Securing Networks with Cisco Routers and Switches (SECURE v1.0): 642-637 Exam
642-637 Questions & Answers
Exam Code: 642-637
Exam Name: Securing Networks with Cisco Routers and Switches (SECURE v1.0)
Q & A: 141 Q&As
QUESTION 1
Refer to the exhibit. Given the partial output of the debug command, what can be determined?
A. There is no ID payload in the packet, as indicated by the message ID = 0.
B. The peer has not matched any offered profiles.
C. This is an IKE quick mode negotiation.
D. This is normal output of a successful Phase 1 IKE exchange.
Answer: D
QUESTION 3
Refer to the exhibit. Which two Cisco IOS WebVPN features are enabled with the partial
configuration shown? (Choose two.)
A. The end-user Cisco AnyConnect VPN software will remain installed on the end system.
B. If the Cisco AnyConnect VPN software fails to install on the end-user PC, the end user cannot
use other modes.
C. Client based full tunnel access has been enabled.
D. Traffic destined to the 10.0.0.0/8 network will not be tunneled and will be allowed access via a
split tunnel.
E. Clients will be assigned IP addresses in the 10.10.0.0/16 range.
Answer: AC
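The following Cisco IOS WebVPN configuration is an added example, not an exhibit from the exam material, showing the two features behind answers A and C: the AnyConnect (SVC) client is left installed on the endpoint and client-based full-tunnel access is enabled. The gateway, context, policy and pool names, the addresses, the AnyConnect package path and the reuse of the MY-TRUSTPOINT trustpoint are assumptions for illustration.

```cisco
! Added example: IOS WebVPN gateway offering AnyConnect (SVC) full-tunnel access.
! Names, addresses and the package path below are assumptions for illustration.
ip local pool SSL-POOL 10.10.0.1 10.10.0.254

! AnyConnect package the router pushes to connecting clients (path is an assumption)
webvpn install svc flash:/webvpn/anyconnect-win-k9.pkg

webvpn gateway SSL-GW
 ip address 203.0.113.1 port 443
 ssl trustpoint MY-TRUSTPOINT
 inservice

webvpn context SSL-CTX
 gateway SSL-GW
 inservice
 policy group SSL-POLICY
  ! svc-enabled: full tunnel is offered, but a user whose client fails to
  ! install can still fall back to clientless or thin-client mode
  ! (svc-required would deny those fallback modes)
  functions svc-enabled
  ! Keep the AnyConnect client on the endpoint after the session ends
  svc keep-client-installed
  svc address-pool "SSL-POOL"
  ! Split tunnelling: with "svc split include", traffic to 10.0.0.0/8 IS
  ! sent through the tunnel and everything else bypasses it; an "include"
  ! statement never excludes the listed network from the tunnel
  svc split include 10.0.0.0 255.0.0.0
 default-group-policy SSL-POLICY
```

The two features the question asks about are visible as `svc keep-client-installed` and `functions svc-enabled` under the policy group; `show webvpn session context SSL-CTX` lists the connected users and the access mode each negotiated.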
QUESTION 4
Refer to the exhibit. Which of these is correct regarding the configuration parameters shown?
A. Complete certificates will be written to and stored in NVRAM.
B. The RSA key pair is valid for five hours before being revoked.
C. The router is configured as a certificate server.
D. Certificate lifetimes are mismatched and will cause intermittent connectivity errors.
E. The router has enrolled to the MY-TRUSTPOINT PKI server, which is an external CA server.
Answer: C
QUESTION 5
Refer to the exhibit. Based on the configuration that is shown in the exhibit, select the three
answers that apply. (Choose three.)
A. The configuration supports multidomain authentication, which allows one MAC address on the voice
VLAN and one on the data VLAN.
B. Traffic will not flow for either the phone or the host computer until one device completes the 802.1X
authentication process.
C. Registration and DHCP traffic will flow on either the data or voice VLAN before authentication.
D. The port will only require the 802.1X supplicant to authenticate one time.
E. MAC Authentication Bypass will be attempted only after 802.1X authentication times out.
F. Non-802.1X devices are supported on this port by setting up the host for MAC address authentication
in the endpoint database.
Answer: ACF
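As an added example, not an exhibit from the exam material, the interface configuration below shows the 802.1X multidomain arrangement the question describes: one authenticated device in the data domain and one in the voice domain, with MAC Authentication Bypass (MAB) available for endpoints that have no supplicant. VLAN numbers, the RADIUS server address and key, timer values and the interface name are assumptions for illustration.

```cisco
! Added example: 802.1X multidomain (IP phone + PC) with MAB fallback.
! VLANs, RADIUS server, key, timers and interface are assumptions.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 key RadiusSecret
dot1x system-auth-control

interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 ! Multidomain: exactly one MAC address may authenticate in the data domain
 ! and one in the voice domain; a second data MAC is a security violation
 authentication host-mode multi-domain
 authentication port-control auto
 ! "authentication order" decides which method runs first. With dot1x listed
 ! first, MAB is tried only after the supplicant timeout expires
 ! (tx-period x (max-reauth-req + 1) = 10 s x 3 = 30 s with the values below);
 ! "authentication order mab dot1x" would try MAB immediately instead.
 authentication order dot1x mab
 authentication priority dot1x mab
 ! MAB: a non-802.1X device is authorised if its MAC address is present
 ! in the RADIUS server's endpoint database
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast
```

To check which method authorised each device and in which domain, use `show authentication sessions interface GigabitEthernet0/1` (or the `details` form); a phone authorised by MAB in the voice domain and a PC authorised by 802.1X in the data domain appear as two separate sessions on the same port.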
QUESTION 6
Refer to the exhibit. What can be determined from the output of this show command?
A. The IPsec connection is in an idle state.
B. The IKE association is in the process of being set up.
C. The IKE status is authenticated.
D. The ISAKMP state is waiting for quick mode status to authenticate before IPsec parameters are
passed between peers.
E. IKE Quick Mode is in the idle state, indicating a problem with IKE phase 1.
Answer: C
QUESTION 7
You are troubleshooting a problem for which end users are reporting connectivity issues. Your
network has been configured with Layer 2 protection controls. You have determined that the
DHCP snooping database is correct and that proper static addressing maps have been configured.
Which of these should be your next step in troubleshooting this problem?
A. Generate a proxy ARP request and verify that the DHCP database has been updated as expected.
B. Temporarily disable DHCP snooping and test connectivity again.
C. Clear the ARP tables and have end users release and renew their DHCP-learned addressing.
D. Use a protocol analyzer to determine if there are malformed DHCP or ARP packets.
Answer: D
QUESTION 8
You are finding that the 802.1X-configured ports are going into the error-disable state. Which
command will show you the reason why the port is in the error-disable state, and which command
will cause the port to be automatically re-enabled after a specific amount of time? (Choose two.)
A. show error-disable status
B. show error-disable recovery
C. show error-disable flap-status
D. error-disable recovery cause security-violation
E. error-disable recovery cause dot1x
F. error-disable recovery cause l2ptguard
Answer: BD
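The session below is an added example, not part of the exam material, showing the Cisco IOS commands for the two halves of the question: finding out why a port was err-disabled and making the switch recover it automatically. Note that the IOS keyword is spelled `errdisable`, not `error-disable` as in the answer options; the 300-second interval and the `Switch` hostname are assumptions for illustration.

```cisco
! Added example: err-disable diagnosis and automatic recovery in Cisco IOS.
! Hostname and the 300 s interval are assumptions for illustration.

! Which ports are err-disabled and the reason for each (e.g. security-violation)
Switch# show interfaces status err-disabled

! Enable automatic recovery for ports shut down by 802.1X/port-security
! security violations; without this the port stays down until a manual
! "shutdown" / "no shutdown"
Switch# configure terminal
Switch(config)# errdisable recovery cause security-violation
Switch(config)# errdisable recovery interval 300
Switch(config)# end

! Confirms which causes recover automatically, the recovery interval, and
! the countdown for every interface currently waiting to be re-enabled
Switch# show errdisable recovery
```

Automatic recovery only re-enables the port; if the violating device is still attached, the port will be err-disabled again on the next violation, which is exactly why the recovery output is worth watching for ports that cycle repeatedly.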
QUESTION 9
Your company requires that, if the Phase 1 Diffie-Hellman key exchange is compromised, a secondary
mechanism still protects the keying material of the IPsec tunnel. What should you implement to
ensure a higher degree of key material security?
A. Diffie-Hellman Phase II ESP
B. PFS Group 5
C. Transform-set SHA-256
D. XAUTH with AAA authentication
E. Diffie-Hellman Group 5 Phase I
Answer: B
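The configuration below is an added example, not an exhibit from the exam material, showing where Perfect Forward Secrecy (PFS) with DH group 5 is applied in a Cisco IOS IKEv1/IPsec crypto map and why it answers the requirement: with PFS, every Phase 2 (IPsec) SA and rekey performs its own Diffie-Hellman exchange, so an attacker who recovers the Phase 1 keying material still cannot derive the IPsec session keys. The peer address, pre-shared key, ACL, names and interface are assumptions for illustration.

```cisco
! Added example: site-to-site IKEv1/IPsec with PFS (DH group 5) on Cisco IOS.
! Peer address, pre-shared key, ACL, names and interface are assumptions.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 ! Phase 1 DH group: protects the IKE SA itself
 group 5
crypto isakmp key Phase1PreSharedKey address 203.0.113.2

crypto ipsec transform-set TS-AES-SHA esp-aes 256 esp-sha-hmac

ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255

crypto map CM-SITE 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES-SHA
 ! Without PFS, IPsec keys are derived from the Phase 1 shared secret, so a
 ! Phase 1 compromise exposes every Phase 2 SA. "set pfs" forces a fresh
 ! DH group 5 exchange for each IPsec SA and each rekey.
 set pfs group5
 match address VPN-TRAFFIC

interface GigabitEthernet0/0
 crypto map CM-SITE
```

`show crypto ipsec sa` reports `PFS (Y/N): Y, DH group: group5` for an SA negotiated this way; both peers must agree on the PFS group or Phase 2 fails. Group 5 (1536-bit MODP) is the answer the exam expects; for new deployments, Cisco's Next Generation Encryption guidance favours group 14 or larger, or the ECDH groups 19 and 20, along with SHA-2 instead of `hash sha`.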
QUESTION 10
Refer to the exhibit. What can be determined about the IPS category configuration shown?
A. All categories are disabled.
B. All categories are retired.
C. After all other categories were disabled, a custom category named “os ios” was created.
D. Only attacks on the Cisco IOS system result in preventative actions.
Answer: D
…