if default IPsec attributes are in place on each peer
Answer: C
Explanation:

QUESTION NO: 117
Which state is a Cisco IOS IPS signature in if it does not take an appropriate associated action even if it has been successfully compiled?
A. retired
B. disabled
C. unsupported
D. inactive
Answer: B
Explanation:

QUESTION NO: 118
Which CLI command would you use to verify installed SSL VPN licensing on a Cisco 1900, 2900, or 3900 Series ISR?
A. show crypto ssl license
B. show crypto webvpn details
C. show webvpn license
D. show webvpn ssl license count all
E. show webvpn gateway
Answer: C
Explanation:

QUESTION NO: 119
Which statement is correct regarding GRE tunnel endpoints when you are configuring GRE over IPsec?
A. The tunnel interfaces of both endpoints must be in the same IP subnet.
B. A mirror image of the IPsec crypto ACL needs to be configured to permit the interesting end-user traffic between the GRE endpoints.
C. The tunnel interfaces of both endpoints should be configured to use the outside IP address of the router as the unnumbered IP address.
D. For high availability, the GRE tunnel interface should be configured with a primary and a backup tunnel destination IP address.
Answer: A
Explanation:

QUESTION NO: 120
Refer to the exhibit. Which of these is correct regarding the configuration parameters shown?
A. Complete certificates will be written to and stored in NVRAM.
B. The RSA key pair is valid for five hours before being revoked.
C. The router is configured as a certificate server.
D. Certificate lifetimes are mismatched and will cause intermittent connectivity errors.
E. The router has enrolled to the MY-TRUSTPOINT PKI server, which is an external CA server.
Answer: C
Explanation:

QUESTION NO: 121
Refer to the exhibit. When you are using dynamic IPsec VTI tunnels, what can you determine about virtual-access interfaces from the output shown?
A. The Virtual-Access1 interface currently does not have an IPsec peer connection established.
B. The Virtual-Access2 interface does not yet have an IPsec peer defined.
C. The Virtual-Access1 interface is in the down/down state, because the virtual tunnel source physical interface is down.
D. The Virtual-Access1 interface, which is used internally by the Cisco IOS software, is always down.
Answer: D
Explanation:

QUESTION NO: 122
Refer to the exhibit. Based on the partial configuration shown, which additional configuration parameter is needed under the GET VPN group member GDOI configuration?
A. key server IP address
B. local priority
C. mapping of the IPsec profile to the IPsec SA
D. mapping of the IPsec transform set to the GDOI group
Answer: A