[ Free Actualtest Braindumps- IT certification training&Study Guide,Guarantee to PASS! ]
» PassGuide.com-Provides Actualtest Questions And Answers,Successful for IT Certification or Full Refund for you Thu 18 Mar 2010 - 10:18:38 *
Actualtests CCSP 642-503

Securing Networks with Cisco Routers and Switches : 642-503 Exam
642-503 SNRS
Securing Networks with Cisco Routers and Switches Exam

Exam Number: 642-503
Associated Certifications: CCSP
Duration: 75 minutes (53 questions)
Available Languages: English

Exam Description
The Securing Networks With Cisco Routers and Switches exam (SNRS 642-503) is one of the exams associated with the Cisco Certified Security Professional certification. Candidates can prepare for this exam by taking the SNRS v2.0 course. This exam includes simulations and tests a candidate’s knowledge and ability to secure networks using Cisco routers and switches.

Exam Topics
The following information provides general guidelines for the content likely to be included on the exam. However, other related topics may also appear on any specific delivery of the exam. In order to better reflect the contents of the exam and for clarity purposes the guidelines below may change at any time without notice.

Implement Cisco Layer 2 security
Utilize Cisco IOS commands to mitigate Layer 2 attacks
Implement Cisco Identity-Based Networking Services on Cisco Catalyst Switches
Implement Identity Management using ACS as the Authentication Server

Configure Cisco IOS Firewalls to mitigate network threats using the CLI
Identify and describe the advanced capabilities of the IOS firewall feature set
Configure IOS Firewall to dynamically mitigate identified threats to the network
Verify and troubleshoot IOS Firewall configuration and operation.
Configure authentication proxy to apply security policies on a per-user basis
Verify and troubleshoot authentication proxy configuration and operation
Configure IOS zone-based Firewalls
Troubleshoot Zone-based Firewalls
Configure APPFW application Firewalls
Configure Granular Protocol Inspection

Configure Cisco IOS IPS to identify and mitigate threats to network resources using the CLI
Identify and describe the advanced capabilities of the IOS-IPS feature
Configure the IPS features to identify threats and dynamically block them from entering the network
Verify and troubleshoot IPS operation

Configure Cisco VPNs to provide secure connectivity for site-to-site and remote access communications using the CLI
Describe IPSec features and functionality
Configure secure connectivity for site-to-site IPSec VPN using pre-shared keys
Describe GRE features and functionality
Configure secure connectivity for site-to-site VPN using certificate authorities
Describe DMVPN features and functionality
Configure secure connectivity for site-to-site VPN using DMVPN
Verify and troubleshoot secure site-to-site connectivity operations
Implement Clientless IOS SSL VPN
Verify Clientless IOS SSL VPNs
Configure Easy VPN server with pre-shared keys

Configure Authentication, Authorization, and Accounting to provide basic secure access control for networks
Configure administrative access to the CSACS server
Configure CSACS system settings
Configure AAA clients on the CSACS
Configure users, groups and access rights
Configure shared profile components in CSACS
Configure network access profiles in CSACS
Configure NADS to enable AAA to use a Radius Server
Verify and troubleshoot AAA operation

Implement Network Foundation Protection using the CLI
Describe NFP features and functionality
Secure the management plane using Cisco IOS security features
Secure the data plane using Cisco IOS security features
Secure the control plane using Cisco IOS security features

Exam Number/Code: 642-503
Exam Name: Securing Networks with Cisco Routers and Switches

“Securing Networks with Cisco Routers and Switches”, also known as 642-503 exam, is a Cisco certification. With the complete collection of questions and answers, Actualtests has assembled to take you through 104 Q&As to your 642-503 Exam preparation. In the 642-503 exam resources, you will cover every field and category in CCSP helping to ready you for your successful Cisco Certification.

QUESTION 11:
Please study the exhibit carefully.
Why is the Cisco IOS Firewall authentication proxy not working?
642-503
Actualtests.com – The Power of Knowing
A. HTTP server and AAA authentication for the HTTP server is not enabled.
B. The AAA method lists used for authentication proxy should be named “pxy” rather
than “default” to match the authentication proxy rule name.
C. Cisco IOS authentication proxy only supports RADIUS and not TACACS+.
D. The aaa authentication auth-proxy default group tacacs+ command is missing in the
configuration.
E. The router local username and password database is not configured.
Answer: A
Explanation:
To configure Authentication Proxy on the Cisco IOS router, follow these steps.
1. Enable AAA.
2. Define a TACACS+ server and its key.
3. Allow AAA traffic to the router.
4. Enable the router HTTP or HTTPS server for AAA.
5. Set global timers.
6. Apply Authentication Proxy rules with ACLs.
Reference: CCSP SNRS Quick Reference Sheets
QUESTION 12:
When verifying Cisco IOS IPS operations, when should you expect Cisco IOS IPS to
start loading the signatures?
A. immediately after you configure the ip ips sdf builtin command
B. when the SMEs are put into active state using the ip ips name rule-name command
C. after traffic reaches the interface with Cisco IOS IPS enabled
D. after you configure a Cisco IOS IPS rule in the global configuration
E. when the first Cisco IOS IPS rule is enabled on an interface
F. immediately after you configure the ip ips sdf location flash:filename command
Answer: E
QUESTION 13:
When troubleshooting site-to-site IPsec VPN on Cisco routers, you see this console
message:
%CRYPTO-6-IKMP_SA_NOT_OFFERED: Remote peer %15i responded with attribute
[chars] not offered or changed
Which configuration should you verify?
A. the IPsec transform set
B. the DH group
C. the crypto map
D. the crypto ACL
E. the pre-shared key
F. the ISAKMP policies
Answer: F
Explanation:
Select the ISAKMP policies for the connection – It is important that the ISAKMP policies
for both peers match. If the connections differ on each peer, they cannot negotiate the
VPN connection. You can configure multiple policies on each router, however, because
each router will search for a matching policy.
Reference – CCSP SNRS Exam Certification Guide
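The policy search described in the explanation above, as an added example that is not part of the original page or of Cisco's code. It assumes the four parameters an IOS ISAKMP policy is compared on (encryption, hash, authentication method, DH group), leaves lifetime handling out, and uses hypothetical names and constructed policies.

```python
from typing import NamedTuple


class IsakmpPolicy(NamedTuple):
    priority: int          # lower number = tried first
    encryption: str
    hash: str
    authentication: str
    dh_group: int


COMPARED = ("encryption", "hash", "authentication", "dh_group")


def negotiate(initiator, responder):
    """Responder walks its own policies by priority and returns the first
    (responder_policy, initiator_policy) pair that agrees on every field."""
    for mine in sorted(responder, key=lambda p: p.priority):
        for theirs in sorted(initiator, key=lambda p: p.priority):
            if all(getattr(mine, f) == getattr(theirs, f) for f in COMPARED):
                return mine, theirs
    return None  # no common policy: phase 1 cannot complete


def mismatches(initiator, responder):
    """Map (responder_priority, initiator_priority) to the fields that differ,
    which is what to check when negotiation fails."""
    return {
        (mine.priority, theirs.priority):
            [f for f in COMPARED if getattr(mine, f) != getattr(theirs, f)]
        for mine in responder for theirs in initiator
    }


# Constructed sample policies (not taken from any real configuration).
ROUTER_A = [IsakmpPolicy(10, "aes", "sha", "pre-share", 2),
            IsakmpPolicy(20, "3des", "md5", "pre-share", 2)]
ROUTER_B = [IsakmpPolicy(5, "3des", "sha", "pre-share", 2),
            IsakmpPolicy(15, "3des", "md5", "pre-share", 2)]
ROUTER_C = [IsakmpPolicy(10, "aes", "sha", "rsa-sig", 5)]
```

Routers A and B share one policy even though their priority numbers differ; A and C share none, and `mismatches` shows which fields to align.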
QUESTION 14:
When you implement 802.1x authentication on the ACS, which two configurations are
performed under the ACS System Configuration? (Choose two.)
A. Global Authentication Setup
B. Users
C. RACs
D. Logging
E. NAPs
F. Groups
Answer: A,D
QUESTION 15:
Which two statements are true regarding classic Cisco IOS Firewall configurations?
(Choose two.)
A. You can apply the IP inspection rule in the outbound direction on the untrusted
interface.
B. For temporary openings to be created dynamically by Cisco IOS Firewall, you must
apply the IP inspection rule to the trusted interface.
C. You can apply the IP inspection rule in the inbound direction on the trusted interface.
D. For temporary openings to be created dynamically by Cisco IOS Firewall, the access
list for the returning traffic must be a standard ACL.
E. For temporary openings to be created dynamically by Cisco IOS Firewall, the inbound
access list on the trusted interface must be an extended ACL.
Answer: B,C
Explanation:
CBAC (Classic IOS Firewall) creates temporary openings in access lists at firewall
interfaces. These openings are created when specified traffic exits your internal network
through the firewall. The openings allow returning traffic (that would normally be
blocked) and additional data channels to enter your internal network back through the
firewall. The traffic is allowed back through the firewall only if it is part of the same
session as the original traffic that triggered CBAC when exiting through the firewall.
Reference: Cisco IOS Security Configuration Guide, Release 12.4T – Configuring
Context-based Access Control
QUESTION 16:
ACS administrators use which URI (Uniform Resource Identifier) port to access the
Cisco ACS web interface?
A. 2002
B. 80
C. 443
D. 8080
E. 22
F. 127
Answer: A
Explanation:
Just about any administration task can be performed in the Cisco Secure ACS web
interface. You access the web interface by browsing to http://:2002.
Reference: CCSP SNRS Quick Reference Sheets
Example
The following example URIs and their component parts (taken loosely from RFC 3986 -
STD 66):
QUESTION 17:
Please study the exhibit carefully.
Which optional AAA or RADIUS configuration command is used to support 802.1x
guest VLAN functionality?
A. aaa authentication dot1x default group radius
B. radius-server host 10.1.1.1 auth-port 1812 acct-port 1813
C. aaa accounting dot1x default start-stop group radius
D. aaa accounting system default start-stop group radius
E. aaa authorization network default group radius
Answer: E
Explanation:
Configuration for 802.1x:
Enable AAA with the “aaa new-model” command.
Specify the authentication list for 802.1x with the “aaa authentication dot1x {default}
method” command.
Enable 802.1x authentication globally with the “dot1x system-auth-control” command.
To activate 802.1x port-based authentication on a specific port, use the interface
configuration command “dot1x port-control {auto | force-authorized | force-unauthorized}”.
The “aaa authorization network default group radius” command is typically used on
routers for user authorization of all network-related service requests, such as PPP, SLIP
and ARAP. However, in the context of the Catalyst switch, it allows RADIUS server
authorization of VLAN assignment or per-user ACLs.
Three tunnel attributes are used for RADIUS VLAN assignment:
Attribute 64 : Tunnel-Type=VLAN (type 13)
Attribute 65 : Tunnel-Medium-Type=802 (type 6)
Attribute 81 : Tunnel-Private-Group-ID=VLANID
The first two attributes have an integer value, and the last one is a text string identifying
the VLAN name.
Reference: CCSP SNRS Exam Certification Guide
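The three tunnel attributes listed above, encoded and checked as they would appear in a RADIUS Access-Accept. This is an added example, not code from the original page or from Cisco; the TLV and tag layout follows RFC 2868, and the function names and sample VLAN name are hypothetical.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_802 = 13, 6

def encode_vlan_attrs(vlan: str, tag: int = 0) -> bytes:
    """Build the three attributes as TLVs: type, length, then tag + value."""
    def tlv(attr_type: int, value: bytes) -> bytes:
        return struct.pack("!BB", attr_type, 2 + len(value)) + value

    def tagged_int(n: int) -> bytes:            # 1-byte tag + 3-byte integer
        return bytes([tag]) + n.to_bytes(3, "big")

    group = (bytes([tag]) if tag else b"") + vlan.encode("ascii")
    return (tlv(TUNNEL_TYPE, tagged_int(TYPE_VLAN))
            + tlv(TUNNEL_MEDIUM_TYPE, tagged_int(MEDIUM_802))
            + tlv(TUNNEL_PRIVATE_GROUP_ID, group))

def parse_attrs(buf: bytes) -> dict:
    """Walk the attribute list; reject truncated or malformed lengths."""
    attrs, i = {}, 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        attr_type, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError(f"bad length for attribute {attr_type}")
        attrs[attr_type] = buf[i + 2:i + length]  # a repeated type overwrites
        i += length
    return attrs

def assigned_vlan(buf: bytes):
    """Return the VLAN string only if all three attributes are present and
    carry Tunnel-Type=VLAN (13) and Tunnel-Medium-Type=802 (6)."""
    a = parse_attrs(buf)
    for attr_type, want in ((TUNNEL_TYPE, TYPE_VLAN), (TUNNEL_MEDIUM_TYPE, MEDIUM_802)):
        v = a.get(attr_type)
        if v is None or len(v) != 4 or int.from_bytes(v[1:], "big") != want:
            return None
    group = a.get(TUNNEL_PRIVATE_GROUP_ID)
    if not group:
        return None
    if group[0] <= 0x1F:                        # leading octet is a tag, not text
        group = group[1:]
    return group.decode("ascii") or None

# Constructed sample: attribute bytes for a VLAN named "GUEST", tag 1.
SAMPLE_ACCEPT = encode_vlan_attrs("GUEST", tag=1)
```

A reply that omits any one of the three attributes, or sends a Tunnel-Type other than 13, yields no VLAN assignment in this model.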
QUESTION 18:
DRAG DROP
You work as a network technician at Certkiller .com. Your boss, miss Certkiller, is
interested in NFP (Network Foundation Protection) features. Match the proper features
with appropriate descriptions.
Answer:
QUESTION 19:
DRAG DROP
You work as a network technician at Certkiller .com. Your boss, miss Certkiller, is
interested in Cisco IOS Firewall features. Match the proper features with appropriate
descriptions.
Note: not all features are used.
Answer:
QUESTION 20:
DRAG DROP
You work as a network technician at Certkiller .com. Your boss, miss Certkiller, is
interested in ACS 4.0 component functions. Match the proper components with
appropriate functions.
Answer:

By [ Download Free Actualtests Dumps ] On [ October 6th, 2008 - 10:24 pm ] in [ Cisco ] -