Passed with high score today for Cisco 642-552 Exam. Windows 8.1 new questions will be added so I’m lucky to pass today.Almost all questions were the same includes the new question, DirectAccess, EFS, AD CS.. Only used Itcertlab premium vce file.
Exam A
QUESTION 1
Referring to the Cisco SDM Security Audit Wizard screen shown, what will happen if you check the Fix it box for Firewall is not enabled in all the outside interfaces then click the Next button?
A. All outside access through the outside interfaces will immediately be blocked by an ACL.
B. SDM will prompt you to configure an ACL to block access through the outside interfaces.
C. SDM will take you to the Advanced Firewall Wizard.
D. SDM will perform a one-step lockdown to lock down the outside interfaces.
E. SDM will take you to the Edit Firewall Policy/ACL screen where you can configure an ACL to block access through the outside interfaces.
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
QUESTION 2
Which method does a Cisco router use for protocol type IP packet filtering?
A. inspection rules
B. standard ACLs
C. security policies
D. extended ACLs
Correct Answer: D Section: (none) Explanation Explanation/Reference:
QUESTION 3
What are two security risks on 802.11 WLANs that implement WEP using a static 40-bit key with open authentication? (Choose two.)
A. The IV is transmitted as plaintext, and an attacker can sniff the WLAN to see the IV.
B. The challenge packet sent by the wireless AP is sent unencrypted.
C. The response packet sent by the wireless client is sent unencrypted.
D. WEP uses a weak-block cipher such as the Data Encryption Algorithm.
E. One-way authentication only where the wireless client does not authenticate the wireless-access point.
Correct Answer: AE Section: (none) Explanation
Explanation/Reference:
QUESTION 4
In the Cisco SDM Security Audit Wizard screen shown in the figure, which Fix it action should be selected to prevent smurf denial of service attacks?
A. IP Mask Reply is enabled
B. IP Unreachables is enabled
C. IP Directed Broadcast is enabled
D. IP Redirects is enabled
E. IP Proxy ARP is enabled
F. Access class is not set on vty lines
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 5
Which feature is available only in the Cisco SDM Advanced Firewall Wizard?
A. configure a router interface connected to a WLAN
B. create a firewall policy to block SDM access to the router from the outside interface
C. specify the router outside interface to use for remote management access
D. choose physical and logical interfaces connected to a WLAN
E. configure DMZ interfaces with access and inspection rules
Correct Answer: E Section: (none) Explanation
Explanation/Reference:
QUESTION 6
What is the primary type of intrusion prevention technology used by Cisco IPS security appliances?
A. profile-based
B. rule-based
C. signature-based
D. protocol analysis-based
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
QUESTION 7
Which IPsec protocol is the most popular and why?
A. AH, because it provides encryption and authentication
B. AH, because it supports tunnel mode
C. AH, because it works with PAT
D. ESP, because it provides encryption and authentication
E. ESP, because it supports tunnel mode
F. ESP, because it works with PAT
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 8
LAB A.
B.
C.
D.
Correct Answer: Section: (none) Explanation
Explanation/Reference:
Answer: Check certifyme eEngine, Download from Member Center
QUESTION 9
LAB A.
B.
C.
D.
Correct Answer: Section: (none) Explanation
Explanation/Reference:
Answer: Check certifyme eEngine, Download from Member Center
QUESTION 10
Remote users are having a problem using their Cisco VPN Client software to connect to a Cisco Easy VPN Server. Which of the following could be causing the problem?
A. The Cisco Easy VPN Server is configured with more than one ISAKMP policy.
B. The Cisco Easy VPN Server is configured with only one ISAKMP policy specifying Diffie-Hellman Group 5.
C. The Cisco Easy VPN Server transform set configuration includes both encryption and authentication.
D. The Cisco Easy VPN Server is configured with more than one transform set using ESP.
E. The Cisco VPN Client software does not support ESP, so the Cisco VPN Server transform set needs to use AH instead.
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
QUESTION 11
Why is TACACS+ the preferred AAA protocol to use with Cisco device authentication?
A. TACACS+ encryption algorithm is more recent than other AAA protocols
B. TACACS+ has a more robust programming interface than other AAA protocols
C. TACACS+ was initially developed as open-source software
D. TACACS+ provides true AAA functional separation and encrypts the entire body of the packet
E. TACACS+ maintains authentication information in the local database of each Cisco IOS router
F. TACACS+ combines authentication and authorization to provide more robust functionalities
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 12
Using a stateful firewall, which information is stored in the stateful session flow table?
A. the outbound and inbound access rules (ACL entries)
B. the source and destination IP addresses, port numbers, TCP sequencing information, and additional flags for each TCP or UDP connection associated with a particular session
C. all TCP and UDP header information only
D. all TCP SYN packets and the associated return ACK packets only
E. the inside private IP address and the translated global IP address
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
QUESTION 13
Referring to the network diagram shown, Remote Access LAN users need access to the Corporate LAN. Which three Cisco IOS configuration commands will prevent users on the Remote LAN from spoofing their source IP address as Corporate LAN user? (Choose three.)
A. access-list 1 deny 16.1.1.0 0.0.0.255
access-list 1 permit any
B. access-list 2 deny 16.2.1.0 0.0.0.255 access-list 2 permit any
C. int e0/0
D. int e0/1
E. ip access-group 1 in
F. ip access-group 2 out
Correct Answer: ADE Section: (none) Explanation
Explanation/Reference:
QUESTION 14
Which of these is the strongest symmetrical encryption algorithm?
A. DES
B. 3DES
C. AES
D. RSA
E. SHA
F. Diffie-Hellman
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
QUESTION 15
Router A can not establish a standard IPsec VPN tunnel with router B. An analysis reveals one or more
NAT points in the delivery path of each IPsec packet being sent to router B.
What is the problem and what is the solution?
A. IPsec encrypts Layer 4 port information and IKE NAT transversal needs to be configured on this network.
B. The port number information in the ESP header is encrypted. Use ESP tunnel mode instead of transport mode.
C. Router A needs to decrypt the Layer 4 port information. Configure ESP protocol on router A.
D. NAT changes the source IP address of the packets so IPSEC ESP integrity check will fail. Use PAT instead of NAT.
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 16
What does the MD5 algorithm do?
A. takes a message less than 2^64 bits as input and produces a 160-bit message digest
B. creates a variable-length message and produces a 168-bit message digest
C. takes a variable-length message and produces a 128-bit message digest D. takes a fixed-length message and produces a 128-bit message digest
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
QUESTION 17
In the Cisco SDM Security Audit Wizard screen shown in the figure, which Fix it action should be selected to prevent IP spoofing attack?
A. IP Proxy ARP is enabled
B. Unicast RPF is not enabled in all the outside interfaces
C. IP Mask Reply is enabled
D. IP Directed Broadcast is enabled
E. IP Unreachables is enabled
F. IP Redirects is enabled
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
QUESTION 18
Which of these can be used to authenticate the IPsec peers during IKE Phase 1?
A. Diffie-Hellman Nounce
B. Pre-Shared Key
C. XAUTH
D. ICV
E. ACS
F. AH
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
QUESTION 19
Which three new features does SNMPv3 provide? (Choose three.)
A. HMAC with MD5
B. AES encryption
C. 3DES encryption
D. HMAC with SHA
E. DES-56 encryption
F. IDEA encryption
Correct Answer: ADE Section: (none) Explanation
Explanation/Reference:
QUESTION 20
What are two ways of preventing VLAN hopping attacks? (Choose two.)
A. Disable DTP on all the trunk ports.
B. Enable VTP pruning on all trunk ports to limit the VLAN broadcast.
C. Set the native VLAN on all the trunk ports to an unused VLAN.
D. Using port security, set the maximum number of secure MAC addresses to 1 on all trunk and access ports.
E. Disable portfast on all access ports.
Correct Answer: AC Section: (none) Explanation
Explanation/Reference:
The Cisco 642-552 Certified Network Associate (CCNA) is the composite exam associated with the Cisco Certified Network Associate certification. Candidates can prepare for this exam by taking the Interconnecting Cisco Networking Devices Part 1 (ICND1) v1.0 and the Interconnecting Cisco Networking Devices Part 2 (ICND2) v1.0 courses. This exam tests a candidate’s knowledge and skills required to install, operate, and troubleshoot a small to medium size enterprise branch network. The topics include connecting to a WAN; implementing network security; network types; network media; routing and switching fundamentals; the TCP/IP and OSI models; IP addressing; WAN technologies; operating and configuring IOS devices; extending switched networks with VLANs; determining IP routes; managing IP traffic with access lists; establishing point-to-point connections; and establishing Frame Relay connections.
