New Updated Cisco CCNA Security 640-554 Real Exam Download 141-150



With Cisco IOS Zone-Based Policy Firewall, where is the inspection policy applied?


A.      to the zone

B.      to the zone-pair

C.      to the interface

D.      to the global service policy


Correct Answer: B




Which statement is true about configuring access control lists to control Telnet traffic destined to the router itself?


A.      The ACL is applied to the Telnet port with the ip access-group command.

B.      The ACL should be applied to all vty lines in the in direction to prevent an unwanted user from connecting to an unsecured port.

C.      The ACL applied to the vty lines has no in or out option like ACL being applied to an interface.

D.      The ACL must be applied to each vty line individually.


Correct Answer: B




When configuring role-based CLI on a Cisco router, which step is performed first?


A.      Log in to the router as the root user.

B.      Create a parser view called “root view.”

C.      Enable role-based CLI globally on the router using the privileged EXEC mode Cisco IOS


D.      Enable the root view on the router.

E.       Enable AAA authentication and authorization using the local database.

F.       Create a root local user in the local database.


Correct Answer: D




Refer to the exhibit. Which statement about the aaa configurations is true?




A.      The authentication method list used by the console port is named test.

B.      The authentication method list used by the vty port is named test.

C.      If the TACACS+ AAA server is not available, no users will be able to establish a Telnet session with the router.

D.      If the TACACS+ AAA server is not available, console access to the router can be authenticated using the local database.

E.       The local database is checked first when authenticating console and vty access to the router.


Correct Answer: B




Which characteristic is a potential security weakness of a traditional stateful firewall?


A.      It cannot support UDP flows.

B.      It cannot detect application-layer attacks.

C.      It cannot ensure each TCP connection follows a legitimate TCP three-way handshake.

D.      It works only in promiscuous mode.

E.       The status of TCP sessions is retained in the state table after the sessions terminate.

F.       It has low performance due to the use of syn-cookies.


Correct Answer: B




Which statement about Cisco IOS IPS on Cisco IOS Release 12.4(11)T and later is true?


A.      uses Cisco IPS 5.x signature format

B.      requires the Basic or Advanced Signature Definition File

C.      supports both inline and promiscuous mode

D.      requires IEV for monitoring Cisco IPS alerts

E.       uses the built-in signatures that come with the Cisco IOS image as backup

F.       supports SDEE, SYSLOG, and SNMP for sending Cisco IPS alerts


Correct Answer: A




Refer to the exhibit and partial configuration. Which statement is true?




A.      All traffic destined for network will be denied due to the implicit deny all.

B.      All traffic from network will be permitted.

C.      Access-list 101 will prevent address spoofing from interface E0.

D.      This is a misconfigured ACL resulting in traffic not being allowed into the router in interface


E.       This ACL will prevent any host on the Internet from spoofing the inside network address as the source address for packets coming into the router from the Internet.


Correct Answer: C




What will be disabled as a result of the no service password-recovery command?


A.      changes to the config-register setting

B.      ROMMON

C.      password encryption service

D.      aaa new-model global configuration command

E.       the xmodem privilege EXEC mode command to recover the Cisco IOS image


Correct Answer: B




What does the MD5 algorithm do?


A.      takes a message less than 2^64 bits as input and produces a 160-bit message digest

B.      takes a variable-length message and produces a 168-bit message digest

C.      takes a variable-length message and produces a 128-bit message digest

D.      takes a fixed-length message and produces a 128-bit message digest


Correct Answer: C




You have configured a standard access control list on a router and applied it to interface Serial 0 in an outbound direction. No ACL is applied to Interface Serial 1 on the same router. What happens when traffic being filtered by the access list does not match the configured ACL statements for Serial 0?


A.      The resulting action is determined by the destination IP address.

B.      The resulting action is determined by the destination IP address and port number.

C.      The source IP address is checked, and, if a match is not found, traffic is routed out interface Serial 1.

D.      The traffic is dropped.


Correct Answer: D

