
2021 Jun cbt nuggets ccna security 640-554 jeremy:

Q111. - (Topic 4) 

Refer to the exhibit. 

This Cisco IOS access list has been configured on the FA0/0 interface in the inbound direction. 

Which four TCP packets sourced from 10.1.1.1 port 1030 and routed to the FA0/0 interface are permitted? (Choose four.) 

A. destination ip address: 192.168.15.37 destination port: 22 

B. destination ip address: 192.168.15.80 destination port: 23 

C. destination ip address: 192.168.15.66 destination port: 8080 

D. destination ip address: 192.168.15.36 destination port: 80 

E. destination ip address: 192.168.15.63 destination port: 80 

F. destination ip address: 192.168.15.40 destination port: 21 

Answer: B,C,D,E 

Explanation: 

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml

Extended ACLs control traffic by comparing the source and destination addresses of the IP packets to the addresses configured in the ACL. You can also make extended ACLs more granular by configuring them to filter traffic by criteria such as:

Protocol 

Port numbers 

Differentiated services code point (DSCP) value 

Precedence value 

State of the synchronize sequence number (SYN) bit 

The command syntax formats of extended ACLs are:

IP

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]

Internet Control Message Protocol (ICMP)

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | [icmp-message]] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]

Transmission Control Protocol (TCP)

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]

User Datagram Protocol (UDP)

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} udp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]


Q112. - (Topic 10) 

What type of algorithm uses the same key to encrypt and decrypt data? 

A. a symmetric algorithm 

B. an asymmetric algorithm 

C. a Public Key Infrastructure algorithm 

D. an IP security algorithm 

Answer: A 


Q113. - (Topic 8) 

Which two protocols enable Cisco Configuration Professional to pull IPS alerts from a Cisco ISR router? (Choose two.) 

A. syslog 

B. SDEE 

C. FTP 

D. TFTP 

E. SSH 

F. HTTPS 

Answer: B,F 

Explanation: 

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd805c4ea8.html

Step 4: Enabling IOS IPS 

The fourth step is to configure IOS IPS using the following sequence of steps: 

Step 4.1: Create a rule name (This will be used on an interface to enable IPS) 

ip ips name <rule name> <optional ACL>

router#configure terminal

router(config)# ip ips name iosips

You can specify an optional extended or standard access control list (ACL) to filter the traffic that will be scanned by this rule name. All traffic that is permitted by the ACL is subject to inspection by the IPS. Traffic that is denied by the ACL is not inspected by the IPS. 

router(config)#ip ips name ips list ? 

<1-199> Numbered access list 

WORD Named access list 

Step 4.2: Configure IPS signature storage location, this is the directory `ips' created in Step

ip ips config location flash:<directory name>

router(config)#ip ips config location flash:ips 

Step 4.3: Enable IPS SDEE event notification 

ip ips notify sdee

router(config)#ip ips notify sdee

To use SDEE, the HTTP server must be enabled (via the `ip http server' command). If the HTTP server is not enabled, the router cannot respond to the SDEE clients because it cannot see the requests. SDEE notification is disabled by default and must be explicitly enabled. 


Q114. - (Topic 10) 

Which type of secure connectivity does an extranet provide? 

A. other company networks to your company network 

B. remote branch offices to your company network 

C. your company network to the Internet 

D. new networks to your company network 

Answer: A 


Q115. DRAG DROP - (Topic 1) 

Answer: 



Improved ccna security 640-554 official cert guide pdf download:

Q116. - (Topic 9) 

Which option describes the purpose of Diffie-Hellman? 

A. used between the initiator and the responder to establish a basic security policy 

B. used to verify the identity of the peer 

C. used for asymmetric public key encryption 

D. used to establish a symmetric shared key via a public key exchange process 

Answer: D 

Explanation: 

http://www.cisco.com/en/US/docs/routers/access/cisco_router_and_security_device_manager/25/software/user/guide/IKE.html 

D-H Group: Diffie-Hellman (D-H) Group. Diffie-Hellman is a public-key cryptography protocol that allows two routers to establish a shared secret over an unsecure communications channel. The options are as follows:

group1: 768-bit D-H Group. D-H Group 1.

group2: 1024-bit D-H Group. D-H Group 2. This group provides more security than group 1, but requires more processing time.

group5: 1536-bit D-H Group. D-H Group 5. This group provides more security than group 2, but requires more processing time.

Note: If your router does not support group5, it will not appear in the list.

Easy VPN servers do not support D-H Group 1.
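The exchange described in the explanation above, as an added Python example that is not Cisco code or part of the original page: two peers derive the same symmetric secret over D-H groups 1, 2 and 5 while sending only public values. The function names are hypothetical; the primes are rebuilt from the formulas published in RFC 2409 (groups 1 and 2) and RFC 3526 (group 5), with generator 2.

```python
# Added example (not Cisco code): D-H over the groups the page lists.
import secrets

# group number -> (prime size in bits, constant in the published prime formula)
GROUPS = {1: (768, 149686), 2: (1024, 129093), 5: (1536, 741804)}
GENERATOR = 2

def pi_floor(shift, guard=64):
    """floor(pi * 2**shift) via Machin: pi = 16*atan(1/5) - 4*atan(1/239)."""
    one = 1 << (shift + guard)
    def atan_inv(x):
        total, term, n, sign = 0, one // x, 1, 1
        while term:
            total += sign * (term // n)
            term //= x * x
            n, sign = n + 2, -sign
        return total
    return (16 * atan_inv(5) - 4 * atan_inv(239)) >> guard

def modp_prime(group):
    """p = 2^n - 2^(n-64) - 1 + 2^64 * (floor(2^(n-130) * pi) + c)."""
    bits, c = GROUPS[group]
    return 2**bits - 2**(bits - 64) - 1 + 2**64 * (pi_floor(bits - 130) + c)

def keypair(p):
    private = secrets.randbelow(p - 3) + 2   # secret exponent in [2, p-2]
    return private, pow(GENERATOR, private, p)

def shared_secret(p, own_private, peer_public):
    # Reject 0, 1 and p-1: they force a secret an eavesdropper can guess.
    if not 1 < peer_public < p - 1:
        raise ValueError("degenerate peer public value")
    return pow(peer_public, own_private, p)

def exchange(group):
    """Both routers derive the key; only the public values cross the wire."""
    p = modp_prime(group)
    a_priv, a_pub = keypair(p)     # initiator
    b_priv, b_pub = keypair(p)     # responder
    k_init = shared_secret(p, a_priv, b_pub)
    k_resp = shared_secret(p, b_priv, a_pub)
    return p.bit_length(), k_init == k_resp

if __name__ == "__main__":
    for g in GROUPS:
        print("group", g, exchange(g))
```

Nothing in this exchange identifies the peer, which is why option B is not the purpose of Diffie-Hellman: authentication has to come from a separate mechanism.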


Q117. - (Topic 10) 

What is an advantage of implementing a Trusted Platform Module for disk encryption? 

A. It provides hardware authentication. 

B. It allows the hard disk to be transferred to another device without requiring re-encryption.

C. It supports a more complex encryption algorithm than other disk-encryption technologies. 

D. It can protect against single points of failure. 

Answer: A 


Q118. - (Topic 5) 

Which statement is true when you have generated RSA keys on your Cisco router to prepare for secure device management? 

A. You must then zeroize the keys to reset secure shell before configuring other parameters. 

B. The SSH protocol is automatically enabled. 

C. You must then specify the general-purpose key size used for authentication with the crypto key generate rsa general-keys modulus command. 

D. All vty ports are automatically enabled for SSH to provide secure management. 

Answer: B 

Explanation:

http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml

Generate an RSA key pair for your router, which automatically enables SSH. 

carter(config)#crypto key generate rsa 

Refer to crypto key generate rsa - Cisco IOS Security Command Reference, Release 12.3 for more information on the usage of this command. 


Q119. - (Topic 10) 

Which FirePOWER preprocessor engine is used to prevent SYN attacks? 

A. Rate-Based Prevention 

B. Portscan Detection 

C. IP Defragmentation 

D. Inline Normalization 

Answer: A 


Q120. - (Topic 2) 

What are three of the security conditions that Cisco Configuration Professional One-Step Lockdown can automatically detect and correct on a Cisco router? (Choose three.) 

A. One-Step Lockdown can set the enable secret password. 

B. One-Step Lockdown can disable unused ports. 

C. One-Step Lockdown can disable the TCP small servers service. 

D. One-Step Lockdown can enable IP Cisco Express Forwarding. 

E. One-Step Lockdown can enable DHCP snooping. 

F. One-Step Lockdown can enable SNMP version 3. 

Answer: A,C,D