Exam Code: 642-637 (Practice Exam Latest Test Questions VCE PDF)
Exam Name: Securing Networks with Cisco Routers and Switches (SECURE) v1.0
Certification Provider: Cisco
2016 Apr 642-637 Study Guide Questions:
Q1. Refer to the exhibit.
What can be determined from the partial configuration shown?
A. The zone-based policy firewall is operating in transparent mode.
B. The zone-based policy firewall is providing for bridging of non-IP protocols.
C. Since the interfaces are in the same bridge group, access policies are not required.
D. Traffic flow will be allowed to pass between the interfaces without being inspected.
Q2. CORRECT TEXT
Answer: Router(config)# zone security INSIDE
Router(config)# zone security OUTSIDE
Router(config)# interface fa0/0/1
Router(config-if)# no shutdown
Router(config-if)# zone-member security INSIDE
Router(config)# interface fa0/0/0
Router(config-if)# no shutdown
Router(config-if)# zone-member security OUTSIDE
Router(config)# class-map type inspect match-any HTTP_POLICY
Router(config-cmap)# match protocol http
Router(config)# policy-map type inspect IN-TO-OUT-POLICY
Router(config-pmap)# class type inspect HTTP_POLICY
Router(config-pmap-c)# inspect
Router(config)# zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
Router(config-sec-zone-pair)# service-policy type inspect IN-TO-OUT-POLICY
Router(config)# copy running-config startup-config
1: Divide the network into two zones: INSIDE and OUTSIDE.
2: Assign each interface to the appropriate zone as a zone member (INSIDE or OUTSIDE).
3: Create a class-map named HTTP_POLICY that matches the HTTP protocol.
4: Create a policy-map named IN-TO-OUT-POLICY, reference the class-map in it, and apply the inspect action.
5: Create a zone-pair, specifying the direction with a source zone and a destination zone.
6: Apply the policy created in step 4 to the zone-pair with a service-policy.
7: Standard final step: copy run start to save the configuration.
Q3. Which additional configuration steps are required for a zone-based policy firewall to operate in a VRF scenario?
A. You must assign zone-based policy firewall bridge groups to work in the virtual environment.
B. Separate zone-based policy firewall policies must be defined for each VRF environment.
C. Separate zones must be defined for each virtual zone-based policy firewall instance.
D. No special zone-based policy firewall configurations are needed.
Ensure that you use several security layers in your design to adequately protect the rest of your network from the guest VLAN. You might even consider putting guest users in a separate Virtual Routing and Forwarding (VRF) instance. VRFs are configurations on Cisco IOS Software routers and switches that can be used to provide traffic separation, making them a good solution for keeping guest traffic segregated from your corporate traffic.
ZBPFW is also Virtual Routing and Forwarding (VRF) aware and can be used between different VRFs. Interfaces that are configured in different VRFs should not be configured in the same zone, and thus all interfaces that are in a zone must be configured within the same VRF. If there is a common interface or interfaces that are used by multiple VRFs, a common zone should be created and individually paired with each zone (and thus with each VRF).
Q4. When configuring URL filtering with the Trend Micro filtering service, which of these steps must you take to prepare for configuration?
A. define blacklists and whitelists
B. categorize traffic types
C. install the appropriate root CA certificate on the router
D. synchronize clocks via NTP to ensure accuracy of URL filter updates from the service
Q5. When configuring a zone-based policy firewall, what will be the resulting action if you do not specify any zone pairs for a possible pair of zones?
A. All sessions will pass through the zone without being inspected.
B. All sessions will be denied between these two zones by default.
C. All sessions will have to pass through the router "self zone" for inspection before being allowed to pass to the destination zone.
D. This configuration statelessly allows packets to be delivered to the destination zone.
Zone Pair Configuration
The configuration of the zone pair is important because its configuration dictates the direction in which traffic is allowed to flow. As stated previously, a zone pair is unidirectional and is the part of the configuration that controls traffic between zones; this is referred to as interzone. If no zone pair is defined, traffic will not flow between zones.
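The two points above (one zone per VRF with a common zone paired individually with each, and the default drop when no zone pair exists) can be seen together in one configuration. The following is an added example written for this page, not an exhibit from the exam or the Cert Guide; the VRF names, RDs, interface names, addresses, class-map and policy-map names are all assumed. Routing between each VRF and the global table (route leaking) is required for traffic to actually reach the uplink and is assumed to be configured separately.

```cisco
! Added example (not from the original page): two VRFs, each with its own
! inside zone, sharing one OUTSIDE zone whose interface sits in the global table.
ip vrf CORP
 rd 65000:1
ip vrf GUEST
 rd 65000:2
!
! One zone per VRF; an interface in VRF CORP must never share a zone with
! an interface in VRF GUEST.
zone security CORP-IN
zone security GUEST-IN
zone security OUTSIDE
!
interface GigabitEthernet0/0
 description Corporate LAN (VRF CORP)
 ip vrf forwarding CORP
 ip address 10.10.0.1 255.255.255.0
 zone-member security CORP-IN
!
interface GigabitEthernet0/1
 description Guest LAN (VRF GUEST)
 ip vrf forwarding GUEST
 ip address 10.20.0.1 255.255.255.0
 zone-member security GUEST-IN
!
interface GigabitEthernet0/2
 description Shared uplink (global routing table)
 ip address 192.0.2.1 255.255.255.0
 zone-member security OUTSIDE
!
class-map type inspect match-any WEB-ONLY
 match protocol http
 match protocol https
 match protocol dns
!
policy-map type inspect CORP-TO-OUT
 class type inspect WEB-ONLY
  inspect
 class class-default
  drop log
!
policy-map type inspect GUEST-TO-OUT
 class type inspect WEB-ONLY
  inspect
 class class-default
  drop log
!
! The common OUTSIDE zone is paired individually with each VRF's zone.
! Each pair is unidirectional; replies to inspected sessions return statefully.
zone-pair security CORP-OUT source CORP-IN destination OUTSIDE
 service-policy type inspect CORP-TO-OUT
zone-pair security GUEST-OUT source GUEST-IN destination OUTSIDE
 service-policy type inspect GUEST-TO-OUT
!
! Deliberately no zone-pair for GUEST-IN -> CORP-IN or CORP-IN -> GUEST-IN:
! with no pair defined, the firewall drops that interzone traffic by default.
```

Verify the result with show zone-pair security (only the two pairs above should be listed) and show policy-map type inspect zone-pair sessions, which shows the stateful sessions opened from each inside zone toward OUTSIDE; a flow from GUEST to CORP should produce no session.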
Q6. The advantages of virtual tunnel interfaces (VTIs) over GRE VPN solutions are which three of the following? (Choose three.)
A. VTI can support QoS.
B. VTI provides a routable interface.
C. VTI supports nonencrypted tunnels.
D. VTI is more scalable than a GRE-based VPN solution.
E. IPsec VTIs need fewer established SAs to cover different types of traffic, both unicast and multicast, thus enabling improved scaling.
F. IPsec VTIs require a loopback interface for configuration.
Page 391, CCNP Security SECURE 642-637 Official Cert Guide: IPsec VTIs have many benefits:
Q7. Refer to the exhibit.
What can be determined about IPS updates from the configuration shown?
A. Updates will be stored on the ida-client server.
B. Updates will be stored in the directory labeled "cisco."
C. Updates will be retrieved from an external source every day of the week.
D. Updates will occur once per week on Sundays between midnight and 6 a.m. (0000 and 0600).
Task 2: Configure Automatic Signature Updates
The second task illustrates how to configure the router to attempt to retrieve automatic signature updates from Cisco.com or a local server.
To do this, first configure the update URL using the ida-client server url command. Use the https://www.cisco.com/cgi-bin/front.x/ids/locator/locator.pl URL. Next, create an auto-update profile using the ip ips auto-update command. Use the cisco command inside the profile to designate obtaining updates from Cisco.com. To control when the update attempts occur, use the occur-at command. Example 13-9 illustrates the setup of the configuration to retrieve automatic updates from the Cisco.com repository as well as to provide the Cisco.com credentials that will be used for authentication, using the username command. Example 13-10 illustrates the setup of the configuration to retrieve automatic updates from a local staging server.
The following specifics are used in the example:
Q8. Which action does the command private-vlan association 100,200 take?
A. configures VLANs 100 and 200 and associates them as a community
B. associates VLANs 100 and 200 with the primary VLAN
C. creates two private VLANs with the designation of VLAN 100 and VLAN 200
D. assigns VLANs 100 and 200 as an association of private VLANs
Q9. Which two of these are benefits of implementing a zone-based policy firewall in transparent mode? (Choose two.)
A. Less firewall management is needed.
B. It can be easily introduced into an existing network.
C. IP readdressing is unnecessary.
D. It adds the ability to statefully inspect non-IP traffic.
E. It has less impact on data flows.
Q10. CORRECT TEXT
Answer: R1# show crypto gdoi -or- R2# show crypto gdoi
This command will show you the KS IP address and your registration, with the time until re-key:
R1#show crypto gdoi
GROUP INFORMATION
Group Name: GETVPNGROUP
Group Identity: 67890
Rekeys received: 0
IPSec SA Direction: Both
Active Group Server: 192.168.1.2
Group Server list: 192.168.1.2
GM Reregisters in: 3434 secs
Rekey Received: never
Rekeys received
Cumulative: 0
After registration: 0
ACL Downloaded From KS 192.168.1.2:
access-list permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
TEK POLICY for the current KS-Policy ACEs Downloaded:
FastEthernet0/0:
IPsec SA:
spi: 0x673C7398(1732015000)
transform: esp-aes esp-sha-hmac
sa timing:remaining key lifetime (sec): (3571)
Anti-Replay: Disabled
Q11. DRAG DROP
Q12. DRAG DROP
Q13. What will the authentication event fail retry 0 action authorize vlan 300 command accomplish?
A. assigns clients that fail 802.1X authentication into the restricted VLAN 300
B. assigns clients to VLAN 300 and attempts reauthorization
C. assigns a client to the guest VLAN 300 if it does not receive a response from the client to its EAPOL request/identity frame
D. locks out a user who fails an 802.1X authentication and does not allow the user to try to gain network access again for 300 seconds
Q14. CORRECT TEXT
Answer: R2# show crypto gdoi group GETVPNGROUP
R2 is the better choice, as it is the KS (key server).
R2#show crypto gdoi group GETVPNGROUP
Group Name: GETVPNGROUP (Multicast)
Group Identity: 67890
Group Members: 2
IPSec SA Direction: Both
Active Group Server: Local
Group Rekey Lifetime: 86400 secs
Rekey Retransmit Period: 10 secs
Rekey Retransmit Attempts: 2
IPSec SA Number: 10
IPSec SA Rekey Lifetime: 3600 secs
Profile Name: GETPROFILE
Replay method: Count Based
Replay Window Size: 64
Remaining Lifetime: 1998 secs
ACL Configured: access-list 101
Group Server list: Local
NB: some other tests have two answers highlighted; the question does not say (Choose Two), so it must be assumed that only one selection is correct.
Q15. CORRECT TEXT
Answer: R1# show crypto map -or- R1# show crypto isakmp key
R1 is the only group member that you can access, so it is assumed that this is the only group member.
R1#show crypto map
Crypto Map "CMAP" 10 gdoi
Group Name: GETVPNGROUP
identity number 67890
server address ipv4 192.168.1.2
Interfaces using crypto map CMAP: