Cisco 642-501 Questions And Answers, Sale Discount Cisco 642-501 Question Description Is What You Need To Take



QUESTION 60
Which command can you use to disable finger replies on a perimeter router?
A. The no finger command
B. The no finger reply command
C. The disable finger command
D. The no service finger command

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Cisco routers provide an implementation of the “finger” service, which is used to find out which users are logged into a network device. Although this information isn’t usually tremendously sensitive, it can sometimes be useful to an attacker. The “finger” service may be disabled with the command no service finger.
QUESTION 61
How do you enable the Nagle algorithm on an IOS router?
A. ip nagle
B. service nagle
C. enable service nagle
D. enable ip nagle

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
Use the global configuration mode command service nagle to enable the TCP congestion Nagle algorithm.
The Nagle algorithm attempts to bunch traffic into fewer TCP packets, thus saving on bandwidth. This
command is disabled by default.

QUESTION 62
Which of the following router commands will prevent a router from giving an attacker a valid IP address via DHCP?
A. no tcp-dhcp-servers
B. no service dhcp
C. no ip dhcp servers
D. no dhcp server

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
The IOS global configuration command no service dhcp prevents the router from responding to DHCP requests on all interfaces. It cannot be disabled on only selected interfaces; if you need to allow this service, restrict it with appropriate ACLs instead.

QUESTION 63
What is IP spoofing?
A. altering the source ip address in packets
B. sending large amounts of icmp packets to a broadcast address
C. altering ip routing tables
D. packet sniffing

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation: IP spoofing occurs when an attacker alters the source IP address of network packets, usually in an attempt to bypass access lists or to launch a DoS against the real owner of that source address.
QUESTION 64
What is the global IOS command that disables Cisco Discovery Protocol (CDP) completely?
A. no cdp enable
B. no cdp server
C. no cdp process
D. no cdp start
E. no cdp run

Correct Answer: E Section: (none) Explanation
Explanation/Reference:
Explanation:
Use the global configuration command no cdp run to disable CDP on all router interfaces. To disable CDP
on an interface basis, go into interface configuration mode and enter no cdp enable.

QUESTION 65
Exhibit:

You are the administrator at Certkiller Inc. and you need to add an ACL statement to protect against address spoofing when applied inbound on the external interface of the perimeter router. Which one of these commands is correct?
A. access-list 101 deny IP 162.16.1.0 0.0.0.255 0.0.0.0 255.255.255.255
B. access-list 101 deny UDP 162.16.1.0 255.255.0.0 0.0.0.0 255.255.255.255
C. access-list 101 deny IP 162.16.1.0 255.255.255.0 0.0.0.0 255.255.255.255
D. access list 101 permit IP 162.16.1.0 255.255.0.0 0.0.0.0 255.255.255.255

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
access-list 101 deny IP 162.16.1.0 0.0.0.255 0.0.0.0 255.255.255.255
This access-list command denies packets whose source address falls within 162.16.1.0 0.0.0.255 (the internal network) arriving from any destination (0.0.0.0 255.255.255.255). Applied inbound on the external interface, it drops packets from the Internet that claim an internal source address, which is the signature of address spoofing.

Reference:
Managing Cisco Network Security (Ciscopress), Appendix C

QUESTION 66
Exhibit:

Greg has just started working as the security administrator at Certkiller Inc. His manager asked him to prevent Internet users from pinging the PIX. Which ACL statement should be configured on the external interface of the perimeter router?

A. access-list 102 deny tcp any 162.16.1.1 0.0.0.0
B. access-list 102 permit tcp any 162.16.1.1 0.0.0.0 echo
C. access-list 102 deny icmp any 162.16.1.1 0.0.0.0 echo-reply
D. access-list 102 deny icmp any 162.16.1.1 0.0.0.0 echo

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
The echo keyword at the end of the command matches ICMP echo requests (pings); denying them prevents Internet hosts from pinging the PIX.

Reference:
Managing Cisco Network Security (Ciscopress), page 728

QUESTION 67
John the administrator is working on defending the network against attack. He needs to know which Cisco IOS feature defends against an unauthorized access attempt. Which one is it?
A. IKE
B. IPSO
C. TCP intercept
D. IOS ACLs
E. CBAC

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
An access list controls who can enter and leave the network when it is applied to an interface of a perimeter router.
QUESTION 68
Which command will you advise the Certkiller trainee technician to use to apply an access list to a router interface?
A. ip access-list
B. ip access-class
C. ip access-group
D. apply access-list

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Cisco Self-Study CCSP SECUR page 210
QUESTION 69
Which of the following IOS commands will enable turbo access lists?
A. turbo acl
B. fast ip acls
C. acl turbo
D. access-list compiled
E. all of the above

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1834/products_feature_guide09186a0080080374.html#1019763
QUESTION 70
What are the ACL number ranges for IP standard ACLs? Select all that apply.
A. 1-99
B. 100-199
C. 1300-1999
D. 800-1299

Correct Answer: AC Section: (none) Explanation
Explanation/Reference:
Explanation:
IP standard access lists can be numbered from 1-99 or from the expanded range of 1300-1999.

QUESTION 71
Which of the following correctly applies ACL 101 inbound on an interface?
A. ip access-class 101 inbound
B. ip access-group 101 in
C. ip access-list 101 in
D. ip access-range 101 inbound
E. ip access-group 101 inbound
F. ip access-list 101 inbound
G. ip access-class 101 in
H. ip access-range 101 in

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
After creating an access list, you must apply it to an interface with the ip access-group command in interface configuration mode, specifying the direction of traffic to filter with the in or out keyword.

QUESTION 72
Which of the following can be an IP extended ACL? Select all that apply.
A. ACL 3601
B. ACL 99
C. ACL 1401
D. ACL 100
E. ACL 2101

Correct Answer: DE Section: (none) Explanation
Explanation/Reference:
Explanation:
An IP extended ACL can be numbered within any of the following ranges: 100-199, 2000-2699.

QUESTION 73
Which of the following commands correctly references access list 120 in a crypto map?
A. Router(config-crypto-map)#match address 120
B. Router(config-crypto-map)#set peer 120
C. Router(config-crypto-map)#set list 120
D. Router(config-crypto-map)#match list 120

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
After defining a crypto map and entering crypto map configuration mode, you must specify the traffic that needs encryption by defining it in an access list and referencing that list with the match address (acl) command.

QUESTION 74
John and Kathy are working on configuring the IOS firewall together. They are figuring out what CBAC uses for inspection rules to configure on a per-application protocol basis. Which one of these is the correct one?
A. ODBC filtering
B. Tunnel, transport models, or both
C. Alerts and audit trails
D. Stateful failover

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: CBAC also generates real-time alerts and audit trails. Enhanced audit trail features use SYSLOG to track all network transactions. Real-time alerts send SYSLOG error messages to central management consoles upon detecting suspicious activity. Using CBAC inspection rules, you can configure alerts and audit trail information on a per-application protocol basis.
Reference: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c1.ht
QUESTION 75
You are the security administrator for Certkiller and you need to know what CBAC does on the Cisco IOS Firewall. Which one of these is the best answer?
A. Creates specific security policies for each user at Certkiller Inc.
B. Provides additional visibility at intranet, extranet, and Internet perimeters at Certkiller Inc.
C. Protects the network from internal attacks and threats at Certkiller Inc.
D. Provides secure, per-application access control across network perimeters at Certkiller Inc.

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
Context-based Access Control (CBAC) examines not only network-layer and transport-layer information, but also application-layer protocol information (such as FTP control data) to learn about the state of TCP and UDP connections. CBAC maintains connection state information for individual connections. This state information is used to make intelligent decisions about whether packets should be permitted or denied, and to dynamically create and delete temporary openings in the firewall.

Reference:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guide_chapter09186a00800d9815.ht

QUESTION 76
Paul the security administrator is working to fight against DoS attacks. He has a lot of work to do, starting with knowing which three thresholds CBAC on the Cisco IOS Firewall provides against DoS attacks. (Choose three)
A. Number of fully open sessions based upon time.
B. Number of half-open sessions based upon time.
C. Total number of half-open TCP or UDP sessions.
D. Total number of fully open TCP or UDP sessions.
E. Number of fully open TCP-only sessions per host.
F. Number of half-open TCP-only sessions per host.

Correct Answer: BCF Section: (none) Explanation
Explanation/Reference:
Half-open sessions: An unusually high number of half-open sessions (connection requests that are not completed) could indicate that a DoS attack is occurring or that someone is conducting a port scan. CBAC measures both the total number of half-open sessions and the rate of session establishment attempts. It counts total TCP and UDP half-open sessions and measures the rate of half-open session establishment once per minute. When the number of existing half-open sessions exceeds the max-incomplete high number, CBAC deletes half-open sessions as required to accommodate new connection requests. The software continues to delete half-open requests until the number of existing half-open sessions drops below the max-incomplete low number.

Reference:
Managing Cisco Network Security (Ciscopress) page 273

QUESTION 77
Which of the following represents the aggressive mode of CBAC in Cisco IOS firewall?
A. Delete all half-open session
B. Re-initiate half open session
C. Complete all half open sessions, make the full open session
D. Delete half-open session as needed to accommodate new connection requests

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
A TCP SYN attack occurs when an attacking source host generates TCP SYN packets with random source addresses and sends them in rapid succession to a victim host. The victim destination host sends a SYN ACK back to the random source address and adds an entry to the connection queue. Since the SYN ACK is destined for an incorrect or nonexistent host, the acknowledgment is never completed and the entry remains in the connection queue until a timer expires. The connection queue fills up and legitimate users cannot use TCP services. However, with CBAC, TCP packets flow from the outside only in response to traffic sent from the inside. The attacking host can’t get its packets through, and the attack does not succeed. In addition, by inspecting inbound on the external interface (interface serial 0 in the example above), CBAC can account for half-open connections through the firewall and begin closing those half-open connections in an aggressive mode. The firewall will calm down once the number of half-open connections settles down to a user-defined value.
QUESTION 78
What role does CBAC play?
A. CBAC creates a temporary opening in the firewall’s ACLs to allow return traffic and additional data connections for permissible sessions.
B. Nothing.

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation: CBAC creates temporary openings in ACLs at Cisco IOS firewall interfaces. These openings are created when specified traffic exits your internal network through the Cisco IOS firewall. The openings allow returning traffic that would normally be blocked. The traffic is allowed back through the Cisco IOS firewall only if it is part of the same session as the original traffic that triggered CBAC when exiting through the Cisco IOS firewall.
Reference: CCSP SECUR student guide p.237
QUESTION 79
What could be the reason why an authentication attempt to a CSACS for Windows server failed yet no log entries are in the report? (Choose two)
A. the password has expired
B. user entered an incorrect password
C. Communication path between the NAS and Cisco Secure ACS server is down
D. User is not defined
E. User belongs to a different group
F. CSAuth service is down on the Cisco Secure ACS Server

Correct Answer: CF Section: (none) Explanation
QUESTION 80
What OSI layers can CBAC filter on? Select all that apply.
A. layer 4
B. layer 3
C. layer 2
D. layer 7

Correct Answer: ABD Section: (none) Explanation
Explanation/Reference:
Explanation:
Access lists can filter traffic based on layer 3 and layer 4 information, while CBAC can filter traffic based on layer 3, layer 4, and layer 7 (application-layer) information.

QUESTION 81
By default how long will CBAC monitor an idle TCP session in the state table before deleting the entry?
A. 60 minutes
B. 5 minutes
C. 30 seconds
D. 20 minutes

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
The default CBAC global TCP idle session timeout value is 3600 seconds (60 minutes). This can be
overridden for specific protocols.

QUESTION 82
Which of the following cannot be configured on a router unless the IOS Firewall feature set is installed? Select all that apply.
A. PAM
B. Authentication Proxy
C. IDS
D. CBAC

Correct Answer: ABCD Section: (none) Explanation
Explanation/Reference:
Explanation:
CBAC, PAM, IDS, and Authentication Proxy are the four main components of the Cisco IOS Firewall and cannot be configured until the IOS Firewall feature set is installed on the router.

QUESTION 83
Which of the following access lists is CBAC unable to alter? Select all that apply.
A. ACL 1335
B. ACL 35
C. ACL 135
D. ACL 2335

Correct Answer: AB Section: (none) Explanation
Explanation/Reference:
Explanation:
CBAC does not alter standard IP access lists. Only an extended access list can be used to get the benefit
of CBAC traffic filtering.

QUESTION 84
By default, how many half-open sessions need to be in the state table before CBAC begins to delete half-open sessions?
A. 500
B. 250
C. 1000
D. 2000
E. 100
F. 50

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
By default, CBAC begins to delete half-open sessions when there are 500 in the state table. It keeps deleting half-open sessions until the count drops to the minimum half-open sessions threshold (default 400).

QUESTION 85
Which of the following encryption protocols can the Cisco IOS Firewall support? Select all that apply.
A. CAST
B. Twofish
C. DES
D. 3DES
E. AES

Correct Answer: CDE Section: (none) Explanation
Explanation/Reference:
Explanation:
The Cisco IOS Firewall can support DES (56-bit), 3DES (168-bit), and AES (128-, 192-, and 256-bit) encryption for VPN tunnels.

QUESTION 86
Which of the following dynamically alters access lists?
A. CBAC
B. IPSEC
C. Kerberos
D. AAA

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
CBAC monitors traffic and dynamically alters access lists to allow specified return traffic. CBAC then
dynamically closes the hole(s) in the access list(s) once the session is finished.

QUESTION 87
What is the command to enable logging to all configured destinations (other than the console) on a router?
A. logging facility
B. logging enable
C. logging on
D. logging server
E. logging messages
F. logging enabled

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
The logging on command enables logging to destinations other than the console port, such as the internal buffer, terminal monitor (telnet/vty lines), or a syslog server.

QUESTION 88
How many IDS signatures can the Cisco IOS Firewall scan for?
A. 207
B. 59
C. 426
D. 12

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
The IDS component of the Cisco IOS Firewall can monitor for 59 different attack signatures.

QUESTION 89
Which of the following will happen during the aggressive mode of the CBAC on the Cisco IOS Firewall?
A. CBAC will delete all half-open sessions.
B. CBAC will re-initiate half-open sessions.
C. CBAC will complete all half-open sessions, making them fully open sessions.
D. CBAC will delete half-open sessions as needed to accommodate new connections requests.

Correct Answer: D Section: (none) Explanation
QUESTION 90
Kathy from the security department at Certkiller Inc. wants to know what a half-open TCP session on the Cisco IOS Firewall means.
A. Session was denied.
B. Session has not reached the established state.
C. Three-way handshake has been completed.
D. Firewall detected return traffic.

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a denial-of-service attack is occurring. For TCP, “half-open” means that the session has not reached the established state. For UDP, “half-open” means that the firewall has detected traffic from one direction only.
Reference: http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_command_reference_chapter09186a00800d9806.h
QUESTION 91
What command configures the amount of time CBAC will wait for a TCP session to become established before dropping the connection in the state table?
A. ip inspect global syn-establish (seconds)
B. ip inspect tcp global syn-time (seconds)
C. ip inspect global tcp syn (seconds)
D. ip inspect tcp synwait-time (seconds)

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
Use the IOS Firewall global configuration mode command ip inspect tcp synwait-time (seconds) to set the CBAC timeout value for TCP session establishment. The default is 30 seconds.

QUESTION 92
How do you configure the CBAC global UDP idle session timeout?
A. ip inspect udp-session-timeout (seconds)
B. ip inspect udp-idle (seconds)
C. ip inspect udp-timeout (seconds)
D. ip inspect udp idle-time (seconds)

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
Set the global UDP idle session state table timeout value with the ip inspect udp idle-time (seconds) command. This global value (along with the global TCP idle timeout) can be overridden on a per-protocol basis.

QUESTION 93
How do you set the threshold of half-open sessions CBAC will allow per minute before deleting them?
A. ip inspect one-minute incomplete (number)
B. ip inspect one-minute (number)
C. ip inspect one-minute high (number)
D. ip inspect one-minute high incomplete (number)
E. ip inspect max-incomplete minute high (number)

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
This command sets the number of new half-open connections per minute that CBAC will allow before it begins deleting them. The default is 500 per minute.

QUESTION 94
Which of the following commands will alter the CBAC DNS timeout timer to 10 seconds?
A. ip inspect dns-server-timeout 10
B. ip inspect dns-server-timer 10
C. ip inspect dns-timeout 10
D. ip inspect dns-timer 10

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
To configure the time CBAC will keep a DNS session open in the state table, use the global configuration
command ip inspect dns-timeout (seconds). The default is five seconds.

QUESTION 95
If CBAC is configured to inspect telnet traffic on an interface, how should outbound telnet traffic be configured in any ACLs?
A. outbound telnet should be permitted in any ACLs
B. outbound telnet should be denied in any ACLs
C. telnet should not be referenced at all in the ACL
D. outbound telnet should be denied only if inbound telnet is allowed

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
ACLs need to permit the initial outbound traffic. If the traffic is not allowed outbound, CBAC never sees the session and so cannot monitor it or open the temporary entries needed for the return traffic.
