Cisco 642-637 Actual Questions, High Pass Rate Cisco 642-637 Qs&As Is What You Need To Take

The Cisco 642-637 exams are conducted at several levels to test the skills that are necessary in the networking field. The Cisco 642-637 Certification Exam provides methods for improving the quality of life. The Cisco 642-637 exam sample questions are useful for solving security integration problems. The Cisco 642-637 exam sample questions are found to be helpful not only for job seekers, but also for working professionals. Cisco 642-637 exam sample questions give solutions for the networking problems that are caused by the latest developments. The Cisco 642-637 exam is a professional exam widely recognized by professionals, and it is closely followed by candidates.

QUESTION 86
Refer to the exhibit.

What can be determined from the partial configuration shown?
A. The zone-based policy firewall is providing for bridging of non-IP protocols.
B. Since the interfaces are in the same bridge group, access policies are not required.
C. Traffic flow will be allowed to pass between the interfaces without being inspected.
D. The zone-based policy firewall is operating in transparent mode.

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 87
When is it feasible for a port to be both a guest VLAN and a restricted VLAN?
A. this configuration scenario is never implemented
B. when you have configured the port for promiscuous mode
C. when private VLANs have been configured to place each end device into different subnets
D. when you want to allow both types of users the same services

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:

QUESTION 88
Refer to the exhibit.

What can be determined from the information provided in the system image output?
A. The router supports LDAP.
B. A Key Version of “A” indicates that this is an advanced IP security image of the Cisco IOS system.
C. The router is in ROM monitor mode.
D. This is a digitally-signed Cisco IOS image.

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 89
Which three of these are sources used when the router is configured for URL filtering? (Choose three.)
A. Websense URL filter
B. AAA server downloadable ACLs
C. ASA URL filter feature set
D. Trend Micro cloud-based URL filter service
E. locally configured filter rules on the router
F. Cisco SenderBase URL filtering service

Correct Answer: ADE Section: (none) Explanation
Explanation/Reference:

Explanation:
QUESTION 90
In an 802.1X environment, which feature allows for non-802.1X-supported devices such as printers and fax machines to authenticate?
A. multiauth
B. WebAuth
C. MAB
D. 802.1X guest VLAN

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 91
The advantages of virtual tunnel interfaces (VTIs) over GRE VPN solutions are which three of the following? (Choose three.)
A. VTI can support QoS.
B. VTI provides a routable interface.
C. VTI supports nonencrypted tunnels.
D. VTI is more scalable than a GRE-based VPN solution.
E. IPsec VTIs need fewer established SAs to cover different types of traffic, both unicast and multicast, thus enabling improved scaling.
F. IPsec VTIs require a loopback interface for configuration.

Correct Answer: BCE Section: (none) Explanation
Explanation/Reference:
Explanation:
Page 391, CCNP Security SECURE 642-637 Official Cert Guide: IPsec VTIs have many benefits:

QUESTION 92
In Cisco IOS 15.0.1M code for the router platform, which new feature has been added to the zone-based policy firewall?

A. removal of support for port-to-application matching
B. ability to configure policies for traffic that is traveling between interfaces in the same security zone
C. intrazone traffic is not freely permitted by default now
D. NBAR is not compatible with transparent firewall

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
Page: 309, CCNP Security SECURE 642-637 Official Cert Guide. With the release of IOS 15.0.1M, it is also possible to control the traffic within the same zone; this is referred to as intrazone. This is configured by creating a zone pair with the same two zone names as both source and destination.

QUESTION 93
When configuring NAT, which three protocols that are shown may have limitations or complications when using NAT? (Choose three.)
A. Kerberos
B. HTTPS
C. NTP
D. SIP
E. FTP
F. SQL

Correct Answer: ADE Section: (none) Explanation
Explanation/Reference:
Explanation:
As with any technology, the use of NAT can introduce problems because some technologies do not support the use of NAT. These limitations include:

QUESTION 94
Which two answers are potential results of an attacker that is performing a DHCP server spoofing attack? (Choose two.)
A. ability to selectively change DHCP options fields of the current DHCP server, such as the giaddr field.
B. DoS
C. excessive number of DHCP discovery requests
D. ARP cache poisoning on the router
E. client unable to access network resources

Correct Answer: BE Section: (none) Explanation
Explanation/Reference:
Explanation: DHCP Server Spoofing. With DHCP server spoofing, the attacker can set up a rogue DHCP server and respond to DHCP requests from clients on the network. This type of attack can often be grouped with a DHCP starvation attack because the victim server will not have any new IP addresses to give out, which raises the chance of new clients using the rogue DHCP server. The information given out by the rogue DHCP server could send all the traffic through a rogue gateway, which can then capture the traffic for further analysis.
QUESTION 95
Cisco IOS Software displays the following message: DHCP_SNOOPING_5-DHCP_SNOOPING_MATCH_MAC_FAIL. What does this message indicate?
A. The message indicates that an attacker is pretending to be a DHCP server on an untrusted port.
B. The source MAC address in the Ethernet header does not match the address in the “chaddr” field of the DHCP request message.
C. The message indicates that the DHCP snooping has dropped a DHCP message that claimed an existing, legitimate host is present on an unexpected interface.
D. A Layer 2 port security MAC address violation has occurred on an interface that is set up for untrusted DHCP snooping.

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: Actual log from a switch configured for DHCP snooping:
007850: Nov 26 09:02:55.484 CET: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn’t match source mac, message type: DHCPRELEASE, chaddr: 0016.4487.6527, MAC sa: 0017.422e.d204
The switch logging message basically says that the MAC address of the client contained in the chaddr (client hardware address) field of the DHCP message does not match the source MAC address of the frame in which the DHCP message is encapsulated. In other words, the interface for which the DHCP message was created does not match the interface through which the message was actually transmitted.

QUESTION 96
Refer to the exhibit.

Based on the partial configuration that is provided, if a non-802.1X client connects to a port on this switch, which VLAN will it be assigned to, and how long will it take for the port to time out and transition to the guest VLAN? (Choose all that apply.)
A. The switch is configured for the default 802.1X timeout period of 90 seconds.
B. The 802.1X authentication process will time out in 10 seconds and immediately change the port to the guest VLAN.
C. The 802.1X authentication process will time out, and the switch will roll over the port to the guest VLAN in 15 seconds.
D. The non-802.1X client and phones will all be assigned to VLAN 30.
E. The non-802.1X client will be assigned to VLAN 40.
F. The non-802.1X client will be assigned to VLAN 10.

Correct Answer: CE Section: (none) Explanation
Explanation/Reference:
Explanation: The authenticator expects to receive the EAP-Response/Identity frame as a response to its EAP-Request/Identity frame. If it has not received this frame within the default retransmission time, it will resend the Request frame. The default retransmission timer is 30 seconds. You can adjust this timer to improve response times, which allows a faster 802.1X authentication process. The retransmission timer is changed with the dot1x timeout tx-period interface command.
If the switch fails to authenticate a client, for example because the user entered a bad password, the switch waits a period of time before trying again. The default value for this quiet timer is 60 seconds. You can lower this value, giving the client a faster response time, with the dot1x timeout quiet-period seconds interface configuration command.
QUESTION 97
When 802.1X is implemented, how do the authenticator and authentication server communicate?
A. RADIUS
B. TACACS+
C. MAB
D. EAPOL

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
Page: 119
Note: EAPOL is used between the supplicant and the authenticator, while RADIUS is used between the authenticator and the authentication server.

QUESTION 98
Refer to the exhibit.

What can be determined about IPS updates from the configuration shown?

A. Updates will be stored on the ida-client server.
B. Updates will be stored in the directory labeled “cisco.”
C. Updates will be retrieved from an external source every day of the week.
D. Updates will occur once per week on Sundays between midnight and 6 a.m. (0000 and 0600).

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
Task 2: Configure Automatic Signature Updates
The second task illustrates how to configure the router to attempt to retrieve automatic signature updates from Cisco.com or a local server.

To do this, first configure the update URL using the ida-client server url command. Use the https://www.cisco.com/cgi-bin/front.x/ids/locator/locator.pl URL. Next, create an auto-update profile using the ip ips auto-update command. Use the cisco command inside the profile to designate obtaining updates from Cisco.com. To control when the update attempts occur, use the occur-at command. Example 13-9 illustrates the setup of the configuration to retrieve automatic updates from the Cisco.com repository, as well as how to provide the Cisco.com credentials that will be used for authentication, using the username command. Example 13-10 illustrates the setup of the configuration to retrieve automatic updates from a local staging server.

The following specifics are used in the example:

QUESTION 99
Refer to the exhibit.

Which of these is correct based on the partial configuration shown?

A. The policy is configured to use an authentication key of “rsa-sig.”
B. The policy is configured to use hashing group sha-1.
C. The policy is configured to use triple DES IPsec encryption.
D. The policy is configured to use digital certificates.
E. The policy is configured to use access list 101 to identify the IKE-protected traffic.

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 100
When uploading an IPS signature package to a Cisco router, what is required for the upload to self-extract the files?
A. the idconf on the end of the copy command
B. a public key on the Cisco router
C. IPS must be disabled on the upload interface
D. HTTP Secured server must be enabled

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation: First, the signature package must be downloaded from Cisco.com. Go to the download section of Cisco.com and navigate to Products > Security > Integrated Router/Switch Security > Integrated Threat Control > Cisco IOS Intrusion Prevention System Feature Software > IOS IPS Signature Data File. Download the latest package, which should have a filename in the format IOS-Sxxx-CLI.pkg. Put the file on the server from which you will transfer it to the router. Use the copy command to transfer the file to the router’s idconf alias. This causes the router to download and unpack the contents of the file (XML files).
QUESTION 101
To prevent a spanning-tree attack, which command should be configured on a distribution switch port that is connected to an access switch?
A. spanning-tree portfast bpduguard default
B. spanning-tree backbone fast
C. spannning-tree bpduguard enable
D. spanning-tree guard root

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: To mitigate STP manipulation, two different features can be used. The Root Guard feature is configured on a switchport that should never become a root port, or in other words, the port that forwards traffic going toward the root bridge. A good example of this would be a connection between a distribution layer switch and an access layer switch. In this scenario, the port on the distribution switch going toward the access layer should never become a root port because the access layer switch should never become the root switch. If the switchport does receive a superior BPDU, the port will go into root-inconsistent state, indicating that another switch is attempting to become the root switch.
Enables the Root Guard feature on a switchport: Switch(config-if)# spanning-tree guard root
QUESTION 102
In a GETVPN solution, which two ways can the key server distribute the new keys to the group members during the rekey process? (Choose two.)
A. multicast UDP transmission
B. multicast TCP transmission
C. unicast UDP transmission
D. unicast TCP transmission

Correct Answer: AC Section: (none) Explanation
Explanation/Reference:
Explanation: Rekeying Methods. GET VPNs use rekey messages to refresh their IPsec SAs (session keys) outside of IKE sessions. When the group IPsec SAs are about to expire, one single rekey message for a particular group is generated on the key server. Distribution of the rekey message does not require that new IKE sessions be created. GET supports rekeying for unicast and multicast.
QUESTION 103
You are a network administrator and are moving a web server from inside the company network to a DMZ segment that is located on a Cisco router. The web server was located at IP address 172.16.10.50 on the inside and changed to the IP address 172.20.10.5 on the DMZ. Additionally, you are moving the web port to 8080 but do not want your inside users to be affected. Which NAT statement should you configure on your router to support the change?
A. hostname(config)# ip nat inside source static 172.16.10.50 172.20.10.5
B. hostname(config)# ip nat inside source static tcp 172.16.10.50 80 172.20.10.5 8080
C. hostname(config)# ip nat outside source static tcp 172.16.10.50 80 172.20.10.5 8080
D. hostname(config)# ip nat static outside source tcp 172.20.10.5 80 172.16.10.50 8080
E. hostname(config)# ip nat static inside source udp 172.20.10.50 172.20.10.5

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 104
When configuring NAT, and your solution requires the ability to see the inside local and outside global address entries and any TCP or UDP port in the show ip nat command output, how should NAT be configured on the router?
A. use the overload option on the end of your static NAT statement
B. include both static and dynamic NAT configuration on the router
C. tie the ip nat inside command to a dynamic NAT pool
D. attach a route-map to the ip nat inside command
E. configure the ip nat inside command to an extended ACL

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 105
Refer to the exhibit.
You are working for a corporation that has connected its network to a partner network. Based on this partial configuration that is supplied in the exhibit, which two things happen to traffic that is inbound from the partner network (outside is 10.10.30.0/24) and the return traffic from the inside as it travels through this router? (Choose two.)

A. The source address of the IP packets that are traveling from the 10.10.30.0/24 network to 10.10.19.0/24 are translated to 172.19.1.0/24.
B. The destination address of IP packets that are traveling from 10.10.19.0/24 to any IP network is translated to 172.19.1.0/24.
C. IP traffic that is flowing from 10.10.19.0/24 to 10.10.30.0/24 has the source address translated to 172.19.1.0/24.
D. The destination address of IP packets that are traveling from 10.10.19.0/24 to 10.10.30.0/24 are translated to 172.19.1.0/24.
E. The destination address of IP packets that are traveling from 10.10.30.0/24 to 10.10.19.0/24 are translated to 172.19.1.0/24.

Correct Answer: AD Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 106
You are a network administrator that is deploying a Cisco router that needs to support both PAT and site-to-site VPN on one public IP address. In order to make both work simultaneously, how should the NAT configuration be set up?
A. The VPN configuration should be set up with a static NAT configuration.
B. Because PAT does support AH, the VPN tunnel must not be configured with Encapsulating Security Payload (ESP).
C. An ACL should be attached to the nat command to permit the NAT traffic and deny the VPN traffic.
D. The nat configuration command needs to include a range of IP addresses with the overload word on the end.
E. A route-map should be used with the nat command to support the use of AH and ESP.
F. The ip nat inside command needs to exclude the VPN source address in the NAT pool.

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 107
Refer to the exhibit.

Based on the configuration that is shown in the exhibit, select the three answers that apply. (Choose three.)
A. The configuration supports multidomain authentication, which allows one MAC address on the voice VLAN and one on the data VLAN.
B. Traffic will not flow for either the phone or the host computer until one device completes the 802.1X authentication process.
C. Registration and DHCP traffic will flow on either the data or voice VLAN before authentication.
D. The port will only require the 802.1X supplicant to authenticate one time.
E. MAC Authentication Bypass will be attempted only after 802.1X authentication times out.
F. Non-802.1X devices are supported on this port by setting up the host for MAC address authentication in the endpoint database.

Correct Answer: ACF Section: (none) Explanation
Explanation/Reference:
Explanation:

QUESTION 108
You are finding that the 802.1X-configured ports are going into the error-disable state. Which command will show you the reason why the port is in the error-disable state, and which command will automatically be re-enabled after a specific amount of time? (Choose two.)
A. show error-disable status
B. show error-disable recovery
C. show error-disable flap-status
D. error-disable recovery cause security-violation
E. error-disable recovery cause dot1x
F. error-disable recovery cause l2ptguard

Correct Answer: BD Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 109
Your company has a requirement that if security is compromised on phase 1 of a Diffie-Hellman key exchange that a secondary option will strengthen the security on the IPsec tunnel. What should you implement to ensure a higher degree of key material security?
A. Diffie-Hellman Phase II ESP
B. PFS Group 5
C. Transform-set SHA-256
D. XAUTH with AAA authentication
E. Diffie-Hellman Group 5 Phase I

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: IPsec Phases
IPsec has two phases: IPsec session keys are derived from the initial keying material that was obtained during the Phase 1 Diffie-Hellman key exchange. The IPsec session keys can be optionally created using new, independent Diffie-Hellman key exchanges by enabling the Perfect Forward Secrecy (PFS) option. This Phase 2 exchange is called the IKE Quick Mode. IKE Quick Mode is one of two modes of IKE Phase 2, with the other being the Group Domain of Interpretation (GDOI) Mode used by GET VPN.

QUESTION 110
Which solution on a Cisco router requires the loading of a protocol header definition file (PHDF)?
A. Reflexive access control lists
B. NetFlow
C. Flexible Packet Matching
D. Control Plane Policing

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
FPM is implemented using a filtering policy that is divided into four tasks:

QUESTION 111
You are troubleshooting a problem for which end users are reporting connectivity issues. Your network has been configured with Layer 2 protection controls. You have determined that the DHCP snooping database is correct and that proper static addressing maps have been configured. Which of these should be your next step in troubleshooting this problem?
A. Generate a proxy ARP request and verify that the DHCP database has been updated as expected.
B. Temporarily disable DHCP snooping and test connectivity again.
C. Clear the ARP tables and have end users release and renew their DHCP-learned addressing.
D. Use a protocol analyzer to determine if there are malformed DHCP or ARP packets.

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 112
You are troubleshooting a reported connectivity issue from a remote office whose users are accessing corporate headquarters via an IPsec VPN connection. You issued a show crypto isakmp sa command on the headend router, and the state has MM_NO_STATE. Which debug command should you enter next, and which part of the VPN tunnel establishment process is

A. ISAKMP Phase II
B. ISAKMP Phase I
C. debug crypto isakmp sa
D. debug crypto isakmp
E. debug crypto ipsec

Correct Answer: BD Section: (none) Explanation
Explanation/Reference:
Explanation:
Troubleshooting Flow
Follow these steps to proceed through the recommended flow for troubleshooting IKE peering:

Step 1. Verify peer reachability using the ping and traceroute commands with the tunnel source and destination IP addresses on both peers. If connectivity is verified, proceed to Step 2; otherwise, check the path between the two peers for routing or access (firewall or access list) issues.
Step 2. Verify the IKE policy on both peers using the show crypto isakmp policy command. Debug messages revealed by the debug crypto isakmp command will also point out IKE policy mismatches.
Step 3. Verify IKE peer authentication. The debug crypto isakmp command will display unsuccessful authentication.
Step 4. Upon successful completion of Steps 1 through 3, the IKE SA should establish. This can be verified with the show crypto isakmp sa command by looking for a state of QM_IDLE.

QUESTION 113
You are installing a brand-new, site-to-site VPN tunnel and notice that it is not working correctly. When connecting to the corporate router and issuing a show crypto ipsec sa command, you notice that for this particular SA that packets are being encrypted but not decrypted. What are two potential reasons for this problem? (Choose two.)
A. XAUTH needs to be enabled.
B. Inbound and outbound IP 50 packets are being filtered at the remote site.
C. The transform-set needs to be set to transport mode.
D. The access-list attached to the crypto map at the remote site is incorrect.
E. The remote site is failing Diffie-Hellman Phase I negotiation.
F. The NAT exception on the corporate side is filtering the return packets.

Correct Answer: BD Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 114
Which two of these are features of control plane security on a Cisco ISR? (Choose two.)
A. CoPP
B. RBAC
C. AAA
D. CPPr
E. uRPF
F. FPM

Correct Answer: AD Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 115
Which additional configuration steps are required for a zone-based policy firewall to operate in a VRF scenario?
A. You must assign zone-based policy firewall bridge groups to work in the virtual environment.
B. Separate zone-based policy firewall policies must be defined for each VRF environment.
C. Separate zones must be defined for each virtual zone-based policy firewall instance.
D. No special zone-based policy firewall configurations are needed.

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: Ensure that you utilized several security layers in your design to adequately protect the rest of your network from the guest VLAN. You might even consider putting them in a separate Virtual Routing and Forwarding (VRF) instance. VRFs are configurations on Cisco IOS Software routers and switches that can be used to provide traffic separation, making them a good solution to keep guest traffic segregated from your corporate traffic.
ZBPFW is also Virtual Routing and Forwarding (VRF) aware and can be used between different VRFs. Interfaces that are configured in different VRFs should not be configured in the same zone, and thus all interfaces that are in a zone must be configured within the same VRF. If there is a common interface or interfaces that are used by multiple VRFs, a common zone should be created and individually paired with each zone (and thus with each VRF).

QUESTION 116
You are troubleshooting an IPsec VPN problem. During debugging of IPsec operations, you see the message “attributes not acceptable” on the IKE responder after issuing the debug crypto isakmp command. Which step should you take next?
A. verify matching ISAKMP policies on each peer
B. verify that an IKE security association has been established between peers
C. verify that IPsec transform sets match on each peer
D. verify if default IPsec attributes are in place on each peer

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: The show crypto isakmp policy command can be executed on both peers to compare IKE parameters and ensure that they match. The debug crypto isakmp debugging command will display debugging messages during IKE negotiation and session establishment. These debugging commands should be executed and analyzed on both peers.
QUESTION 117
Which state is a Cisco IOS IPS signature in if it does not take an appropriate associated action even if it has been successfully compiled?
A. retired
B. disabled
C. unsupported
D. inactive

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 118
Which CLI command would you use to verify installed SSL VPN licensing on a Cisco 1900, 2900, or 3900 Series ISR?

A. show crypto ssl license
B. show crypto webvpn details
C. show webvpn license
D. show webvpn ssl license count all
E. show webvpn gateway

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: Reference: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_sslvpn/configuration/15-1mt/sec-conn-sslvpn-15-1mtbook.pdf
You can use the show webvpn license command to display the available count and the current usage. To display the current license type and the time period left in the case of a nonpermanent license, use the show license command. To get information related to license operations, events, and errors, use the debug webvpn license command. For migrating from any Cisco IOS 12.4T release to a Cisco IOS 15.x release, use the license migration tool at https://tools.cisco.com/SWIFT/Licensing/LicenseAdminServlet/migrateLicense.
New Cisco IOS SSL VPN licenses that are generated are cumulative. Therefore the old licenses become inactive when a new license is applied. For example, when you are upgrading your license from 10 counts to 20 counts (an increase of 10 counts on the current 10 counts), Cisco provides a single 20-count license. The old license for 10 counts is not required when a permanent license for a higher count is available. However, the old license will exist in an inactive state, as there is no reliable method to clear the old license.
In Cisco IOS Release 15.1(4)M1 and later releases, a Crypto Export Restrictions Manager (CERM) license is reserved only after the user logs in. If you have an Integrated Services Router Generation 2 (ISR G2) router with a CERM license, you must upgrade to Cisco IOS Release 15.1(4)M1 or a later release. Before Cisco IOS Release 15.1(4)M1, a CERM license is reserved for every SSL or Transport Layer Security (TLS) session.
QUESTION 119
Which statement is correct regarding GRE tunnel endpoints when you are configuring GRE over IPsec?
A. The tunnel interfaces of both endpoints must be in the same IP subnet.
B. A mirror image of the IPsec crypto ACL needs to be configured to permit the interesting end- user traffic between the GRE endpoints.
C. The tunnel interfaces of both endpoints should be configured to use the outside IP address of
D. For high availability, the GRE tunnel interface should be configured with a primary and a backup tunnel destination IP address.

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 120
Refer to the exhibit.

Which of these is correct regarding the configuration parameters shown?
A. Complete certificates will be written to and stored in NVRAM.
B. The RSA key pair is valid for five hours before being revoked.
C. The router is configured as a certificate server.
D. Certificate lifetimes are mismatched and will cause intermittent connectivity errors.
E. The router has enrolled to the MY-TRUSTPOINT PKI server, which is an external CA server.

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:

QUESTION 121
Refer to the exhibit.

When you are using dynamic IPsec VTI tunnels, what can you determine about virtual-access interfaces from the output shown?
A. The Virtual-Access1 interface currently does not have an IPsec peer connection established.
B. The Virtual-Access2 interface does not yet have an IPsec peer defined.
C. The Virtual-Access1 interface is in the down/down state, because the virtual tunnel source physical interface is down.
D. The Virtual-Access1 interface, which is used internally by the Cisco IOS software, is always down.

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation: “A special Virtual-Access1 interface is used internally by Cisco IOS Software and is always present in the output of this command.” But it is not always DOWN, as follows from http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/prod_white_paper0900aecd803645b5.pdf: “…When the Easy VPN negotiation is successful, the line protocol state of the virtual access interface gets changed to up. When the Easy VPN tunnel goes down because the security association expires or is deleted, the line protocol state of the virtual access interface changes to down…”
QUESTION 122
Refer to the exhibit.

Based on the partial configuration shown, which additional configuration parameter is needed under the GET VPN group member GDOI configuration?
A. key server IP address
B. local priority
C. mapping of the IPsec profile to the IPsec SA
D. mapping of the IPsec transform set to the GDOI group

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 123
CORRECT TEXT

Correct Answer: Section: (none) Explanation
Explanation/Reference:
Answer:
Router(config)# zone security INSIDE
Router(config-sec-zone)# exit
Router(config)# zone security OUTSIDE
Router(config-sec-zone)# exit
Router(config)# interface fa0/0/1
Router(config-if)# no shutdown
Router(config-if)# zone-member security INSIDE
Router(config-if)# exit
Router(config)# interface fa0/0/0
Router(config-if)# no shutdown
Router(config-if)# zone-member security OUTSIDE
Router(config-if)# exit
Router(config)# class-map type inspect match-any HTTP_POLICY
Router(config-cmap)# match protocol http
Router(config-cmap)# exit
Router(config)# policy-map type inspect IN-TO-OUT-POLICY
Router(config-pmap)# class type inspect HTTP_POLICY
Router(config-pmap-c)# inspect
Router(config-pmap-c)# exit
Router(config)# zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
Router(config-sec-zone-pair)# service-policy type inspect IN-TO-OUT-POLICY
Router(config-sec-zone-pair)# end
Router(config)# copy running-config startup-config
Explanation:
1: we divide the network into 2 zones: INSIDE and OUTSIDE
2: apply the interfaces to the appropriate zone members INSIDE | OUTSIDE
3: create a class-map with the defined name HTTP_POLICY > match HTTP protocol
4: create a policy-map named IN-TO-OUT-POLICY: define the class-map and apply the action > inspect
5: create a zone-pair > specify direction with source and destination
6: apply the policy to the zone-pair (the policy created in step 4)
7: std: copy run start
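As an added example (not part of the dump, and not a Cisco tool), a small Python audit that parses a ZBFW configuration like the answer above and flags the mistakes the seven steps guard against: an interface left out of every zone, a policy-map that references an undefined class-map, a zone-pair naming an undefined zone, and a zone-pair with no usable service-policy; in each of these cases the router silently drops the affected traffic. SAMPLE_CONFIG is constructed for the example and adds one interface that was never zoned.

```python
import re
# Constructed sample (not from the page): the ZBFW answer above in running-config
# form, plus an extra interface (FastEthernet0/1/0) never placed in any zone.
SAMPLE_CONFIG = """\
zone security INSIDE
zone security OUTSIDE
interface FastEthernet0/0/1
 zone-member security INSIDE
interface FastEthernet0/0/0
 zone-member security OUTSIDE
interface FastEthernet0/1/0
class-map type inspect match-any HTTP_POLICY
 match protocol http
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect HTTP_POLICY
  inspect
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT-POLICY
"""
def audit_zbfw(config):
    """Return findings for unzoned interfaces and dangling ZBFW references."""
    zones, cmaps, pmaps, ifaces, pairs = set(), set(), {}, {}, []
    iface = pmap = pair = None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.fullmatch(r"zone security (\S+)", line):
            zones.add(m[1])
        elif m := re.fullmatch(r"interface (\S+)", line):
            iface, ifaces[m[1]] = m[1], None
        elif m := re.fullmatch(r"zone-member security (\S+)", line):
            ifaces[iface] = m[1]
        elif m := re.fullmatch(r"class-map type inspect (?:match-\w+ )?(\S+)", line):
            cmaps.add(m[1])
        elif m := re.fullmatch(r"policy-map type inspect (\S+)", line):
            pmap, pmaps[m[1]] = m[1], []
        elif m := re.fullmatch(r"class type inspect (\S+)", line):
            pmaps[pmap].append(m[1])
        elif m := re.fullmatch(r"zone-pair security (\S+) source (\S+) destination (\S+)", line):
            pairs.append(pair := {"name": m[1], "zones": (m[2], m[3]), "policy": None})
        elif m := re.fullmatch(r"service-policy type inspect (\S+)", line):
            pair["policy"] = m[1]
    # An interface in no zone cannot exchange traffic with any zoned interface.
    findings = [f"interface {i} is in no zone" for i, z in ifaces.items() if z is None]
    findings += [f"policy-map {p} references undefined class-map {c}"
                 for p, cs in pmaps.items() for c in cs if c not in cmaps | {"class-default"}]
    for p in pairs:
        findings += [f"zone-pair {p['name']} references undefined zone {z}"
                     for z in p["zones"] if z not in zones | {"self"}]
        if p["policy"] not in pmaps:  # no usable policy: traffic between the zones is dropped
            findings.append(f"zone-pair {p['name']} has no valid service-policy")
    return findings
```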
QUESTION 124
DRAG DROP

A.
B.
C.
D.

Correct Answer: Section: (none) Explanation
Explanation/Reference:

Explanation:

http://www.cisco.com/en/US/docs/ios/12_4/ip_addr/configuration/guide/hadnhrp_ps6350_TSD_Products_Configuration_Guide_Chapter.html and http://blog.ine.com/2008/08/02/dmvpn-explained/ show this as well:
6) NHRP Registration is used for ease of support/creation of dynamic tunnels but is not the same as 1) NHRP Authentication string. Authentication is recommended to help keep multiple NHRP domains separate from each other.
2) NHRP network ID is used to differentiate multiple NHRP domains. So a = 4, b = 3.
Prior to Cisco IOS Release 12.3(11)T, all mGRE interfaces required the configuration of a tunnel ID key. Multipoint tunnels require that you configure a tunnel key. Otherwise, unexpected GRE traffic could easily be received by the tunnel interface. However, for simplicity, it is recommended that the tunnel key correspond to the NHRP network identifier. c = 5, d = 6.
The original dump had 4,1,5,6 rather than 4,3,5,6, with this explanation:
NHRP Hold Time: when this expires, the network ID is no longer valid. NHRP Authentication string: this needs to be the same for all mGRE tunnels on the network. NHRP NHS: this is used for the NBMA network. NHRP Registration: this is used for DMVPN tunnel hubs and spokes to authenticate themselves.
To make registration possible, you configure each NHC (Client/spoke) with the IP address of at least one NHS (server/hub). In turn, NHS acts as a database agent, storing all registered mappings, and replying to NHC queries. The NHS will keep the registration request cached for the duration of the hold-time, and then, if no registration update is received, will time it out. One can adopt NHRP to work with “simulated NBMA” networks, such as mGRE tunnels. The commands ip nhrp network-id and ip nhrp authentication [Key] identify and authenticate the logical NHRP network. The [ID] and the [Key] must match on all routers sharing the same GRE tunnel. It is possible to split an NBMA medium into multiple NHRP networks

The spokes use the NHS to register their logical IP to NBMA IP associations and send NHRP resolution Requests
QUESTION 125
DRAG DROP A.

B.
C.
D.

Correct Answer: Section: (none) Explanation
Explanation/Reference:

Explanation:
There are various reasons for the interface to go into errdisable. The reason can be:
BPDU guard violation
DHCP snooping rate-limit reached
Port channel misconfiguration
Reference: http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00806cd87b.shtml

QUESTION 126
When you are configuring a hub-and-spoke DMVPN network, which tunnel mode should you use for the spoke router configuration?
A. GRE multipoint
B. Classic point-to-point GRE
C. IPsec multipoint
D. Nonbroadcast multiaccess

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_2_Phase2.html
The hub-and-spoke deployment model is the most common deployment model. This model is the most scalable, and predominately mimics traditional Layer 2 leased line, Frame Relay, or ATM hub-and-spoke networks. The headend is configured with a multipoint GRE (mGRE) interface, and the branch with a point-to-point (p2p) GRE interface.
QUESTION 127
DRAG DROP

A.

B.
C.
D.

Correct Answer: Section: (none) Explanation
Explanation/Reference:

Explanation:
True Positive: The IPS or IDS sensor acted as a consequence of malicious activity. This represents normal and optimal operation.
True Negative: The IPS or IDS sensor did not take action, even though there was malicious activity. This represents an error.
False Positive: The IPS or IDS sensor acted as a consequence of non-malicious activity. This represents an error, generally caused by signatures that are too relaxed.
False Negative: The IPS or IDS sensor did not take action, because there was no malicious activity. This represents normal and optimal operation.
QUESTION 128
DRAG DROP

A.
B.
C.
D.

Correct Answer: Section: (none) Explanation
Explanation/Reference:

Explanation:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/Sw8021x.html
· force-authorized – disables 802.1X and causes the port to transition to the authorized state without any authentication exchange required. The port transmits and receives normal traffic without 802.1X-based authentication of the client. This is the default setting.
· force-unauthorized – causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. The switch cannot provide authentication services to the client through the interface.
· auto – enables 802.1X authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port transitions from down to up, or when an EAPOL-start frame is received. The switch requests the identity of the client and begins relaying authentication messages between the client and the authentication server. Each client attempting to access the network is uniquely identified by the switch by using the client’s MAC address.
QUESTION 129
DRAG DROP

A.
B.
C.
D.

Correct Answer: Section: (none) Explanation
Explanation/Reference:

Explanation:

The default order for authentication methods is 802.1X, then MAB, then web-based authentication. If fallback authentication methods are not enabled or are not successful, and if a guest VLAN is configured, the switch assigns the client to a guest VLAN that provides limited services. If the switch receives an invalid identity from an 802.1X-capable client and a restricted VLAN is specified, the switch can assign the client to a restricted VLAN that provides limited services. If the RADIUS authentication server is unavailable (down) and inaccessible authentication bypass is enabled, the switch grants the client access to the network by putting the port in the critical-authentication state in the user-specified critical VLAN.

Restrict
If the switch receives an invalid identity from an 802.1X-capable client and a restricted VLAN is specified,
the switch can assign the client to a restricted VLAN that provides limited services.

Guest
If fallback authentication methods are not enabled or are not successful, and if a guest VLAN is configured,
the switch assigns the client to a guest VLAN that provides limited services. NOTE: You can configure a
VLAN to be both the guest VLAN and the restricted VLAN if you want to provide the same services to both
types of users.
If 802.1X authentication times out while waiting for an EAPOL message exchange, the switch can use a
fallback authentication method, such as MAC authentication bypass (MAB) or web-based authentication
(webauth), if either or both are enabled:
If MAC authentication bypass is enabled, the switch relays the client’s MAC address to the AAA server for
authorization. If the client’s MAC address is valid, the authorization succeeds and the switch grants the
client access to the network.
If web-based authentication is enabled, the switch sends an HTTP login page to the client. The switch relays the client’s username and password to the AAA server for authorization. If the login succeeds, the switch grants the client access to the network.
Reference:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dot1x.html#wp1133480
QUESTION 130
DRAG DROP

A.
B.
C.
D.

Correct Answer: Section: (none) Explanation
Explanation/Reference:

Explanation: http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html
QUESTION 131
DRAG DROP A.

B.
C.
D.

Correct Answer: Section: (none) Explanation
Explanation/Reference:
Explanation: Box 1 EAP-TTLS, Box 2 EAP-FAST, Box 3 EAP-TLS, Box 4 EAP-MD5

EAP-MD5 EAP-MD5 is the only IETF Standards Track based EAP method; it is not recommended for use by Cisco.
PEAP The Protected Extensible Authentication Protocol, also known as Protected EAP or simply PEAP, is a protocol that encapsulates EAP within a potentially encrypted and authenticated Transport Layer Security (TLS) tunnel. PEAP uses the TLS channel to protect a second EAP exchange, called the “inner” EAP exchange. PEAP’s major advantage is support from Microsoft.
EAP-GTC EAP-GTC is an EAP method created by Cisco as an alternative to PEAPv0/EAP-MSCHAPv2. EAP-GTC carries a text challenge from the authentication server, and a reply generated by a security token.
EAP-FAST EAP-FAST (Flexible Authentication via Secure Tunneling) is a protocol proposal by Cisco Systems as a replacement for LEAP. The protocol was designed to address the weaknesses of LEAP while preserving the “lightweight” implementation. Use of server certificates is optional in EAP-FAST. EAP-FAST uses a Protected Access Credential (PAC) to establish a TLS tunnel in which client credentials are verified. EAP-FAST has three phases.
EAP-TTLS EAP-Tunneled Transport Layer Security (EAP-TTLS) is an EAP protocol that extends TLS. It was co-developed by Funk Software and Certicom. It is widely supported across platforms, although there is no native OS support for this EAP protocol in Microsoft Windows. The client can, but does not have to, be authenticated via a CA-signed PKI certificate to the server. This greatly simplifies the setup procedure as a certificate does not need to be installed on every client. TTLS implementations today support all methods defined by EAP, as well as several older methods (CHAP, PAP, MS-CHAP and MS-CHAPv2).
EAP-TLS EAP-Transport Layer Security (EAP-TLS), defined in RFC 5216, is an IETF open standard, and is well-supported among wireless vendors. The security of the TLS protocol is strong, provided the user understands potential warnings about false credentials. It uses PKI to secure communication to a RADIUS authentication server or another type of authentication server. Unlike most HTTPS client implementations like major web browsers, most EAP-TLS implementations require client certificates, which some have identified as potentially dramatically reducing adoption of EAP-TLS. EAP-TLS is the original, standard wireless LAN EAP authentication protocol. Although it is rarely deployed, it is still considered one of the most secure EAP standards available and is universally supported by all manufacturers of wireless LAN hardware and software.
QUESTION 132
Refer to the exhibit.

What can be determined from the partial configuration shown?
A. The zone-based policy firewall is operating in transparent mode.
B. The zone-based policy firewall is providing for bridging of non-IP protocols.
C. Since the interfaces are in the same bridge group, access policies are not required.
D. Traffic flow will be allowed to pass between the interfaces without being inspected.

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 133
DRAG DROP A.

B.
C.
D.

Correct Answer: Section: (none) Explanation
Explanation/Reference:

Explanation:
Traffic filtering measures
Transmission protection
Traffic conditioning features
Protection against attacks on network endpoints
QUESTION 134
DRAG DROP

A.
B.
C.
D.

Correct Answer: Section: (none) Explanation
Explanation/Reference:

Explanation:
In a multiswitch environment, designate the interswitch links as trusted.
NTP should be configured on switches to ensure correct handling of the DHCP snooping database.
ARP inspection rate limiting is the preferred way of handling DHCP starvation.
