1. Which Cisco Catalyst IOS command can be used to mitigate a CAM table overflow attack?
A. switch(config-if)# port-security maximum 1
B. switch(config)# switchport port-security
C. switch(config-if)# port-security
D. switch(config-if)# switchport port-security maximum 1
E. switch(config-if)# switchport access
F. switch(config-if)# access maximum 1
Answer:D
2. Which Cisco Catalyst IOS command is used to mitigate a MAC spoofing attack?
A. switch(config-if)# port-security mac-address 0000.ffff.aaaa
B. switch(config)# switchport port-security mac-address 0000.ffff.aaaa
C. switch(config-if)# switchport port-security mac-address 0000.ffff.aaaa
D. switch(config)# port-security mac-address 0000.ffff.aaaa
E. switch(config-if)# mac-address 0000.ffff.aaaa
F. switch(config)# security mac-address 0000.ffff.aaaa
Answer:C
3. In a Cisco Identity-Based Networking Services (IBNS) implementation, the endpoint that is seeking network
access is known as what?
A. host
B. authenticator
C. PC
D. authentication server
E. client
F. supplicant
Answer:F
4. In an 802.1x implementation, the supplicant directly connects to, and obtains network access permission
through, which device?
A. host
TestInside 642-502
B. authenticator
C. PC
D. authentication server
E. client
F. supplicant
Answer:B
5. In an 802.1x implementation, the authenticator acts as a gateway to which device?
A. host
B. authenticator
C. PC
D. authentication server
E. client
F. supplicant
Answer:D
6. Which three keywords are used with the dot1x port-control command? (Choose three.)
A. enable
B. force-authorized
C. force-unauthorized
D. authorized
E. unauthorized
F. auto
Answer:BCF
7. Which two are typical Layer 2 attacks? (Choose two.)
A. MAC spoofing
B. CAM table overflow
C. route poisoning
D. DHCP Starvation
E. ARP Starvation
F. spam
Answer:AB
8. Which three are typical Layer 2 attack mitigation techniques? (Choose three.)
A. switch security
B. port security
C. ARP snooping
D. DHCP snooping
E. port snooping
F. 802.1x authentication
Answer:BDF
9. What are three main components of the Cisco IOS Firewall feature set? (Choose three.)
A. Context-based Access Control
B. port security
C. authentication proxy
D. authentication, authorization, and accounting
E. Intrusion Prevention System
F. neighbor router authentication
Answer:ACE
10. CBAC intelligently filters TCP and UDP packets based on which protocol-session information?
A. network layer
B. transport layer
C. data-link
D. application layer
E. presentation layer
F. session layer
Answer:D
11. The Cisco Identity-Based Networking Services (IBNS) solution is based on which two standard
implementations? (Choose two.)
A. TACACS+
B. RADIUS
C. 802.11
D. 802.1x
E. 802.1q
F. IPSec
Answer:BD
12. Which command is required to specify the authorization protocol for authentication proxy?
A. auth-proxy group tacacs+
B. aaa auth-proxy default group tacacs+
C. authorization auth-proxy default group tacacs+
D. aaa authorization auth-proxy default group tacacs+
E. aaa authorization auth-proxy group tacacs+
F. aaa authorization auth-proxy default group
Answer:D
13. Choose the two commands that are used to enable the router's HTTP server for AAA. (Choose two.)
A. http server
B. ip http server
C. enable ip http server
D. http authentication aaa
E. http server authentication aaa
F. ip http authentication aaa
Answer:BF
14. Refer to the output of a sh ip auth-proxy cache command below. Which port is being used by the client?
R2#sh ip auth-proxy cache
Authentication Proxy Cache
Client Name aaauser, Client IP 10.0.2.12, Port 2636, timeout 5, Time Remaining 3, state ESTAB
A. 1645
B. 1646
C. 1812
D. 2636
E. 2640
F. 8080
Answer:D
15. The SDF uses which type of file format, with a definition of each signature along with relevant configurable
actions?
A. ASCII
B. HTML
C. JPEG
D. Word
E. text
F. XML
Answer:F
16. What is the purpose of the ip ips sdf builtin command?
A. to load IPS on a router using the built-in signatures
B. to load IP on a router using the attack-drop signatures
C. to unload IPS built-in signatures
D. to delete the IPS built-in signatures
E. to load IPS on a router using the built-in micro-engine
F. to disable IPS on a router using the built-in micro-engine
Answer:A
17. Refer to the exhibit. Given the output of the show ip ips configuration command, how many signatures are
active?
A. 0
B. 50
C. 83
D. 100
E. 183
F. 1107
Answer:E
18. Choose the correct command to disable signature 1000 in the SDF file.
A. 1000 disable
B. no ip ips signature 1000
C. no ip ips signature 1000 enable
D. ip ips signature 1000 disable
E. ip signature 1000 disable
F. signature 1000 disable
Answer:D
19. Choose the correct command that will load the SDF into a router and merge the new signatures with those that
are already loaded in the router.
A. copy flash ips-sdf
B. copy url ips-sdf
C. copy ips-sdf url
D. write flash ips-sdf
E. write ips-sdf url
F. write url ips-sdf
Answer:B
20. Choose the correct command to allow IKE to establish the IPSec security associations.
A. crypto map 10 isakmp
B. crypto map 10 manual
C. crypto map MYMAP ipsec-isakmp
D. crypto map MYMAP ipsec-manual
E. crypto map MYMAP 10 ipsec-isakmp
F. crypto map MYMAP 10 ipsec-manual
Answer:E
21. Refer to the exhibit. Given the output of the show crypto ipsec client ezvpn command, what do you
determine?
A. The default domain is cisco.
B. The socket is up and ready for data.
C. The remote router address is 10.0.2.39.
D. The tunnel is up and SAs have been established.
E. The tunnel is terminated at a remote router called VPNGATE1.
F. All hosts connecting through this router will have the address of 10.0.2.39.
Answer:D
22. Refer to the exhibit. Given the output of the show crypto ipsec sa command, which encryption algorithm is
being used?
A. PCP
B. ESP
C. DES
D. 3DES
E. AH
F. HMAC
Answer:C
23. Choose the correct command to generate two RSA key pairs for use with certificate authority.
A. key generate rsa general-keys
B. key generate rsa usage-keys
C. crypto key generate rsa general-keys
D. crypto key generate rsa usage-keys
E. enable crypto key generate rsa general-keys
F. enable crypto key generate rsa usage-keys
Answer:D
24. Choose the correct command to set a RADIUS key to cisco for all RADIUS servers.
A. router(config)# key cisco
B. router(config)# server key cisco
C. router(config)# radius-server cisco
D. router(config)# radius key cisco
E. router(config)# radius-server key cisco
F. router(config-if)# radius-server key cisco
Answer:E
25. Choose the correct command to enable RADIUS authentication on the router.
A. login default group radius
B. aaa authentication login radius
C. aaa authentication login group radius
D. authentication login default group radius
E. aaa authorization login default group radius
F. aaa authentication login default group radius
Answer:F
26. Choose the correct global command that will specify the TACACS server.
A. host 10.1.1.4
B. server 10.1.1.4
C. tacacs-server host 10.1.1.4
D. tacacs-server 10.1.1.4
E. tacacs-host host 10.1.1.4
F. server-tacacs host 10.1.1.4
Answer:C
27. Which four files are required for basic HTTP connectivity to SDM? (Choose four.)
A. home.html
B. home.tar
C. home.cfg
D. sdm.tar
E. sdm.html
F. sdmconfig-xxxx.cfg
Answer:ABDF
28. Choose the correct command to enable local authentication for the HTTP interface.
A. router# ip http authentication enable
B. router# http authentication local
C. router(config)# ip http authentication enable
D. router(config)# ip http authentication local
E. router(config)# ip http authentication enable local
F. router(config)# ip http authentication local enable
Answer:D
29. Refer to the exhibit. An administrator cannot telnet to the router. The administrator is not prompted for a
username or password and cannot ping the router. After reviewing the output of a show running-config command,
what do you determine?
A. AAA is not enabled.
B. Everything is configured correctly (the problem must be caused by something else).
C. An access control list is blocking traffic.
D. The wrong passwords are being used.
E. The TACACS server must be unreachable.
F. The wrong authentication method is applied to lines.
Answer:B
30. Refer to the LAN Wizard screen in the exhibit. How many bits would you input to configure this host for a
subnet consisting of two hosts on subnet 172.26.26.0?
A. 3
B. 4
C. 24
D. 30
E. 128
F. 255
Answer:D
31. Refer to the exhibit. After reviewing the running-config file, what do you determine?
A. No one will be able to log in.
B. No one will be able to console in.
C. The wrong authentication method is applied to lines.
D. Users will use the local database to log in to console.
E. Users will use the password cisco to log in to console.
F. Users will use the local database to log in to vty.
Answer:D
32. Refer to the Cisco Secure ACS Administration Privileges setup screen in the exhibit. Which button should be
checked to give administrative privileges to everything?
A. Add/Edit users in these groups
B. Cancel
C. Grant All
D. Revoke All
E. Setup of these groups
F. Submit
Answer:C
33. What is the minimum IOS release that supports SDM?
A. 11.2
B. 12.0
C. 12.1
D. 12.2
E. 6.1
Answer:D
34. Refer to the Cisco Router and Security Device Manager page in the exhibit. What would be the result of
clicking the "Launch the selected task" button in the VPN configuration screen?
A. to start the GRE site-to-site VPN connection configuration
B. to edit the site-to-site VPN connection
C. to start the security audit
D. to start the Easy VPN Server configuration
E. to start the default site-to-site VPN connection configuration
F. to start the Easy VPN Remote configuration
Answer:E
35. Select the maximum number of routers SDM can manage simultaneously.
A. 1
B. 5
C. 50
D. 100
E. 1000
F. determined by router model
Answer:A
36. Select the two protocols used to provide secure communications between SDM and the target router. (Choose
two.)
A. HTTPS
B. RCP
C. Telnet
D. SSH
E. HTTP
F. AES
Answer:AD
37. Select the command used to verify that SDM has been installed on a Cisco router.
A. show manager
B. show version
C. show sdm
D. show running-config
E. show flash
Answer:E
38. Which one of the following actions is used to send SDM generated commands to the target router?
A. Refresh
B. Save
C. Deliver
D. Download
E. Copy-config
Answer:C
39. Which one of the following actions is used to prevent newly configured SDM commands from being sent to a
target router?
A. Delete
B. Remove
C. Undo
D. Clear-commands
E. Refresh
Answer:E
40. What does authentication proxy on the Cisco IOS Firewall do?
A. creates specific authorization policies for each user with Cisco Secure ACS, dynamic, per-user security and
authorization
B. provides additional visibility at intranet, extranet, and Internet perimeters
C. creates specific security policies for each user with Cisco Secure ACS, dynamic, per-user authentication and
authorization
D. provides secure, per-application access control across network perimeters
Answer:C
41. Where are access profiles stored with the authentication proxy features of the Cisco IOS Firewall?
A. PIX Firewall
B. Cisco router
C. Cisco VPN Concentrator
D. Cisco Secure ACS authentication server
Answer:D
42. How does the user trigger the authentication proxy after the idle timer expires?
A. authenticates the user
B. initiates another HTTP session
C. enters a new username and password
D. enters a valid username and password
Answer:B
43. Select the two issues to consider when implementing IOS Firewall IDS. (Choose two.)
A. memory usage
B. number of DMZs
C. signature coverage
D. number of router interfaces
E. signature length
Answer:AC
44. Choose the two types of signature implementations that the IOS Firewall IDS can detect. (Choose two.)
A. atomic
B. dynamic
C. regenerative
D. cyclical
E. compound
F. complex
Answer:AE
45. What kind of signatures trigger on a single packet? (Choose one.)
A. regenerative
B. cyclical
C. atomic
D. dynamic
E. compound
Answer:C
46. Choose the three actions that the IOS Firewall IDS router may perform when a packet, or a number of packets
in a session, match a signature. (Choose three.)
A. forward packet to the Cisco IDS Host Sensor for further analysis
B. send an alarm to the Cisco IDS Director or Syslog server
C. send an alarm to Cisco Secure ACS
D. set the packet reset flag and forward the packet through
E. drop the packet immediately
F. return the packet to the sender
Answer:BDE
47. Which three statements about Cisco Secure ACS are true? (Choose three.)
A. NAS can access multiple Cisco Secure ACS for Windows servers.
B. Cisco Secure ACS for Windows servers can only log onto external servers.
C. The Cisco Secure ACS for Windows server supports only TACACS+.
D. Database replication is supported by the Cisco Secure ACS for Windows servers.
E. The service used for authentication and authorization on a Cisco Secure ACS for Windows server is called
CSAdmin.
F. The Cisco Secure ACS for Windows servers uses the CSDBsynch service to manage the user and group
accounts.
Answer:ADF
48. Which three thresholds does CBAC on the Cisco IOS Firewall provide against DoS attacks? (Choose three.)
A. number of half-open sessions based upon time
B. total number of half-open TCP or UDP sessions
C. number of fully open sessions based upon time
D. number of half-open TCP-only sessions per host
E. total number of fully open TCP or UDP sessions
F. number of fully open TCP-only sessions per host
Answer:ABD
49. Which Easy VPN feature enables two IPSec peers to determine if the other is still "alive"?
A. Dead Peer Timeout
B. No Pulse Timer
C. Peer Death Monitor
D. Dead Peer Detection
E. Peer Heartbeat
Answer:D
50. Which protocol is commonly used to communicate AAA information between Cisco routers and AAA servers?
A. SSH
B. ARAP
C. TACACS+
D. SSL
E. Syslog
Answer:C
51. Which ESP mode is used to provide end-to-end protection of message payloads between two hosts?
A. transport mode
B. encrypted mode
C. ESP mode
D. tunnel mode
Answer:A