
QUESTION 21

During role-based CLI configuration, what must be enabled before any user views can be created?

 

A. multiple privilege levels
B. usernames and passwords
C. aaa new-model command
D. secret password for the root user
E. HTTP and/or HTTPS server
F. TACACS server group

 

Correct Answer: C

Explanation:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html

 

Configuring a CLI View

Use this task to create a CLI view and add commands or interfaces to the view, as appropriate.

Prerequisites

Before you create a view, you must perform the following tasks:

- Enable AAA via the aaa new-model command. (For more information on enabling AAA, see the chapter “Configuring Authentication” in the Cisco IOS Security Configuration Guide, Release 12.3.)
- Ensure that your system is in root view, not privilege level 15.

 

SUMMARY STEPS

1. enable view
2. configure terminal
3. parser view view-name
4. secret 5 encrypted-password
5. commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]
6. exit
7. exit
8. enable [privilege-level] [view view-name]
9. show parser view [all]
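The steps above applied end to end, as an added example that is not part of the Cisco guide: a read-only helpdesk view. The view name HELPDESK, the placeholder secrets and the command set are assumptions chosen for illustration.

```cisco
! Added example, not from the Cisco guide. HELPDESK, the secrets and
! the included commands are assumptions.
!
! Prerequisite 1: AAA must be enabled before any view can be created.
configure terminal
 aaa new-model
 enable secret <ROOT-ENABLE-SECRET>
 end
!
! Prerequisite 2: enter the root view. This prompts for the enable
! secret; being at privilege level 15 alone is not enough.
enable view
!
! Create the view, set its secret and scope its command set.
! A new view starts empty, so only the included commands are usable.
configure terminal
 parser view HELPDESK
  secret 0 <VIEW-SECRET>
  commands exec include show version
  commands exec include show ip interface brief
  commands exec include ping
  exit
 exit
!
! Verify: list all views from root view, then switch into the new
! view and confirm which view is active.
show parser view all
enable view HELPDESK
show parser view
```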

 

 

QUESTION 22

Which two options are characteristics of the Cisco Configuration Professional Security Audit wizard? (Choose two.)

 

A. displays a screen with fix-it check boxes to let you choose which potential security-related configuration changes to implement
B. has two modes of operation: interactive and non-interactive
C. automatically enables Cisco IOS firewall and Cisco IOS IPS to secure the router
D. uses interactive dialogs and prompts to implement role-based CLI
E. requires users to first identify which router interfaces connect to the inside network and which connect to the outside network

 

Correct Answer: AE

Explanation:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_configuration_professional/v2_7/olh/ccp.pdf

 

Perform Security Audit

This option starts the Security Audit wizard. The Security Audit wizard tests your router configuration to determine if any potential security problems exist in the configuration, and then presents you with a screen that lets you determine which of those security problems you want to fix. Once determined, the Security Audit wizard will make the necessary changes to the router configuration to fix those problems.

 

To have Cisco CP perform a security audit and then fix the problems it has found:

 

Step 1

In the Feature bar, select Configure > Security > Security Audit.

 

Step 2

Click Perform Security Audit.

The Welcome page of the Security Audit wizard appears.

 

Step 3

Click Next>.

The Security Audit Interface Configuration page appears.

 

Step 4

The Security Audit wizard needs to know which of your router interfaces connect to your inside network and which connect outside of your network. For each interface listed, check either the Inside or Outside check box to indicate where the interface connects.

 

Step 5

Click Next> .

The Security Audit wizard tests your router configuration to determine which possible security problems may exist. A screen showing the progress of this action appears, listing all of the configuration options being tested for, and whether or not the current router configuration passes those tests. If you want to save this report to a file, click Save Report.

 

Step 6

Click Close.

The Security Audit Report Card screen appears, showing a list of possible security problems.

 

Step 7

Check the Fix it boxes next to any problems that you want Cisco Configuration Professional (Cisco CP) to fix.

For a description of the problem and a list of the Cisco IOS commands that will be added to your configuration, click the problem description to display a help page about that problem.

 

Step 8

Click Next>.

 

Step 9

The Security Audit wizard may display one or more screens requiring you to enter information to fix certain problems. Enter the information as required and click Next> for each of those screens.

 

Step 10

The Summary page of the wizard shows a list of all the configuration changes that Security Audit will make.

Click Finish to deliver those changes to your router.

 

 

QUESTION 23

Which statement describes a result of securing the Cisco IOS image using the Cisco IOS image resilience feature?

 

A. The show version command does not show the Cisco IOS image file location.
B. The Cisco IOS image file is not visible in the output from the show flash command.
C. When the router boots up, the Cisco IOS image is loaded from a secured FTP location.
D. The running Cisco IOS image is encrypted and then automatically backed up to the NVRAM.
E. The running Cisco IOS image is encrypted and then automatically backed up to a TFTP server.

 

Correct Answer: B

Explanation:

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html

 

secure boot-config

To take a snapshot of the router running configuration and securely archive it in persistent storage, use the secure boot-config command in global configuration mode. To remove the secure configuration archive and disable configuration resilience, use the no form of this command.

 

secure boot-config [restore filename]

no secure boot-config

Usage Guidelines

Without any parameters, this command takes a snapshot of the router running configuration and securely archives it in persistent storage. Like the image, the configuration archive is hidden and cannot be viewed or removed directly from the command-line interface (CLI) prompt. It is recommended that you run this command after the router has been fully configured to reach a steady state of operation and the running configuration is considered complete for a restoration, if required. A syslog message is printed on the console notifying the user of configuration resilience activation. The secure archive uses the time of creation as its filename. For example, .runcfg-20020616-081702.ar was created July 16 2002 at 8:17:02. The restore option reproduces a copy of the secure configuration archive as the supplied filename (disk0:running-config, slot1:runcfg, and so on). The restore operation will work only if configuration resilience is enabled. The number of restored copies that can be created is unlimited.

 

The no form of this command removes the secure configuration archive and disables configuration resilience.

An enable, disable, enable sequence has the effect of upgrading the configuration archive if any changes were made to the running configuration since the last time the feature was disabled. The configuration upgrade scenario is similar to an image upgrade. The feature detects a different version of Cisco IOS and notifies the user of a version mismatch. The same command can be run to upgrade the configuration archive to a newer version after new configuration commands corresponding to features in the new image have been issued. The correct sequence of steps to upgrade the configuration archive after an image upgrade is as follows:

 

- Configure new commands
- Issue the secure boot-config command

secure boot-image

 

To enable Cisco IOS image resilience, use the secure boot-image command in global configuration mode. To disable Cisco IOS image resilience and release the secured image so that it can be safely removed, use the no form of this command.

 

secure boot-image

no secure boot-image

Usage Guidelines

This command enables or disables the securing of the running Cisco IOS image. The following two possible scenarios exist with this command.

When turned on for the first time, the running image (as displayed in the show version command output) is secured, and a syslog entry is generated. This command will function properly only when the system is configured to run an image from a disk with an Advanced Technology Attachment (ATA) interface. Images booted from a TFTP server cannot be secured. Because this command has the effect of “hiding” the running image, the image file will not be included in any directory listing of the disk. The no form of this command releases the image so that it can be safely removed.

 

If the router is configured to boot up with Cisco IOS resilience and an image with a different version of Cisco IOS is detected, a message similar to the following is displayed at bootup:

ios resilience :Archived image and configuration version 12.2 differs from running version 12.3. Run secure boot-config and image commands to upgrade archives to running version.

To upgrade the image archive to the new running image, reenter this command from the console.

 

A message will be displayed about the upgraded image. The old image is released and will be visible in the dir command output.
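The enable, upgrade and restore sequence described in the two command references above, as an added example that is not part of the Cisco command reference. The restore filename is an assumption; show secure bootset is a standard IOS verification command that is not quoted on this page.

```cisco
! Added example, not from the Cisco command reference.
! Requires an image booted from ATA flash; TFTP-booted images
! cannot be secured.
!
! Enable image resilience (hides the running image from directory
! listings) and archive the running configuration.
configure terminal
 secure boot-image
 secure boot-config
 end
! Confirm both archives exist and note their IOS version.
show secure bootset
!
! After booting a new IOS image the router prints the
! "ios resilience" version-mismatch message. Re-arm the archives
! in the order the guidelines give, from the console:
configure terminal
 ! 1. enter any new commands the new image introduces first
 ! 2. refresh the configuration archive
 secure boot-config
 ! 3. refresh the image archive to the new running image
 secure boot-image
 end
show secure bootset
!
! Recover a copy of the archived configuration. This works only
! while configuration resilience is enabled; the target filename
! is an assumption.
configure terminal
 secure boot-config restore flash:runcfg-restored
 end
```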


QUESTION 24

Which type of management reporting is defined by separating management traffic from production traffic?

 

A. IPsec encrypted
B. in-band
C. out-of-band
D. SSH

 

Correct Answer: C

Explanation:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/chap9.html#wp105453

 

OOB Management Best Practices

The OOB network segment hosts console servers, network management stations, AAA servers, analysis and correlation tools, NTP, FTP, syslog servers, network compliance management, and any other management and control services. A single OOB management network may serve all the enterprise network modules located at the headquarters. An OOB management network should be deployed using the following best practices:

 

- Provide network isolation
- Enforce access control
- Prevent data traffic from transiting the management network

 

 

QUESTION 25

Which two options are two of the built-in features of IPv6? (Choose two.)

 

A. VLSM
B. native IPsec
C. controlled broadcasts
D. mobile IP
E. NAT

 

Correct Answer: BD

Explanation:

http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-tunnel.html

 

IPv6 IPsec Site-to-Site Protection Using Virtual Tunnel Interface

The IPv6 IPsec feature provides IPv6 crypto site-to-site protection of all types of IPv6 unicast and multicast traffic using native IPsec IPv6 encapsulation. The IPsec virtual tunnel interface (VTI) feature provides this function, using IKE as the management protocol.

An IPsec VTI supports native IPsec tunneling and includes most of the properties of a physical interface. The IPsec VTI alleviates the need to apply crypto maps to multiple interfaces and provides a routable interface.

 

The IPsec VTI allows IPv6 routers to work as security gateways, establish IPsec tunnels with other security gateway routers, and provide crypto IPsec protection for traffic from the internal network while it is transmitted across the public IPv6 Internet.

http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-mobile.html

 

Mobile IPv6 Overview

Mobile IPv4 provides an IPv4 node with the ability to retain the same IPv4 address and maintain uninterrupted network and application connectivity while traveling across networks. In Mobile IPv6, the IPv6 address space enables Mobile IP deployment in any kind of large environment. No foreign agent is needed to use Mobile IPv6.

 

System infrastructures do not need an upgrade to accept Mobile IPv6 nodes. IPv6 autoconfiguration simplifies mobile node (MN) Care of Address (CoA) assignment.

Mobile IPv6 benefits from the IPv6 protocol itself; for example, Mobile IPv6 uses IPv6 option headers (routing, destination, and mobility) and benefits from the use of neighbor discovery. Mobile IPv6 provides optimized routing, which helps avoid triangular routing. Mobile IPv6 nodes work transparently even with nodes that do not support mobility (although these nodes do not have route optimization).

Mobile IPv6 is fully backward-compatible with existing IPv6 specifications. Therefore, any existing host that does not understand the new mobile messages will send an error message, and communications with the mobile node will be able to continue, albeit without the direct routing optimization.

 

 

QUESTION 26

DRAG DROP

[exhibit image not reproduced]

Correct Answer:

[answer image not reproduced]


QUESTION 27

DRAG DROP

[exhibit image not reproduced]

Correct Answer:

[answer image not reproduced]

QUESTION 28

Scenario:

You are the security admin for a small company. This morning your manager has supplied you with a list of Cisco ISR and CCP configuration questions. Using CCP, your job is to navigate the pre-configured CCP in order to find answers to your business question. Which four properties are included in the inspection Cisco Map OUT_SERVICE? (Choose four)

 

[exhibit image not reproduced]

 

A. FTP
B. HTTP
C. HTTPS
D. SMTP
E. P2P
F. ICMP

 


Correct Answer: ABEF

Explanation:

First option:

[exhibit image not reproduced]

Second option:

[exhibit image not reproduced]


QUESTION 29

Scenario:

You are the security admin for a small company. This morning your manager has supplied you with a list of Cisco ISR and CCP configuration questions. Using CCP, your job is to navigate the pre-configured CCP in order to find answers to your business question. What NAT address will be assigned by ACL 1?

 

[exhibit image not reproduced]

 

A. 192.168.1.0/25
B. GlobalEthernet0/0 interface address.
C. 172.25.223.0/24
D. 10.0.10.0/24

 

Correct Answer: C

Explanation:

[exhibit image not reproduced]


QUESTION 30

Scenario:

You are the security admin for a small company. This morning your manager has supplied you with a list of Cisco ISR and CCP configuration questions. Using CCP, your job is to navigate the pre-configured CCP in order to find answers to your business question. Which Class Map is used by the INBOUND Rule?

 

[exhibit image not reproduced]

 

A. SERVICE_IN
B. Class-map-ccp-cls-2
C. Ccp-cts-2
D. Class-map SERVICE_IN

 

Correct Answer: C
