Cisco 642-381 Cisco® FoundFE Foundation Express for Field Engineers Q&A V8.26
TestInside 642-381
1.Refer to the exhibit. According to the Cisco VPN Client software outputs shown, which two statements are
correct about the connection entry named isr? (Choose two.)
A. HMAC-SHA1 is used to authenticate the remote users.
B. Preshared key is used to authenticate the remote peer.
C. AES is used to provide data confidentiality.
D. The Cisco VPN Client software is assigned an internal IP address of 192.168.1.1.
E. The PC that is running the Cisco VPN Client software will not have access to the local LAN once the PC is
connected into the VPN.
Answer: BE
2.Which two features are only supported when using the Cisco Router and Security Device Manager (SDM)
Advanced Firewall wizard and not supported when using the Cisco SDM Basic Firewall wizard? (Choose two.)
A. deep-packet inspections
B. IP unicast Reverse Path Forwarding on the outside (untrusted) interface
C. DMZ services
D. custom inspection rules
E. proxy authentication
Answer: CD
3.When using Cisco Router and Security Device Manager to configure AAA login authentication policies, which
four methods are available? (Choose four.)
A. group RADIUS: use a list of RADIUS hosts
B. group TACACS+: use a list of TACACS+ hosts
C. enable: use enable password
D. otp: use one-time password
E. local: use local database
F. default: use line password
Answer: ABCE
4.After performing a security audit in Cisco Router and Security Device Manager (SDM), you receive this as one
of the results: Enable Unicast RPF on all outside interfaces - Not Passed
Which Cisco SDM configuration wizard can be used to resolve this?
A. Easy VPN Server
B. Basic Firewall
C. Edit Interface/Connection
D. Site to Site VPN
E. Routing
F. NAT
Answer: B
5.When using the Site to Site VPN wizard in Cisco Router and Security Device Manager, why would you need to
create an access list using the Add a Rule screen?
A. to open holes on the firewall to permit ISAKMP, ESP, and AH traffic
B. to define the traffic that will be protected by IPSec
C. to specify a range of IP addresses on the inside interface
D. to specify the remote-peer IP address range
D. Select Configure > Rules to create the inbound and/or outbound filter to determine which traffic will be
scanned by IPS.
E. Select Configure > Rules to enable an interface for inbound and/or outbound IPS.
Answer: E
9.Refer to the exhibit. You are asked to implement a network design that consists of two sites, the main office and
one branch office connected via the Internet. Communications between these sites must be secure. The main office
site also supports 30 local users and 15 remote mobile workers. Before gaining access to the internal network,
both the local users and the mobile workers should be authenticated using a scalable solution. Before you begin
the implementation, you need to identify which security component is missing in the design.
A. Cisco VPN 3000 Series Concentrator
B. ACS
C. network-based IDS
D. Cisco PIX Security Appliance
E. 802.1x authenticator
F. CBAC on the perimeter router
Answer: B
10.Remote-access VPN users are using Cisco VPN Client software. Which VPN configuration option in the Cisco
Router and Security Device Manager should be enabled to allow the users to connect?
A. SSL VPN
B. Easy VPN Remote
C. Easy VPN Server
D. Dynamic Multipoint VPN
E. GRE over IPSec
F. V3PN
Answer: C
11.The Cisco Aironet 802.11a/b/g Wireless LAN Client Adapter has two LEDs. Which two situations indicate that
the card is associated to an access point and is working properly? (Choose two.)
A. green LED off; amber LED solid
B. green LED off; amber LED blinking sporadically
C. green LED blinking fast; amber LED blinking fast
D. green LED blinking slowly; amber LED blinking slowly
E. green LED blinking slowly; amber LED blinking fast
Answer: CD
12.Which two statements best describe the installation of Cisco Aironet LAN Client Adapters? (Choose two.)
A. Cisco ACAU automates the deployment of Cisco ADU.
B. Cisco ACAU automates the deployment of Cisco ACU.
C. Cisco ADU is for the 802.11a/b/g radio client card.
D. Cisco ACU is for the 802.11a/b/g radio client card.
Answer: AC
13.Which two items have the most influence on an outdoor wireless antenna bridge-path installation? (Choose
two.)
A. snow
B. Earth's curvature
C. lightning
D. Fresnel zone
E. rain
Answer: BD
14.You are migrating the network design from using point security products (perimeter router, firewall, VPN
router, IPS) to an integrated security solution using the Cisco ISR. During the migration process, you determine
that you need to improve the VPN performance. What can you do?
A. Upgrade the Cisco IOS image on the ISR to the V3PN bundle.
B. Increase the RAM on the ISR.
C. Install the AIM-VPN/EPII-PLUS on the ISR.
D. Use AES encryption instead of 3DES.
E. Enable transparent tunneling using IPSec over TCP.
F. Enable transparent tunneling using IPSec over UDP.
Answer: C
15.Which two statements best describe the wireless implementation of Cisco Aironet root and non-root bridging?
(Choose two.)
A. Point-to-point access points can be used if one is root and the other is non-root.
B. WGB can be used with an access point if the distance is less than one mile.
C. Root mode must be enabled only on one side in a point-to-point link to interoperate with other vendors and
comply with 802.11.
D. Up to 17 non-root bridges can associate to a root bridge.
E. Point-to-point WGB can be used if total number of PCs is fewer than eight.
Answer: BD
16.A user is not able to access the Cisco Router and Security Device Manager (SDM) via HTTPS. Which two
situations could be causing the problem? (Choose two.)
A. The ip https server command is not in the running-config.
B. The ip http secure-server command is not in the running-config.
C. The user is trying to launch Cisco SDM from the inside (secured) interface with firewall enabled.
D. The user does not have a privilege level of 15.
Answer: BD
17.Refer to the exhibit. The tables contain information from the Cisco Router and Security Device Manager
configuration of Router A and Router B. Traffic between Host 1 and Host 2 is not successfully establishing the
site-to-site VPN between Router A and Router B. What is the most likely cause of this fault?
A. The IPSec and IKE encryption methods do not match. They all have to be either 3DES or AES.
B. Router A is using a standard IP ACL (100-149) while Router B is using a turbo ACL (150-199).
C. The D-H Group settings on the two routers are set to group 2. They must be set to group 1 for SHA-1.
D. The IPSec policy map names on the two routers do not match. They must be the same on both routers.
E. The IPSec rules on the two routers are not permitting the correct interesting traffic.
Answer: E
18.Refer to the exhibit. The tables contain information from the Cisco Router and Security Device Manager
configuration of Router A and Router B. Traffic between Host 1 and Host 2 is not successfully establishing the
site-to-site VPN between Router A and Router B. What is the most likely cause of this fault?
A. The D-H Group settings on the two routers are different. They must be the same.
B. The IPSec and IKE encryption methods do not match. They all have to be either 3DES or AES.
C. Router A is using a standard IP ACL (100-149) while Router B is using a turbo ACL (150-199).
D. The IPSec policy map names on the two routers do not match. They must be the same on both routers.
E. IPSec is using ESP for integrity while IKE is using MD5. They must use the same hashing algorithm.
F. The IPSec rules on the two routers are not permitting the correct interesting traffic. They should permit
router-to-router communications.
Answer: A
19.The network administrator has configured the SSID value in a wireless Cisco Aironet client card. What is the
result of the client-to-access-point association if the client SSID1 is left blank, and the SSID2 is assigned a value
of my_ssid?
A. The client will consider SSID1 a null value, causing the client to request the SSID from the access point.
B. The client software will not allow this configuration and will create an error message until the configuration is
corrected.
C. The client software will replace SSID1 with SSID2, and use my_ssid to attempt association with the access point.
D. The client software will attempt association with the access point using a null value of SSID1, and if not
successful it will rotate to use the SSID2 value of my_ssid.
Answer: C
20.Refer to the exhibit. The tables contain information from the Cisco Router and Security Device Manager
configuration of Router A and Router B. Traffic between Host 1 and Host 2 is not successfully establishing the
site-to-site VPN between Router A and Router B. What is the most likely cause of this fault?
A. Router A is using a standard IP ACL (100-149) while Router B is using a turbo ACL (150-199).
B. The IPSec encryption method does not match on the two routers.
C. The D-H Group settings on the two routers are the same.
D. The IPSec policy map names on the two routers do not match.
E. The IPSec rules on the two routers are not permitting the correct interesting traffic.
Answer: B
21.Refer to the exhibit. The tables contain information from the Cisco Router and Security Device Manager
configuration of Router A and Router B. Traffic between Host 1 and Host 2 is not successfully establishing the
site-to-site VPN between Router A and Router B. What is the most likely cause of this fault?
A. Router A is using a standard IP ACL (100-149) while Router B is using a turbo ACL (150-199).
B. The IKE encryption method does not match on the two routers.
C. The D-H Group settings on the two routers are the same.
D. The IPSec policy map names on the two routers do not match.
E. The IPSec rules on the two routers are not permitting the correct interesting traffic.
Answer: B
22.Which two methods are implemented for AP redundancy when using a wireless core feature set with
autonomous APs? (Choose two.)
A. HSRP
B. hot standby
C. VRRP
D. self-healing
E. NSF
F. graceful restart
Answer: BD
23.Which two statements best describe the wireless core feature set using autonomous access points when
implementing Wireless Domain Services? (Choose two.)
A. Layer 2 and Layer 3 services can be configured in a Cisco Aironet autonomous AP or a Cisco Integrated
Services Router.
B. Layer 2 services can be configured in a Cisco Aironet autonomous AP or a Cisco Integrated Services Router.
C. Layer 2 and Layer 3 services can be configured in a Cisco Aironet autonomous AP or controllers.
D. Layer 3 services can be configured in WLSM.
E. Layer 3 services can be configured in WLSE.
Answer: BD
24.Which two statements best describe the wireless core feature set using autonomous access points when
implementing Wireless Domain Services? (Choose two.)
A. The primary Layer 2 WDS server address is configured via the infrastructure access point GUI.
B. The primary Layer 2 WDS server address is automatically discovered by the infrastructure access points
through multicast.
C. The primary Layer 2 WDS is selected by the highest MAC address, followed by priority number.
D. The primary Layer 2 WDS is selected by the highest priority number, followed by MAC address.
E. The primary Layer 2 WDS is selected by the highest IP address, followed by MAC address.
Answer: BD
25.Which two statements best describe the wireless core feature set using autonomous access points when
implementing repeater topology? (Choose two.)
A. RF overlap between access points should be 10 to 15 percent with unique channels configured.
B. RF overlap between primary and repeater access points should be 10 to 15 percent with the same channel
configured.
C. RF overlap between primary and repeater access points should be 50 percent with the same channel configured.
D. RF overlap between primary and repeater access points should be 50 percent with unique channels configured.
E. Clients that are associated with the repeater access point will have 10 to 15 percent less data throughput than
clients that are associated with the primary root access point.
F. Clients that are associated with the repeater access point will have 50 percent less data throughput than clients
that are associated with the primary root access point.
Answer: CF
26.Which two wireless access points are directly 802.3af compliant without a midspan or splitter device? (Choose
two.)
A. 1230 APs
B. 1130 APs
C. 1100 APs
D. 1010 APs
E. 1200 APs
Answer: BD
27.The customer requires security authentication between wireless clients and network access points via 802.1x.
Authentication needs to reduce vulnerability to dictionary attacks but not necessitate the use of client or server
certificates. Which EAP authentication algorithm would be the best choice to implement on wireless clients?
A. LEAP
B. PEAP
C. EAP-FAST
D. EAP-TLS
Answer: C
28.The customer wants to implement wireless security through implementation of WPAv2. Which component of
WPAv2 would limit the rollout because of the continued use of old access points?
A. 48-bit IV
B. AES
C. TKIP
D. MIC
Answer: B
29.Refer to the exhibit. Which statement is correct about the information in the Cisco Adaptive Security Device
Manager General and License Information screen?
A. The security appliance supports active/active failover only.
B. The security appliance supports 3DES-AES only.
C. The managed device is a Cisco ASA 5540 Security Appliance with VPN premium license enabled.
D. The managed device is a Cisco PIX 515E Security Appliance.
Answer: D
30.An administrator at host address 10.0.1.11 is trying to gain access to Cisco Adaptive Security Device Manager
via a Cisco ASA Security Appliance inside interface at IP address 10.0.1.1. Which two commands are required on
a security appliance to enable Cisco ASDM access? (Choose two.)
A. http (inside) host 10.0.1.11
B. Access-list asdm_access permit tcp host 10.0.1.11 host 10.0.1.1 eq http
!
http (inside) match asdm_access
!
C. http server enable
D. asdm-management enable
E. http 10.0.1.1 255.255.255.255 inside
F. Access-list asdm_access permit tcp host 10.0.1.11 host 10.0.1.1 eq http asdm-map ASDM match asdm_access
Answer: CE
31.Refer to the exhibit. According to the Cisco Adaptive Security Device Manager window, which statement
TestInside 642-381
about address translation is correct?
A. Using Network Address Translation, any host on the DMZ1 subnet (172.16.1.0) will be translated to a mapped
address on the outside interface of 192.168.1.11.
B. Using port address translation, DMZ2 host 172.16.10.2 will be translated on DMZ1 to IP address 172.16.1.22
with a dynamically assigned port address.
C. Using Network Address Translation, host 10.0.1.10 on the inside network will be dynamically translated to a
mapped address from the address pool of 192.168.1.20 to 192.168.1.94.
D. Using port address translation, outside host 192.168.1.10 with a dynamically assigned port address will be
translated to 10.0.1.11 on the inside interface.
Answer: C
32.Refer to the exhibit. An administrator is troubleshooting a new Cisco Adaptive Security Device Manager
configured security appliance. The administrator is trying to establish a web session with the dmz1_host and the
in_host from a PC on the outside network. The administrator is able to establish a web session with the in_host
successfully from the outside. However, the administrator is unable to connect to the dmz1_host via HTTP from
an outside PC. The administrator checked the access lists and they were correct. The next step was to check the
security appliance interfaces and NAT configuration screens.
From information present on the Cisco ASDM screens shown in the exhibit, what appears to be the reason that the
administrator cannot create a web session with the dmz1_host?
A. To access dmz1_host, the administrator should be pointing the browser to http://172.16.1.10.
B. Ethernet3 is set up as a management port and will not pass the web traffic.
C. With NAT control disabled, the administrator should target the real host address.
D. Ethernet2 security level should be changed.
E. The static NAT configuration for the dmz1_host to the outside is not correct.
Answer: D
33.Refer to the exhibit. A company has just set up an e-commerce webhost on the DMZ. It was designed so that
partners can enter their equipment orders via a secure interface on a security appliance. The first time a partner
tried to access the e-commerce webhost at http://172.16.1.2, the partner could not gain access to the webhost.
After reviewing the network diagram, the Cisco Adaptive Security Device Manager translation table, and Cisco
ASDM access list configuration shown in the exhibit, what did the corporate network administrator determine to
be the cause of the problem?
A. The pnet static translation entry is not configured correctly.
B. The URL that the partner is using is not configured correctly.
C. The pnet-access access list is not configured correctly.
D. The pnet global address is not configured correctly.
Answer: B
34.Users logging into Cisco Router and Security Device Manager (SDM) should be authenticated using the Cisco
ISR local user database. Currently, none of the users can access the Cisco SDM via HTTP. Which command or
commands should be verified as properly configured on the ISR to resolve this problem?
A. ip http secure-server
B. ip http authentication local
C. line vty 0 5 login local
D. line con 0 login local
E. aaa new-model aaa authentication login default local
F. aaa new-model aaa authorization exec default local
Answer: B
35.Refer to the exhibit. A host on the Sales subnet (10.0.2.0/24) is not able to initiate a web connection to an
outside website. According to the network diagram and the partial Cisco Adaptive Security Device Manager
configuration shown in the exhibit, what is the cause of the problem?
A. The dynamic NAT global pool is not configured correctly.
B. The source networks for static NAT are not configured correctly.
C. The administrator needs to add an access list and static command for the return web traffic.
D. The source network for dynamic NAT is not configured correctly.
Answer: D
36.Refer to the exhibit. Based on the IPS configuration, which two types of traffic will be scanned by Cisco IOS
IPS? (Choose two.)
A. inbound HTTP traffic from host 10.1.1.1 to FastEthernet 0/0 interface
B. inbound HTTP traffic from host 10.2.2.2 to the FastEthernet 0/0 interface
C. all inbound traffic to the FastEthernet 0/0 interface
D. all inbound and outbound traffic to the FastEthernet 0/0 interface
E. inbound Telnet traffic from host 192.168.1.1 to the FastEthernet 0/0 interface
F. all inbound traffic to the FastEthernet 0/0 interface or the FastEthernet 0/1 interface
Answer: BE
37.What is the default authentication method when using HTTP to access the Cisco Router and Security Device
Manager (SDM), assuming that you are not using the default configuration file (sdmconfig-xxxx.cfg) that comes
with Cisco SDM?
A. none
B. local database
C. aaa
D. enable password
E. line console password
F. line vty password
Answer: D
38.Refer to the exhibit. Based on the Cisco Router and Security Device Manager firewall configuration, which
two statements are correct? (Choose two.)
A. FastEthernet 0/0 is the protected (inside) interface.
B. All outgoing traffic that is originating from any host on the 192.168.1.0/24 network to the FastEthernet 0/0
interface will be inspected.
C. The Inspection Rule DEFAULT100 has four entries to prevent spoofed, broadcast, and loopback source
address.
D. Access Rule 100 is applied to the inbound direction of the FastEthernet 0/0 interface.
E. All traffic will be permitted into the FastEthernet 0/0 interface.
Answer: AD
39.You have just configured and enabled the Cisco IOS Firewall feature set from a remote location using the
Cisco Router and Security Device Manager (SDM) Firewall wizard. You later want to double-check your
configuration using Cisco SDM. However, you find that you can no longer connect to the Cisco IOS Firewall
using Cisco SDM. What is the probable cause of this failure?
A. You must additionally specify the Cisco SDM management port number to gain access when the configuration
has been applied.
B. You have not generated an RSA key pair between the host and device to allow secure access via Cisco SDM.
C. You have been locked out via access lists that have been applied to the router as a result of your Cisco SDM
configuration.
D. You must specify the host IP address of Cisco SDM in the Configuration panel for allowed management
connections.
Answer: C
40.You have applied a firewall configuration to your router using the Cisco Router and Security Device Manager
(SDM) Firewall wizard. You find that you are now locked out and access via Cisco SDM is denied. After
accessing the router via the console port, what must you do to regain access via Cisco SDM?
A. Generate an RSA key pair between the host and device to allow secure access.
B. Specify the Cisco SDM management port number to gain access.
C. Create a loopback interface and connect to that IP address for management purposes when the configuration
has been applied to the router.
D. Modify the access list that denies Cisco SDM access.
Answer: D
41.You have configured and applied a Cisco IOS Firewall access rule to the inbound, untrusted interface. You
suspect that the rule may be blocking necessary traffic onto the network. What must you do to delete that rule
when using Cisco Router and Security Device Manager?
A. Select ACL Editor > Access Rules to delete the rule.
B. You must remove the association between the rule and the interface before deleting the rule.
C. You must delete the associated access list on the interface, then reconfigure the access list as required, and then
reapply the access group to the proper interface.
D. Go to the Edit Firewall Policy tab to delete the rule.
Answer: B
42.You see the following error message generated.
IPS-3-ENGINE_BUILD_FAILED; SERVICE.HTTP - 158560 ms - engine build
Which action can you take to prevent this from occurring?
A. Increase the router memory.
B. Reduce the number of signature engines that are loaded prior to performing an SDF build to only those that are
needed for your network.
C. Reload the signature definition file for the failing signature micro engine.
D. You must first enable the built-in signature files before merging the attack-drop.sdf signatures to allow for
correct engine builds.
Answer: A
43.Refer to the exhibit. Cisco Router and Security Device Manager (SDM) is being used to configure EIGRP for
the first time. Which three statements are correct about the Add an EIGRP display window? (Choose three.)
A. R1 will not receive any EIGRP updates from R2.
B. R3 will not receive any EIGRP updates from R2.
C. It is possible to configure the auto summary behavior of EIGRP 100 on R2 using Cisco SDM.
D. It is possible to configure multiple instances of EIGRP on R2 using Cisco SDM, providing the autonomous
systems numbers do not conflict.
E. The IP address masks of interfaces FastEthernet 0/0 and FastEthernet 0/1 must match their corresponding
network statements in the EIGRP routing protocol for routing updates to be exchanged.
F. The various network and mask configurations under EIGRP 100 can be reduced to a single line of 172.16.224.0
0.0.31.255.
Answer: BDF
44.You have enabled SDEE to report Cisco IOS IPS events. However, when you attempt to view IPS events, none
are available for viewing. Which two should you verify to ensure that your configuration is correct? (Choose two.)
A. that ip ips notify sdee is enabled
B. that you have a valid number of subscriptions enabled
C. that the receiving host IP address and secret key are correctly configured
D. that ip http server is enabled
E. that ip ips deny-action parameters are enabled
F. that you are connecting to the proper SDEE engine port number
Answer: AD
45.Refer to the exhibit. This display has been truncated to remove information that is not relevant to the question.
What would be a reason that there have been 21 ignored packets?
A. Ethernet0 has no CDP neighbors.
B. There are no free input buffers to accept new packets.
C. There are no free output buffers for packets, which are traversing the router, to go into for transmission.
D. Ethernet0 and the neighbor that it is connected to are not running the same routing protocol.
E. This is not a valid error display. The display has been modified to show that there have been ignored packets.
Answer: B
46.Refer to the exhibit. This display has been truncated to remove information that is not relevant to the question.
What will happen to a packet destined to 172.30.254.1?
A. It will be forwarded to 10.1.1.1 because this is the longest prefix match.
B. It will be forwarded to 10.1.1.2 because this is the longest prefix match.
C. It will be forwarded to 10.1.1.3; however, because this network does not exist in the routing table, this packet
will be forwarded to the default route.
D. It will be dropped because the router will not forward packets to supernets because ip classless has not been
configured.
Answer: D
47.Refer to the exhibit. R2 is always in the init state. Which two statements are correct? (Choose two.)
A. R2 is seeing hello packets from R1.
B. R2 is not seeing hello packets from R1.
C. The exchanging of data between R1 and R2 is occurring because each is sending hello packets.
D. Two-way communication has not been established between R1 and R2 because R2 is not seeing its router ID in
the hello packets that it is receiving from R1.
E. R2 has an access list defined for S0 that is blocking an OSPF multicast IP address of 224.0.0.5.
Answer: AD
48.Refer to the exhibit. Which two statements are correct about what is shown? (Choose two.)
A. The reported distance from Router A to Network A through Router B is 307200.
B. Router B will be the feasible successor of Router A for NetworkA.
C. Router C will be the feasible successor of Router A for NetworkA.
D. The reported distance from Router A to Network A through Router B is 5307136.
E. The reported distance from Router A to Network A through Router C is 20307200.
Answer: AB
49.Which two statements are correct about using Cisco Router and Security Device Manager (SDM) to configure
the OSPF routing protocol? (Choose two.)
A. Cisco SDM enforces the creation of area 0 when configuring OSPF.
B. Cisco SDM will use the supplied wildcard mask to exclude the host bits from the configured network address.
C. Cisco SDM allows the configuration of an area range to allow route summarization between OSPF areas.
D. Cisco SDM allows the selection of OSPFv1 or OSPFv2.
E. Cisco SDM allows the configuration of passive interfaces.
Answer: BE
50.Refer to the exhibit. Which two statements are correct about what is displayed? (Choose two.)
A. The IP address that is used for the router ID must be reachable.
B. Router 1 is the designated router because it has the lowest configured IP address.
C. Router 1 is the designated router because it has the highest configured loopback address.
D. If Router 1 had a PRI of 0, it could not be a designated router or a backup designated router.
E. Router 1 has had its ID manually configured by using the router-ID command.
Answer: CD
51.Which two statements are correct about using Cisco Router and Security Device Manager (SDM) to configure
RIP routing protocol? (Choose two.)
A. Cisco SDM allows the configuration of RIPv2 network masks.
B. Cisco SDM allows the configuration only of RIPv2.
C. Cisco SDM allows the configuration of RIPv1 and RIPv2.
D. Cisco SDM allows leaving the selection of the RIP protocol version to the default of the installed Cisco IOS
software.
Answer: CD