Cisco 642-637 Online Exam, First-hand Cisco 642-637 Practise Questions Is Your Best Choice

I passed the Cisco 642-637 exam this week with nearly 920 pts. I prepared myself with 140 Q&As, all questions from this dump. Cisco 642-637 questions, 2 hrs time limit. New questions in Exampass like “AD FS components in the environment”, “Windows PowerShell cmdlet”, “Office 365”. Just know all new Cisco 642-637 questions and you will be fine.

QUESTION 50
You have enabled Cisco IOS IPS on a router in your network. However, you are not seeing expected events on your monitoring system (such as Cisco IME). On the router, you see events being captured. What is the next step in troubleshooting the problem?
A. verify that syslog is configured to send events to the correct server
B. verify SDEE communications
C. verify event action rules
D. verify that the IPS license is valid

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 51
Which two of these are features of control plane security on a Cisco ISR? (Choose two.)
“Pass Any Exam. Any Time.” – www.actualtests.com 32 Cisco 642-637 Exam
A. CoPP
B. RBAC
C. AAA
D. CPPr
E. uRPF
F. FPM

Correct Answer: AD Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 52
Which two of these are potential results of an attacker performing a DHCP server spoofing attack? (Choose two.)
A. DHCP snooping
B. DoS
C. confidentiality breach
D. spoofed MAC addresses
E. switch ports being converted to an untrusted state

Correct Answer: BC Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 53
When Cisco IOS IPS signatures are being tuned, how is the Target Value Rating assigned?
A. It is calculated from the Event Risk Rating.
B. It is calculated from a combination of the Attack Severity Rating and Signature Fidelity Rating
C. It is manually set by the administrator.
D. It is set based upon SEAP functions.

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 54
Which of these should you do before configuring IP Source Guard on a Cisco Catalyst switch?
A. Enable NTP for event correlation
B. Enable IP routing authentication
C. Configure an access list with exempt DHCP-initiated IP address ranges
D. Turn DHCP snooping on at least 24 hours in advance

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 55
What action will the parameter-map type ooo global command enable?
A. globally initiates tuning of the router’s TCP normalizer parameters for out-of-order packets
B. globally classifies type ooo packets within the parameter map and subsequent policy map
C. enables a parameter map named ooo
D. configures a global parameter map for traffic destined to the router itself

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/12-4t/sec-zone-pol-fw.html
QUESTION 56
DRAG DROP
A.

B.
C.
D.

Correct Answer: Section: (none) Explanation
Explanation/Reference:

Explanation:

QUESTION 57
CORRECT TEXT

A.
B.
C.
D.

Correct Answer: Section: (none) Explanation
Explanation/Reference:
Answer: R1# show crypto gdoi -or- R2# show crypto gdoi
Explanation: This command will show you the KS IP address and your registration, with time to re-key.
R1#show crypto gdoi
GROUP INFORMATION
Group Name: GETVPNGROUP
Group Identity: 67890
Rekeys received: 0
IPSec SA Direction: Both
Active Group Server: 192.168.1.2
Group Server list: 192.168.1.2
GM Reregisters in: 3434 secs
Rekey Received: never
Rekeys received
Cumulative: 0
After registration: 0
ACL Downloaded From KS 192.168.1.2:
access-list permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
TEK POLICY for the current KS-Policy ACEs Downloaded:
FastEthernet0/0:
IPsec SA:
spi: 0x673C7398(1732015000)
transform: esp-aes esp-sha-hmac
sa timing:remaining key lifetime (sec): (3571)
Anti-Replay: Disabled
QUESTION 58
CORRECT TEXT

A.
B.
C.
D.

Correct Answer: Section: (none) Explanation
Explanation/Reference:
Answer: R2# show crypto ipsec transform-set
Explanation:
NB: the only show runn commands accepted are show runn interfaces.
R2#show crypto ipsec transform-set
Transform set GETSET: { esp-sha-hmac }
will negotiate = { Tunnel, },
{ esp-256-aes }
will negotiate = { Tunnel, },
!

QUESTION 59
CORRECT TEXT
A.

B.
C.
D.

Correct Answer: Section: (none) Explanation
Explanation/Reference:
Answer: R2# show crypto gdoi ks -or- R2# show crypto gdoi ks members -or- R1# show ip interface brief
Explanation: NB: it is assumed that only R1 is a member router and the ISP is not a member.
R1#show crypto gdoi ks
Total group members registered to this box: 0
All commands can be referenced here: http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_s3.html#wp1159252

QUESTION 60
CORRECT TEXT
A.
B.
C.
D.

Correct Answer: Section: (none) Explanation
Explanation/Reference:
Answer: R2# show crypto gdoi group GETVPNGROUP
Explanation: R2 is better as this is the KS.
R2#show crypto gdoi group GETVPNGROUP
Group Name: GETVPNGROUP (Multicast)
Group Identity: 67890
Group Members: 2
IPSec SA Direction: Both
Active Group Server: Local
Group Rekey Lifetime: 86400 secs
Rekey Retransmit Period: 10 secs
Rekey Retransmit Attempts: 2
IPSec SA Number: 10
IPSec SA Rekey Lifetime: 3600 secs
Profile Name: GETPROFILE
Replay method: Count Based
Replay Window Size: 64
SA Rekey Remaining Lifetime: 1998 secs
ACL Configured: access-list 101
Group Server list: Local
NB: some other tests have two answers highlighted; the question does not ask for (Choose Two), so we must assume only one selection is correct.
QUESTION 61
CORRECT TEXT

A.
B.
C.
D.

Correct Answer: Section: (none) Explanation
Explanation/Reference:
Answer: R1# show crypto map -or- R1# show crypto isakmp key
Explanation: R1 is the only group member that you can access, so it is assumed this is the only group member.
R1#show crypto map
Crypto Map “CMAP” 10 gdoi
Group Name: GETVPNGROUP
identity number 67890
server address ipv4 192.168.1.2
Interfaces using crypto map CMAP:

QUESTION 62
Which protocol is EAP encapsulated in for communications between the authenticator and the authentication server?
A. EAP-MD5
B. IPsec
C. EAPOL
D. RADIUS

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
Note: EAPOL is used between the supplicant and the authenticator, while RADIUS is used between the authenticator and the authentication server.


QUESTION 63
You are loading a basic IPS signature package onto a Cisco router. After a period of time, you see this message:
%IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 275013 ms.
What do you expect happened during downloading and compilation of the files?
A. The files were successfully copied with an elapsed time of 275013 ms. The router will continue with extraction and compilation of the signature database.
B. The signature engines were compiled, but there is no indication that the actual signatures were compiled.
C. The compilation failed for some of the signature engines. There are 16 engines, but only 6 were completed according to the %IPS-6 message.
D. The files were compiled without error.

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd805c4ea8.html
QUESTION 64
Refer to the exhibit. Given the configuration shown, which of these statements is correct?

A. An external service is providing URL filtering via a subscription service.
B. All HTTP traffic to websites with the name “Gambling” included in the URL will be reset.
C. A service policy on the zone pair needs to be configured in the opposite direction or all return HTTP traffic will be blocked by policy
D. The URL filter policy has been configured in a fail-closed scenario.

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 65
DRAG DROP

A.
B.
C.
D.

Correct Answer: Section: (none) Explanation
Explanation/Reference:

Explanation:


Page 453 – CCNP Security Guide – Initial State
In its initial state, the network is purely hub-and-spoke and can stay that way if desired.

The initial network properties are:

QUESTION 66
Refer to the exhibit. Which two of these are most likely to have caused the issue with NHRP, given this output of the show command? (Choose two.)

A. There was a network ID mismatch.
B. The spoke router has not yet sent a request via Tunnel0.
C. The spoke router received a malformed NHRP packet.
D. There was an authentication key mismatch.
E. The registration request was expecting a return request ID of 1201, but received an ID of 120.

Correct Answer: AD Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 67
DRAG DROP

A.
B.
C.
D.

Correct Answer: Section: (none) Explanation
Explanation/Reference:

Explanation:
QUESTION 68
You have configured a guest VLAN using 802.1X on a Cisco Catalyst switch. A client incapable of using 802.1X has accessed the port and has been assigned to the guest VLAN. What happens when a client capable of using 802.1X joins the network on the same port?
A. The client capable of using 802.1X is allowed access and proper security policies are applied to the client.
B. EAPOL packets will not be allowed on the guest VLAN and the access attempt will fail.
C. The port is put into the unauthorized state in the user-configured access VLAN, and authentication is restarted.
D. This is considered a security breach by the authentication server and all users on the access port will be placed into the restricted VLAN.

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: Usage Guidelines for Using Authentication Failed VLAN Assignment: when an authentication-failed port is moved to an unauthorized state, the authentication process is restarted. If you fail the authentication process again, the authenticator waits in the held state. After you have correctly reauthenticated, all 802.1x ports are reinitialized and treated as normal 802.1x ports. http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/dot1x.html#wp1198927
QUESTION 69
Refer to the exhibit. What can be determined from the information shown?

A. The user has been restricted to privilege level 1.
B. The standard access list should be reconfigured as an extended access list to allow desired user permissions
C. RBAC has been configured with restricted views.
D. IP access list DMZ_ACL has not yet been configured with proper permissions.

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 70
Refer to the exhibit. Assuming that all other supporting configurations are correct, what can be determined from the partial IP admission configuration shown?

A. The router will forward authentication requests to a AAA server for authentication and authorization.
B. The user maint3nanc3 will have complete CLI command access once authenticated.
C. After a period of 20 minutes, the user will again be required to provide authentication credentials.
D. The authentication proxy will fail, because the router’s HTTP server has not been enabled.
E. All traffic entering interface G0/1 will be intercepted for authentication, but only Telnet traffic will be authorized.

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 71
What will the authentication event fail retry 0 action authorize vlan 300 command accomplish?
A. assigns clients that fail 802.1X authentication into the restricted VLAN 300
B. assigns clients to VLAN 300 and attempts reauthorization
C. assigns a client to the guest VLAN 300 if it does not receive a response from the client to its EAPOL request/identity frame
D. locks out a user who fails an 802.1X authentication and does not allow the user to try to gain network access again for 300 seconds

Correct Answer: A Section: (none) Explanation

Explanation/Reference:
Explanation:
QUESTION 72
DRAG DROP

A.
B.
C.
D.

Correct Answer: Section: (none) Explanation
Explanation/Reference:

Explanation:

http://www.slideshare.net/CiscoSystems/ccsp-effective-deployment-of-cisco-asa-access-control
QUESTION 73
When you are configuring a DMVPN network, which tunnel mode should you use for the hub router configuration?
A. GRE multipoint
B. Nonbroadcast multiaccess
C. Classic point-to-point GRE
D. IPsec multipoint

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation: http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_2_Phase2.html
The hub-and-spoke deployment model is the most common deployment model. This model is the most scalable, and predominately mimics traditional Layer 2 leased line, Frame Relay, or ATM hub-and-spoke networks. The headend is configured with a multipoint GRE (mGRE) interface, and the branch with a point-to-point (p2p) GRE interface.
QUESTION 74
Which Cisco IOS feature provides secure, on-demand meshed connectivity?
A. DMVPN
B. Easy VPN
C. IPsec VPN
D. mGRE

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 75
You have configured a Cisco router to act as a PKI certificate server. However, you are experiencing problems starting the server. You have verified that all CA parameters have been correctly configured. What is the next step you should take in troubleshooting this problem?
A. Disable and restart the router’s HTTP server function
B. Enable the SCEP interface
C. Verify the RSA key pair and generate new keys
D. Verify that the correct time is being used and sources are reachable

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: There are others who prefer the answer from the previous dump. However, the question clearly states “You have verified that all CA parameters have been correctly configured”. So if the configuration is correct, why would you enable the SCEP interface again? The best answer is to verify that the correct time is being used and sources are reachable.
Having synchronized time is vital for PKI, but PKI does not require that the time be extremely accurate. Time synchronization issues can cause certificate validation failures if the current time on the VPN device is outside the validity range of the CA certificate.
QUESTION 76
Which three of these are features of data plane security on a Cisco ISR? (Choose three)
A. uRPF
B. NetFlow export
C. FPM
D. CPPr
E. RBAC
F. routing protocol filtering

Correct Answer: ABC Section: (none) Explanation
Explanation/Reference:
Explanation: http://ptgmedia.pearsoncmg.com/images/9781587142802/samplepages/1587142805.pdf
QUESTION 77
What will the authentication event fail retry 0 action authorize vlan 300 command accomplish?
A. assigns clients that fail 802.1X authentication into the restricted VLAN 300
B. assigns clients to VLAN 300 and attempts reauthorization
C. assigns a client to the guest VLAN 300 if it does not receive a response from the client to its EAPOL request/identity frame
D. locks out a user who fails an 802.1X authentication and does not allow the user to try to gain network access again for 300 seconds

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 78
When you are configuring DHCP snooping, how should you classify access ports?
A. untrusted
B. trusted
C. promiscuous
D. private

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 79
When configuring URL filtering with the Trend Micro filtering service, which of these steps must you take to prepare for configuration?
A. define blacklists and whitelists
B. categorize traffic types
C. install the appropriate root CA certificate on the router
D. synchronize clocks via NTP to ensure accuracy of URL filter updates from the service

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6643/white_paper_c89-492776.pdf
QUESTION 80
Which of these is correct regarding the functionality of DVTI tunnels?
A. DVTI tunnels are created dynamically from a preconfigured template as tunnels are established to the hub.
B. The hub router needs a static DVTI tunnel to each spoke router in order to establish remote communications from spoke to spoke.
C. Spoke routers require a virtual template to clone the configuration on which the DVTI tunnel is established.
D. DVTI tunnels appear on the hub as tunnel interfaces.

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.pdf
QUESTION 81
When implementing GET VPN, which of these is a characteristic of GDOI IKE?
A. GDOI IKE sessions are established between all peers in the network.
B. Security associations do not need to linger between members once a group member has authenticated to the key server and obtained the group policy.
C. Each pair of peers has a private set of IPsec security associations that is only shared between the two peers.
D. GDOI IKE uses UDP port 500.

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/deployment_guide_c07_554713.pdf
QUESTION 82
DRAG DROP
A.

B.
C.
D.

Correct Answer: Section: (none) Explanation
Explanation/Reference:

Explanation:

QUESTION 83
DRAG DROP

A.
B.
C.
D.

Correct Answer: Section: (none) Explanation
Explanation/Reference:

Explanation:
Step 1 The VPN Client initiates IKE Phase 1.
Step 2 The VPN Client establishes an ISAKMP SA.
Step 3 The Easy VPN Server accepts the SA proposal.
Step 4 The Easy VPN Server initiates a username and password challenge.
Step 5 The mode configuration process is initiated.
Step 6 The RRI process is initiated.
Step 7 IPSec quick mode completes the connection process

QUESTION 84
Which of these are the two types of keys used when implementing GET VPN? (Choose two)
A. public key
B. group encryption
C. traffic encryption key
D. pre-shared key
E. key encryption
F. private key

Correct Answer: CE Section: (none) Explanation
Explanation/Reference:
Explanation:
QUESTION 85
CORRECT TEXT
Scenario:
You have been given the task of performing initial zone-based policy firewall configurations. You will need to create zones, assign the zones to specific interfaces, and create zone pairs to allow for traffic flow between interfaces. You will also need to define a zone-based policy firewall and assign the policy to the zone pair. To access the router console ports, refer to the exhibit, click the router for access, and perform the following tasks.

Note that when performing the configuration, you should use the exact names highlighted in bold below:
· Globally create zones and label them with the following names:
· OUTSIDE
· INSIDE
· Assign interfaces to zones as indicated in the exhibit
· Create a zone pair for traffic flowing from the inside to outside zones named IN-TO-OUT
· Define a zone-based firewall policy named IN-TO-OUT-POLICY
· Use the “match protocol” classification option to statefully inspect HTTP traffic and drop all other traffic
· Use a class-map named HTTP_POLICY
· Apply zone-based firewall policy IN-TO-OUT-POLICY to the zone pair
A.
B.
C.
D.

Correct Answer: Section: (none) Explanation
Explanation/Reference:
Answer: First we divide the network into 2 zones: INSIDE and OUTSIDE.
Router(config)#zone security INSIDE
Router(config)#zone security OUTSIDE
Router(config)#interface fa0/0/1
Router(config-if)#no shutdown
Router(config-if)#zone-member security INSIDE
Router(config)#interface fa0/0/0
Router(config-if)#no shutdown
Router(config-if)#zone-member security OUTSIDE
Router(config)#class-map type inspect match-any HTTP_POLICY
Router(config-cmap)#match protocol http
Router(config)#policy-map type inspect IN-TO-OUT-POLICY
Router(config-pmap)#class type inspect HTTP_POLICY
Router(config-pmap-c)#inspect
Router(config)#zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
Router(config-sec-zone-pair)#service-policy type inspect IN-TO-OUT-POLICY

Cisco 642-637 Exam Certification Guide is part of a recommended study program from Cisco 642-637 Exam that includes simulation and hands-on training from authorized Cisco 642-637 Exam Learning Partners and self-study products from Cisco 642-637 Exam. Find out more about instructor-led, e-learning, and hands-on instruction offered by authorized Cisco 642-637 Exam Learning Partners worldwide.