Ensurepass

 

 

QUESTION 41

What does the secure boot-config global configuration accomplish?

 

A. enables Cisco IOS image resilience

B. backs up the Cisco IOS image from flash to a TFTP server

C. takes a snapshot of the router running configuration and securely archives it in persistent storage

D. backs up the router running configuration to a TFTP server

E. stores a secured copy of the Cisco IOS image in its persistent storage

 

Correct Answer: C

Explanation:

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html

 

secure boot-config

To take a snapshot of the router running configuration and securely archive it in persistent storage, use the secure boot-config command in global configuration mode. To remove the secure configuration archive and disable configuration resilience, use the no form of this command.

 

secure boot-config [restore filename]

no secure boot-config

Usage Guidelines

Without any parameters, this command takes a snapshot of the router running configuration and securely archives it in persistent storage. Like the image, the configuration archive is hidden and cannot be viewed or removed directly from the command-line interface (CLI) prompt. It is recommended that you run this command after the router has been fully configured to reach a steady state of operation and the running configuration is considered complete for a restoration, if required. A syslog message is printed on the console notifying the user of configuration resilience activation. The secure archive uses the time of creation as its filename. For example, .runcfg-20020616-081702.ar was created July 16 2002 at 8:17:02.

 

The restore option reproduces a copy of the secure configuration archive as the supplied filename (disk0:running-config, slot1:runcfg, and so on). The restore operation will work only if configuration resilience is enabled. The number of restored copies that can be created is unlimited. The no form of this command removes the secure configuration archive and disables configuration resilience.

An enable, disable, enable sequence has the effect of upgrading the configuration archive if any changes were made to the running configuration since the last time the feature was disabled. The configuration upgrade scenario is similar to an image upgrade. The feature detects a different version of Cisco IOS and notifies the user of a version mismatch. The same command can be run to upgrade the configuration archive to a newer version after new configuration commands corresponding to features in the new image have been issued.

The correct sequence of steps to upgrade the configuration archive after an image upgrade is as follows:

 

1. Configure new commands

2. Issue the secure boot-config command

 

secure boot-image

To enable Cisco IOS image resilience, use the secure boot-image command in global configuration mode. To disable Cisco IOS image resilience and release the secured image so that it can be safely removed, use the no form of this command.

secure boot-image

no secure boot-image

Usage Guidelines

This command enables or disables the securing of the running Cisco IOS image. The following two possible scenarios exist with this command.

When turned on for the first time, the running image (as displayed in the show version command output) is secured, and a syslog entry is generated. This command will function properly only when the system is configured to run an image from a disk with an Advanced Technology Attachment (ATA) interface. Images booted from a TFTP server cannot be secured. Because this command has the effect of “hiding” the running image, the image file will not be included in any directory listing of the disk. The no form of this command releases the image so that it can be safely removed.

If the router is configured to boot up with Cisco IOS resilience and an image with a different version of Cisco IOS is detected, a message similar to the following is displayed at bootup:

ios resilience: Archived image and configuration version 12.2 differs from running version 12.3. Run secure boot-config and image commands to upgrade archives to running version.

To upgrade the image archive to the new running image, reenter this command from the console. A message will be displayed about the upgraded image. The old image is released and will be visible in the dir command output.
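The following console session is an added example (it is not from the page or from Cisco's documentation) that walks through the two commands described above: securing the image, archiving the configuration, verifying the hidden bootset, restoring a visible copy of the archive, and refreshing both archives after an image upgrade. The hostname, the restore filename and the archive name are constructed placeholders, and the router is assumed to boot its image from ATA flash, as the usage guidelines require.

```cisco
! Added example, not from the page or Cisco docs. Hostname and filenames are placeholders.
! Assumes the running image lives on ATA flash (images booted from TFTP cannot be secured).

! 1. Secure the running image, then archive the completed running configuration.
Router# configure terminal
Router(config)# secure boot-image
! (the console prints a syslog message confirming that the running image is now secured)
Router(config)# secure boot-config
! (the console prints a syslog message naming the hidden archive, flash:.runcfg-<date>-<time>.ar)
Router(config)# end

! 2. Verify: the secured image and archive are listed here even though "dir flash:" hides them.
Router# show secure bootset

! 3. Recover a copy of the archived configuration as a visible file, then load it.
!    The restore works only while configuration resilience is enabled.
Router# configure terminal
Router(config)# secure boot-config restore flash:rescue-config
Router(config)# end
Router# copy flash:rescue-config running-config

! 4. After an image upgrade: reenter secure boot-image from the console to archive the new
!    image, add whatever configuration the new image needs, then re-run secure boot-config.
Router# configure terminal
Router(config)# secure boot-image
Router(config)# ! ... configure new commands here ...
Router(config)# secure boot-config
Router(config)# end

! 5. Only when the image must be removed or replaced deliberately: release both archives.
Router# configure terminal
Router(config)# no secure boot-config
Router(config)# no secure boot-image
Router(config)# end
```

The archive only ever contains what the running configuration looked like the last time secure boot-config ran, so re-run it after every intentional configuration change, and keep an off-box copy of the restored file as well: resilience protects against deletion from the CLI, not against loss of the flash device itself.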

 

 

QUESTION 42

Which statement is true about configuring access control lists to control Telnet traffic destined to the router itself?

 

A. The ACL is applied to the Telnet port with the ip access-group command.

B. The ACL should be applied to all vty lines in the in direction to prevent an unwanted user from connecting to an unsecured port.

C. The ACL applied to the vty lines has no in or out option like ACL being applied to an interface.

D. The ACL must be applied to each vty line individually.

 

Correct Answer: B

Explanation:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/12-4t/sec-cntrl-acc-vtl.html

 

Controlling Access to a Virtual Terminal Line

You can control who can access the virtual terminal lines (vtys) to a router by applying an access list to inbound vtys. You can also control the destinations that the vtys from a router can reach by applying an access list to outbound vtys.

Benefits of Controlling Access to a Virtual Terminal Line

By applying an access list to an inbound vty, you can control who can access the lines to a router.

By applying an access list to an outbound vty, you can control the destinations that the lines from a router can reach.
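As an added example (not from the page or Cisco's documentation), the configuration below applies one access list inbound and one outbound to the whole vty range in a single place, which is the point of the correct answer above: the filter is attached with access-class on the lines, not with ip access-group on an interface, and it covers every line in the range at once. ACL numbers and addresses are constructed (RFC 5737 documentation ranges); the router is assumed to have five vty lines.

```cisco
! Added example, not from the page or Cisco docs. ACL numbers and addresses are constructed.
! Assumes the router has vty lines 0-4; on platforms with more lines, apply the same
! access-class to the full range shown by "show line" so that no line is left unfiltered.

! Who may open a session TO the router: only the management subnet.
Router(config)# access-list 10 remark Management hosts allowed to reach the vty lines
Router(config)# access-list 10 permit 192.0.2.0 0.0.0.255
Router(config)# access-list 10 deny any log

! Where sessions started FROM this router's vty lines may go.
Router(config)# access-list 11 remark Destinations reachable from vty sessions on this router
Router(config)# access-list 11 permit 198.51.100.0 0.0.0.255

! Apply both lists once, to the whole vty range, with access-class (an interface command such
! as ip access-group does not apply here). The in/out keyword is required on access-class.
Router(config)# line vty 0 4
Router(config-line)# access-class 10 in
Router(config-line)# access-class 11 out
Router(config-line)# transport input ssh        ! optional hardening: accept SSH rather than Telnet
Router(config-line)# exec-timeout 10 0
Router(config-line)# exit

! Verify that every line in the range carries the restriction.
Router(config)# do show running-config | section line vty
```

The explicit deny any log entry is worth keeping: each rejected connection attempt produces a log message, so probing of the management plane from outside the permitted subnet becomes visible instead of silently dropped.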

 

 

QUESTION 43

When configuring role-based CLI on a Cisco router, which step is performed first?

 

A. Log in to the router as the root user.

B. Create a parser view called “root view.”

C. Enable role-based CLI globally on the router using the privileged EXEC mode Cisco IOS command.

D. Enable the root view on the router.

E. Enable AAA authentication and authorization using the local database.

F. Create a root local user in the local database.

 

Correct Answer: D

Explanation:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html

 

Role-Based CLI Access

The Role-Based CLI Access feature allows the network administrator to define “views,” which are a set of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration (Config) mode commands. Views restrict user access to Cisco IOS command-line interface (CLI) and configuration information; that is, a view can define what commands are accepted and what configuration information is visible. Thus, network administrators can exercise better control over access to Cisco networking devices.

Configuring a CLI View

Prerequisites

Before you create a view, you must perform the following tasks:

Enable AAA via the aaa new-model command. (For more information on enabling AAA, see the chapter “Configuring Authentication” in the Cisco IOS Security Configuration Guide, Release 12.3.)

Ensure that your system is in root view, not privilege level 15.

SUMMARY STEPS

1. enable view

2. configure terminal

3. parser view view-name

4. secret 5 encrypted-password

5. commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]

6. exit

7. exit

8. enable [privilege-level] [view view-name]

9. show parser view [all]

DETAILED STEPS

Step 1: enable view

Example: Router> enable view

Purpose: enables root view.
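The session below is an added example (not from the page or Cisco's documentation) that carries the nine summary steps through to a working read-only monitoring view. The view name, its password and the command set are constructed; an enable secret is assumed to be configured already, because enable view prompts for it.

```cisco
! Added example, not from the page or Cisco docs. View name, password and command set are
! constructed. Assumes an enable secret is already configured (enable view prompts for it).

! Prerequisite: AAA must be on before any view can be created.
Router# configure terminal
Router(config)# aaa new-model
Router(config)# end

! Step 1: enter the root view. Being at privilege level 15 alone is not sufficient.
Router> enable view
Password:
! Step 2
Router# configure terminal
! Step 3: create the view.
Router(config)# parser view NOC-MONITOR
! Step 4: the view's password, using the syntax shown in the summary steps.
Router(config-view)# secret 5 NocViewPassword
! Step 5: grant a read-only command set. "include" adds a command to the view,
! "include-exclusive" reserves it for this view alone, and "all" covers every
! variant that begins with the command.
Router(config-view)# commands exec include show version
Router(config-view)# commands exec include show ip interface brief
Router(config-view)# commands exec include show ip route
Router(config-view)# commands exec include all show interfaces
Router(config-view)# commands exec include-exclusive show logging
! Steps 6 and 7: leave view configuration and global configuration mode.
Router(config-view)# exit
Router(config)# exit
! Step 8: switch into the new view to test it (prompts for the view's secret).
Router# enable view NOC-MONITOR
Password:
! Step 9: confirm which view is active and what it allows.
Router# show parser view
```

Because configure terminal was never included, a user in NOC-MONITOR cannot change configuration at all, and show logging is now unavailable to any other non-root view. From the root view, show parser view all lists every view that has been defined.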

 

 

QUESTION 44

What will be disabled as a result of the no service password-recovery command?

 

A. changes to the config-register setting

B. ROMMON

C. password encryption service

D. aaa new-model global configuration command

E. the xmodem privilege EXEC mode command to recover the Cisco IOS image

 

Correct Answer: B

Explanation:

http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a00801d8113.shtml

 

Background

ROMMON security is designed not to allow a person with physical access to the router to view the configuration file. ROMMON security disables access to the ROMMON, so that a person cannot set the configuration register to ignore the start-up configuration. ROMMON security is enabled when the router is configured with the no service password-recovery command. Caution: Because password recovery that uses ROMMON security destroys the configuration, it is recommended that you save the router configuration somewhere off the router, such as on a TFTP server.

 

Risks

If a router is configured with the no service password-recovery command, this disables all access to the ROMMON. If there is no valid Cisco IOS software image in the Flash memory of the router, the user is not able to use the ROMMON XMODEM command in order to load a new Flash image. In order to fix the router, you must get a new Cisco IOS software image on a Flash SIMM, or on a PCMCIA card, for example on the 3600 Series Routers.

In order to minimize this risk, a customer who uses ROMMON security must also use dual Flash bank memory and put a backup Cisco IOS software image in a separate partition.

 

 

QUESTION 45

What does the MD5 algorithm do?

 

A. takes a message less than 2^64 bits as input and produces a 160-bit message digest

B. takes a variable-length message and produces a 168-bit message digest

C. takes a variable-length message and produces a 128-bit message digest

D. takes a fixed-length message and produces a 128-bit message digest

 

Correct Answer: C

Explanation:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094203.shtml

 

Message Digest 5 (MD5): This is a one-way hashing algorithm that produces a 128-bit hash. Both MD5 and the Secure Hash Algorithm (SHA) are variations on MD4 that were designed to strengthen the security of that hashing algorithm. SHA is more secure than MD4 and MD5. Cisco uses hashes for authentication within the IPsec framework.

 

 

QUESTION 46

In which two modes can Cisco Configuration Professional Security Audit operate? (Choose two.)

 

A. Security Audit wizard

B. Lockdown

C. One-Step Lockdown

D. AutoSecure

 

Correct Answer: AC

Explanation:

Router security audit

The audit assesses the vulnerability of your existing router.

It provides quick compliance to best-practices security policies for routers.

One-step router lockdown

This feature simplifies firewall and Cisco IOS Software configuration without requiring expertise about security or Cisco IOS Software.

Reference: http://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/configuration-professional/data_sheet_c78_462210.html

 

 

 

 

 

QUESTION 47

What are three of the security conditions that Cisco Configuration Professional One-Step Lockdown can automatically detect and correct on a Cisco router? (Choose three.)

 

A. One-Step Lockdown can set the enable secret password.

B. One-Step Lockdown can disable unused ports.

C. One-Step Lockdown can disable the TCP small servers service.

D. One-Step Lockdown can enable IP Cisco Express Forwarding.

E. One-Step Lockdown can enable DHCP snooping.

F. One-Step Lockdown can enable SNMP version 3.

 

Correct Answer: ACD

Explanation:

One-Step Lockdown

This option tests your router configuration for potential security problems and automatically makes the configuration changes needed to correct any problems found. The conditions checked for and, if needed, corrected are as follows:

 

Disable Finger Service

Disable PAD Service

Disable TCP Small Servers Service

Disable UDP Small Servers Service

Disable IP BOOTP Server Service

Disable IP Identification Service

Disable CDP

Disable IP Source Route

Enable Password Encryption Service

Enable TCP Keepalives for Inbound Telnet Sessions

Enable TCP Keepalives for Outbound Telnet Sessions

Enable Sequence Numbers and Time Stamps on Debugs

Enable IP CEF

Disable IP Gratuitous ARPs

Set Minimum Password Length to Less Than 6 Characters

Set Authentication Failure Rate to Less Than 3 Retries

Set TCP Synwait Time

Set Banner

Enable Logging

Set Enable Secret Password

Disable SNMP

Set Scheduler Interval

Set Scheduler Allocate

Set Users

Enable Telnet Settings

Enable NetFlow Switching

Disable IP Redirects

Disable IP Proxy ARP

Disable IP Directed Broadcast

Disable MOP Service

Disable IP Unreachables

Disable IP Mask Reply

Disable IP Unreachables on NULL Interface

Enable Unicast RPF on Outside Interfaces

Enable Firewall on All of the Outside Interfaces

Set Access Class on HTTP Server Service

Set Access Class on VTY Lines

Enable SSH for Access to the Router

 

Reference:

http://www.cisco.com/c/en/us/td/docs/routers/access/cisco_router_and_security_device_manager/24/software/user/guide/SAudt.html
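As an added example (not from the page, from Cisco Configuration Professional, or from Cisco's documentation), the configuration below shows the Cisco IOS commands an administrator would type by hand to apply a representative subset of the One-Step Lockdown conditions listed above, so that each item in the list can be mapped to the setting it changes. Timer values, the password-length and retry thresholds, the logging host, the banner text and the interface name are constructed.

```cisco
! Added example, not from the page or Cisco docs. Values and the interface name are constructed.
! Assumes GigabitEthernet0/0 is the outside (untrusted) interface.

! --- Unneeded services ---
Router(config)# no service finger
Router(config)# no service pad
Router(config)# no service tcp-small-servers
Router(config)# no service udp-small-servers
Router(config)# no ip bootp server
Router(config)# no ip identd
Router(config)# no cdp run
Router(config)# no ip source-route
Router(config)# no ip gratuitous-arps
Router(config)# no snmp-server                      ! "Disable SNMP" (only if SNMP is truly unused)

! --- Credentials and passwords ---
Router(config)# service password-encryption
Router(config)# enable secret <PLACEHOLDER-ENABLE-SECRET>
Router(config)# username netadmin secret <PLACEHOLDER-USER-SECRET>   ! "Set Users"
Router(config)# security passwords min-length 6
Router(config)# security authentication failure rate 3 log

! --- Session, logging and forwarding behaviour ---
Router(config)# service tcp-keepalives-in
Router(config)# service tcp-keepalives-out
Router(config)# service sequence-numbers
Router(config)# service timestamps debug datetime msec localtime
Router(config)# service timestamps log datetime msec localtime
Router(config)# ip tcp synwait-time 10
Router(config)# banner motd ^Authorized access only. Activity is monitored and logged.^
Router(config)# logging buffered 16384 informational
Router(config)# logging host 192.0.2.50
Router(config)# ip cef
Router(config)# scheduler interval 500
Router(config)# scheduler allocate 4000 1000

! --- Outside interface ---
Router(config)# interface GigabitEthernet0/0
Router(config-if)# no ip redirects
Router(config-if)# no ip proxy-arp
Router(config-if)# no ip directed-broadcast
Router(config-if)# no mop enabled
Router(config-if)# no ip unreachables
Router(config-if)# no ip mask-reply
Router(config-if)# ip verify unicast source reachable-via rx   ! strict Unicast RPF
Router(config-if)# exit
Router(config)# interface Null0
Router(config-if)# no ip unreachables
Router(config-if)# exit

! --- Management access: restrict HTTP, and move the vty lines to SSH ---
Router(config)# access-list 10 permit 192.0.2.0 0.0.0.255
Router(config)# ip http access-class 10
Router(config)# ip domain-name example.net                    ! constructed; needed for the RSA key
Router(config)# crypto key generate rsa modulus 2048
Router(config)# ip ssh version 2
Router(config)# line vty 0 4
Router(config-line)# transport input ssh
Router(config-line)# exit
```

Several of these settings are not free of side effects: no snmp-server removes monitoring, no cdp run breaks neighbour discovery tooling, and strict uRPF drops legitimate traffic on interfaces with asymmetric routing. Run the audit first, review each proposed change against what the router actually does, and apply the set in a maintenance window with console access available.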

 

 

QUESTION 48

Which statement about Control Plane Policing is true?

 

A. Control Plane Policing allows QoS filtering to protect the control plane against DoS attacks.

B. Control Plane Policing classifies traffic into three categories to intercept malicious traffic.

C. Control Plane Policing allows ACL-based filtering to protect the control plane against DoS attacks.

D. Control Plane Policing intercepts and classifies all traffic.

 

Correct Answer: A

Explanation:

The Control Plane Policing feature allows you to configure a quality of service (QoS) filter that manages the traffic flow of control plane packets to protect the control plane of routers and switches against reconnaissance and denial-of-service (DoS) attacks. In this way, the control plane (CP) can help maintain packet forwarding and protocol states despite an attack or heavy traffic load on the router or switch.

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_plcshp/configuration/xe-3s/asr1000/qos-plcshp-xe-3s-asr-1000-book/qos-plcshp-ctrl-pln-plc.html
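The configuration below is an added example (not from the page or Cisco's documentation) of the QoS filter the explanation describes: traffic destined to the control plane is classified with access lists, each class is policed to a rate, and the policy is attached under control-plane. The access lists, class names, management subnet and rate values are constructed and would be tuned to a real router's measured control-plane load.

```cisco
! Added example, not from the page or Cisco docs. ACLs, class names, addresses and rates are
! constructed; a production policy is sized from measured control-plane traffic.

! Classification ACLs. In CoPP, "permit" means "this traffic belongs to the class";
! it does not allow or block anything by itself. "deny" means "not in this class".
Router(config)# ip access-list extended COPP-ROUTING
Router(config-ext-nacl)# permit ospf any any
Router(config-ext-nacl)# permit tcp any any eq bgp
Router(config-ext-nacl)# permit tcp any eq bgp any
Router(config-ext-nacl)# exit
Router(config)# ip access-list extended COPP-MGMT
Router(config-ext-nacl)# permit tcp 192.0.2.0 0.0.0.255 any eq 22
Router(config-ext-nacl)# permit udp host 192.0.2.50 any eq snmp
Router(config-ext-nacl)# exit
Router(config)# ip access-list extended COPP-ICMP
Router(config-ext-nacl)# permit icmp any any echo
Router(config-ext-nacl)# permit icmp any any echo-reply
Router(config-ext-nacl)# permit icmp any any ttl-exceeded
Router(config-ext-nacl)# permit icmp any any unreachable
Router(config-ext-nacl)# exit

! Class maps bind each ACL to a class.
Router(config)# class-map match-all COPP-ROUTING
Router(config-cmap)# match access-group name COPP-ROUTING
Router(config-cmap)# exit
Router(config)# class-map match-all COPP-MGMT
Router(config-cmap)# match access-group name COPP-MGMT
Router(config-cmap)# exit
Router(config)# class-map match-all COPP-ICMP
Router(config-cmap)# match access-group name COPP-ICMP
Router(config-cmap)# exit

! Policy map: rate (bps) and burst (bytes) per class. Routing protocols are never dropped
! here so a flood cannot take adjacencies down; everything else is capped, and the
! class-default cap is what bounds unclassified traffic during a DoS attack.
Router(config)# policy-map COPP-POLICY
Router(config-pmap)# class COPP-ROUTING
Router(config-pmap-c)# police 512000 8000 conform-action transmit exceed-action transmit
Router(config-pmap-c)# exit
Router(config-pmap)# class COPP-MGMT
Router(config-pmap-c)# police 256000 8000 conform-action transmit exceed-action drop
Router(config-pmap-c)# exit
Router(config-pmap)# class COPP-ICMP
Router(config-pmap-c)# police 64000 8000 conform-action transmit exceed-action drop
Router(config-pmap-c)# exit
Router(config-pmap)# class class-default
Router(config-pmap-c)# police 128000 8000 conform-action transmit exceed-action drop
Router(config-pmap-c)# exit
Router(config-pmap)# exit

! Attach the policy to the control plane in the input direction.
Router(config)# control-plane
Router(config-cp)# service-policy input COPP-POLICY
Router(config-cp)# exit
Router(config)# end

! Verify: per-class conformed and exceeded counters show what is being policed.
Router# show policy-map control-plane
```

Watch the exceeded counters after deployment: a rising exceed count in COPP-ROUTING or COPP-MGMT under normal load means the rate is too low, while a sustained exceed count in class-default with no operational impact is the policy doing its job.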

 

 

QUESTION 49

Which three applications comprise Cisco Security Manager? (Choose three.)

 

A. Configuration Manager

B. Packet Tracer

C. Device Manager

D. Event Viewer

E. Report Manager

F. Syslog Monitor

 

Correct Answer: ADE

Explanation:

The Security Manager client includes three main applications:

Configuration Manager: This is the primary application. You use Configuration Manager to manage the device inventory, create and edit local and shared policies, manage VPN configurations, and deploy policies to devices. Configuration Manager is the largest of the applications and most of the documentation addresses this application. If a procedure does not specifically mention an application, the procedure is using Configuration Manager.

Event Viewer: This is an event monitoring application, where you can view and analyze events generated from IPS, ASA, and FWSM devices that you have configured to send events to Security Manager.

Report Manager: This is a reporting application, where you can view and create reports of aggregated information on device and VPN statistics. Much of the information is derived from events available through Event Viewer, but some of the VPN statistics are obtained by communicating directly with the device.

Reference: http://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-1/user/guide/CSMUserGuide_wrapper/wfplan.html

QUESTION 50

When a network transitions from IPv4 to IPv6, how many bits does the address expand to?

 

A. 64 bits

B. 128 bits

C. 96 bits

D. 156 bits

 

Correct Answer: B

Explanation:

IPv6 uses a 128-bit address, allowing 2^128, or approximately 3.4×10^38 addresses, or more than 7.9×10^28 times as many as IPv4, which uses 32-bit addresses and provides approximately 4.3 billion addresses.

Reference: http://en.wikipedia.org/wiki/IPv6
