Why not try Flydumps Cisco 642-503 vce or pdf exam dumps? All the new questions and answers were timely added to the Pass4itsure Cisco 642-503 study guide.Visit Flydumps.com to get free Cisco 642-503 VCE and PDF.
Exam A
QUESTION 1
Which of these statements is correct regarding user setup on ACS 4.0?
A. In the case of conflicting settings, the settings at the group level override the settings configured at the user level.
B. A user can belong to more than one group.
C. The username can contain characters such as “#” and “?”.
D. By default, users are assigned to the default group.
E. The ACS PAP password cannot be used as the CHAP password also.
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 2
Which two commands are used to only allow SSH traffic to the router Eth0 interface and deny other management traffic (BEEP, FTP, HTTP, HTTPS, SNMP, Telnet, TFTP) to the router interfaces? (Choose two.)
A. interface eth0
B. control-plane host
C. policy-map type port-filter policy-name
D. service-policy type port-filter input policy-name
E. management-interface eth0 allow ssh
F. line vty 0 5 transport input ssh
Correct Answer: BE Section: (none) Explanation
Explanation/Reference:
QUESTION 3
Refer to the exhibit. Why is the Cisco IOS Firewall authentication proxy not working?
A. The aaa authentication auth-proxy default group tacacs+ command is missing in the configuration.
B. The router local username and password database is not configured.
C. Cisco IOS authentication proxy only supports RADIUS and not TACACS+.
D. HTTP server and AAA authentication for the HTTP server is not enabled.
E. The AAA method lists used for authentication proxy should be named “pxy” rather than “default” to match the authentication proxy rule name.
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 4
When troubleshooting site-to-site IPsec VPN on Cisco routers, you see this console message:
%CRYPTO-6-IKMP_SA_NOT_OFFERED: Remote peer %15i responded with attribute [chars] not offered or changed
Which configuration should you verify?
A. the crypto ACL
B. the crypto map
C. the IPsec transform set
D. the ISAKMP policies
E. the pre-shared key
F. the DH group
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 5
Drop
A.
B.
C.
D.
Correct Answer: Section: (none) Explanation
Explanation/Reference:
Answer: Check certifyme eEngine, Download from Member Center
QUESTION 6
When verifying Cisco IOS IPS operations, when should you expect Cisco IOS IPS to start loading the signatures?
A. immediately after you configure the ip ips sdf location flash:filename command
B. immediately after you configure the ip ips sdf builtin command
C. after you configure a Cisco IOS IPS rule in the global configuration
D. after traffic reaches the interface with Cisco IOS IPS enabled
E. when the first Cisco IOS IPS rule is enabled on an interface
F. when the SMEs are put into active state using the ip ips name rule-name command
Correct Answer: E Section: (none) Explanation
Explanation/Reference:
QUESTION 7
Refer to the exhibit. Why is the Total Active Signatures count zero?
A. The 128MB.sdf file in flash is corrupted.
B. IPS is in fail-open mode.
C. IPS is in fail-closed mode.
D. IPS has not been enabled on an interface yet.
E. The flash:/128MB.sdf needs to be merged with the built-in signatures first.
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 8
When configuring FPM, what should be the next step after the PHDFs have been loaded?
A. Define a stack of protocol headers.
B. Define a traffic policy.
C. Define a service policy.
D. Define a class map of type “access-control” for classifying packets.
E. Reload the router.
F. Save the PHDFs to startup-config.
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 9
Refer to the exhibit. Which two statements are correct? (Choose two.)
A. Cisco IOS IPS will fail-open.
B. The basic signatures (previously known as 128MB.sdf) will be used if the built-in signatures fail to load.
C. The built-in signatures will be used.
D. SDEE alert messages will be enabled.
E. syslog alert messages will be enabled.
Correct Answer: AC Section: (none) Explanation
Explanation/Reference:
QUESTION 10
Refer to the exhibit. When you configure DHCP snooping, which ports should be configured as trusted ?
A. port A only
B. port E only
C. ports B and C
D. ports A, B, and C
E. ports B, C, and E
F. ports A, B, C, and E
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 11
Refer to the exhibit. Which optional AAA or RADIUS configuration command is used to support 802.1x guest VLAN functionality?
A. aaa authentication dot1x default group radius
B. aaa authorization network default group radius
C. aaa accounting dot1x default start-stop group radius
D. aaa accounting system default start-stop group radius
E. radius-server host 10.1.1.1 auth-port 1812 acct-port 1813
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
QUESTION 12
What does this command do?
router(config)# ip port-map user-1 port tcp 4001
A. enables application firewall inspection on a user-defined application that is mapped to TCP port 4001
B. enables NBAR to recognize a user-defined application on TCP port 4001
C. enables the Cisco IOS Firewall to inspect TCP port 4001 as part of the ip inspect name xxx TCP inspection rule
D. defines a user application in the PAM table where the user-defined application is called “user-1” and that application is mapped to TCP port 4001
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 13
What are the three authentication methods that you can use during IKE Phase 1? (Choose three.)
A. AAA or Local Authentication
B. Kerberos
C. pre-shared key
D. RSA signature
E. RSA encrypted nonce
F. DH
Correct Answer: CDE Section: (none) Explanation
Explanation/Reference: QUESTION 14
The PHDF stored in the router flash memory is required for which of these applications to function?
A. NBAR
B. CPPr
C. FPM
D. PAM
E. CoPP
F. Zone-Based Firewall
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
QUESTION 15
When you configure Cisco IOS WebVPN, you can use the port-forward command to enable which function?
A. web-enabled applications
B. Cisco Secure Desktop
C. full-tunnel client
D. thin client
E. CIFS
F. OWA
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 16
What are two benefits of using an IPsec GRE tunnel? (Choose two.)
A. It allows dynamic routing protocol to run over the tunnel interface.
B. It has less overhead than running IPsec in tunnel mode.
C. It allows IP multicast traffic.
D. It requires a more restrictive crypto ACL to provide finer security control.
E. It supports the use of dynamic crypto maps to reduce configuration complexity.
Correct Answer: AC Section: (none) Explanation
Explanation/Reference:
QUESTION 17
Drop A.
B.
C.
D.
Correct Answer: Section: (none) Explanation
Explanation/Reference:
Answer: Check certifyme eEngine, Download from Member Center
QUESTION 18
When you enter the switch(config)#aaa authentication dot1x default group radius command on a Cisco Catalyst switch, the Cisco IOS parser returns with the “invalid input detected” error message. What can be the cause of this error?
A. You must use the dot1x system-auth-control command first to globally enable 802.1x.
B. You must define the RADIUS server IP address first, using the switch(config)# radius-server host ip-address command.
C. You must enter the aaa new-model command first.
D. The method-list name is missing in the command.
E. The local option is missing in the command.
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
QUESTION 19
Cisco IOS Zone-Based Firewall uses which of these to identify a service or application from traffic flowing through the firewall?
A. NBAR
B. extended access list
C. PAM table
D. deep packet inspection
E. application layer inspection
F. CEF table
Correct Answer: C Section: (none) Explanation
Explanation/Reference: QUESTION 20
Refer to the DMVPN topology diagram in the exhibit. Which two statements are correct? (Choose two.)
A. The hub router needs to have EIGRP split horizon disabled.
B. At the Spoke A router, the next hop to reach the 192.168.2.0/24 network is 10.0.0.1.
C. Before a spoke-to-spoke tunnel can be built, the spoke router needs to send an NHRP query to the hub to resolve the remote spoke router physical interface IP address.
D. At the Spoke B router, the next hop to reach the 192.168.1.0/24 network is 172.17.0.1.
E. The spoke routers act as the NHRP servers for resolving the remote spoke physical interface IP address.
F. At the Spoke A router, the next hop to reach the 192.168.0.0/24 network is 172.17.0.1.
Correct Answer: AC Section: (none) Explanation
Explanation/Reference:
The actual Cisco 642-503 exam questions and answers will sharpen your skills and expand your knowledge to obtain a definite success.save your money and time on your preparation for your Cisco 642-503 certification exam. You will find we are a trustful partner if you choose us as your assistance on your Cisco 642-503 certification exam. Now we add the latest Cisco 642-503 content and to print and share content.