Practice questions and answers for the Cisco 642-511 exam.
QUESTION 60
The Cisco VPN Concentrator supports routing updates based on what protocol?
A. IS-IS
B. EIGRP
C. BGP
D. RIP
Correct Answer: D
QUESTION 61
In remote access NAT environments with multiple encapsulation schemes enabled, which encapsulation method takes precedence?
A. NAT-transparency takes precedence over IPsec over TCP.
B. IPSec over UDP takes precedence over IPSec over TCP.
C. NAT-transparency takes precedence over IPsec over UDP.
D. IPsec over UDP takes precedence over NAT-transparency.
Correct Answer: C
QUESTION 62
Which statement about the Cisco VPN Concentrator load balancing feature is true?
A. Cisco VPN Concentrators load balance both site-to-site and remote access tunnels.
B. Cisco VPN Concentrators load balance site-to-site tunnels only.
C. Cisco VPN Concentrators load balance remote access tunnels only.
D. Cisco VPN Concentrator load balances administration sessions.
Correct Answer: C
QUESTION 63
In this network, if any PC at site A wants to access server B2, the PC IP address is translated to 20.20.20.X/24 (X = PC host address). For the Concentrator to perform the translation, how are the translated network IP address and wildcard mask configured on the Concentrator?
A. IP Address – 20.20.20.0 Wildcard Mask – 0.0.0.0
B. IP Address – 20.20.20.0 Wildcard Mask – 0.0.0.255
C. IP Address – 10.10.10.0 Wildcard Mask – 0.0.0.0
D. IP Address – 10.10.10.0 Wildcard Mask – 0.0.0.255
Correct Answer: B
QUESTION 64
Which statement about the VPN client auto-initiate feature is true?
A. The auto-initiation feature is automatically configured in the VPNclient.ini file but disabled by default.
B. The auto-initiation feature is not resident in the VPNclient.ini file by default; it must be added.
C. The auto-initiation feature is automatically configured in the VPNclient.pcf file but disabled by default.
D. The auto-initiation feature is not resident in the VPNclient.pcf file by default; it must be added.
Correct Answer: B
QUESTION 65
Which two protocols does the VPN Concentrator use to retrieve Certificate Revocation Lists? Choose two.
A. SSL
B. SSH
C. LDAP
D. HTTP
E. FTP
F. TFTP
Correct Answer: CD
QUESTION 66
Which of the following is the best PKI model for a large enterprise?
A. Central
B. Flat
C. Hub and Spoke
D. Hierarchical
Correct Answer: D
QUESTION 67
Configuring a bandwidth policing policy is a two-step process: configuring, then applying the policing policy. Where are the configured bandwidth policing policies applied on the VPN Concentrator? Choose three.
A. must be applied to an interface
B. optionally applied to an interface
C. must be applied to a group
D. optionally applied to a group
E. must be applied to a LAN-to-LAN tunnel
F. optionally applied to a LAN-to-LAN tunnel
Correct Answer: ADF
QUESTION 68
Which is a correct way to enter an auto-update URL?
A. http://10.0.1.10/vpn3002-3.5.Rel-k9.bin
B. http://10.0.1.10/vpn3002-3.5.rel-k9.bin
C. tftp://10.0.1.10/vpn3002-3.5.Rel-k9.bin
D. ftp://10.0.1.10/vpn3002-3.5.Rel-k9.bin
Correct Answer: C
QUESTION 69
To pre-configure a Cisco VPN client, what three files are required? Choose three.
A. unattended_setup.ini
B. user.pcf
C. data.ini
D. oem.ini
E. vpnclient.ini
F. client.ini
Correct Answer: BDE
QUESTION 70
What are three functions of IKE Phase 2? Choose three.
A. uses aggressive mode
B. uses main mode
C. optionally performs an additional DH exchange
D. verifies the other side’s identity
E. periodically renegotiates IPSec SAs to ensure security
F. negotiates IPSec SA parameters protected by an existing IKE SA
Correct Answer: CEF
QUESTION 71
Which statement is true?
A. IPSec over UDP is a non-negotiable, system-wide parameter.
B. IKE over UDP is negotiated on a group basis.
C. IPSec over UDP is negotiated on a group basis.
D. IKE over UDP is a non-negotiable, system-wide parameter.
Correct Answer: C
QUESTION 72
Which of the following IKE proposals can be used with digital certificates?
A. IKE-3DES-MD5
B. IKE-3DES-MD5-DH7
C. IKE-3DES-MD5-RSA
D. IKE-AES-128-SHA
Correct Answer: C
QUESTION 73
Which of the firewalls supports Cisco Central Policy Protection?
A. Symantec
B. Zone Labs
C. Cyberguard
D. Network Ice BlackICE defender
Correct Answer: B
QUESTION 74
LAB
QUESTION 75
The Cisco VPN Concentrator supports routing updates based on what protocol?
A. OSPF
B. EIGRP
C. BGP
D. IS-IS
Correct Answer: A
QUESTION 76
If CRL checking is enabled on the Cisco VPN Concentrator, where can the Cisco VPN Concentrator find the CRL?
A. The Cisco VPN Concentrator polls the CA for an updated list at a pre-defined rate.
B. The CA sends a CRL to the Cisco VPN Concentrator directly at least once a week.
C. The CRL distribution point is listed on the identity certificate.
D. The CRL is sent, out-of-band, to the administrator biweekly.
Correct Answer: C
QUESTION 77
Which of the following are valid authentication options for the Hardware Client? (Choose two)
A. User Authentication
B. Unit Authentication
C. IP Address Authentication
D. Interactive Group Authentication
Correct Answer: AB
QUESTION 78
What are the three steps in the Are You There feature configuration? Choose three.
A. Select the firewall setting.
B. Select the firewall.
C. Select are you there on the firewall.
D. Select are you there on the Cisco VPN Client.
E. Enable the firewall virtual interface.
F. Select are you there on the Cisco VPN Concentrator.
Correct Answer: ABF
QUESTION 79
What are the three group-auto-update parameters? Choose three.
A. client type
B. URL
C. TFTP server
D. TFTP file
E. revision
F. action required
Correct Answer: ABE
QUESTION 80
What are the two RRI features supported by the Cisco VPN Concentrator? Choose two.
A. tunnel mode RRI
B. transport mode RRI
C. client RRI
D. network extension RRI
E. LAN extension RRI
F. Cisco VPN Concentrator RRI
Correct Answer: CD
QUESTION 81
When configuring a custom firewall policy in the VPN Concentrator, what three configuration steps must be completed to create a custom firewall policy? Choose three.
A. Define a rule to restrict traffic.
B. Associate the new policy with a rule.
C. Assign the new rule to Cisco CPP.
D. Associate the new rule with the new policy.
E. Assign the new policy to Cisco CPP.
F. Define a new policy.
Correct Answer: ADE
QUESTION 82
If the Cisco VPN Concentrator sends the Cisco VPN 3002 a backup server list, what does the Cisco VPN 3002 do with any existing backup server addresses in its configuration?
A. adds the new list to the bottom of its existing list
B. merges the two lists and deletes duplicate IP addresses
C. deletes its configured list and goes with the Cisco VPN Concentrator-downloaded list
D. ignores the downloaded list and keeps the configured list
Correct Answer: C
QUESTION 83
Which of the following are valid authentication options for the Hardware Client? (Choose two)
A. Unit authentication
B. Interactive group authentication
C. Interactive unit authentication
D. MAC address authentication
Correct Answer: AC
QUESTION 84
In the diagram, the firewall feature was enabled on the VPN Client. By clicking on the Firewall tab of the VPN Client connection status window, you can view the VPN Client’s firewall policy for the four connections, labeled 1 through 4 in the diagram. In the bottom half of the diagram, Connection 3 displays the policy applied to traffic between the VPN Client and WWW. According to the policy for connection 3, any local outbound traffic destined for destination address X will have action Y applied to this traffic. Select the correct action and destination address for this policy.
A. action drop, destination address, any
B. action forward, destination address, any
C. action forward, destination address, www.cisco.com
D. action drop, destination address, www.cisco.com
Correct Answer: B
QUESTION 85
When the Cisco VPN 3002 is fully configured in client mode, what is the default status of the VPN tunnel?
A. The tunnel is up automatically.
B. The tunnel must be manually initiated via the Monitoring-tunnel status screen.
C. The tunnel must be manually initiated via the Monitoring-system status screen.
D. The manual and automatic modes are defined on the Cisco VPN Concentrator and then pushed to the Cisco VPN 3002 during tunnel establishment.
Correct Answer: C
QUESTION 86
Drag Drop question
QUESTION 87
When configuring address assignments, which method uses the Cisco VPN 3000 Concentrator to assign IP addresses from an internal pool?
A. remote client pool
B. per-user
C. configured pool
D. DHCP pool
Correct Answer: C
QUESTION 88
If the Hardware Client cannot contact a backup server, what action is taken?
A. It starts over from the top of the backup server list.
B. It downloads a new backup server list from the Concentrator.
C. The tunnel establishment process is terminated.
D. It searches for a new backup list.
Correct Answer: C
QUESTION 89
What auto-initiation parameters are defined by the AutoInitiationList?
A. a list of auto-initiation related section names within the INI file
B. a list of auto-initiation related section names within the PCF file
C. a list of networks that should be auto-initiated
D. a list of groups that should be auto-initiated
E. a list of users that should be auto-initiated
Correct Answer: A
QUESTION 90
Which of the following is a limitation when using Quick Configuration?
A. It enables you to define attributes only on an individual basis.
B. It enables you to define attributes only on a global basis.
C. It enables you to define attributes only on an authentication server basis.
D. It enables you to define attributes only on a client basis.
Correct Answer: B
QUESTION 91
What are two purposes of the X.509 Certificate Serial Number? Choose two.
A. It specifies the subject’s public key and hashing algorithm.
B. It specifies the start and expiration dates for the certificate.
C. It is a unique certificate numerical identifier in the CA domain.
D. It is the certificate number that is listed on the CRL when the certificate is revoked.
E. It identifies the CA’s public key and hashing algorithm.
F. It is used to identify the certificate during the IKE peer authentication process.
Correct Answer: CD
QUESTION 92
Which of the following is a Cisco proprietary-based solution?
A. IPSec over TCP
B. IPSec over UDP
C. NAT-T
D. NAT-U
Correct Answer: B
QUESTION 93
For the Cisco VPN Concentrator, what are the two types of certificate enrollment? Choose two.
A. certified enrollment process
B. CERTC enrollment process
C. file-based enrollment process
D. PKCS#15 enrollment process
E. PKCS#7 enrollment process
F. SCEP
Correct Answer: CF
QUESTION 94
When the IPSec client-to-LAN applications are changed from pre-shared keys to digital certificates, what is true about the IPSec SA?
A. SA IKE authentication method should be changed
B. SA IPSec authentication method should be changed
C. when the digital certificate is validated, the IPSec SA template is automatically updated
D. when the digital certificate is activated, the IPSec SA template is automatically updated
Correct Answer: A
QUESTION 95
When configuring the group VPN Client attributes in the VPN Concentrator, which three are VPN Client firewall settings? Choose three.
A. no firewall
B. enable authentication proxy
C. firewall required
D. enable content filtering
E. enable CBAC
F. firewall optional
Correct Answer: ACF
QUESTION 96
What are three steps in the IKE certificate authentication process? Choose three.
A. The identity certificate validity period is verified against the system clock of the Cisco VPN Concentrator.
B. The root certificate is not in the Cisco VPN Concentrator.
C. Identity certificates are exchanged during IPSec negotiations.
D. The identity certificate signature is validated using the stored root certificate.
E. The signature is validated using the stored identity certificate.
F. If enabled, the Cisco VPN Concentrator locates the CRL and validates the identity certificate.
Correct Answer: ADF
QUESTION 97
If the primary role of the VPN product is to perform remote access VPN with a few site-to-site connections, which product should you choose?
A. 2900
B. 3030
C. 3660
D. PIX Firewall 515
Correct Answer: B
QUESTION 98
When doing swap configuration, how do you load the boot configuration file and make it the active configuration?
A. reboot the system
B. write to the config file
C. save the Config.bak file and reboot the system
D. update the Cisco VPN executable system software
Correct Answer: A
QUESTION 99
What are the two steps in configuring network extension mode? Choose two.
A. Change the default address on the Cisco VPN 3002 private interface.
B. Enable network extension mode on the Cisco VPN Concentrator and push it down to the Cisco VPN 3002 during tunnel establishment.
C. Change the default address on the Cisco VPN 3002 public interface.
D. Enable network extension mode on the private interface.
E. Enable network extension mode on the public interface.
F. Answer No when the Cisco VPN 3002 prompts you to use PAT mode.
Correct Answer: AF
QUESTION 100
LAB
QUESTION 101
The network auto-discovery feature enables the Cisco VPN Concentrator to learn automatically which networks are reachable at both ends of a LAN-to-LAN tunnel. From which routing protocols can the Cisco VPN Concentrator learn these networks?
A. EIGRP
B. OSPF
C. RIP
D. RIP and OSPF
Correct Answer: C
QUESTION 102
How can an administrator accommodate the different access needs in a Cisco VPN Concentrator?
A. by configuring rights and privileges parameters in the Cisco VPN Concentrator
B. by configuring user and group parameters in the Cisco VPN Concentrator
C. by configuring access and usage parameters in the Cisco VPN Concentrator
D. by configuring rights and privileges in the network authentication server
Correct Answer: B
QUESTION 103
Which feature will not allow the Cisco VPN Client to connect without a firewall running?
A. AYT
B. Connectionless Firewall
C. Stateful Firewall
D. CIC Firewall
Correct Answer: A
QUESTION 104
Which of the following are valid backup server options? (Choose two)
A. use list configured on Radius Server
B. use list configured on Client
C. use list configured on TACACS+ Server
D. use list configured on Concentrator
Correct Answer: BD
QUESTION 105
Which two DH groups does the VPN3000 Concentrator support for key exchange? Choose two.
A. 3
B. 4
C. 5
D. 6
E. 7
Correct Answer: CE
QUESTION 106
What routing protocol does the Hardware Client support?
A. OSPF
B. RIP
C. EIGRP
D. none of the above
Correct Answer: A
QUESTION 107
What file must be modified to enable the Cisco VPN Software Client Auto-Initiation feature?
A. main.ini
B. user.ini
C. client.ini
D. vpnclient.ini
Correct Answer: D
QUESTION 108
Which feature enables the Concentrator administrator to centrally define a set of rules for the Cisco VPN Client firewall?
A. AYT
B. CPP
C. Stateful Firewall
D. CIC Firewall
Correct Answer: B
QUESTION 109
If there is a need to see the devices behind the Hardware Client, which mode of operation must be used?
A. main extension mode
B. aggressive extension mode
C. discovery extension mode
D. network extension mode
E. client extension mode
Correct Answer: D
QUESTION 110
How do you activate a Cisco CPP custom policy?
A. enable custom CPP in the Cisco VPN Concentrator only
B. enable custom CPP in the client and Cisco VPN Concentrator
C. enable CPP in the Cisco VPN Concentrator and select the custom policy under policy management
D. enable CPP in the Cisco VPN Concentrator and select the custom policy under the pushed policy drop-down menu
Correct Answer: D