[Free] 642-637 Cisco actual exam 1-15 (Apr 2016)



Exam Code: 642-637
Exam Name: Securing Networks with Cisco Routers and Switches (SECURE) v1.0
Certification Provider: Cisco

2016 Apr 642-637 Study Guide Questions:

Q1. Refer to the exhibit. 

What can be determined from the partial configuration shown? 

A. The zone-based policy firewall is operating in transparent mode. 

B. The zone-based policy firewall is providing for bridging of non-IP protocols. 

C. Since the interfaces are in the same bridge group, access policies are not required. 

D. Traffic flow will be allowed to pass between the interfaces without being inspected. 

Answer: A


Answer:

Router(config)# zone security INSIDE
Router(config)# zone security OUTSIDE
Router(config)# interface fa0/0/1
Router(config-if)# no shutdown
Router(config-if)# zone-member security INSIDE
Router(config-if)# exit
Router(config)# interface fa0/0/0
Router(config-if)# no shutdown
Router(config-if)# zone-member security OUTSIDE
Router(config-if)# exit
Router(config)# class-map type inspect match-any HTTP_POLICY
Router(config-cmap)# match protocol http
Router(config-cmap)# exit
Router(config)# policy-map type inspect IN-TO-OUT-POLICY
Router(config-pmap)# class type inspect HTTP_POLICY
Router(config-pmap-c)# inspect
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
Router(config-sec-zone-pair)# service-policy type inspect IN-TO-OUT-POLICY
Router(config-sec-zone-pair)# end
Router# copy running-config startup-config


1: divide the network into two zones: INSIDE and OUTSIDE
2: assign each interface to its zone with zone-member security INSIDE or OUTSIDE
3: create a class-map named HTTP_POLICY that matches the HTTP protocol
4: create a policy-map named IN-TO-OUT-POLICY that references the class-map and applies the inspect action
5: create a zone-pair that specifies the direction with a source and a destination zone
6: apply the policy created in step 4 to the zone-pair with service-policy
7: as standard, save the configuration with copy run start

Q3. Which additional configuration steps are required for a zone-based policy firewall to operate in a VRF scenario? 

A. You must assign zone-based policy firewall bridge groups to work in the virtual environment. 

B. Separate zone-based policy firewall policies must be defined for each VRF environment. 

C. Separate zones must be defined for each virtual zone-based policy firewall instance. 

D. No special zone-based policy firewall configurations are needed. 

Answer: D

Ensure that you utilized several security layers in your design to adequately protect the rest of your network from the guest VLAN. You might even consider putting them in a separate Virtual Routing and Forwarding (VRF) instance. VRFs are configurations on Cisco IOS Software routers and switches that can be used to provide traffic separation, making them a good solution to keep guest traffic segregated from your corporate traffic. 

ZBPFW is also Virtual Routing and Forwarding (VRF) aware and can be used between different VRFs. Interfaces that are configured in different VRFs should not be configured in the same zone, and thus all interfaces that are in a zone must be configured within the same VRF. If there is a common interface or interfaces that are used by multiple VRFs, a common zone should be created and individually paired with each zone (and thus with each VRF). 

Q4. When configuring URL filtering with the Trend Micro filtering service, which of these steps must you take to prepare for configuration? 

A. define blacklists and whitelists 

B. categorize traffic types 

C. install the appropriate root CA certificate on the router 

D. synchronize clocks via NTP to ensure accuracy of URL filter updates from the service 

Answer: B


Q5. When configuring a zone-based policy firewall, what will be the resulting action if you do not specify any zone pairs for a possible pair of zones? 

A. All sessions will pass through the zone without being inspected. 

B. All sessions will be denied between these two zones by default. 

C. All sessions will have to pass through the router "self zone" for inspection before being allowed to pass to the destination zone. 

D. This configuration statelessly allows packets to be delivered to the destination zone. 

Answer: B

Zone Pair Configuration: The configuration of the zone pair is important because it dictates the direction in which traffic is allowed to flow. As stated previously, a zone pair is unidirectional and is the part of the configuration that controls traffic between zones; this is referred to as interzone traffic. If no zone pair is defined, traffic will not flow between the zones. 


Q6. The advantages of virtual tunnel interfaces (VTIs) over GRE VPN solutions are which three of the following? (Choose three.) 

A. VTI can support QoS. 

B. VTI provides a routable interface. 

C. VTI supports nonencrypted tunnels. 

D. VTI is more scalable than a GRE-based VPN solution. 

E. IPsec VTIs need fewer established SAs to cover different types of traffic, both unicast and multicast, thus enabling improved scaling. 

F. IPsec VTIs require a loopback interface for configuration. 

Answer: BCE

Page 391, CCNP Security SECURE 642-637 Official Cert Guide: IPsec VTIs have many benefits: 

Q7. Refer to the exhibit. 

What can be determined about IPS updates from the configuration shown? 

A. Updates will be stored on the ida-client server. 

B. Updates will be stored in the directory labeled "cisco." 

C. Updates will be retrieved from an external source every day of the week. 

D. Updates will occur once per week on Sundays between midnight and 6 a.m. (0000 and 0600). 

Answer: C

Task 2: Configure Automatic Signature Updates. The second task illustrates how to configure the router to attempt to retrieve automatic signature updates from Cisco.com or a local server. 

To do this, first configure the update URL using the ida-client server url command. Use the https://www.cisco.com/cgi-bin/front.x/ids/locator/locator.pl URL. Next, create an auto-update profile using the ip ips auto-update command. Use the cisco command inside the profile to designate that updates are obtained from Cisco.com. To control when the update attempts occur, use the occur-at command. Example 13-9 illustrates the configuration that retrieves automatic updates from the Cisco.com repository and provides, with the username command, the Cisco.com credentials used for authentication. Example 13-10 illustrates the configuration that retrieves automatic updates from a local staging server. 

The following specifics are used in the example: 

Q8. Which action does the command private-vlan association 100,200 take? 

A. configures VLANs 100 and 200 and associates them as a community 

B. associates VLANs 100 and 200 with the primary VLAN 

C. creates two private VLANs with the designation of VLAN 100 and VLAN 200 

D. assigns VLANs 100 and 200 as an association of private VLANs 

Answer: B

Q9. Which two of these are benefits of implementing a zone-based policy firewall in transparent mode? (Choose two.) 

A. Less firewall management is needed. 

B. It can be easily introduced into an existing network. 

C. IP readdressing is unnecessary. 

D. It adds the ability to statefully inspect non-IP traffic. 

E. It has less impact on data flows. 

Answer: BC


Answer: R1# show crypto gdoi -or- R2# show crypto gdoi 


This command shows the KS IP address and your registration status, along with the time to the next re-key:

R1#show crypto gdoi
GROUP INFORMATION
    Group Name               : GETVPNGROUP
    Group Identity           : 67890
    Rekeys received          : 0
    IPSec SA Direction       : Both
    Active Group Server      :
    Group Server list        :
    GM Reregisters in        : 3434 secs
    Rekey Received           : never
    Rekeys received
         Cumulative          : 0
         After registration  : 0
    ACL Downloaded From KS   :
       access-list permit ip
TEK POLICY for the current KS-Policy ACEs Downloaded:
  FastEthernet0/0:
    IPsec SA:
        spi: 0x673C7398(1732015000)
        transform: esp-aes esp-sha-hmac
        sa timing:remaining key lifetime (sec): (3571)
        Anti-Replay: Disabled


Q13. What will the authentication event fail retry 0 action authorize vlan 300 command accomplish? 

A. assigns clients that fail 802.1X authentication into the restricted VLAN 300 

B. assigns clients to VLAN 300 and attempts reauthorization 

C. assigns a client to the guest VLAN 300 if it does not receive a response from the client to its EAPOL request/identity frame 

D. locks out a user who fails an 802.1X authentication and does not allow the user to try to gain network access again for 300 seconds 

Answer: A


Answer: R2# show crypto gdoi group GETVPNGROUP 


R2 is the better choice because it is the key server (KS). 

R2#show crypto gdoi group GETVPNGROUP
    Group Name               : GETVPNGROUP (Multicast)
    Group Identity           : 67890
    Group Members            : 2
    IPSec SA Direction       : Both
    Active Group Server      : Local
    Group Rekey Lifetime     : 86400 secs
    Rekey Retransmit Period  : 10 secs
    Rekey Retransmit Attempts: 2
    IPSec SA Number          : 10
    IPSec SA Rekey Lifetime  : 3600 secs
    Profile Name             : GETPROFILE
    Replay method            : Count Based
    Replay Window Size       : 64
    SA Rekey
        Remaining Lifetime   : 1998 secs
    ACL Configured           : access-list 101
    Group Server list        : Local

NB: some other tests highlight two answers; the question does not say (Choose Two), so assume that a single selection is correct. 


Answer: R1# show crypto map -or- R1# show crypto isakmp key 


R1 is the only group member that you can access, so it is assumed to be the only group member. 

R1#show crypto map
Crypto Map "CMAP" 10 gdoi
        identity number 67890
        server address ipv4 
        Interfaces using crypto map CMAP:
