CCNA Security

2020 Latest 640-554 dumps to crack the CCNA Security exam, Share 640-554 pdf dumps for free

How to pass the 640-554 exam? I would suggest you first get a good amount of knowledge, and at last attempt the exam with dumps. Where can I get CCNA Security online 640-554 dumps? Pass4itsure increases your chance to crack the CCNA Security exam 640-554 on the first attempt. https://www.pass4itsure.com/640-554.html 100% sure you will clear 640-554 exams.

Does anyone know what’s happening with the CCNA Security certification?

CCNA Security Overview: Security (CCNA Security):

Get more information on the
https://learningnetwork.cisco.com/community/certifications/security_ccna
https://learningcontent.cisco.com/cln_storage/text/cln/marketing/ccna_security_delta.pdf

CCNA Security Certification exam

640-554,210-260
  • 640-554: Implementing Cisco IOS Network Security
  • 210-260: Implementing Cisco Network Security

[New Updated] Latest Cisco 210-260 Dumps Exam Test Questions 100% Pass Youtube Training With A High Score

CCNA Security 640-554 Exam Details

Exam Number: 640-554
Types of questions: Multiple-Choice (single and multiple answer), Drag-and-Drop, Sim, Simlet, Testlet
Number of questions: 60 – 70
Time limit: 90 minutes
Passing Score: Varies
Prerequisites: No prerequisites to take the exam; however, CCNA ROUTE and SWITCH exams are also required for the CCNA Security certification.

Cisco 640-554: CCNA Security – Implementing Cisco IOS Network Security [Online Practice questions]

QUESTION 1
How are Cisco IOS access control lists processed?
A. Standard ACLs are processed first.
B. The best match ACL is matched first.
C. Permit ACL entries are matched first before the deny ACL entries.
D. ACLs are matched from top down.
E. The global ACL is matched first before the interface ACL.
Correct Answer: D
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
Process ACLs
Traffic that comes into the router is compared to ACL entries based on the order that the entries occur in the router. New statements are added to the end of the list. The router continues to look until it has a match. If no matches are found when the router reaches the end of the list, the traffic is denied. For this reason, you should have the frequently hit entries at the top of the list. There is an implied deny for traffic that is not permitted. A single-entry ACL with only one deny entry has the effect of denying all traffic. You must have at least one permit statement in an ACL or all traffic is blocked. These two ACLs (101 and 102) have the same effect.

QUESTION 2
If you are implementing VLAN trunking, which additional configuration parameter should be added to the trunking
configuration?
A. no switchport mode access
B. no switchport trunk native VLAN 1
C. switchport mode DTP
D. switchport nonnegotiate
Correct Answer: D
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/layer2.html
Layer 2 LAN Port Modes
Table 17-2 lists the Layer 2 LAN port modes and describes how they function on LAN ports.
  • switchport mode access: Puts the LAN port into permanent nontrunking mode and negotiates to convert the link into a nontrunk link. The LAN port becomes a nontrunk port even if the neighboring LAN port does not agree to the change.
  • switchport mode dynamic desirable: Makes the LAN port actively attempt to convert the link to a trunk link. The LAN port becomes a trunk port if the neighboring LAN port is set to trunk, desirable, or auto mode. This is the default mode for all LAN ports.
  • switchport mode dynamic auto: Makes the LAN port willing to convert the link to a trunk link. The LAN port becomes a trunk port if the neighboring LAN port is set to trunk or desirable mode.
  • switchport mode trunk: Puts the LAN port into permanent trunking mode and negotiates to convert the link into a trunk link. The LAN port becomes a trunk port even if the neighboring port does not agree to the change.
  • switchport nonegotiate: Puts the LAN port into permanent trunking mode but prevents the port from generating DTP frames. You must configure the neighboring port manually as a trunk port to establish a trunk link.

QUESTION 3
In which stage of an attack does the attacker discover devices on a target network?
A. reconnaissance
B. gaining access
C. maintaining access
D. covering tracks
Correct Answer: A

QUESTION 4
Which options are filtering options used to display SDEE message types? (Choose two.)
A. stop
B. none
C. error
D. all
Correct Answer: CD
SDEE Messages
Choose the SDEE message type to display:
All — SDEE error, status, and alert messages are shown.
Error — Only SDEE error messages are shown.
Status — Only SDEE status messages are shown.
Alerts — Only SDEE alert messages are shown.
Reference: http://www.cisco.com/c/en/us/td/docs/routers/access/cisco_router_and_security_device_manager/24/software/user/guide/IPS.html#wp1083698

QUESTION 5
Which IPsec transform set provides the strongest protection?
A. crypto ipsec transform-set 1 esp-3des esp-sha-hmac
B. crypto ipsec transform-set 2 esp-3des esp-md5-hmac
C. crypto ipsec transform-set 3 esp-aes 256 esp-sha-hmac
D. crypto ipsec transform-set 4 esp-aes esp-md5-hmac
E. crypto ipsec transform-set 5 esp-des esp-sha-hmac
F. crypto ipsec transform-set 6 esp-des esp-md5-hmac
Correct Answer: C
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.1/user/guide/vpipsec.html
Table 22-2 IKEv2 Proposal Dialog Box

Name
The name of the policy object. A maximum of 128 characters is allowed.

Description
A description of the policy object. A maximum of 1024 characters is allowed.

Priority
The priority value of the IKE proposal. The priority value determines the order of the IKE proposals compared by the two negotiating peers when attempting to find a common security association (SA). If the remote IPsec peer does not support the parameters selected in your first priority policy, the device tries to use the parameters defined in the policy with the next lowest priority number. Valid values range from 1 to 65535. The lower the number, the higher the priority. If you leave this field blank, Security Manager assigns the lowest unassigned value starting with 1, then 5, then continuing in increments of 5.

Encryption Algorithm
The encryption algorithm used to establish the Phase 1 SA for protecting Phase 2 negotiations. Click Select and select all of the algorithms that you want to allow in the VPN:
  • AES — Encrypts according to the Advanced Encryption Standard using 128-bit keys.
  • AES-192 — Encrypts according to the Advanced Encryption Standard using 192-bit keys.
  • AES-256 — Encrypts according to the Advanced Encryption Standard using 256-bit keys.
  • DES — Encrypts according to the Data Encryption Standard using 56-bit keys.
  • 3DES — Encrypts three times using 56-bit keys. 3DES is more secure than DES, but requires more processing for encryption and decryption. It is less secure than AES. A 3DES license is required to use this option.
  • Null — No encryption algorithm.

Integrity (Hash) Algorithm
The integrity portion of the hash algorithm used in the IKE proposal. The hash algorithm creates a message digest, which is used to ensure message integrity. Click Select and select all of the algorithms that you want to allow in the VPN:
  • SHA (Secure Hash Algorithm) — Produces a 160-bit digest. SHA is more resistant to brute-force attacks than MD5.
  • MD5 (Message Digest 5) — Produces a 128-bit digest. MD5 uses less processing time than SHA.

Prf Algorithm
The pseudo-random function (PRF) portion of the hash algorithm used in the IKE proposal. In IKEv1, the Integrity and PRF algorithms are not separated, but in IKEv2, you can specify different algorithms for these elements. Click Select and select all of the algorithms that you want to allow in the VPN:
  • SHA (Secure Hash Algorithm) — Produces a 160-bit digest. SHA is more resistant to brute-force attacks than MD5.
  • MD5 (Message Digest 5) — Produces a 128-bit digest. MD5 uses less processing time than SHA.

Modulus Group
The Diffie-Hellman group to use for deriving a shared secret between the two IPsec peers without transmitting it to each other. A larger modulus provides higher security but requires more processing time. The two peers must have a matching modulus group. Click Select and select all of the groups that you want to allow in the VPN:
  • 1 — Diffie-Hellman Group 1 (768-bit modulus).
  • 2 — Diffie-Hellman Group 2 (1024-bit modulus). This is the minimum recommended setting.
  • 5 — Diffie-Hellman Group 5 (1536-bit modulus, considered good protection for 128-bit keys). Select this option if you are using AES encryption.

Lifetime
The lifetime of the security association (SA), in seconds. When the lifetime is exceeded, the SA expires and must be renegotiated between the two peers. As a general rule, the shorter the lifetime (up to a point), the more secure your IKE negotiations will be. However, with longer lifetimes, future IPsec security associations can be set up more quickly than with shorter lifetimes. You can specify a value from 120 to 2147483647 seconds. The default is 86400.

Category
The category assigned to the object. Categories help you organize and identify rules and objects.

QUESTION 6
DRAG DROP
Select and Place:

Pass4itsure 640-554 exam questions-q6

Correct Answer:

Pass4itsure 640-554 exam questions-q6-2

QUESTION 7
When using a stateful firewall, which information is stored in the stateful session flow table?
A. the outbound and inbound access rules (ACL entries)
B. the source and destination IP addresses, port numbers, TCP sequencing information, and additional flags for each
TCP or UDP connection associated with a particular session
C. all TCP and UDP header information only
D. all TCP SYN packets and the associated return ACK packets only
E. the inside private IP address and the translated inside global IP address
Correct Answer: B
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intro.html
Stateful Inspection Overview
All traffic that goes through the ASA is inspected using the Adaptive Security Algorithm and either allowed through or dropped. A simple packet filter can check for the correct source address, destination address, and ports, but it does not check that the packet sequence or flags are correct. A filter also checks every packet against the filter, which can be a slow process.
A stateful firewall like the ASA, however, takes into consideration the state of a packet:

Is this a new connection?
If it is a new connection, the ASA has to check the packet against access lists and perform other tasks to determine if the packet is allowed or denied. To perform this check, the first packet of the session goes through the “session management path,” and depending on the type of traffic, it might also pass through the “control plane path.”
The session management path is responsible for the following tasks:
  • Performing the access list checks
  • Performing route lookups
  • Allocating NAT translations (xlates)
  • Establishing sessions in the “fast path”
The ASA creates forward and reverse flows in the fast path for TCP traffic; the ASA also creates connection state information for connectionless protocols like UDP, ICMP (when you enable ICMP inspection), so that they can also use the fast path.
Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are passed on to the control plane path. Layer 7 inspection engines are required for protocols that have two or more channels: a data channel, which uses well-known port numbers, and a control channel, which uses different port numbers for each session. These protocols include FTP, H.323, and SNMP.

Is this an established connection?
If the connection is already established, the ASA does not need to re-check packets; most matching packets can go through the “fast” path in both directions. The fast path is responsible for the following tasks:
  • IP checksum verification
  • Session lookup
  • TCP sequence number check
  • NAT translations based on existing sessions
  • Layer 3 and Layer 4 header adjustments
Data packets for protocols that require Layer 7 inspection can also go through the fast path. Some established session packets must continue to go through the session management path or the control plane path. Packets that go through the session management path include HTTP packets that require inspection or content filtering. Packets that go through the control plane path include the control packets for protocols that require Layer 7 inspection.

QUESTION 8
Scenario:
You are the security admin for a small company. This morning your manager has supplied you with a list of Cisco ISR and CCP configuration questions. Using CCP, your job is to navigate the pre-configured CCP in order to find answers to your business question.

Pass4itsure 640-554 exam questions-q8

Which Class Map is used by the INBOUND Rule?
A. SERVICE_IN
B. Class-map-ccp-cls-2
C. Ccp-cts-2
D. Class-map SERVICE_IN
Correct Answer: C

QUESTION 9
When port security is enabled on a Cisco Catalyst switch, what is the default action when the configured maximum
number of allowed MAC addresses value is exceeded?
A. The port remains enabled, but bandwidth is throttled until old MAC addresses are aged out.
B. The port is shut down.
C. The MAC address table is cleared and the new MAC address is entered into the table.
D. The violation mode of the port is set to restrict.
Correct Answer: B
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/20ewa/configuration/guide/port_sec.html
Default Port Security Configuration
  • Port security: Disabled on a port
  • Maximum number of secure MAC addresses
  • Violation mode: Shutdown. The port shuts down when the maximum number of secure MAC addresses is exceeded, and an SNMP trap notification is sent.
  • Aging: Disabled
  • Aging type: Absolute
  • Static Aging: Disabled
  • Sticky: Disabled

QUESTION 10
Which security measure must you take for native VLANs on a trunk port?
A. Native VLANs for trunk ports should never be used anywhere else on the switch.
B. The native VLAN for trunk ports should be VLAN 1.
C. Native VLANs for trunk ports should match access VLANs to ensure that cross-VLAN traffic from multiple switches
can be delivered to physically disparate switches.
D. Native VLANs for trunk ports should be tagged with 802.1Q.
Correct Answer: A
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
Double Encapsulation Attack
When double-encapsulated 802.1Q packets are injected into the network from a device whose VLAN happens to be the native VLAN of a trunk, the VLAN identification of those packets cannot be preserved from end to end since the 802.1Q trunk would always modify the packets by stripping their outer tag. After the external tag is removed, the internal tag permanently becomes the packet's only VLAN identifier. Therefore, by double encapsulating packets with two different tags, traffic can be made to hop across VLANs.
This scenario is to be considered a misconfiguration, since the 802.1Q standard does not necessarily force the users to use the native VLAN in these cases. As a matter of fact, the proper configuration that should always be used is to clear the native VLAN from all 802.1Q trunks (alternatively, setting them to 802.1q-all-tagged mode achieves the exact same result). In cases where the native VLAN cannot be cleared, then always pick an unused VLAN as native VLAN of all the trunks; don't use this VLAN for any other purpose.
Protocols like STP, DTP, and UDLD (check out [3]) should be the only rightful users of the native VLAN and their traffic should be completely isolated from any data packets.
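
An added example, not part of the original page or of the Cisco white paper: a Python check over a constructed running-config excerpt that flags trunks still generating DTP frames (Question 2) and trunks whose native VLAN is VLAN 1 or is also used as an access VLAN (this question). The interface names, VLAN numbers and function names are assumptions made for the example.

```python
# Constructed running-config excerpt for illustration (not from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/3
 switchport trunk native vlan 20
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/10
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet0/11
 switchport mode dynamic desirable
!
"""


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from running-config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return interfaces


def vlan_of(cmds, prefix):
    """VLAN number from the command starting with prefix; VLAN 1 if unset."""
    for cmd in cmds:
        if cmd.startswith(prefix):
            return int(cmd[len(prefix):])
    return 1


def audit_trunks(config):
    """Return a list of (interface, finding) tuples for trunk hardening gaps."""
    interfaces = parse_interfaces(config)
    # VLANs that carry user traffic on access ports anywhere on the switch.
    access_vlans = {vlan_of(cmds, "switchport access vlan ")
                    for cmds in interfaces.values()
                    if "switchport mode access" in cmds}
    findings = []
    for name, cmds in interfaces.items():
        if any(c.startswith("switchport mode dynamic") for c in cmds):
            findings.append((name, "port negotiates trunking with DTP"))
        if "switchport mode trunk" not in cmds:
            continue
        if "switchport nonegotiate" not in cmds:
            findings.append((name, "trunk generates DTP frames (no nonegotiate)"))
        native = vlan_of(cmds, "switchport trunk native vlan ")
        if native == 1:
            findings.append((name, "native VLAN is VLAN 1"))
        elif native in access_vlans:
            findings.append((name, f"native VLAN {native} is also an access VLAN"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit_trunks(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```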

QUESTION 11
Which access list permits HTTP traffic sourced from host 10.1.129.100 port 3030 destined to host 192.168.1.10?
A. access-list 101 permit tcp any eq 3030
B. access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 3030 192.168.1.0 0.0.0.15 eq www
C. access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.1.10 0.0.0.0 eq www
D. access-list 101 permit tcp host 192.168.1.10 eq 80 10.1.0.0 0.0.255.255 eq 3030
E. access-list 101 permit tcp 192.168.1.10 0.0.0.0 eq 80 10.1.0.0 0.0.255.255
F. access-list 101 permit ip host 10.1.129.100 eq 3030 host 192.168.1.10 eq 80
Correct Answer: B
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
Extended ACLs
Extended ACLs were introduced in Cisco IOS Software Release 8.3. Extended ACLs control traffic by the comparison of
the source and destination addresses of the IP packets to the addresses configured in the ACL.
IP
access-list access-list-number
[dynamic dynamic-name [timeout minutes]]
{deny|permit} protocol source source-wildcard
destination destination-wildcard [precedence precedence]
[tos tos] [log|log-input] [time-range time-range-name]
ICMP
access-list access-list-number
[dynamic dynamic-name [timeout minutes]]
{deny|permit} icmp source source-wildcard
destination destination-wildcard
[icmp-type [icmp-code] |icmp-message]
[precedence precedence] [tos tos] [log|log-input]
[time-range time-range-name]
TCP
access-list access-list-number
[dynamic dynamic-name [timeout minutes]]
{deny|permit} tcp source source-wildcard [operator [port]]
destination destination-wildcard [operator [port]]
[established] [precedence precedence] [tos tos]
[log|log-input] [time-range time-range-name]
UDP
access-list access-list-number
[dynamic dynamic-name [timeout minutes]]
{deny|permit} udp source source-wildcard [operator [port]]
destination destination-wildcard [operator [port]]
[precedence precedence] [tos tos] [log|log-input]
[time-range time-range-name]
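
An added example, not part of the original page or of Cisco's documentation: a small Python evaluator for the TCP form of the syntax above. It runs the packet from this question against answer options B and C and shows the top-down, first-match processing with the implicit deny described under Question 1. The function names and the `BLOCK_HOST` entry are constructed for illustration, and only `any`, `host`, address/wildcard pairs and `eq` are handled.

```python
import ipaddress

PORT_NAMES = {"www": 80}  # only the port keyword that appears in the question


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (address, wildcard)."""
    if not tokens:
        raise ValueError("missing source or destination")
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(first), _ip(tokens.pop(0))


def _take_port(tokens):
    """Consume an optional 'eq PORT'; return the port number or None."""
    if len(tokens) >= 2 and tokens[0] == "eq":
        tokens.pop(0)
        port = tokens.pop(0)
        return PORT_NAMES.get(port) or int(port)
    return None


def parse_ace(line):
    """Parse 'access-list N {permit|deny} tcp SRC [eq P] DST [eq P]'."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "access-list" or tokens[3] != "tcp":
        raise ValueError("only TCP access-list entries are handled here")
    rest = tokens[4:]
    ace = {"action": tokens[2]}
    ace["src"], ace["sport"] = _take_addr(rest), _take_port(rest)
    ace["dst"], ace["dport"] = _take_addr(rest), _take_port(rest)
    if rest:
        raise ValueError("unsupported keywords: " + " ".join(rest))
    return ace


def _addr_match(ip, spec):
    addr, wildcard = spec
    # Wildcard bits set to 1 are "don't care"; every other bit must be equal.
    return ((ip ^ addr) & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(acl_lines, src, sport, dst, dport):
    """Return (action, line number) of the first match, top down.

    ("deny", None) means no entry matched: the implicit deny at the end.
    """
    for number, line in enumerate(acl_lines, start=1):
        ace = parse_ace(line)
        if (_addr_match(_ip(src), ace["src"])
                and _addr_match(_ip(dst), ace["dst"])
                and ace["sport"] in (None, sport)
                and ace["dport"] in (None, dport)):
            return ace["action"], number
    return "deny", None


# The packet from the question: 10.1.129.100 port 3030 to 192.168.1.10, HTTP.
PACKET = ("10.1.129.100", 3030, "192.168.1.10", 80)
OPTION_B = ("access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 3030 "
            "192.168.1.0 0.0.0.15 eq www")
OPTION_C = ("access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www "
            "192.168.1.10 0.0.0.0 eq www")
BLOCK_HOST = "access-list 101 deny tcp host 10.1.129.100 any"  # constructed

if __name__ == "__main__":
    print("B alone:        ", evaluate([OPTION_B], *PACKET))
    print("C alone:        ", evaluate([OPTION_C], *PACKET))
    print("deny before B:  ", evaluate([BLOCK_HOST, OPTION_B], *PACKET))
    print("B before deny:  ", evaluate([OPTION_B, BLOCK_HOST], *PACKET))
```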

QUESTION 12
Which option provides the most secure method to deliver alerts on an IPS?
A. IME
B. CSM
C. SDEE
D. syslog
Correct Answer: C

QUESTION 13
DRAG DROP
Select and Place:

Pass4itsure 640-554 exam questions-q13

Correct Answer:

Pass4itsure 640-554 exam questions-q13-2

Latest Cisco Implementing Cisco IOS Network Security 640-554 Dumps Download

【PDF】Cisco 640-554 dumps https://drive.google.com/open?id=1lrtuWMdG3Xq59abd_eoDZCA3oHnUYtNo

Video Description: Latest CCNA Security 640-554 dumps Practice test Questions and answers

https://youtu.be/dWIS6y2aHIU


Summarize:

Pass the Cisco 640-554 exam with our 640-554 dumps. https://www.pass4itsure.com/640-554.html Pass4itsure exam dumps are latest updated in highly outclass manner on regular basis.

[New Updated] Latest Cisco 210-260 Dumps Exam Test Questions 100% Pass Youtube Training With A High Score

What are the Cisco 210-260 dumps? “Implementing Cisco Network Security” is the name of the Cisco 210-260 exam dumps, which cover all the knowledge points of the real Cisco exam. Latest Cisco 210-260 dumps exam test questions 100% pass youtube training with a high score. The Pass4itsure Cisco 210-260 dumps exam questions and answers are updated (310 Q&As) and verified by experts.

The certification associated with the 210-260 dumps is CCNA Security. Passing the Cisco certification 210-260 exam is the stepping stone towards your career peak. The Pass4itsure Cisco CCNA Security https://www.pass4itsure.com/210-260.html dumps sample questions can help you pass the Cisco certification 210-260 exam successfully.

Exam Code: 210-260
Exam Name: Implementing Cisco Network Security
Q&As: 310

[New Updated Cisco 210-260 Dumps From Google Drive]: https://drive.google.com/open?id=0BwxjZr-ZDwwWU0xad3NvRWR4Qzg

[New Updated Cisco 200-155 Dumps From Google Drive]: https://drive.google.com/open?id=0BwxjZr-ZDwwWNHFtR0VqbXVEeUU

210-260 dumps

Pass4itsure Latest and Most Accurate Cisco 210-260 Dumps Exam Q&As:

QUESTION 11
What is the purpose of the Integrity component of the CIA triad?
A. to ensure that only authorized parties can modify data
B. to determine whether data is relevant
C. to create a process for accessing data
D. to ensure that only authorized parties can view data
Correct Answer: A
QUESTION 12
What VPN feature allows Internet traffic and local LAN/WAN traffic to use the same network connection?
A. split tunneling
B. hairpinning
C. tunnel mode
D. transparent mode
Correct Answer: A
QUESTION 13
Refer to the exhibit.
210-260 dumps

With which NTP server has the router synchronized?
A. 192.168.10.7
B. 108.61.73.243
C. 209.114.111.1
D. 132.163.4.103
E. 204.2.134.164
F. 241.199.164.101
Correct Answer: A
QUESTION: 14
Each time our corporate development team makes a change to the service logic it is required to
publish a new version of the service contract. Our customers are complaining because their
service consumer programs become incompatible with new service contract versions and
therefore no longer work. Which of the following service-orientation principles is most likely
to help us solve this on-going problem? Select the correct answer.
A. Service Reusability
B. Service Statelessness
C. Service Loose Coupling
D. Service Autonomy
Answer: C
QUESTION: 15
When applying the Service Loose Coupling design principle, we want to ______ the
coupling of the service logic to the service contract because that allows the service contract to
remain ______ from the service logic. Select the correct answer.
A. increase, decoupled
B. reduce, decoupled
C. increase, coupled
D. reduce, coupled
Answer: A
QUESTION: 16
Which of the following service-orientation principles support the application of the Service
Composability principle? SELECT ALL THAT APPLY
A. Standardized Service Contract
B. Service Autonomy
C. Service Integration
D. Service Statelessness
Answer: A, B, D
QUESTION: 17
The composition member is the runtime role assumed by a service with a capability that is
executing the parent composition logic required to compose capabilities within other services.
Select the correct answer.
A. True
B. False
Answer: B
QUESTION: 18
Which of the following characteristics is not a result of the consistent application of service
orientation principles? Select the correct answer.
A. reduced dependencies between services
B. increased availability and scalability of services
C. reduced behavioral predictability of services
D. increased awareness of services
Answer: C
QUESTION: 19
A service contract publishes information that makes guarantees about how the service will
behave at runtime and when it will be available. These types of guarantees are associated with
which service meta information type? Select the correct answer.
A. technology
B. programmatic
C. functional
D. quality of service
Answer: D
QUESTION: 20
As a first step toward replacing a corporate customer database, a company attempts to limit
access to customer services via an official Customer entity service. However, some time later it
is discovered that several applications have been bypassing the Customer service in order to
directly access the customer database. As a result, these applications exhibit which negative
form of coupling? Select the correct answer.
A. Contract-to-Implementation
B. Consumer-to-Implementation
C. Consumer-to-Contract
D. Contract-to-Technology
Answer: B
QUESTION: 21
Which of the following is not a design characteristic that is realized by the application of the
Service Reusability principle? Select the correct answer.
A. The service is defined by an agnostic functional context.
B. The service logic is generic.
C. The service is primarily associated with the task service model.
D. The service design approach is influenced by commercial product design practices.
Answer: C
QUESTION: 22
The service-oriented architectural model is business-driven so that it can stay in alignment with
how the business may change over time. Select the correct answer.
A. True
B. False
Answer: A
QUESTION: 23
I have a service composition with three services. Service A retrieves a list of country codes
from a database and keeps this data in memory while interacting with Service B and Service C.
However, because Service A is concurrently invoked many times, and because each instance of
Service A loads its own copy of the country code data into memory, the demands on the
overall infrastructure become too high and performance and reliability are negatively affected.
Which service-orientation principle can be applied to help solve this problem? Select the
correct answer.
A. Service Reusability
B. Service Autonomy
C. Service Abstraction
D. Service Statelessness
Answer: D
QUESTION: 24
Which service-orientation principle would be used to justify a corporate policy that limits or
restricts access to technical specifications that show design and technology details about the
underlying implementation of a published service? Select the correct answer.
A. Service Discoverability
B. Service Statelessness
C. Service Autonomy
D. Service Abstraction
Answer: D
QUESTION: 25
Which of the following are considered characteristics associated with service-oriented
technology architecture? Select the correct answer.
A. vendor-neutral
B. business-driven
C. enterprise-centric
D. All of the above
Answer: D
QUESTION: 26
Which of the following are runtime roles associated with service compositions? SELECT ALL
THAT APPLY
A. composition controller
B. composition member
C. composition sequencer
D. composition sub-controller
Answer: A, B, D
QUESTION: 27
Which of the following statements is true? Select the correct answer.
A. The controller service in a service composition automatically loses autonomy because it is
required to compose other services that lie outside of its controlled boundary.
B. The controller service in a service composition automatically loses autonomy because it is
designed as a task service to which service-orientation design principles are not applied.
C. The controller service in a service composition loses autonomy only when state deferral
logic is not built into the service composition design.
D. None of these statements are true.
Answer: A

However, the Cisco Implementing Cisco Network Security exam material can be available in different formats, and the format used for Cisco 210-260 dumps exam preparation depends on each person's choice and convenience. The Cisco certification https://www.pass4itsure.com/210-260.html dumps exam has a pivotal position in the IT industry, and I believe that a lot of IT professionals agree with it.

Read More Youtube:https://youtu.be/kWu7ntHP4UE