[Free] Download New Updated (December) Cisco 640-554 Exam Questions 81-90

Ensurepass

QUESTION 81

Refer to the exhibit and partial configuration. Which statement is true?

 

[Exhibit: clip_image002 (image not reproduced in this text)]

 

A. All traffic destined for network 172.16.150.0 will be denied due to the implicit deny all.
B. All traffic from network 10.0.0.0 will be permitted.
C. Access-list 101 will prevent address spoofing from interface E0.
D. This is a misconfigured ACL resulting in traffic not being allowed into the router in interface S0.
E. This ACL will prevent any host on the Internet from spoofing the inside network address as the source address for packets coming into the router from the Internet.

 

Correct Answer: C

Explanation:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml

 

Transit ACL Sections

In general, a transit ACL is composed of four sections.

Special-use address and anti-spoofing entries that deny illegitimate sources, and that deny packets with source addresses belonging to your own network from entering the network from an external source. Note: RFC 1918 defines reserved address space that is not a valid source address on the Internet. RFC 3330 defines special-use addresses that might require filtering. RFC 2827 provides anti-spoofing guidelines.

Explicitly permitted return traffic for internal connections to the Internet

Explicitly permitted externally sourced traffic destined to protected internal addresses

Explicit deny statement. Note: Although all ACLs contain an implicit deny statement, Cisco recommends the use of an explicit deny statement, for example, deny ip any any. On most platforms, such statements maintain a count of the number of denied packets, which can be displayed using the show access-list command.

 

 

 

 

 

 

QUESTION 82

You have configured a standard access control list on a router and applied it to interface Serial 0 in an outbound direction. No ACL is applied to Interface Serial 1 on the same router. What happens when traffic being filtered by the access list does not match the configured ACL statements for Serial 0?

 

A. The resulting action is determined by the destination IP address.
B. The resulting action is determined by the destination IP address and port number.
C. The source IP address is checked, and, if a match is not found, traffic is routed out interface Serial 1.
D. The traffic is dropped.

 

Correct Answer: D

Explanation:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml

 

Introduction

This document provides sample configurations for commonly used IP Access Control Lists (ACLs), which filter IP packets based on:

Source address

Destination address

Type of packet

Any combination of these items

In order to filter network traffic, ACLs control whether routed packets are forwarded or blocked at the router interface. Your router examines each packet to determine whether to forward or drop the packet based on the criteria that you specify within the ACL. ACL criteria include:

 

Source address of the traffic

Destination address of the traffic

Upper-layer protocol

Complete these steps to construct an ACL as the examples in this document show:

Create an ACL.

Apply the ACL to an interface.

The IP ACL is a sequential collection of permit and deny conditions that applies to an IP packet. The router tests packets against the conditions in the ACL one at a time.

The first match determines whether the Cisco IOS® Software accepts or rejects the packet. Because the Cisco IOS Software stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the router rejects the packet because of an implicit deny all clause.

 

 

QUESTION 83

Which two statements about IPv6 access lists are true? (Choose two).

 

A. IPv6 access lists support numbered access lists.
B. IPv6 access lists support wildcard masks.
C. IPv6 access lists support standard access lists.
D. IPv6 access lists support named access lists.
E. IPv6 access lists support extended access lists.

 

Correct Answer: DE

Explanation:

Here is the first major difference between IPv4 and IPv6 ACLs: IPv6 supports only extended ACLs. We cannot create a standard (source-only) IPv6 ACL. IPv6 also supports only named (not numbered) ACLs, as the CLI help shows:

Router(config)# ipv6 access-list ?

WORD User selected string identifying this access list

log-update Control access list log updates

Reference: http://packetlife.net/blog/2010/jun/30/ipv6-access-lists-acl-ios/

 

 

QUESTION 84

Which command enables subnet 192.168.8.4/30 to communicate with subnet 192.168.8.32/27 on IP protocol 50?

 

A. permit esp 192.168.8.4 255.255.255.252 192.168.8.32 255.255.255.224
B. permit esp 192.168.8.4 0.0.0.31 192.168.8.32 0.0.0.31
C. permit esp 192.168.8.4 255.255.255.252 224.168.8.32 255.255.255.192
D. permit esp 192.168.8.4 0.0.0.3 192.168.8.32 0.0.0.31

 

Correct Answer: D

Explanation:

Access lists use inverse (wildcard) masks, so a /30 subnet translates to 0.0.0.3, whereas the subnet mask used in static routes would be 255.255.255.252. Similarly, a /27 translates to 0.0.0.31, which is the inverse of the /27 subnet mask 255.255.255.224 used in static routes. IP protocol 50 is ESP, hence the esp keyword.

 

 

QUESTION 85

Which two types of access lists can be used for sequencing? (Choose two.)

 

A. reflexive
B. standard
C. dynamic
D. extended

 

Correct Answer: BD

Explanation:

Users can apply sequence numbers to permit or deny statements and also reorder, add, or remove such statements from a named IP access list. This feature makes revising IP access lists much easier. Prior to this feature, users could add access list entries only to the end of an access list; adding a statement anywhere except the end therefore required reconfiguring the access list entirely.

Restrictions for IP Access List Entry Sequence Numbering

This feature does not support dynamic, reflexive, or firewall access lists.

This feature does not support old-style numbered access lists, which existed before named access lists. Keep in mind that you can name an access list with a number, so numbers are allowed when they are entered in the standard or extended named access list (NACL) configuration mode.

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2s/feature/guide/fsaclseq.html

 

 

QUESTION 86

Which command will block IP traffic to the destination 172.16.0.1/32?

 

A. access-list 101 deny ip host 172.16.0.1 any
B. access-list 101 deny ip any host 172.16.0.1
C. access-list 101 deny ip any any
D. access-list 11 deny host 172.16.0.1

 

Correct Answer: B

Explanation:

Here is a similar example:

Access-list statement: access-list 101 deny ip any host 10.1.1.1

What it matches: Any IP packet, from any source IP address, with a destination IP address of 10.1.1.1

Reference: http://www.proprofs.com/mwiki/index.php/IP_Access_Control_List_Security

 

 

QUESTION 87

How are Cisco IOS access control lists processed?

 

A. Standard ACLs are processed first.
B. The best match ACL is matched first.
C. Permit ACL entries are matched first before the deny ACL entries.
D. ACLs are matched from top down.
E. The global ACL is matched first before the interface ACL.

 

Correct Answer: D

Explanation:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

 

Process ACLs

Traffic that comes into the router is compared to ACL entries based on the order that the entries occur in the router. New statements are added to the end of the list. The router continues to look until it has a match. If no matches are found when the router reaches the end of the list, the traffic is denied. For this reason, you should have the frequently hit entries at the top of the list. There is an implied deny for traffic that is not permitted. A single-entry ACL with only one deny entry has the effect of denying all traffic. You must have at least one permit statement in an ACL or all traffic is blocked. These two ACLs (101 and 102) have the same effect.
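The explanations for questions 82 and 87 describe top-down, first-match evaluation ending in an implicit deny, and questions 84 and 86 turn on wildcard-mask arithmetic. The Python script below is an added example written for this page, not Cisco code and not a full model of IOS; it implements a toy parser for numbered extended ACL entries of the shapes seen on this page (any, host, and address plus wildcard), with an assumed subset of protocol keywords, and evaluates constructed sample packets against a constructed ACL built from the entries in questions 84 and 86.

```python
"""Toy evaluator for Cisco-style numbered extended ACL entries (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Protocol keywords this toy parser understands (assumed subset of what IOS accepts).
PROTO_NUMBERS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "ahp": 51}
ALL_ONES = 0xFFFFFFFF


def ip2int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def wildcard_for_prefix(prefixlen: int) -> int:
    """Inverse (wildcard) mask for a /prefixlen: /30 -> 0.0.0.3, /27 -> 0.0.0.31."""
    return (1 << (32 - prefixlen)) - 1


def wildcard_to_text(wildcard: int) -> str:
    return str(ipaddress.IPv4Address(wildcard))


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: Optional[int]   # None means the "ip" keyword: any IP protocol
    src: int
    src_wc: int
    dst: int
    dst_wc: int
    text: str              # original line, returned so a hit can be reported


def _parse_addr(tokens: List[str]) -> Tuple[int, int, List[str]]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z'; return (base, wildcard, rest)."""
    if tokens[0] == "any":
        return 0, ALL_ONES, tokens[1:]
    if tokens[0] == "host":
        return ip2int(tokens[1]), 0, tokens[2:]
    return ip2int(tokens[0]), ip2int(tokens[1]), tokens[2:]


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    if tokens[:1] == ["access-list"]:   # drop the "access-list 101" prefix if present
        tokens = tokens[2:]
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto not in PROTO_NUMBERS:
        raise ValueError(f"unsupported entry: {line!r}")
    src, src_wc, rest = _parse_addr(tokens[2:])
    dst, dst_wc, _ = _parse_addr(rest)
    return Ace(action, PROTO_NUMBERS[proto], src, src_wc, dst, dst_wc, line.strip())


def addr_matches(addr: int, base: int, wildcard: int) -> bool:
    """A wildcard bit of 1 means 'don't care'; only bits where the wildcard is 0 are compared."""
    care = ~wildcard & ALL_ONES
    return (addr & care) == (base & care)


def evaluate(acl: List[Ace], src: str, dst: str, proto: int) -> Tuple[str, str]:
    """Top-down, first-match evaluation; falling off the end is the implicit deny."""
    s, d = ip2int(src), ip2int(dst)
    for ace in acl:
        if ace.proto is not None and ace.proto != proto:
            continue
        if addr_matches(s, ace.src, ace.src_wc) and addr_matches(d, ace.dst, ace.dst_wc):
            return ace.action, ace.text
    return "deny", "implicit deny (end of list)"


# Constructed sample ACL: the entries from questions 84 and 86 plus an explicit deny.
SAMPLE_ACL_TEXT = """
access-list 101 deny ip any host 172.16.0.1
access-list 101 permit esp 192.168.8.4 0.0.0.3 192.168.8.32 0.0.0.31
access-list 101 deny ip any any
"""
SAMPLE_ACL = [parse_ace(line) for line in SAMPLE_ACL_TEXT.strip().splitlines()]

# Option B from question 84: source wildcard 0.0.0.31 covers 192.168.8.0-31, not only the /30.
TOO_WIDE_ACE = parse_ace("permit esp 192.168.8.4 0.0.0.31 192.168.8.32 0.0.0.31")


if __name__ == "__main__":
    print("/30 wildcard:", wildcard_to_text(wildcard_for_prefix(30)))
    print("/27 wildcard:", wildcard_to_text(wildcard_for_prefix(27)))
    for src, dst, proto in [("192.168.8.5", "192.168.8.40", 50),   # inside both subnets, ESP
                            ("192.168.8.9", "192.168.8.40", 50),   # source outside the /30
                            ("10.0.0.1", "172.16.0.1", 6),         # hits the host deny
                            ("192.168.8.5", "192.168.8.40", 6)]:   # right hosts, wrong protocol
        print(src, "->", dst, "proto", proto, "=>", evaluate(SAMPLE_ACL, src, dst, proto))
    print("same ACL reversed:", evaluate(list(reversed(SAMPLE_ACL)), "192.168.8.5", "192.168.8.40", 50))
    print("option B mask, source 192.168.8.20:", evaluate([TOO_WIDE_ACE], "192.168.8.20", "192.168.8.40", 50))
```

Running the script shows the points the explanations make: the same three entries in reverse order deny everything because the explicit deny is hit first, a packet that matches no entry is dropped by the implicit deny, and the over-wide source wildcard of option B permits hosts outside the /30 that option D correctly excludes.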

 

 

QUESTION 88

Which Cisco management tool provides the ability to centrally provision all aspects of device configuration across the Cisco family of security products?

 

A. Cisco Configuration Professional
B. Security Device Manager
C. Cisco Security Manager
D. Cisco Secure Management Server

 

Correct Answer: C

Explanation:

Cisco Security Manager 4.4 Data Sheet

Cisco Security Manager is a comprehensive management solution that enables advanced management and rapid troubleshooting of multiple security devices. Cisco Security Manager provides scalable, centralized management from which administrators can efficiently manage a wide range of Cisco security devices, gain visibility across the network deployment, and securely share information with other essential network services such as compliance systems and advanced security analysis systems. Designed to maximize operational efficiency, Cisco Security Manager also includes a powerful suite of automated capabilities, such as health and performance monitoring, software image management, auto-conflict detection, and integration with ticketing systems.

Reference: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5739/ps6498/data_sheet_c78-27090.html

 

 

QUESTION 89

You have been tasked by your manager to implement syslog in your network. Which option is an important factor to consider in your implementation?

 

A. Use SSH to access your syslog information.
B. Enable the highest level of syslog function available to ensure that all possible event messages are logged.
C. Log all messages to the system buffer so that they can be displayed when accessing the router.
D. Synchronize clocks on the network with a protocol such as Network Time Protocol.

 

Correct Answer: D

Explanation:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/Baseline_Security/sec_chap5.html

 

Time Synchronization

When implementing network telemetry, it is important that dates and times are both accurate and synchronized across all network infrastructure devices. Without time synchronization, it is very difficult to correlate different sources of telemetry.

 

Enabling Network Time Protocol (NTP) is the most common method of time synchronization.

General best common practices for NTP include:

A common, single time zone is recommended across an entire network infrastructure in order to enable the consistency and synchronization of time across all network devices.

The time source should be from an authenticated, limited set of authorized NTP servers.

Detailed information on NTP and NTP deployment architectures is available in the Network Time Protocol: Best Practices White Paper at the following URL: http://www.cisco.com/warp/public/126/ntpm.pdf

Timestamps and NTP Configuration

In Cisco IOS, the steps to enable timestamps and NTP include:

 

Step 1 Enable timestamp information for debug messages.

Step 2 Enable timestamp information for log messages.

Step 3 Define the network-wide time zone.

Step 4 Enable summertime adjustments.

Step 5 Restrict which devices can communicate with this device as an NTP server.

Step 6 Restrict which devices can communicate with this device as an NTP peer.

Step 7 Define the source IP address to be used for NTP packets.

Step 8 Enable NTP authentication.

Step 9 Define the NTP servers.

Step 10 Define the NTP peers.

Step 11 Enable NTP to update the device hardware clock.

 

 

 

QUESTION 90

Which protocol secures router management session traffic?

 

A. SSTP
B. POP
C. Telnet
D. SSH

 

Correct Answer: D

Explanation:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml

 

Encrypting Management Sessions

 

Because information can be disclosed during an interactive management session, this traffic must be encrypted so that a malicious user cannot gain access to the data being transmitted. Encrypting the traffic allows a secure remote access connection to the device. If the traffic for a management session is sent over the network in cleartext, an attacker can obtain sensitive information about the device and the network. An administrator is able to establish an encrypted and secure remote access management connection to a device by using the SSH or HTTPS (Secure Hypertext Transfer Protocol) features. Cisco IOS software supports SSH version 1.0 (SSHv1), SSH version 2.0 (SSHv2), and HTTPS that uses Secure Sockets Layer (SSL) and Transport Layer Security (TLS) for authentication and data encryption. Note that SSHv1 and SSHv2 are not compatible.

 

Cisco IOS software also supports the Secure Copy Protocol (SCP), which allows an encrypted and secure connection for copying device configurations or software images. SCP relies on SSH. This example configuration enables SSH on a Cisco IOS device:

!
ip domain-name example.com
!
crypto key generate rsa modulus 2048
!
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh source-interface GigabitEthernet 0/1
!
line vty 0 4
transport input ssh
!
