
Free Instant Download NEW 640-554 Exam Dumps (PDF & VCE):
Available on: https://www.certleader.com/640-554-dumps.html



2021 Sep ccna security study guide 640-554:

Q171. - (Topic 10) 

In which three ways does the TACACS+ protocol differ from RADIUS? (Choose three.) 

A. TACACS+ uses TCP to communicate with the NAS. 

B. TACACS+ can encrypt the entire body of the packet that is sent to the NAS. 

C. TACACS+ supports per-command authorization. 

D. TACACS+ authenticates and authorizes simultaneously, causing fewer packets to be transmitted. 

E. TACACS+ uses UDP to communicate with the NAS. 

F. TACACS+ encrypts only the password field in an authentication packet. 

Answer: A,B,C 

Explanation: 

TACACS+ runs over TCP port 49, obfuscates the whole packet body (only the 12-byte header is sent in cleartext), and keeps authentication, authorization and accounting as separate exchanges, which is what lets the server authorize each command individually. RADIUS runs over UDP (1812/1813, or the legacy 1645/1646), hides only the User-Password attribute, and returns authorization attributes in the same Access-Accept that answers the authentication request. Options D, E and F therefore describe RADIUS, not TACACS+.
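Added example (Python, not from the page or from Cisco) showing what "encrypts the entire body" versus "encrypts only the password" means on the wire: the TACACS+ pseudo-pad obfuscation of RFC 8907 section 4.5 and the RADIUS User-Password hiding of RFC 2865 section 5.2, run over a constructed packet and password. The shared secrets, the session id, the Request Authenticator and the packet body are assumptions made for the demonstration.

```python
"""TACACS+ body obfuscation next to RADIUS User-Password hiding.

Added example (not from the page or from Cisco): it implements the two
published algorithms, RFC 8907 section 4.5 for TACACS+ and RFC 2865
section 5.2 for RADIUS, so the difference behind options B and F can be
seen on real bytes. Keys, session id and packet contents are constructed.
"""
import hashlib
import struct

TACACS_VERSION = 0xC0          # major version 0xC, minor 0
TACACS_TYPE_AUTHEN = 0x01
TACACS_FLAG_UNENCRYPTED = 0x01
HEADER_FMT = "!BBBBII"         # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12 bytes, always cleartext


def _xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n = MD5(same, MD5_n-1)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(packet: bytes, key: bytes) -> bytes:
    """XOR the whole body with the pseudo-pad. The header (version, type,
    sequence, flags, session id, length) stays readable. XOR is its own
    inverse, so the same call also de-obfuscates."""
    version, _, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if flags & TACACS_FLAG_UNENCRYPTED:
        return packet
    body = packet[HEADER_LEN:HEADER_LEN + length]
    return packet[:HEADER_LEN] + _xor(body, tacacs_pseudo_pad(session_id, key, version, seq_no, length))


def build_tacacs_packet(body: bytes, session_id: int, seq_no: int = 1) -> bytes:
    header = struct.pack(HEADER_FMT, TACACS_VERSION, TACACS_TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + body


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Only the User-Password attribute is hidden: pad to 16-byte blocks, then
    c1 = p1 XOR MD5(S + RA), cn = pn XOR MD5(S + c(n-1)). Every other attribute
    (User-Name, NAS-IP-Address, ...) travels in cleartext."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits the password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # strip the NUL padding (a password must not end in NUL)


if __name__ == "__main__":
    key = b"tacacs-shared-secret"                           # constructed
    body = b"\x01\x00\x02\x01\x05\x00\x00\x00" + b"admin"    # constructed START-like body
    pkt = build_tacacs_packet(body, 0x1234ABCD)
    wire = tacacs_obfuscate(pkt, key)
    print("TACACS+ header unchanged:", wire[:HEADER_LEN] == pkt[:HEADER_LEN])
    print("TACACS+ body on the wire: ", wire[HEADER_LEN:].hex())
    ra = bytes(range(16))                                    # constructed Request Authenticator
    hidden = radius_hide_password(b"Sup3rSecret", b"radius-secret", ra)
    print("RADIUS User-Password on the wire:", hidden.hex())
```

Both routines are MD5-derived XOR pads rather than authenticated encryption; "encrypted" in the exam's sense means "not readable by a casual sniffer", and the difference the question is after is the coverage (whole body versus one attribute), not the cipher strength.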


Q172. - (Topic 4) 

Which single Cisco IOS ACL entry permits IP addresses from 172.16.80.0 to 172.16.87.255? 

A. permit 172.16.80.0 0.0.3.255 

B. permit 172.16.80.0 0.0.7.255 

C. permit 172.16.80.0 0.0.248.255 

D. permit 176.16.80.0 255.255.252.0 

E. permit 172.16.80.0 255.255.248.0 

F. permit 172.16.80.0 255.255.240.0 

Answer: B 

Explanation: 

www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml 

ACL Summarization 

Note: Subnet masks can also be represented as a fixed-length notation. For example, 192.168.10.0/24 represents 192.168.10.0 255.255.255.0. This list describes how to summarize a range of networks into a single network for ACL optimization. Consider these networks: 

192.168.32.0/24 
192.168.33.0/24 
192.168.34.0/24 
192.168.35.0/24 
192.168.36.0/24 
192.168.37.0/24 
192.168.38.0/24 
192.168.39.0/24 

The first two octets and the last octet are the same for each network. This table is an explanation of how to summarize these into a single network. 

The third octet for the previous networks can be written as seen in this table, according to the octet bit position and address value for each bit. 

Decimal  128  64  32  16   8   4   2   1 
   32      0   0   1   0   0   0   0   0 
   33      0   0   1   0   0   0   0   1 
   34      0   0   1   0   0   0   1   0 
   35      0   0   1   0   0   0   1   1 
   36      0   0   1   0   0   1   0   0 
   37      0   0   1   0   0   1   0   1 
   38      0   0   1   0   0   1   1   0 
   39      0   0   1   0   0   1   1   1 
           M   M   M   M   M   D   D   D 

(M = the bit must match, D = the bit does not matter.) 

Since the first five bits match, the previous eight networks can be summarized into one network (192.168.32.0/21 or 192.168.32.0 255.255.248.0). All eight possible combinations of the three low-order bits are relevant for the network ranges in question. This command defines an ACL that permits this network. If you subtract 255.255.248.0 (normal mask) from 255.255.255.255, it yields the wildcard mask 0.0.7.255: 

access-list acl_permit permit ip 192.168.32.0 0.0.7.255 

Applying the same method to the question: the third octets 80 through 87 are 01010000 through 01010111, so only the three low-order bits of the third octet (plus the whole fourth octet) vary. The range is 172.16.80.0/21, subnet mask 255.255.248.0, wildcard mask 0.0.7.255, which is option B. Option A (0.0.3.255) stops at 172.16.83.255, option C (0.0.248.255) leaves the wrong bits as "don't care", and options D to F give subnet masks where an IOS ACL expects a wildcard mask. 
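The summarization procedure above, as an added Python example (not Cisco code) that generalizes the bit table to any range: it finds the low-order bits that differ between the first and last address, checks that the range fills that block exactly, emits the wildcard mask, and then applies the IOS wildcard matching rule so each of the question's options can be tested against concrete addresses. The address ranges fed to it are the ones from the question and the note.

```python
"""Summarize an IP range into one IOS ACL entry (address + wildcard mask).

Added example, not Cisco code. It generalizes the bit table above: find the
low-order bits that vary between the first and last address, check that
the range fills that block exactly, and emit the wildcard. acl_matches()
applies the IOS matching rule so the question's options can be tested.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def summarize_range(first: str, last: str):
    """Return (network, wildcard, prefix_len) when first..last is exactly one
    CIDR block, otherwise None (one ACL entry cannot express the range)."""
    lo, hi = _to_int(first), _to_int(last)
    if lo > hi:
        raise ValueError("first address must not be above last")
    # Bits above the highest differing bit are equal in lo and hi ("M" in the
    # table); everything from that bit down is "D" (don't care).
    dont_care_bits = (lo ^ hi).bit_length()
    wildcard = (1 << dont_care_bits) - 1
    # A single entry covers the range only if lo starts the block (all D bits 0)
    # and hi ends it (all D bits 1).
    if (lo & wildcard) != 0 or (hi & wildcard) != wildcard:
        return None
    network = lo & (ALL_ONES ^ wildcard)
    # Cross-check against the standard library's own summarizer.
    std = list(ipaddress.summarize_address_range(ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)))
    if len(std) != 1 or int(std[0].hostmask) != wildcard:
        raise RuntimeError("summarization disagrees with ipaddress module")
    return _to_str(network), _to_str(wildcard), 32 - dont_care_bits


def wildcard_from_mask(mask: str) -> str:
    """255.255.255.255 minus the subnet mask, as the note above does."""
    return _to_str(ALL_ONES - _to_int(mask))


def acl_matches(entry_addr: str, wildcard: str, ip: str) -> bool:
    """IOS rule: where the wildcard bit is 0 the address bit must equal the
    entry's bit; where it is 1 the bit is ignored."""
    care = ALL_ONES ^ _to_int(wildcard)
    return (_to_int(ip) & care) == (_to_int(entry_addr) & care)


if __name__ == "__main__":
    print(summarize_range("192.168.32.0", "192.168.39.255"))   # the note's example
    print(summarize_range("172.16.80.0", "172.16.87.255"))     # the question
    for option, wc in (("A", "0.0.3.255"), ("B", "0.0.7.255"), ("C", "0.0.248.255")):
        inside = all(acl_matches("172.16.80.0", wc, ip)
                     for ip in ("172.16.80.0", "172.16.84.1", "172.16.87.255"))
        outside = not acl_matches("172.16.80.0", wc, "172.16.88.0")
        print(option, wc, "covers the range exactly" if inside and outside else "does not fit")
```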


Q173. - (Topic 10) 

Which three ESP fields can be encrypted during transmission? (Choose three.) 

A. Security Parameters Index 

B. Sequence Number 

C. MAC Address 

D. Padding 

E. Pad Length 

F. Next Header 

Answer: D,E,F 

Explanation: 

The SPI and sequence number are sent in the clear so that the receiver can select the security association and run the anti-replay check before decrypting anything. The payload data, padding, pad length and next header make up the encrypted portion of the packet, and the integrity check value (ICV), when present, follows it in the clear. A MAC address is a layer 2 field and is not part of the ESP header at all. 
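The ESP layout described above, as an added Python example (not from the page or from any IPsec implementation): it builds and parses an ESP packet in the RFC 4303 format, showing which bytes a passive observer can read (SPI, sequence number, IV) and which only appear after decryption (payload, padding, pad length, next header). The confidentiality transform is a SHA-256 counter keystream standing in for a real cipher so the block runs on the standard library alone; the ICV is a genuine HMAC-SHA1-96 (RFC 2404). Keys, SPI and payload are constructed.

```python
"""ESP packet layout (RFC 4303): cleartext, encrypted and integrity-protected
fields.

Added example, not from the page or from any IPsec stack. SPI, sequence
number and the IV are cleartext; payload, padding, pad length and next
header are encrypted; the ICV covers everything before it. The cipher here
is a hash-counter keystream that stands in for a real transform so the
example runs on the standard library; keys, SPI and payload are constructed.
"""
import hashlib
import hmac
import os
import struct

ICV_LEN = 12   # HMAC-SHA1-96 truncates the 20-byte tag to 96 bits
IV_LEN = 8


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Stand-in cipher (NOT an IPsec transform): SHA-256 in counter mode."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + struct.pack("!I", ctr)).digest()
        ctr += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _icv(auth_key: bytes, data: bytes) -> bytes:
    return hmac.new(auth_key, data, hashlib.sha1).digest()[:ICV_LEN]


def esp_build(spi: int, seq: int, payload: bytes, next_header: int,
              enc_key: bytes, auth_key: bytes, iv: bytes = None) -> bytes:
    iv = iv if iv is not None else os.urandom(IV_LEN)
    # Padding makes Pad Length + Next Header end on a 4-byte boundary (RFC 4303
    # 2.4); the default padding bytes are 1, 2, 3, ... and are checked on receipt.
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))
    plaintext = payload + padding + bytes([pad_len, next_header])
    ciphertext = _xor(plaintext, _keystream(enc_key, iv, len(plaintext)))
    body = struct.pack("!II", spi, seq) + iv + ciphertext
    return body + _icv(auth_key, body)     # ICV covers SPI, seq, IV and ciphertext


def esp_cleartext_fields(packet: bytes) -> dict:
    """What a passive observer can read without any key."""
    spi, seq = struct.unpack("!II", packet[:8])
    return {"spi": spi, "seq": seq, "encrypted_len": len(packet) - 8 - IV_LEN - ICV_LEN}


def esp_verify(packet: bytes, auth_key: bytes) -> bool:
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(icv, _icv(auth_key, body))


def esp_parse(packet: bytes, enc_key: bytes, auth_key: bytes) -> dict:
    """Verify the ICV first (never decrypt unauthenticated data), then decrypt
    and peel the trailer from the end: Next Header, Pad Length, then padding."""
    if not esp_verify(packet, auth_key):
        raise ValueError("ICV mismatch: packet altered or wrong integrity key")
    body = packet[:-ICV_LEN]
    spi, seq = struct.unpack("!II", body[:8])
    iv, ciphertext = body[8:8 + IV_LEN], body[8 + IV_LEN:]
    plaintext = _xor(ciphertext, _keystream(enc_key, iv, len(ciphertext)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    payload_end = len(plaintext) - 2 - pad_len
    if payload_end < 0:
        raise ValueError("pad length exceeds packet: wrong key or corrupted data")
    padding = plaintext[payload_end:-2]
    if padding != bytes(range(1, pad_len + 1)):
        raise ValueError("bad padding after decryption: wrong key or corrupted data")
    return {"spi": spi, "seq": seq, "payload": plaintext[:payload_end],
            "padding": padding, "pad_length": pad_len, "next_header": next_header}


if __name__ == "__main__":
    enc_key, auth_key = b"enc-key-constructed", b"auth-key-constructed"
    pkt = esp_build(0x1000, 7, b"GET / HTTP/1.0\r\n", 6, enc_key, auth_key)  # next header 6 = TCP
    print("cleartext:", esp_cleartext_fields(pkt))
    print("decrypted:", esp_parse(pkt, enc_key, auth_key))
```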


Q174. - (Topic 10) 

When a company puts a security policy in place, what is the effect on the company's business? 

A. minimizing risk 

B. minimizing total cost of ownership 

C. minimizing liability 

D. maximizing compliance 

Answer: A 


Q175. - (Topic 10) 

If you change the native VLAN on the trunk port to an unused VLAN, what happens if an attacker attempts a double-tagging attack? 

A. The trunk port would go into an error-disabled state. 

B. A VLAN hopping attack would be successful. 

C. A VLAN hopping attack would be prevented. 

D. The attacked VLAN will be pruned. 

Answer: C 



Q176. - (Topic 10) 

What is the default privilege level for a new user account on a Cisco ASA firewall? 

A. 0 

B. 1 

C. 2 

D. 15 

Answer: C 


Q177. - (Topic 4) 

Which priority is most important when you plan out access control lists? 

A. Build ACLs based upon your security policy. 

B. Always put the ACL closest to the source of origination. 

C. Place deny statements near the top of the ACL to prevent unwanted traffic from passing through the router. 

D. Always test ACLs in a small, controlled production environment before you roll it out into the larger production network. 

Answer: A 


Q178. - (Topic 7) 

Which option is a characteristic of a stateful firewall? 

A. can analyze traffic at the application layer 

B. allows modification of security rule sets in real time to allow return traffic 

C. will allow outbound communication, but return traffic must be explicitly permitted 

D. supports user authentication 

Answer: B 

Explanation: 

http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.1/user/guide/fwinsp.html 

Understanding Inspection Rules 

Inspection rules configure Context-Based Access Control (CBAC) inspection commands. CBAC inspects traffic that travels through the device to discover and manage state information for TCP and UDP sessions. The device uses this state information to create temporary openings to allow return traffic and additional data connections for permissible sessions. CBAC creates temporary openings in access lists at firewall interfaces. These openings are created when inspected traffic exits your internal network through the firewall. The openings allow returning traffic (that would normally be blocked) and additional data channels to enter your internal network back through the firewall. The traffic is allowed back through the firewall only if it is part of the same session as the original traffic that triggered inspection when exiting through the firewall. 

Inspection rules are applied after your access rules, so any traffic that you deny in the access rule is not inspected. The traffic must be allowed by the access rules at both the input and output interfaces to be inspected. Whereas access rules allow you to control connections at layer 3 (network, IP) or 4 (transport, TCP or UDP protocol), you can use inspection rules to control traffic using application-layer protocol session information. For all protocols, when you inspect the protocol, the device provides the following functions: 

- Automatically opens a return path for the traffic (reversing the source and destination addresses), so that you do not need to create an access rule to allow the return traffic. Each connection is considered a session, and the device maintains session state information and allows return traffic only for valid sessions. Protocols that use TCP contain explicit session information, whereas for UDP applications, the device models the equivalent of a session based on the source and destination addresses and the closeness in time of a sequence of UDP packets. These temporary access lists are created dynamically and are removed at the end of a session. 

- Tracks sequence numbers in all TCP packets and drops those packets with sequence numbers that are not within expected ranges. 

- Uses timeout and threshold values to manage session state information, helping to determine when to drop sessions that do not become fully established. When a session is dropped, or reset, the device informs both the source and destination of the session to reset the connection, freeing up resources and helping to mitigate potential Denial of Service (DoS) attacks. 
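The CBAC behaviour described above, as an added Python model (not Cisco code): a deny-all rule on the outside interface, inspection of outbound traffic that opens a temporary reversed-tuple return path, UDP pseudo-sessions tied together by address pair and idle time, half-open TCP sessions that are dropped if the handshake never completes, and removal of the opening when the session closes. The packets, addresses and timeout values are constructed; the TCP sequence-number check mentioned in the text is left out of the model.

```python
"""Stateful inspection in miniature: the CBAC behaviour described above.

Added example, not Cisco code. A deny-all access rule protects the inside
from unsolicited traffic; inspection of outbound sessions opens a temporary,
per-session return path, which is removed on close or idle timeout. The
packets, addresses and timeouts are constructed; the TCP sequence-number
check mentioned in the text is not modelled.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    t: float           # seconds on a constructed clock
    direction: str     # "out" = inside -> outside, "in" = outside -> inside
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""    # TCP flags, e.g. "S", "SA", "A", "FA", "R"


class StatefulFirewall:
    def __init__(self, tcp_idle=3600.0, udp_idle=30.0, syn_wait=30.0):
        self.tcp_idle, self.udp_idle, self.syn_wait = tcp_idle, udp_idle, syn_wait
        # (proto, inside_ip, inside_port, outside_ip, outside_port) -> expiry time
        self.sessions = {}

    @staticmethod
    def _key(p: Pkt):
        if p.direction == "out":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)   # reversed for return traffic

    def _expire(self, now: float):
        self.sessions = {k: exp for k, exp in self.sessions.items() if exp > now}

    def process(self, p: Pkt):
        """Return (verdict, reason) and update the session table."""
        self._expire(p.t)
        key = self._key(p)
        idle = self.tcp_idle if p.proto == "tcp" else self.udp_idle
        if p.direction == "out":
            # The inside access rule permits outbound traffic; inspection records state.
            if p.proto == "udp":
                self.sessions[key] = p.t + idle           # UDP "session": same addresses, close in time
            elif "S" in p.flags and "A" not in p.flags:
                self.sessions[key] = p.t + self.syn_wait   # half-open until the handshake completes
            elif key in self.sessions:
                if "F" in p.flags or "R" in p.flags:
                    del self.sessions[key]                # simplified: first FIN/RST tears it down
                    return "permit", "outbound close, opening removed"
                self.sessions[key] = p.t + idle
            return "permit", "outbound allowed by access rule"
        # Inbound: the outside access rule denies everything; only a live session opens a path.
        if key not in self.sessions:
            return "deny", "no matching session for return traffic"
        if p.proto == "tcp" and ("F" in p.flags or "R" in p.flags):
            del self.sessions[key]
            return "permit", "inbound close, opening removed"
        # A SYN-ACK turns a half-open entry into an established one (timeout grows to idle).
        self.sessions[key] = p.t + idle
        return "permit", "return traffic for an existing session"

    def run(self, packets):
        return [self.process(p)[0] for p in packets]


if __name__ == "__main__":
    trace = [   # constructed: an HTTPS session, an unsolicited SSH probe, a DNS query
        Pkt(0.0, "out", "tcp", "10.1.1.5", 40000, "203.0.113.9", 443, "S"),
        Pkt(0.1, "in", "tcp", "203.0.113.9", 443, "10.1.1.5", 40000, "SA"),
        Pkt(0.2, "in", "tcp", "198.51.100.7", 5555, "10.1.1.5", 22, "S"),
        Pkt(1.0, "out", "udp", "10.1.1.5", 53001, "203.0.113.53", 53),
        Pkt(1.3, "in", "udp", "203.0.113.53", 53, "10.1.1.5", 53001),
        Pkt(40.0, "in", "udp", "203.0.113.53", 53, "10.1.1.5", 53001),
    ]
    fw = StatefulFirewall()
    for p, (verdict, why) in zip(trace, [fw.process(p) for p in trace]):
        print(f"t={p.t:5.1f} {p.direction:3} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} {verdict:6} ({why})")
```

The last DNS reply is dropped because the UDP pseudo-session has been idle longer than udp_idle; a late answer has to look like new inbound traffic, which the outside access rule denies.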


Q179. - (Topic 6) 

Which statement describes a best practice when configuring trunking on a switch port? 

A. Disable double tagging by enabling DTP on the trunk port. 

B. Enable encryption on the trunk port. 

C. Enable authentication and encryption on the trunk port. 

D. Limit the allowed VLAN(s) on the trunk to the native VLAN only. 

E. Configure an unused VLAN as the native VLAN. 

Answer: E 

Explanation: 

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml 

Double Encapsulation Attack 

When double-encapsulated 802.1Q packets are injected into the network from a device whose VLAN happens to be the native VLAN of a trunk, the VLAN identification of those packets cannot be preserved from end to end since the 802.1Q trunk would always modify the packets by stripping their outer tag. After the external tag is removed, the internal tag permanently becomes the packet's only VLAN identifier. Therefore, by double encapsulating packets with two different tags, traffic can be made to hop across VLANs. This scenario is to be considered a misconfiguration, since the 802.1Q standard does not necessarily force the users to use the native VLAN in these cases. As a matter of fact, the proper configuration that should always be used is to clear the native VLAN from all 802.1Q trunks (alternatively, setting them to 802.1q-all-tagged mode achieves the exact same result). In cases where the native VLAN cannot be cleared, then always pick an unused VLAN as native VLAN of all the trunks; don't use this VLAN for any other purpose. Protocols like STP, DTP, and UDLD (check out [3]) should be the only rightful users of the native VLAN and their traffic should be completely isolated from any data packets. 
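The double-tagging scenario in this explanation and in Q175, as an added Python example (not from the page or from the Cisco white paper): it builds a frame with two stacked 802.1Q tags and runs it through a simplified model of two switches joined by a trunk, so the effect of the native VLAN choice (and of tagging the native VLAN) can be observed on the tag stack. The MAC addresses, VLAN ids and the three forwarding rules (access-port ingress, trunk egress, trunk ingress) are constructed for illustration; real switch ASICs have more cases than this model.

```python
"""Double tagging (802.1Q-in-802.1Q) and why an unused native VLAN stops it.

Added example, not from the page or the Cisco white paper: it builds a
double-tagged Ethernet frame and runs it through a simplified model of two
switches joined by an 802.1Q trunk. MAC addresses, VLAN ids and the
forwarding model are constructed to illustrate the text.
"""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, vids: list, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame with zero or more stacked 802.1Q tags, outer tag first."""
    tags = b"".join(struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF) for vid in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_tags(frame: bytes):
    """Return (vids outer->inner, ethertype, payload)."""
    off, vids = 12, []
    while struct.unpack("!H", frame[off:off + 2])[0] == ETHERTYPE_8021Q:
        vids.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return vids, struct.unpack("!H", frame[off:off + 2])[0], frame[off + 2:]


def push_tag(frame: bytes, vid: int) -> bytes:
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF) + frame[12:]


def pop_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:]


def access_in_trunk_out(frame: bytes, access_vlan: int, native_vlan: int, tag_native: bool = False):
    """Switch A: the frame arrives on an access port in access_vlan and leaves
    on the trunk. A tag equal to the port's own VLAN is accepted and removed;
    a tag for any other VLAN is dropped. Frames belonging to the native VLAN
    leave the trunk untagged unless 'vlan dot1q tag native' is configured."""
    vids, _, _ = parse_tags(frame)
    if vids:
        if vids[0] != access_vlan:
            return None
        frame = pop_tag(frame)
    if access_vlan == native_vlan and not tag_native:
        return frame                    # untagged on the wire: any inner tag is now outermost
    return push_tag(frame, access_vlan)


def trunk_in(frame: bytes, native_vlan: int) -> int:
    """Switch B: a tagged frame joins the tagged VLAN, an untagged one the native VLAN."""
    vids, _, _ = parse_tags(frame)
    return vids[0] if vids else native_vlan


def vlan_reached(attacker_vlan: int, target_vlan: int, native_vlan: int,
                 tag_native: bool = False, outer_vid: int = None):
    """VLAN in which the attacker's double-tagged frame lands at switch B (None = dropped)."""
    outer = attacker_vlan if outer_vid is None else outer_vid
    frame = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01",        # constructed MACs
                        [outer, target_vlan], ETHERTYPE_IPV4, b"payload")
    on_wire = access_in_trunk_out(frame, attacker_vlan, native_vlan, tag_native)
    return None if on_wire is None else trunk_in(on_wire, native_vlan)


if __name__ == "__main__":
    print("native = attacker VLAN 1:       lands in VLAN", vlan_reached(1, 20, native_vlan=1))
    print("native = unused VLAN 999:       lands in VLAN", vlan_reached(1, 20, native_vlan=999))
    print("native 1 but tagged (tag native): VLAN", vlan_reached(1, 20, native_vlan=1, tag_native=True))
    print("outer tag 999 from a VLAN 1 port:", vlan_reached(1, 20, native_vlan=999, outer_vid=999))
```

The attack only works in the first case: the attacker's own VLAN is the trunk's native VLAN, so switch A sends the frame untagged and the inner tag becomes the only VLAN identifier switch B sees. Moving the native VLAN to an unused id, or tagging the native VLAN, keeps the outer tag on the wire and the frame stays in VLAN 1.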


Q180. - (Topic 9) 

When configuring SSL VPN on the Cisco ASA appliance, which configuration step is required only for Cisco AnyConnect full tunnel SSL VPN access and not required for clientless SSL VPN? 

A. user authentication 

B. group policy 

C. IP address pool 

D. SSL VPN interface 

E. connection profile 

Answer: C 

Explanation: 

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_sslvpn/configuration/15-2mt/sec-conn-sslvpnssl-vpn.html 

(The text below is quoted from the IOS SSL VPN configuration guide rather than the ASA documentation, but the reasoning is the same on the ASA: a full-tunnel AnyConnect client receives its own inner IP address from an address pool defined with ip local pool and assigned under the connection profile or group policy, whereas a clientless session needs no pool because the ASA terminates the browser connection and proxies the inside resource itself.) 

Cisco AnyConnect VPN Client Full Tunnel Support 

This section covers: 

Remote Client Software from the SSL VPN Gateway 
Address Pool 
Manual Entry to the IP Forwarding Table 

Remote Client Software from the SSL VPN Gateway 

The Cisco AnyConnect VPN Client software package is pushed from the SSL VPN gateway to remote clients when support is needed. The remote user (PC or device) must have either the Java Runtime Environment for Windows (version 1.4 or later), or the browser must support or be configured to permit ActiveX controls. In either scenario, the remote user must have local administrative privileges. 

Address Pool 

The address pool is first defined with the ip local pool command in global configuration mode. The standard configuration assumes that the IP addresses in the pool are reachable from a directly connected network. 

Address Pools for Nondirectly Connected Networks 

If you need to configure an address pool for IP addresses from a network that is not directly connected, perform the following steps: 

1. Create a local loopback interface and configure it with an IP address and subnet mask from the address pool. 

2. Configure the address pool with the ip local pool command. The range of addresses must fall under the subnet mask configured in Step 1. 

3. Set up the route. If you are using the Routing Information Protocol (RIP), configure the router rip command and then the network command, as usual, to specify a list of networks for the RIP process. If you are using the Open Shortest Path First (OSPF) protocol, configure the ip ospf network point-to-point command in the loopback interface. As a third choice (instead of using the RIP or OSPF protocol), you can set up static routes to the network. 

4. Configure the svc address-pool command with the name configured in Step 2. 

Manual Entry to the IP Forwarding Table 

If the SSL VPN software client is unable to update the IP forwarding table on the PC of the remote user, the following error message will be displayed in the router console or syslog: 

Error : SSL VPN client was unable to Modify the IP forwarding table ...... 

This error can occur if the remote client does not have a default route. You can work around this error by performing the following steps: 

1. Open a command prompt (DOS shell) on the remote client. 

2. Enter the route print command. 

3. If a default route is not displayed in the output, enter the route command followed by the add and mask keywords. Include the default gateway IP address at the end of the route statement. See the following example: 

C:\>route ADD 0.0.0.0 MASK 0.0.0.0 10.1.1.1