
2020 Latest 640-554 dumps to crack the CCNA Security exam, with free 640-554 PDF dumps

How do you pass the 640-554 exam? Build a solid base of knowledge first, then attempt the exam after practising with real-style questions. Where can you get CCNA Security 640-554 practice questions online? Pass4itsure (https://www.pass4itsure.com/640-554.html) is meant to raise your chance of passing 640-554 on the first attempt.

Does anyone know what is happening with the CCNA Security certification?

CCNA Security overview:

The 640-554 exam (IINS v2.0) was retired by Cisco and replaced by 210-260 (IINS v3.0); the delta document linked below describes what changed between the two.

Get more information at
https://learningnetwork.cisco.com/community/certifications/security_ccna
https://learningcontent.cisco.com/cln_storage/text/cln/marketing/ccna_security_delta.pdf

CCNA Security certification exams:
  • 640-554: Implementing Cisco IOS Network Security
  • 210-260: Implementing Cisco Network Security


CCNA Security 640-554 Exam Details

Exam Number: 640-554
Types of questions: Multiple-Choice (single and multiple answer), Drag-and-Drop, Sim, Simlet, Testlet
Number of questions: 60 – 70
Time limit: 90 minutes
Passing Score: Varies
Prerequisites: No prerequisites to take the exam; however, a valid CCENT or CCNA Routing and Switching certification is required to earn the CCNA Security certification.

Cisco 640-554: CCNA Security – Implementing Cisco IOS Network Security [Online Practice questions]

QUESTION 1
How are Cisco IOS access control lists processed?
A. Standard ACLs are processed first.
B. The best match ACL is matched first.
C. Permit ACL entries are matched first before the deny ACL entries.
D. ACLs are matched from top down.
E. The global ACL is matched first before the interface ACL.
Correct Answer: D
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
Process ACLs: traffic that comes into the router is compared to ACL entries in the order in which the entries occur in the router. New statements are added to the end of the list. The router continues to look until it has a match. If no match is found when the router reaches the end of the list, the traffic is denied. For this reason, you should have the frequently hit entries at the top of the list. There is an implied deny for traffic that is not permitted. A single-entry ACL with only one deny entry has the effect of denying all traffic. You must have at least one permit statement in an ACL or all traffic is blocked.

QUESTION 2
If you are implementing VLAN trunking, which additional configuration parameter should be added to the trunking configuration?
A. no switchport mode access
B. no switchport trunk native VLAN 1
C. switchport mode DTP
D. switchport nonegotiate
Correct Answer: D
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/layer2.html
Layer 2 LAN Port Modes
Table 17-2 lists the Layer 2 LAN port modes and describes how they function on LAN ports.
switchport mode access: Puts the LAN port into permanent nontrunking mode and negotiates to convert the link into a nontrunk link. The LAN port becomes a nontrunk port even if the neighboring LAN port does not agree to the change.
switchport mode dynamic desirable: Makes the LAN port actively attempt to convert the link to a trunk link. The LAN port becomes a trunk port if the neighboring LAN port is set to trunk, desirable, or auto mode. This is the default mode for all LAN ports.
switchport mode dynamic auto: Makes the LAN port willing to convert the link to a trunk link. The LAN port becomes a trunk port if the neighboring LAN port is set to trunk or desirable mode.
switchport mode trunk: Puts the LAN port into permanent trunking mode and negotiates to convert the link into a trunk link. The LAN port becomes a trunk port even if the neighboring port does not agree to the change.
switchport nonegotiate: Puts the LAN port into permanent trunking mode but prevents the port from generating DTP frames. You must configure the neighboring port manually as a trunk port to establish a trunk link.
The security point: a port left in dynamic desirable or dynamic auto mode will form a trunk with any attached host that speaks DTP, giving that host access to every VLAN allowed on the trunk. Fix user-facing ports with switchport mode access, and fix real trunks with switchport mode trunk plus switchport nonegotiate so that no DTP negotiation happens at all.

QUESTION 3
In which stage of an attack does the attacker discover devices on a target network?
A. reconnaissance
B. gaining access
C. maintaining access
D. covering tracks
Correct Answer: A

QUESTION 4
Which options can be used to filter the SDEE message types that are displayed? (Choose two.)
A. stop
B. none
C. error
D. all
Correct Answer: CD
SDEE Messages
Choose the SDEE message type to display:
All — SDEE error, status, and alert messages are shown.
Error — Only SDEE error messages are shown.
Status — Only SDEE status messages are shown.
Alerts — Only SDEE alert messages are shown.
Reference: http://www.cisco.com/c/en/us/td/docs/routers/access/cisco_router_and_security_device_manager/24/software/user/guide/IPS.html#wp1083698

QUESTION 5
Which IPsec transform set provides the strongest protection?
A. crypto ipsec transform-set 1 esp-3des esp-sha-hmac
B. crypto ipsec transform-set 2 esp-3des esp-md5-hmac
C. crypto ipsec transform-set 3 esp-aes 256 esp-sha-hmac
D. crypto ipsec transform-set 4 esp-aes esp-md5-hmac
E. crypto ipsec transform-set 5 esp-des esp-sha-hmac
F. crypto ipsec transform-set 6 esp-des esp-md5-hmac
Correct Answer: C

Of the six, only transform set 3 uses AES-256; DES (56-bit key), 3DES and MD5 are all deprecated. For new deployments follow Cisco's Next Generation Encryption guidance: AES-GCM, or AES-256 with SHA-256 or stronger, and Diffie-Hellman groups of at least 2048 bits (group 14, or the ECDH groups) instead of groups 1, 2 and 5 named in the excerpt below.
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.1/user/guide/vpipsec.html
Table 22-2 IKEv2 Proposal Dialog Box
Name: The name of the policy object. A maximum of 128 characters is allowed.
Description: A description of the policy object. A maximum of 1024 characters is allowed.
Priority: The priority value of the IKE proposal. The priority value determines the order of the IKE proposals compared by the two negotiating peers when attempting to find a common security association (SA). If the remote IPsec peer does not support the parameters selected in your first priority policy, the device tries to use the parameters defined in the policy with the next lowest priority number. Valid values range from 1 to 65535. The lower the number, the higher the priority. If you leave this field blank, Security Manager assigns the lowest unassigned value starting with 1, then 5, then continuing in increments of 5.
Encryption Algorithm: The encryption algorithm used to establish the Phase 1 SA for protecting Phase 2 negotiations. Click Select and select all of the algorithms that you want to allow in the VPN:
  • AES: Encrypts according to the Advanced Encryption Standard using 128-bit keys.
  • AES-192: Encrypts according to the Advanced Encryption Standard using 192-bit keys.
  • AES-256: Encrypts according to the Advanced Encryption Standard using 256-bit keys.
  • DES: Encrypts according to the Data Encryption Standard using 56-bit keys.
  • 3DES: Encrypts three times using 56-bit keys. 3DES is more secure than DES, but requires more processing for encryption and decryption. It is less secure than AES. A 3DES license is required to use this option.
  • Null: No encryption algorithm.
Integrity (Hash) Algorithm: The integrity portion of the hash algorithm used in the IKE proposal. The hash algorithm creates a message digest, which is used to ensure message integrity. Click Select and select all of the algorithms that you want to allow in the VPN:
  • SHA (Secure Hash Algorithm): Produces a 160-bit digest. SHA is more resistant to brute-force attacks than MD5.
  • MD5 (Message Digest 5): Produces a 128-bit digest. MD5 uses less processing time than SHA.
PRF Algorithm: The pseudo-random function (PRF) portion of the hash algorithm used in the IKE proposal. In IKEv1, the Integrity and PRF algorithms are not separated, but in IKEv2, you can specify different algorithms for these elements. Click Select and select all of the algorithms that you want to allow in the VPN:
  • SHA (Secure Hash Algorithm): Produces a 160-bit digest. SHA is more resistant to brute-force attacks than MD5.
  • MD5 (Message Digest 5): Produces a 128-bit digest. MD5 uses less processing time than SHA.
Modulus Group: The Diffie-Hellman group to use for deriving a shared secret between the two IPsec peers without transmitting it to each other. A larger modulus provides higher security but requires more processing time. The two peers must have a matching modulus group. Click Select and select all of the groups that you want to allow in the VPN:
  • 1: Diffie-Hellman Group 1 (768-bit modulus).
  • 2: Diffie-Hellman Group 2 (1024-bit modulus). This is the minimum recommended setting.
  • 5: Diffie-Hellman Group 5 (1536-bit modulus, considered good protection for 128-bit keys). Select this option if you are using AES encryption.
Lifetime: The lifetime of the security association (SA), in seconds. When the lifetime is exceeded, the SA expires and must be renegotiated between the two peers. As a general rule, the shorter the lifetime (up to a point), the more secure your IKE negotiations will be. However, with longer lifetimes, future IPsec security associations can be set up more quickly than with shorter lifetimes. You can specify a value from 120 to 2147483647 seconds. The default is 86400.
Category: The category assigned to the object. Categories help you organize and identify rules and objects.

QUESTION 6
DRAG DROP
Select and Place:

(The exhibit and answer key for Question 6 are images that did not survive extraction.)

QUESTION 7
When using a stateful firewall, which information is stored in the stateful session flow table?
A. the outbound and inbound access rules (ACL entries)
B. the source and destination IP addresses, port numbers, TCP sequencing information, and additional flags for each
TCP or UDP connection associated with a particular session
C. all TCP and UDP header information only
D. all TCP SYN packets and the associated return ACK packets only
E. the inside private IP address and the translated inside global IP address
Correct Answer: B
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intro.html
Stateful Inspection Overview
All traffic that goes through the ASA is inspected using the Adaptive Security Algorithm and either allowed through or dropped. A simple packet filter can check for the correct source address, destination address, and ports, but it does not check that the packet sequence or flags are correct. A filter also checks every packet against the filter, which can be a slow process.
A stateful firewall like the ASA, however, takes into consideration the state of a packet:
  • Is this a new connection?
If it is a new connection, the ASA has to check the packet against access lists and perform other tasks to determine if the packet is allowed or denied. To perform this check, the first packet of the session goes through the "session management path," and depending on the type of traffic, it might also pass through the "control plane path."
The session management path is responsible for the following tasks:
  • Performing the access list checks
  • Performing route lookups
  • Allocating NAT translations (xlates)
  • Establishing sessions in the "fast path"
The ASA creates forward and reverse flows in the fast path for TCP traffic; the ASA also creates connection state information for connectionless protocols like UDP and ICMP (when you enable ICMP inspection), so that they can also use the fast path.
Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are passed on to the control plane path. Layer 7 inspection engines are required for protocols that have two or more channels: a data channel, which uses well-known port numbers, and a control channel, which uses different port numbers for each session. These protocols include FTP, H.323, and SNMP.
  • Is this an established connection?
If the connection is already established, the ASA does not need to re-check packets; most matching packets can go through the "fast" path in both directions. The fast path is responsible for the following tasks:
  • IP checksum verification
  • Session lookup
  • TCP sequence number check
  • NAT translations based on existing sessions
  • Layer 3 and Layer 4 header adjustments
Data packets for protocols that require Layer 7 inspection can also go through the fast path. Some established session packets must continue to go through the session management path or the control plane path. Packets that go through the session management path include HTTP packets that require inspection or content filtering. Packets that go through the control plane path include the control packets for protocols that require Layer 7 inspection.
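The flow-table behaviour described above, reduced to a runnable model. This is an added example, not ASA code: it keeps a session table keyed by the 5-tuple, opens TCP flows only on a SYN from the inside network, lets return traffic through only when it matches an existing flow, applies a sequence-number plausibility check, and ages idle flows out. The inside prefix, the 65535 tolerance window, the 30-second idle timeout and the packet dictionary format are all assumptions made for the example; the packet sequence in demo() is constructed.

```python
"""Stateful session flow table versus a stateless packet filter (added example, not ASA code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)
SEQ_WINDOW = 65535                     # tolerance for the sequence-number plausibility check (assumption)


@dataclass
class Flow:
    """One session: forward key, reverse key, next expected TCP seq per direction, timing, state."""
    fwd: Key
    rev: Key
    expect: Dict[str, Optional[int]]   # "fwd"/"rev" -> next expected seq (TCP only)
    last_seen: float
    state: str                         # 'syn-sent' / 'established' for TCP, 'udp' otherwise


class StatefulFirewall:
    """Sessions may only be opened from the inside network; inbound packets must ride an existing flow."""

    def __init__(self, inside: str, idle_timeout: float = 30.0):
        self.inside = ipaddress.ip_network(inside)
        self.idle_timeout = idle_timeout
        self.flows: Dict[Key, Tuple[Flow, str]] = {}   # both keys of a flow point at it, tagged with direction

    @staticmethod
    def _key(p: dict) -> Key:
        return (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])

    def _expire(self, now: float) -> None:
        for k in [k for k, (f, _) in self.flows.items() if now - f.last_seen > self.idle_timeout]:
            del self.flows[k]

    def _open(self, p: dict, now: float, state: str) -> None:
        fwd = self._key(p)
        rev = (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])
        expect = {"fwd": p["seq"] + 1 if p["proto"] == "tcp" else None, "rev": None}  # SYN consumes one seq
        flow = Flow(fwd, rev, expect, now, state)
        self.flows[fwd] = (flow, "fwd")
        self.flows[rev] = (flow, "rev")

    def process(self, p: dict, now: float) -> str:
        """Return 'permit-new', 'permit-established' or 'drop' for one packet dict."""
        self._expire(now)
        entry = self.flows.get(self._key(p))
        if entry is None:
            if ipaddress.ip_address(p["src"]) not in self.inside:
                return "drop"                       # unsolicited inbound packet: no session, no entry
            if p["proto"] == "tcp":
                if p["flags"] != "S":
                    return "drop"                   # a bare ACK with no flow is exactly what an
                self._open(p, now, "syn-sent")      # 'established'-style packet filter would let through
            elif p["proto"] == "udp":
                self._open(p, now, "udp")           # connectionless, but tracked so the reply can return
            else:
                return "drop"
            return "permit-new"
        flow, direction = entry
        if p["proto"] == "tcp":
            expected = flow.expect[direction]
            if expected is not None and abs(p["seq"] - expected) > SEQ_WINDOW:
                return "drop"                       # sequence number implausible for this session
            consumed = len(p.get("payload", b"")) + ("S" in p["flags"]) + ("F" in p["flags"])
            flow.expect[direction] = p["seq"] + consumed
            if flow.state == "syn-sent" and direction == "rev" and p["flags"] == "SA":
                flow.state = "established"
        flow.last_seen = now
        return "permit-established"


def demo() -> List[str]:
    """Constructed packets: spoofed reply, real handshake, out-of-window ACK, idle timeout, UDP."""
    fw = StatefulFirewall("10.0.0.0/8")
    out = {"proto": "tcp", "src": "10.1.1.5", "sport": 40000, "dst": "203.0.113.7", "dport": 80}
    back = {"proto": "tcp", "src": "203.0.113.7", "sport": 80, "dst": "10.1.1.5", "dport": 40000}
    q = {"proto": "udp", "src": "10.1.1.5", "sport": 5353, "dst": "203.0.113.53", "dport": 53}
    a = {"proto": "udp", "src": "203.0.113.53", "sport": 53, "dst": "10.1.1.5", "dport": 5353}
    return [
        fw.process({**back, "flags": "SA", "seq": 900}, 0.0),       # drop: no flow yet
        fw.process({**out, "flags": "S", "seq": 100}, 1.0),         # permit-new
        fw.process({**back, "flags": "SA", "seq": 900}, 1.1),       # permit-established
        fw.process({**out, "flags": "A", "seq": 101}, 1.2),         # permit-established
        fw.process({**back, "flags": "A", "seq": 5_000_000}, 1.3),  # drop: out of window
        fw.process({**out, "flags": "A", "seq": 101}, 40.0),        # drop: flow idled out, bare ACK
        fw.process(q, 50.0),                                        # permit-new
        fw.process(a, 50.1),                                        # permit-established
        fw.process({**a, "dport": 9999}, 50.2),                     # drop: no matching flow
    ]
```

The first and last packets are the ones a stateless filter gets wrong: a forged SYN/ACK or a UDP "reply" to a port nobody asked from has no entry in the table and is dropped without ever consulting an access list. Real ASA sequence checking is a sliding window tied to the advertised receive window rather than a fixed tolerance; the constant here is only to make the drop visible.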

QUESTION 8
Scenario:
You are the security admin for a small company. This morning your manager has supplied you with a list of Cisco ISR and CCP configuration questions. Using CCP, your job is to navigate the pre-configured CCP in order to find the answers to these business questions.

(The CCP exhibit for Question 8 is an image that did not survive extraction.)

Which Class Map is used by the INBOUND Rule?
A. SERVICE_IN
B. Class-map-ccp-cls-2
C. Ccp-cts-2
D. Class-map SERVICE_IN
Correct Answer: C

QUESTION 9
When port security is enabled on a Cisco Catalyst switch, what is the default action when the configured maximum
number of allowed MAC addresses value is exceeded?
A. The port remains enabled, but bandwidth is throttled until old MAC addresses are aged out.
B. The port is shut down.
C. The MAC address table is cleared and the new MAC address is entered into the table.
D. The violation mode of the port is set to restrict.
Correct Answer: B
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/20ewa/configuration/guide/port_sec.html
Default Port Security Configuration
  • Port security: Disabled on a port
  • Maximum number of secure MAC addresses: 1
  • Violation mode: Shutdown. The port shuts down when the maximum number of secure MAC addresses is exceeded, and an SNMP trap notification is sent.
  • Aging: Disabled
  • Aging type: Absolute
  • Static aging: Disabled
  • Sticky: Disabled
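What the three violation modes actually do when the maximum is exceeded, as an added simulation (not Cisco code). The interface name and MAC addresses are constructed, the syslog text is approximated from the IOS PORT_SECURITY and PM message formats, and the assumption that dynamically learned (non-sticky) secure addresses are lost when the port is bounced is stated in the code.

```python
"""Port-security violation handling on a Catalyst access port (added simulation, not IOS code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class SecurePort:
    """Models 'switchport port-security' state for one interface (hypothetical GigabitEthernet0/1)."""
    name: str = "GigabitEthernet0/1"
    maximum: int = 1                       # IOS default: one secure MAC address
    violation: str = "shutdown"            # IOS default; alternatives: "restrict", "protect"
    secure: Set[str] = field(default_factory=set)
    err_disabled: bool = False
    violation_count: int = 0
    syslog: List[str] = field(default_factory=list)

    def ingress(self, src_mac: str) -> str:
        """Classify one ingress frame by source MAC: 'forward', 'drop' or 'err-disabled'."""
        if self.err_disabled:
            return "err-disabled"                 # nothing passes until the port is recovered
        if src_mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure.add(src_mac)              # dynamically learned secure address
            return "forward"
        # A new address beyond the maximum is a violation; the mode decides what is observable.
        if self.violation == "protect":
            return "drop"                         # silent: no counter, no trap, no syslog
        self.violation_count += 1
        self.syslog.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
                           f"caused by MAC address {src_mac} on port {self.name}.")   # approximated text
        if self.violation == "restrict":
            return "drop"                         # port stays up; offending frames dropped, trap sent
        self.err_disabled = True                  # shutdown mode: the whole port goes err-disabled
        self.syslog.append(f"%PM-4-ERR_DISABLE: psecure-violation error detected on {self.name}, "
                           f"putting {self.name} in err-disable state")                 # approximated text
        return "err-disabled"

    def recover(self) -> None:
        """Operator 'shutdown' / 'no shutdown' (or errdisable recovery); assumption: dynamic,
        non-sticky secure addresses do not survive the port going down."""
        self.err_disabled = False
        self.secure.clear()


def run_modes() -> Dict[str, Tuple[List[str], int, int]]:
    """Feed the same three frames (two source MACs) to a default port in each violation mode.
    Returns per mode: (decision per frame, violation counter, number of syslog lines)."""
    frames = ["0000.0000.000a", "0000.0000.000b", "0000.0000.000a"]   # constructed MACs
    results = {}
    for mode in ("shutdown", "restrict", "protect"):
        port = SecurePort(violation=mode)
        results[mode] = ([port.ingress(m) for m in frames], port.violation_count, len(port.syslog))
    return results


if __name__ == "__main__":
    for mode, outcome in run_modes().items():
        print(mode, outcome)
```

The third frame is the point to notice: in shutdown mode the legitimate host (the first MAC) also loses service, so anyone who can inject one frame with a spoofed source MAC can take a port down. Restrict keeps the port up and still gives you a counter, a trap and a syslog line to alert on; protect gives you nothing to detect with. Pick the mode with that trade-off in mind rather than accepting the default blindly.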

QUESTION 10
Which security measure must you take for native VLANs on a trunk port?
A. Native VLANs for trunk ports should never be used anywhere else on the switch.
B. The native VLAN for trunk ports should be VLAN 1.
C. Native VLANs for trunk ports should match access VLANs to ensure that cross-VLAN traffic from multiple switches
can be delivered to physically disparate switches.
D. Native VLANs for trunk ports should be tagged with 802.1Q.
Correct Answer: A
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
Double Encapsulation Attack
When double-encapsulated 802.1Q packets are injected into the network from a device whose VLAN happens to be the native VLAN of a trunk, the VLAN identification of those packets cannot be preserved from end to end since the 802.1Q trunk would always modify the packets by stripping their outer tag. After the external tag is removed, the internal tag permanently becomes the packet's only VLAN identifier. Therefore, by double encapsulating packets with two different tags, traffic can be made to hop across VLANs.
This scenario is to be considered a misconfiguration, since the 802.1Q standard does not necessarily force the users to use the native VLAN in these cases. As a matter of fact, the proper configuration that should always be used is to clear the native VLAN from all 802.1Q trunks (alternatively, setting them to 802.1q-all-tagged mode achieves the exact same result). In cases where the native VLAN cannot be cleared, then always pick an unused VLAN as native VLAN of all the trunks; don't use this VLAN for any other purpose.
Protocols like STP, DTP, and UDLD (check out [3]) should be the only rightful users of the native VLAN and their traffic should be completely isolated from any data packets.
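The double-encapsulation attack above, and the two fixes the white paper names, worked through on real frame bytes. This is an added example, not Cisco's code: it builds a frame with two stacked 802.1Q tags, passes it through a simplified access port, a trunk and a second switch, and reports which VLAN it lands in. The MAC addresses and payload are constructed; the access-port rule (a tag naming the port's own VLAN is accepted and removed, any other tag is dropped) is a simplification assumed for the example.

```python
"""802.1Q double tagging across a trunk and why the native VLAN matters (added simulation)."""
import struct
from typing import Dict, List, Optional, Tuple

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
ATTACKER_MAC = bytes.fromhex("020000000001")      # constructed, locally administered addresses
VICTIM_MAC = bytes.fromhex("020000000002")
PAYLOAD = b"\x45" + b"\x00" * 19                   # constructed stand-in for an IPv4 header


def tag(vid: int) -> bytes:
    """One 802.1Q tag: TPID 0x8100 followed by the TCI (PCP/DEI zero, 12-bit VID)."""
    return struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)


def build_frame(vids: List[int], payload: bytes = PAYLOAD) -> bytes:
    """Ethernet frame with zero or more stacked tags (outermost first) and an IPv4 payload."""
    return VICTIM_MAC + ATTACKER_MAC + b"".join(tag(v) for v in vids) + struct.pack("!H", ETH_P_IP) + payload


def outer_vid(frame: bytes) -> Optional[int]:
    if struct.unpack_from("!H", frame, 12)[0] != ETH_P_8021Q:
        return None
    return struct.unpack_from("!H", frame, 14)[0] & 0x0FFF


def strip_outer(frame: bytes) -> bytes:
    return frame[:12] + frame[16:]


def push_tag(frame: bytes, vid: int) -> bytes:
    return frame[:12] + tag(vid) + frame[12:]


def access_ingress(frame: bytes, access_vlan: int) -> Optional[Tuple[int, bytes]]:
    """Access port on switch A. Untagged frames join the access VLAN; a tag naming that same VLAN is
    accepted and removed (simplified, assumed); a tag for any other VLAN is dropped."""
    vid = outer_vid(frame)
    if vid is None:
        return access_vlan, frame
    if vid == access_vlan:
        return access_vlan, strip_outer(frame)
    return None


def trunk_egress(vlan: int, frame: bytes, native_vlan: int, tag_native: bool = False) -> bytes:
    """Trunk egress on switch A: the native VLAN leaves untagged unless 'vlan dot1q tag native' is set."""
    if vlan == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vlan)


def trunk_ingress(frame: bytes, native_vlan: int) -> Tuple[int, bytes]:
    """Trunk ingress on switch B: untagged frames belong to the native VLAN; otherwise the outer tag decides."""
    vid = outer_vid(frame)
    if vid is None:
        return native_vlan, frame
    return vid, strip_outer(frame)


def deliver(frame: bytes, access_vlan: int, native_vlan: int,
            tag_native: bool = False) -> Optional[Tuple[int, Optional[int]]]:
    """Attacker on switch A's access port -> trunk -> switch B. Returns (VLAN the frame lands in on
    switch B, VID of any tag still inside the frame), or None if switch A dropped it."""
    accepted = access_ingress(frame, access_vlan)
    if accepted is None:
        return None
    vlan_a, frame_a = accepted
    on_wire = trunk_egress(vlan_a, frame_a, native_vlan, tag_native)
    vlan_b, frame_b = trunk_ingress(on_wire, native_vlan)
    return vlan_b, outer_vid(frame_b)


# Constructed attack frame: outer tag = native VLAN 1 (the attacker's own VLAN), inner tag = target VLAN 20.
DOUBLE_TAGGED = build_frame([1, 20])


def scenarios() -> Dict[str, Optional[Tuple[int, Optional[int]]]]:
    return {
        "native 1, default":     deliver(DOUBLE_TAGGED, access_vlan=1, native_vlan=1),        # (20, None): hopped
        "native 999 unused":     deliver(DOUBLE_TAGGED, access_vlan=1, native_vlan=999),      # (1, 20): stays in 1
        "native 1, tag native":  deliver(DOUBLE_TAGGED, 1, 1, tag_native=True),               # (1, 20): stays in 1
        "outer 999 from VLAN 1": deliver(build_frame([999, 20]), 1, 999),                     # None: dropped at A
        "untagged":              deliver(build_frame([]), 1, 1),                              # (1, None): normal
    }
```

In the default case switch A strips the outer tag (the frame is in the native VLAN, so it leaves the trunk untagged) and the inner tag 20 becomes the frame's only VLAN identifier at switch B. Moving the native VLAN to an unused number, or tagging the native VLAN on the trunk, makes switch A add a tag for VLAN 1 on egress, so switch B files the frame under VLAN 1 and the inner tag is just payload. On IOS that is switchport trunk native vlan 999 on every trunk (with 999 assigned to no port) or vlan dot1q tag native globally, alongside switchport mode trunk and switchport nonegotiate.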

QUESTION 11
Which access list permits HTTP traffic sourced from host 10.1.129.100 port 3030 destined to host 192.168.1.10?
A. access-list 101 permit tcp any eq 3030
B. access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 3030 192.168.1.0 0.0.0.15 eq www
C. access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.1.10 0.0.0.0 eq www
D. access-list 101 permit tcp host 192.168.1.10 eq 80 10.1.0.0 0.0.255.255 eq 3030
E. access-list 101 permit tcp 192.168.1.10 0.0.0.0 eq 80 10.1.0.0 0.0.255.255
F. access-list 101 permit ip host 10.1.129.100 eq 3030 host 192.168.1.10 eq 80
Correct Answer: B
Option B matches: 10.1.128.0 with wildcard 0.0.1.255 covers 10.1.128.0 through 10.1.129.255, and 192.168.1.0 with wildcard 0.0.0.15 covers 192.168.1.0 through 192.168.1.15; the source port is 3030 and the destination port is www (80). Option C tests the wrong source port, D and E describe the return traffic, A has no destination at all, and F applies port operators to the ip keyword, which IOS does not accept.
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
Extended ACLs
Extended ACLs were introduced in Cisco IOS Software Release 8.3. Extended ACLs control traffic by the comparison of
the source and destination addresses of the IP packets to the addresses configured in the ACL.
IP
access-list access-list-number
[dynamic dynamic-name [timeout minutes]]
{deny|permit} protocol source source-wildcard
destination destination-wildcard [precedence precedence]
[tos tos] [log|log-input] [time-range time-range-name]
ICMP
access-list access-list-number
[dynamic dynamic-name [timeout minutes]]
{deny|permit} icmp source source-wildcard
destination destination-wildcard
[icmp-type [icmp-code] |icmp-message]
[precedence precedence] [tos tos] [log|log-input]
[time-range time-range-name]
TCP
access-list access-list-number
[dynamic dynamic-name [timeout minutes]]
{deny|permit} tcp source source-wildcard [operator [port]]
destination destination-wildcard [operator [port]]
[established] [precedence precedence] [tos tos]
[log|log-input] [time-range time-range-name]
UDP
access-list access-list-number
[dynamic dynamic-name [timeout minutes]]
{deny|permit} udp source source-wildcard [operator [port]]
destination destination-wildcard [operator [port]]
[precedence precedence] [tos tos] [log|log-input]
[time-range time-range-name]
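A small evaluator for the extended-ACL syntax shown above, serving both Question 1 (top-down matching with the implicit deny) and Question 11 (wildcard and port matching for each option). It is an added example, not IOS code: it parses one-line numbered extended entries into (address, wildcard) pairs, walks a list top-down and returns the first match. The port-keyword table is a subset chosen for this example, the packet dictionary format is an assumption, and the HTTP packet is constructed from the Question 11 wording.

```python
"""Top-down evaluation of Cisco IOS numbered extended ACL entries (added example, not IOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Port keywords accepted in place of numbers; assumption: this subset covers the options above.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "telnet": 23, "ftp": 21, "domain": 53}
Addr = Tuple[int, int]                     # (address, wildcard) as 32-bit ints; wildcard 1-bits are "don't care"
PortSpec = Optional[Tuple[str, int, int]]  # (operator, low, high); None means any port

@dataclass
class Ace:
    action: str
    proto: str
    src: Addr
    sport: PortSpec
    dst: Addr
    dport: PortSpec
    text: str

def _ip(tok: str) -> int:
    try:
        return int(ipaddress.IPv4Address(tok))
    except ValueError as e:
        raise ValueError(f"expected an IPv4 address, got {tok!r} (port operators only follow tcp/udp)") from e

def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _parse_addr(toks: List[str], i: int) -> Tuple[Addr, int]:
    if i >= len(toks):
        raise ValueError("entry ends before its destination address")
    if toks[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if toks[i] == "host":
        return (_ip(toks[i + 1]), 0), i + 2
    return (_ip(toks[i]), _ip(toks[i + 1])), i + 2

def _parse_port(toks: List[str], i: int) -> Tuple[PortSpec, int]:
    if i < len(toks) and toks[i] in ("eq", "neq", "gt", "lt"):
        p = _port(toks[i + 1])
        return (toks[i], p, p), i + 2
    if i < len(toks) and toks[i] == "range":
        return ("range", _port(toks[i + 1]), _port(toks[i + 2])), i + 3
    return None, i

def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny proto src [op port] dst [op port]'; raise ValueError otherwise."""
    toks = line.split()
    if len(toks) < 6 or toks[0] != "access-list" or toks[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACL entry: {line!r}")
    proto, has_ports = toks[3], toks[3] in ("tcp", "udp")
    src, i = _parse_addr(toks, 4)
    sport, i = _parse_port(toks, i) if has_ports else (None, i)
    dst, i = _parse_addr(toks, i)
    dport, i = _parse_port(toks, i) if has_ports else (None, i)
    return Ace(toks[2], proto, src, sport, dst, dport, line)

def _addr_ok(spec: Addr, ip: str) -> bool:
    net, wild = spec
    return ((_ip(ip) ^ net) & ~wild & 0xFFFFFFFF) == 0   # only the non-wildcard bits have to agree

def _port_ok(spec: PortSpec, port: Optional[int]) -> bool:
    if spec is None:
        return True
    if port is None:
        return False
    op, lo, hi = spec
    return {"eq": port == lo, "neq": port != lo, "gt": port > lo,
            "lt": port < lo, "range": lo <= port <= hi}[op]

def evaluate(acl: List[Ace], pkt: Dict) -> Tuple[str, Optional[Ace]]:
    """First matching entry, top to bottom, decides; falling off the end is the implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", pkt["proto"]):
            continue
        if not (_addr_ok(ace.src, pkt["src"]) and _addr_ok(ace.dst, pkt["dst"])):
            continue
        if not (_port_ok(ace.sport, pkt.get("sport")) and _port_ok(ace.dport, pkt.get("dport"))):
            continue
        return ace.action, ace
    return "deny", None

# Constructed from the Question 11 wording: HTTP from 10.1.129.100:3030 to 192.168.1.10:80.
HTTP_PKT = {"proto": "tcp", "src": "10.1.129.100", "sport": 3030, "dst": "192.168.1.10", "dport": 80}
OPTIONS = {
    "A": "access-list 101 permit tcp any eq 3030",
    "B": "access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 3030 192.168.1.0 0.0.0.15 eq www",
    "C": "access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.1.10 0.0.0.0 eq www",
    "D": "access-list 101 permit tcp host 192.168.1.10 eq 80 10.1.0.0 0.0.255.255 eq 3030",
    "E": "access-list 101 permit tcp 192.168.1.10 0.0.0.0 eq 80 10.1.0.0 0.0.255.255",
    "F": "access-list 101 permit ip host 10.1.129.100 eq 3030 host 192.168.1.10 eq 80",
}

def question_11() -> Dict[str, str]:
    """Each option as a one-line ACL against HTTP_PKT: 'permit', 'deny' (implicit) or 'invalid' syntax."""
    results = {}
    for key, line in OPTIONS.items():
        try:
            results[key] = evaluate([parse_ace(line)], HTTP_PKT)[0]
        except (ValueError, IndexError):
            results[key] = "invalid"
    return results

def question_1() -> Tuple[str, str]:
    """The same two entries in both orders: with top-down matching, the order is the policy."""
    permit = parse_ace("access-list 102 permit tcp any host 192.168.1.10 eq www")
    deny = parse_ace("access-list 102 deny tcp host 10.1.129.100 any")
    return evaluate([permit, deny], HTTP_PKT)[0], evaluate([deny, permit], HTTP_PKT)[0]
```

question_11() returns permit only for B; C, D and E fall through to the implicit deny, and A and F are rejected by the parser for the same reasons IOS rejects them. question_1() returns ('permit', 'deny') for the same two entries in opposite orders, which is the whole of Question 1: a deny placed after a broader permit is dead configuration, and a review of any ACL should start by checking that the specific entries sit above the general ones.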

QUESTION 12
Which option provides the most secure method to deliver alerts on an IPS?
A. IME
B. CSM
C. SDEE
D. syslog
Correct Answer: C
SDEE (Security Device Event Exchange) is pulled by the management station over HTTPS, so alert delivery is authenticated and encrypted in transit; syslog is normally sent in cleartext over UDP port 514 with no authentication. IME and CSM are management applications that consume SDEE, not alert transports themselves.

QUESTION 13
DRAG DROP
Select and Place:

(The exhibit and answer key for Question 13 are images that did not survive extraction.)
