
Free Instant Download NEW 640-554 Exam Dumps (PDF & VCE):
Available on: https://www.certleader.com/640-554-dumps.html



2021 Jul cisco press 640-554:

Q181. - (Topic 4) 

Which access list permits HTTP traffic sourced from host 10.1.129.100 port 3030 destined to host 192.168.1.10? 

A. access-list 101 permit tcp any eq 3030 

B. access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 3030 192.168.1.0 0.0.0.15 eq www 

C. access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.1.10 0.0.0.0 eq www 

D. access-list 101 permit tcp host 192.168.1.10 eq 80 10.1.0.0 0.0.255.255 eq 3030 

E. access-list 101 permit tcp 192.168.1.10 0.0.0.0 eq 80 10.1.0.0 0.0.255.255 

F. access-list 101 permit ip host 10.1.129.100 eq 3030 host 192.168.1.10 eq 80 

Answer: B 

Explanation: 

www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml 

Extended ACLs 

Extended ACLs were introduced in Cisco IOS Software Release 8.3. Extended ACLs control traffic by comparing the source and destination addresses of the IP packets to the addresses configured in the ACL. 

IP 

access-list access-list-number 

[dynamic dynamic-name [timeout minutes]] 

{deny|permit} protocol source source-wildcard 

destination destination-wildcard [precedence precedence] 

[tos tos] [log|log-input] [time-range time-range-name] 

ICMP 

access-list access-list-number 

[dynamic dynamic-name [timeout minutes]] 

{deny|permit} icmp source source-wildcard 

destination destination-wildcard 

[icmp-type [icmp-code] |icmp-message] 

[precedence precedence] [tos tos] [log|log-input] 

[time-range time-range-name] 

TCP 

access-list access-list-number 

[dynamic dynamic-name [timeout minutes]] 

{deny|permit} tcp source source-wildcard [operator [port]] 

destination destination-wildcard [operator [port]] 

[established] [precedence precedence] [tos tos] 

[log|log-input] [time-range time-range-name] 

UDP 

access-list access-list-number 

[dynamic dynamic-name [timeout minutes]] 

{deny|permit} udp source source-wildcard [operator [port]] 

destination destination-wildcard [operator [port]] 

[precedence precedence] [tos tos] [log|log-input] 

[time-range time-range-name] 



Q182. - (Topic 2) 

What does the secure boot-config global configuration accomplish? 

A. enables Cisco IOS image resilience 

B. backs up the Cisco IOS image from flash to a TFTP server 

C. takes a snapshot of the router running configuration and securely archives it in persistent storage 

D. backs up the router running configuration to a TFTP server 

E. stores a secured copy of the Cisco IOS image in its persistent storage 

Answer: C 

Explanation: 

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html 

secure boot-config To take a snapshot of the router running configuration and securely archive it in persistent storage, use the secure boot-config command in global configuration mode. To remove the secure configuration archive and disable configuration resilience, use the no form of this command. 

secure boot-config [restore filename] 

no secure boot-config 

Usage Guidelines 

Without any parameters, this command takes a snapshot of the router running configuration and securely archives it in persistent storage. Like the image, the configuration archive is hidden and cannot be viewed or removed directly from the command-line interface (CLI) prompt. It is recommended that you run this command after the router has been fully configured to reach a steady state of operation and the running configuration is considered complete for a restoration, if required. A syslog message is printed on the console notifying the user of configuration resilience activation. The secure archive uses the time of creation as its filename. For example, .runcfg-20020616-081702.ar was created July 16 2002 at 8:17:02. 

The restore option reproduces a copy of the secure configuration archive as the supplied filename (disk0:running-config, slot1:runcfg, and so on). The restore operation will work only if configuration resilience is enabled. The number of restored copies that can be created is unlimited. The no form of this command removes the secure configuration archive and disables configuration resilience. An enable, disable, enable sequence has the effect of upgrading the configuration archive if any changes were made to the running configuration since the last time the feature was disabled. The configuration upgrade scenario is similar to an image upgrade. The feature detects a different version of Cisco IOS and notifies the user of a version mismatch. The same command can be run to upgrade the configuration archive to a newer version after new configuration commands corresponding to features in the new image have been issued. The correct sequence of steps to upgrade the configuration archive after an image upgrade is as follows: 

- Configure new commands 

- Issue the secure boot-config command 

secure boot-image 

To enable Cisco IOS image resilience, use the secure boot-image command in global configuration mode. To disable Cisco IOS image resilience and release the secured image so that it can be safely removed, use the no form of this command. 

secure boot-image 

no secure boot-image 

Usage Guidelines 

This command enables or disables the securing of the running Cisco IOS image. The following two possible scenarios exist with this command. 

- When turned on for the first time, the running image (as displayed in the show version command output) is secured, and a syslog entry is generated. This command will function properly only when the system is configured to run an image from a disk with an Advanced Technology Attachment (ATA) interface. Images booted from a TFTP server cannot be secured. Because this command has the effect of "hiding" the running image, the image file will not be included in any directory listing of the disk. The no form of this command releases the image so that it can be safely removed. 

- If the router is configured to boot up with Cisco IOS resilience and an image with a different version of Cisco IOS is detected, a message similar to the following is displayed at bootup: ios resilience: Archived image and configuration version 12.2 differs from running version 12.3. 

Run secure boot-config and image commands to upgrade archives to running version. 

To upgrade the image archive to the new running image, reenter this command from the console. A message will be displayed about the upgraded image. The old image is released and will be visible in the dir command output. 


Q183. - (Topic 4) 

Which statement about an access control list that is applied to a router interface is true? 

A. It only filters traffic that passes through the router. 

B. It filters pass-through and router-generated traffic. 

C. An empty ACL blocks all traffic. 

D. It filters traffic in the inbound and outbound directions. 

Answer: A 

Explanation: 

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-acl-ov-gdl.html 

The Order in Which You Enter Criteria Statements 

Note that each additional criteria statement that you enter is appended to the end of the access list statements. Also note that you cannot delete individual statements after they have been created. You can only delete an entire access list. The order of access list statements is important! When the router is deciding whether to forward or block a packet, the Cisco IOS software tests the packet against each criteria statement in the order in which the statements were created. After a match is found, no more criteria statements are checked. 

If you create a criteria statement that explicitly permits all traffic, no statements added later will ever be checked. If you need additional statements, you must delete the access list and retype it with the new entries. 

Apply an Access Control List to an Interface 

With some protocols, you can apply up to two access lists to an interface: one inbound access list and one outbound access list. With other protocols, you apply only one access list that checks both inbound and outbound packets. 

If the access list is inbound, when a device receives a packet, Cisco software checks the access list's criteria statements for a match. If the packet is permitted, the software continues to process the packet. If the packet is denied, the software discards the packet. 

If the access list is outbound, after receiving and routing a packet to the outbound interface, Cisco software checks the access list's criteria statements for a match. If the packet is permitted, the software transmits the packet. If the packet is denied, the software discards the packet. 

Note: Access lists that are applied to interfaces on a device do not filter traffic that originates from that device. The access list check is bypassed for locally generated packets, which are always outbound. By default, an access list that is applied to an outbound interface for matching locally generated traffic will bypass the outbound access list check; but transit traffic is subjected to the outbound access list check. 


Q184. - (Topic 10) 

What can the SMTP preprocessor in FirePOWER normalize? 

A. It can extract and decode email attachments in client to server traffic. 

B. It can look up the email sender. 

C. It compares known threats to the email sender. 

D. It can forward the SMTP traffic to an email filter server. 

E. It uses the Traffic Anomaly Detector. 

Answer: A 


Q185. - (Topic 10) 

Which three actions can an inline IPS take to mitigate an attack? (Choose three.) 

A. modifying packets inline 

B. denying the connection inline 

C. denying packets inline 

D. resetting the connection inline 

E. modifying frames inline 

F. denying frames inline 

Answer: A,B,C 



Q186. - (Topic 4) 

Refer to the exhibit. 

Which traffic is permitted by this ACL? 

A. TCP traffic sourced from any host in the 172.26.26.8/29 subnet on any port to host 192.168.1.2 port 80 or 443 

B. TCP traffic sourced from host 172.26.26.21 on port 80 or 443 to host 192.168.1.2 on any port 

C. any TCP traffic sourced from host 172.26.26.30 destined to host 192.168.1.1 

D. any TCP traffic sourced from host 172.26.26.20 to host 192.168.1.2 

Answer: C 

Explanation: 

www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml 

Extended ACLs 

Extended ACLs were introduced in Cisco IOS Software Release 8.3. Extended ACLs control traffic by comparing the source and destination addresses of the IP packets to the addresses configured in the ACL. 

IP 

access-list access-list-number 

[dynamic dynamic-name [timeout minutes]] 

{deny|permit} protocol source source-wildcard 

destination destination-wildcard [precedence precedence] 

[tos tos] [log|log-input] [time-range time-range-name] 

ICMP 

access-list access-list-number 

[dynamic dynamic-name [timeout minutes]] 

{deny|permit} icmp source source-wildcard 

destination destination-wildcard 

[icmp-type [icmp-code] |icmp-message] 

[precedence precedence] [tos tos] [log|log-input] 

[time-range time-range-name] 

TCP 

access-list access-list-number 

[dynamic dynamic-name [timeout minutes]] 

{deny|permit} tcp source source-wildcard [operator [port]] 

destination destination-wildcard [operator [port]] 

[established] [precedence precedence] [tos tos] 

[log|log-input] [time-range time-range-name] 

UDP 

access-list access-list-number 

[dynamic dynamic-name [timeout minutes]] 

{deny|permit} udp source source-wildcard [operator [port]] 

destination destination-wildcard [operator [port]] 

[precedence precedence] [tos tos] [log|log-input] 

[time-range time-range-name] 


Q187. - (Topic 10) 

Refer to the exhibit. 

What is the effect of the given command sequence? 

A. It configures IKE Phase 1. 

B. It configures a site-to-site VPN tunnel. 

C. It configures a crypto policy with a key size of 14400. 

D. It configures IPSec Phase 2. 

Answer: A 


Q188. - (Topic 7) 

Refer to the exhibit. 

Based on the show policy-map type inspect zone-pair session command output shown, what can be determined about this Cisco IOS zone based firewall policy? 

A. All packets will be dropped since the class-default traffic class is matching all traffic. 

B. This is an inbound policy (applied to traffic sourced from the less secured zone destined to the more secured zone). 

C. This is an outbound policy (applied to traffic sourced from the more secured zone destined to the less secured zone). 

D. Stateful packet inspection will be applied only to HTTP packets that also match ACL 110. 

E. All non-HTTP traffic will be permitted to pass as long as it matches ACL 110. 

F. All non-HTTP traffic will be inspected. 

Answer: D 

Explanation: 

http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_m1.html 

match access-group 

To configure the match criteria for a class map on the basis of the specified access control list (ACL), use the match access-group command in class-map configuration mode. To remove ACL match criteria from a class map, use the no form of this command. 

match access-group {access-group | name access-group-name} 

no match access-group access-group 

match protocol 

To configure the match criterion for a class map on the basis of a specified protocol, use the match protocol command in class-map configuration mode. To remove the protocol-based match criterion from the class map, use the no form of this command. 

match protocol protocol-name 

no match protocol protocol-name 


Q189. DRAG DROP - (Topic 9) 

Answer: 


Q190. - (Topic 10) 

What is the effect of the send-lifetime local 23:59:00 31 December 31 2013 infinite command? 

A. It configures the device to begin transmitting the authentication key to other devices at 00:00:00 local time on January 1, 2014 and continue using the key indefinitely. 

B. It configures the device to begin transmitting the authentication key to other devices at 23:59:00 local time on December 31, 2013 and continue using the key indefinitely. 

C. It configures the device to begin accepting the authentication key from other devices immediately and stop accepting the key at 23:59:00 local time on December 31, 2013. 

D. It configures the device to generate a new authentication key and transmit it to other devices at 23:59:00 local time on December 31, 2013. 

E. It configures the device to begin accepting the authentication key from other devices at 23:59:00 local time on December 31, 2013 and continue accepting the key indefinitely. 

F. It configures the device to begin accepting the authentication key from other devices at 00:00:00 local time on January 1, 2014 and continue accepting the key indefinitely. 

Answer: B