We provide thoroughly reviewed Cisco 642-825 training resources for the Cisco 642-825 test.
Exam A
QUESTION 1
Which two statements about common network attacks are true? (Choose two.)
A. Access attacks can consist of password attacks, trust exploitation, port redirection, and man-in-the-middle attacks.
B. Access attacks can consist of password attacks, ping sweeps, port scans, and man-in-the-middle attacks.
C. Access attacks can consist of packet sniffers, ping sweeps, port scans, and man-in-the-middle attacks.
D. Reconnaissance attacks can consist of password attacks, trust exploitation, port redirection and Internet information queries.
E. Reconnaissance attacks can consist of packet sniffers, port scans, ping sweeps, and Internet information queries.
F. Reconnaissance attacks can consist of ping sweeps, port scans, man-in-middle attacks and Internet information queries.
Correct Answer: AE
QUESTION 2
Which three statements are correct about MPLS-based VPNs? (Choose three.)
A. Route Targets (RTs) are attributes attached to a VPNv4 BGP route to indicate its VPN membership.
B. Scalability becomes challenging for a very large, fully meshed deployment.
C. Authentication is done using a digital certificate or pre-shared key.
D. A VPN client is required for client-initiated deployments.
E. A VPN client is not required for users to interact with the network.
F. An MPLS-based VPN is highly scalable because no site-to-site peering is required.
Correct Answer: AEF
QUESTION 3
Refer to the exhibit. Which two statements about the AAA configuration are true? (Choose two.)
A. A good security practice is to have the none parameter configured as the final method used to ensure that no other authentication method will be used.
B. If a TACACS+ server is not available, then a user connecting via the console port would not be able to gain access since no other authentication method has been defined.
C. If a TACACS+ server is not available, then the user Bob could be able to enter privileged mode as long as the proper enable password is entered.
D. The aaa new-model command forces the router to override every other authentication method previously configured for the router lines.
E. To increase security, group radius should be used instead of group tacacs+.
F. Two authentication options are prescribed by the displayed aaa authentication command.
Correct Answer: DF
QUESTION 4
What are the two main features of Cisco IOS Firewall? (Choose two.)
A. TACACS+
B. AAA
C. Cisco Secure Access Control Server
D. Intrusion Prevention System
E. Authentication Proxy
Correct Answer: DE
QUESTION 5
What three features does Cisco Security Device Manager (SDM) offer? (Choose three.)
A. smart wizards and advanced configuration support for NAC policy features
B. single-step mitigation of Distributed Denial of Service (DDoS) attacks
C. one-step router lockdown
D. security auditing capability based upon CERT recommendations
E. multi-layered defense against social engineering
F. single-step deployment of basic and advanced policy settings
Correct Answer: ACF
QUESTION 6
What are two principles to follow when configuring ACLs with IOS Firewall? (Choose two.)
A. Prevent traffic that will be inspected by IOS Firewall from leaving the network through the firewall.
B. Configure extended ACLs to prevent IOS Firewall return traffic from entering the network through the firewall.
C. Configure an ACL to deny traffic from the protected networks to the unprotected networks.
D. Permit broadcast messages with a source address of 255.255.255.255.
E. Allow traffic that will be inspected by IOS Firewall to leave the network through the firewall.
Correct Answer: BE
QUESTION 7
Which three MPLS statements are true? (Choose three.)
A. Cisco Express Forwarding (CEF) must be enabled as a prerequisite to running MPLS on a Cisco router.
B. Frame-mode MPLS inserts a 32-bit label between the Layer 3 and Layer 4 headers.
C. MPLS is designed for use with frame-based Layer 2 encapsulation protocols such as Frame Relay, but is not supported by ATM because of ATM fixed-length cells.
D. OSPF, EIGRP, IS-IS, RIP, and BGP can be used in the control plane.
E. The control plane is responsible for forwarding packets.
F. The two major components of MPLS include the control plane and the data plane.
Correct Answer: ADF
QUESTION 8
Which statement is true about an IPsec/GRE tunnel?
A. The GRE tunnel source and destination addresses are specified within the IPsec transform set.
B. An IPsec/GRE tunnel must use IPsec tunnel mode.
C. GRE encapsulation occurs before the IPsec encryption process.
D. Crypto map ACL is not needed to match which traffic will be protected.
Correct Answer: C
QUESTION 9
Which two statements are true about the configuration of the Cisco IOS Firewall using the SDM? (Choose two.)
A. Cisco IOS Firewall features may be configured by choosing the Additional Tasks wizard.
B. Firewall policies can be viewed from the Home screen of the SDM.
C. To simplify the Firewall configuration task, the SDM provides Basic Firewall, Intermediate Firewall, and Advanced Firewall wizards.
D. The Basic Firewall Configuration wizard applies default access rules to the inside (trusted), outside (untrusted) and DMZ interfaces.
E. The Advanced Firewall Configuration wizard applies access rules to the inside (trusted), outside (untrusted) and DMZ interfaces.
Correct Answer: BE
QUESTION 10
Refer to the exhibit. On the basis of the partial configuration, which two statements are true? (Choose two.)
A. A CBAC inspection rule is configured on router RTA.
B. A named ACL called SDM_LOW is configured on router RTA.
C. A QoS policy has been applied on interfaces Serial 0/0 and FastEthernet 0/1.
D. Interface Fa0/0 should be the inside interface and interface Fa0/1 should be the outside interface.
E. On interface Fa0/0, the ip inspect statement should be incoming.
F. The interface commands ip inspect SDM_LOW in allow CBAC to monitor multiple protocols.
Correct Answer: AF
QUESTION 11
Which two statements describe the functions and operations of IDS and IPS systems? (Choose two.)
A. A network administrator entering a wrong password would generate a true-negative alarm.
B. A false positive alarm is generated when an IDS/IPS signature is correctly identified.
C. An IDS is significantly more advanced over IPS because of its ability to prevent network attacks.
D. Cisco IDS works inline and stops attacks before they enter the network.
E. Cisco IPS taps the network traffic and responds after an attack.
F. Profile-based intrusion detection is also known as “anomaly detection”.
Correct Answer: BF
QUESTION 12
What should a security administrator who uses SDM consider when configuring the firewall on an interface that is used in a VPN connection?
A. The firewall must permit traffic going out of the local interface only.
B. The firewall must permit traffic to a VPN concentrator only.
C. The firewall must permit encrypted traffic between the local and remote VPN peers.
D. The firewall cannot be configured in conjunction with a VPN.
Correct Answer: C
QUESTION 13
Refer to the exhibit. What statement is true about the interface S1/0 on router R1?
A. Labeled packets can be sent over an interface.
B. MPLS Layer 2 negotiations have occurred.
C. IP label switching has been disabled on this interface.
D. None of the MPLS protocols have been configured on the interface.
Correct Answer: D
QUESTION 14
Which two network attack statements are true? (Choose two.)
A. Access attacks can consist of password attacks, trust exploitation, port redirection, and man-in-the-middle attacks.
B. Access attacks can consist of UDP and TCP SYN flooding, ICMP echo-request floods, and ICMP directed broadcasts.
C. DoS attacks can be reduced through the use of access control configuration, encryption, and RFC 2827 filtering.
D. DoS attacks can consist of IP spoofing and DDoS attacks.
E. IP spoofing can be reduced through the use of policy-based routing.
F. IP spoofing exploits known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information.
Correct Answer: AD
QUESTION 15
If an edge Label Switch Router (LSR) is properly configured, which three combinations are possible? (Choose three.)
A. A received IP packet is forwarded based on the IP destination address and the packet is sent as an IP packet.
B. An IP destination exists in the IP forwarding table. A received labeled packet is dropped because the label is not found in the LFIB table.
C. There is an MPLS label-switched path toward the destination. A received IP packet is dropped because the destination is not found in the IP forwarding table.
D. A received IP packet is forwarded based on the IP destination address and the packet is sent as a labeled packet.
E. A received labeled IP packet is forwarded based upon both the label and the IP address.
F. A received labeled packet is forwarded based on the label. After the label is swapped, the newly labeled packet is sent.
Correct Answer: ADF
QUESTION 16
Which three techniques should be used to secure management protocols? (Choose three.)
A. Configure SNMP with only read-only community strings.
B. Encrypt TFTP and syslog traffic in an IPSec tunnel.
C. Implement RFC 3704 filtering at the perimeter router when allowing syslog access from devices on the outside of a firewall.
D. Synchronize the NTP master clock with an Internet atomic clock.
E. Use SNMP version 2.
F. Use TFTP version 3 or above because these versions support a cryptographic authentication mechanism between peers.
Correct Answer: ABC
QUESTION 17
Refer to the exhibit. Which two statements about the Network Time Protocol (NTP) are true? (Choose two.)
A. Router RTA will adjust for eastern daylight savings time.
B. To enable authentication, the ntp authenticate command is required on routers RTA and RTB.
C. To enable NTP, the ntp master command must be configured on routers RTA and RTB.
D. Only NTP time requests are allowed from the host with IP address 10.1.1.1.
E. The preferred time source located at 130.207.244.240 will be used for synchronization regardless of the other time sources.
Correct Answer: AB
QUESTION 18
Which statement about the aaa authentication enable default group radius enable command is true?
A. If the radius server returns an error, the enable password will be used.
B. If the radius server returns a ‘failed’ message, the enable password will be used.
C. The command login authentication group will associate the AAA authentication to a specified interface.
D. If the group database is unavailable, the radius server will be used.
Correct Answer: A
QUESTION 19
What is a reason for implementing MPLS in a network?
A. MPLS eliminates the need of an IGP in the core.
B. MPLS reduces the required number of BGP-enabled devices in the core.
C. Reduces routing table lookup since only the MPLS core routers perform routing table lookups.
D. MPLS eliminates the need for fully meshed connections between BGP enabled devices.
Correct Answer: B
QUESTION 20
Refer to the exhibit. Routers RTB and RTC have established LDP neighbor sessions. Troubleshooting discovered that labels are being distributed between the two routers but no label swapping information is in the LFIB. What is the most likely cause of this problem?
A. The IGP is summarizing the address space.
B. IP CEF has not been enabled on both routers RTB and RTC.
C. BGP neighbor sessions have not been configured on both routers.
D. LDP has been enabled on one router and TDP has been enabled on the other.
E. LDP is using the loopback address as the LDP ID and the loopback address is not in the routing table.
Correct Answer: B