
Cisco 640-554 (CCNA Security) practice questions, September 2021:

Q31. - (Topic 3) 

Under which option do you create an AAA authentication policy in Cisco Configuration Professional? 

A. Authentication Policies 

B. Authentication Policies – Login 

C. AAA Servers and Groups 

D. AAA Summary 

Answer: B 


Q32. - (Topic 10) 

Which Cisco AnyConnect VPN feature enables DTLS to fall back to a TLS connection? 

A. perfect forward secrecy 

B. dead peer detection 

C. keepalives 

D. IKEv2 

Answer: B 


Q33. - (Topic 2) 

What does the MD5 algorithm do? 

A. takes a message less than 2^64 bits as input and produces a 160-bit message digest 

B. takes a variable-length message and produces a 168-bit message digest 

C. takes a variable-length message and produces a 128-bit message digest 

D. takes a fixed-length message and produces a 128-bit message digest 

Answer: C 

Explanation: 

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094203.shtml 

Message Digest 5 (MD5)—This is a one-way hashing algorithm that produces a 128-bit hash. Both MD5 and Secure Hash Algorithm (SHA) are variations on MD4, which is designed to strengthen the security of this hashing algorithm. SHA is more secure than MD4 and MD5. Cisco uses hashes for authentication within the IPsec framework. 

Caveat for practice: the exam answer is about digest size only. Practical collisions for MD5 have been public since 2004 (and for SHA-1 since 2017), so neither should be chosen for new IPsec proposals or certificate signatures; SHA-256 or stronger is the current choice, and MD5 survives only as HMAC-MD5 for legacy interoperability. 


Q34. - (Topic 10) 

Which statement about a PVLAN isolated port configured on a switch is true? 

A. The isolated port can communicate only with the promiscuous port. 

B. The isolated port can communicate with other isolated ports and the promiscuous port. 

C. The isolated port can communicate only with community ports. 

D. The isolated port can communicate only with other isolated ports. 

Answer: A 


Q35. - (Topic 2) 

Which statement about Control Plane Policing is true? 

A. Control Plane Policing allows QoS filtering to protect the control plane against DoS attacks. 

B. Control Plane Policing classifies traffic into three categories to intercept malicious traffic. 

C. Control Plane Policing allows ACL-based filtering to protect the control plane against DoS attacks. 

D. Control Plane Policing intercepts and classifies all traffic. 

Answer: A 



Q36. - (Topic 3) 

Refer to the exhibit. 

Which statement about this output is true? 

A. The user logged into the router with the incorrect username and password. 

B. The login failed because there was no default enable password. 

C. The login failed because the password entered was incorrect. 

D. The user logged in and was given privilege level 15. 

Answer: C 

Explanation: 

http://www.cisco.com/en/US/docs/ios/12_2/debug/command/reference/dbfaaa.html 

debug aaa authentication 

To display information on AAA/Terminal Access Controller Access Control System Plus 

(TACACS+) authentication, use the debug aaa authentication privileged EXEC command. 

To disable debugging command, use the no form of the command. 

debug aaa authentication 

no debug aaa authentication 

The following is sample output from the debug aaa authentication command. A single EXEC login that uses the "default" method list and the first method, TACACS+, is displayed. The TACACS+ server sends a GETUSER request to prompt for the username and then a GETPASS request to prompt for the password, and finally a PASS response to indicate a successful login. The number 50996740 is the session ID, which is unique for each authentication. Use this ID number to distinguish between different authentications if several are occurring concurrently. 

Router# debug aaa authentication 

6:50:12: AAA/AUTHEN: create_user user='' ruser='' port='tty19' rem_addr='172.31.60.15' authen_type=1 service=1 priv=1 
6:50:12: AAA/AUTHEN/START (0): port='tty19' list='' action=LOGIN service=LOGIN 
6:50:12: AAA/AUTHEN/START (0): using "default" list 
6:50:12: AAA/AUTHEN/START (50996740): Method=TACACS+ 
6:50:12: TAC+ (50996740): received authen response status = GETUSER 
6:50:12: AAA/AUTHEN (50996740): status = GETUSER 
6:50:15: AAA/AUTHEN/CONT (50996740): continue_login 
6:50:15: AAA/AUTHEN (50996740): status = GETUSER 
6:50:15: AAA/AUTHEN (50996740): Method=TACACS+ 
6:50:15: TAC+: send AUTHEN/CONT packet 
6:50:15: TAC+ (50996740): received authen response status = GETPASS 
6:50:15: AAA/AUTHEN (50996740): status = GETPASS 
6:50:20: AAA/AUTHEN/CONT (50996740): continue_login 
6:50:20: AAA/AUTHEN (50996740): status = GETPASS 
6:50:20: AAA/AUTHEN (50996740): Method=TACACS+ 
6:50:20: TAC+: send AUTHEN/CONT packet 
6:50:20: TAC+ (50996740): received authen response status = PASS 
6:50:20: AAA/AUTHEN (50996740): status = PASS 
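To turn this debug output into something a detection pipeline can act on, here is an added example (written for this page, not Cisco's code): a parser that groups debug aaa authentication lines by session ID, attaches the port and remote address from the preceding create_user line, records the prompt sequence and the final PASS/FAIL, and lists failed logins per source. The input is constructed: the successful session shown above plus a second, invented session that fails. The context-attachment rule (port and rem_addr from the most recent create_user go to the next new session ID) is an assumption that holds for the ordering in this output; heavily interleaved concurrent logins would need port-based matching instead.

```python
import re

# Constructed input: the successful TACACS+ login from the Cisco debug output
# above, followed by a second, hypothetical session that fails (invented here).
SAMPLE_DEBUG = """\
6:50:12: AAA/AUTHEN: create_user user='' ruser='' port='tty19' rem_addr='172.31.60.15' authen_type=1 service=1 priv=1
6:50:12: AAA/AUTHEN/START (0): port='tty19' list='' action=LOGIN service=LOGIN
6:50:12: AAA/AUTHEN/START (0): using "default" list
6:50:12: AAA/AUTHEN/START (50996740): Method=TACACS+
6:50:12: TAC+ (50996740): received authen response status = GETUSER
6:50:12: AAA/AUTHEN (50996740): status = GETUSER
6:50:15: AAA/AUTHEN/CONT (50996740): continue_login
6:50:15: AAA/AUTHEN (50996740): status = GETUSER
6:50:15: AAA/AUTHEN (50996740): Method=TACACS+
6:50:15: TAC+: send AUTHEN/CONT packet
6:50:15: TAC+ (50996740): received authen response status = GETPASS
6:50:15: AAA/AUTHEN (50996740): status = GETPASS
6:50:20: AAA/AUTHEN/CONT (50996740): continue_login
6:50:20: AAA/AUTHEN (50996740): status = GETPASS
6:50:20: AAA/AUTHEN (50996740): Method=TACACS+
6:50:20: TAC+: send AUTHEN/CONT packet
6:50:20: TAC+ (50996740): received authen response status = PASS
6:50:20: AAA/AUTHEN (50996740): status = PASS
6:51:03: AAA/AUTHEN: create_user user='' ruser='' port='tty20' rem_addr='198.51.100.7' authen_type=1 service=1 priv=1
6:51:03: AAA/AUTHEN/START (0): port='tty20' list='' action=LOGIN service=LOGIN
6:51:03: AAA/AUTHEN/START (0): using "default" list
6:51:03: AAA/AUTHEN/START (50996741): Method=TACACS+
6:51:03: TAC+ (50996741): received authen response status = GETUSER
6:51:03: AAA/AUTHEN (50996741): status = GETUSER
6:51:07: AAA/AUTHEN/CONT (50996741): continue_login
6:51:07: TAC+ (50996741): received authen response status = GETPASS
6:51:07: AAA/AUTHEN (50996741): status = GETPASS
6:51:11: AAA/AUTHEN/CONT (50996741): continue_login
6:51:11: TAC+ (50996741): received authen response status = FAIL
6:51:11: AAA/AUTHEN (50996741): status = FAIL
"""

TIME_RE = re.compile(r"^(?P<ts>\d+:\d+:\d+): ")
CREATE_RE = re.compile(r"create_user .*?port='(?P<port>[^']*)' rem_addr='(?P<addr>[^']*)'")
SESSION_RE = re.compile(r"\((?P<sid>\d+)\)")
METHOD_RE = re.compile(r"Method=(?P<method>\S+)")
STATUS_RE = re.compile(r"status = (?P<status>[A-Z]+)")
FINAL = {"PASS", "FAIL", "ERROR"}  # terminal AAA statuses


def parse_aaa_debug(text):
    """Group debug lines by session ID; return {sid: summary dict}."""
    sessions = {}
    context = {}  # port/rem_addr from the latest create_user line (assumption: applies to next new sid)
    for raw in text.splitlines():
        line = raw.strip()
        m = TIME_RE.match(line)
        ts = m.group("ts") if m else None
        m = CREATE_RE.search(line)
        if m:
            context = {"port": m.group("port"), "rem_addr": m.group("addr")}
            continue
        m = SESSION_RE.search(line)
        if not m or m.group("sid") == "0":
            continue  # "(0)" lines precede assignment of the real session ID
        sid = m.group("sid")
        if sid not in sessions:
            sessions[sid] = {"port": context.get("port"), "rem_addr": context.get("rem_addr"),
                             "method": None, "started": ts, "last_seen": ts,
                             "statuses": [], "result": "INCOMPLETE"}
        sess = sessions[sid]
        sess["last_seen"] = ts
        m = METHOD_RE.search(line)
        if m and sess["method"] is None:
            sess["method"] = m.group("method")
        m = STATUS_RE.search(line)
        if m:
            status = m.group("status")
            if not sess["statuses"] or sess["statuses"][-1] != status:
                sess["statuses"].append(status)  # collapse repeated GETUSER/GETPASS echoes
            if status in FINAL:
                sess["result"] = status
    return sessions


def failed_logins(sessions):
    """(sid, port, rem_addr) for every session that ended in FAIL."""
    return [(sid, s["port"], s["rem_addr"]) for sid, s in sessions.items() if s["result"] == "FAIL"]


def failures_by_source(sessions):
    """Count FAIL results per remote address; a spike from one address suggests guessing."""
    counts = {}
    for s in sessions.values():
        if s["result"] == "FAIL":
            counts[s["rem_addr"]] = counts.get(s["rem_addr"], 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_aaa_debug(SAMPLE_DEBUG)
    for sid, s in parsed.items():
        print(sid, s["rem_addr"], s["method"], " -> ".join(s["statuses"]), s["result"])
    print("failures by source:", failures_by_source(parsed))
```

A session that never reaches a terminal status stays INCOMPLETE, which is itself worth alerting on when it persists: it is what a hung or unreachable TACACS+ server looks like before the method list falls through to the next method.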

Topic 4, IOS ACLs 


Q37. - (Topic 6) 

Which statement best represents the characteristics of a VLAN? 

A. Ports in a VLAN will not share broadcasts amongst physically separate switches. 

B. A VLAN can only connect across a LAN within the same building. 

C. A VLAN is a logical broadcast domain that can span multiple physical LAN segments. 

D. A VLAN provides individual port security. 

Answer: C 

Explanation: 

http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli_rel_4_0_1a/VLANs.html 

Configuring VLANs You can use virtual LANs (VLANs) to divide the network into separate logical areas. VLANs can also be considered as broadcast domains. Any switch port can belong to a VLAN, and unicast, broadcast, and multicast packets are forwarded and flooded only to end stations in that VLAN. Each VLAN is considered a logical network, and packets destined for stations that do not belong to the VLAN must be forwarded through a router. 


Q38. - (Topic 7) 

Which three statements about the Cisco ASA appliance are true? (Choose three.) 

A. The DMZ interface(s) on the Cisco ASA appliance most typically use a security level between 1 and 99. 

B. The Cisco ASA appliance supports Active/Active or Active/Standby failover. 

C. The Cisco ASA appliance has no default MPF configurations. 

D. The Cisco ASA appliance uses security contexts to virtually partition the ASA into multiple virtual firewalls. 

E. The Cisco ASA appliance supports user-based access control using 802.1x. 

F. An SSM is required on the Cisco ASA appliance to support Botnet Traffic Filtering. 

Answer: A,B,D 

Explanation: 

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/int5505.html 

Security Level Overview Each VLAN interface must have a security level in the range 0 to 100 (from lowest to highest). For example, you should assign your most secure network, such as the inside business network, to level 100. The outside network connected to the Internet can be level 0. Other networks, such as a home network can be in between. You can assign interfaces to the same security level. See the "Allowing Communication Between VLAN Interfaces on the Same Security Level" section for more information. 

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html 

Active/Standby Failover Overview Active/Standby failover lets you use a standby security appliance to take over the functionality of a failed unit. When the active unit fails, it changes to the standby state while the standby unit changes to the active state. The unit that becomes active assumes the IP addresses (or, for transparent firewall, the management IP address) and MAC addresses of the failed unit and begins passing traffic. The unit that is now in standby state takes over the standby IP addresses and MAC addresses. Because network devices see no change in the MAC to IP address pairing, no ARP entries change or time out anywhere on the network. 

Active/Active Failover Overview Active/Active failover is only available to security appliances in multiple context mode. In an Active/Active failover configuration, both security appliances can pass network traffic. In Active/Active failover, you divide the security contexts on the security appliance into failover groups. A failover group is simply a logical group of one or more security contexts. You can create a maximum of two failover groups on the security appliance. The admin context is always a member of failover group 1. Any unassigned security contexts are also members of failover group 1 by default. 

The failover group forms the base unit for failover in Active/Active failover. Interface failure monitoring, failover, and active/standby status are all attributes of a failover group rather than the unit. When an active failover group fails, it changes to the standby state while the standby failover group becomes active. The interfaces in the failover group that becomes active assume the MAC and IP addresses of the interfaces in the failover group that failed. The interfaces in the failover group that is now in the standby state take over the standby MAC and IP addresses. 

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/contexts.html 

Security Context Overview You can partition a single security appliance into multiple virtual devices, known as security contexts. Each context is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management. Some features are not supported, including VPN and dynamic routing protocols. 


Q39. - (Topic 6) 

Which two countermeasures can mitigate MAC spoofing attacks? (Choose two.) 

A. IP source guard 

B. port security 

C. root guard 

D. BPDU guard 

Answer: A,B 


Q40. - (Topic 2) 

What does level 5 in this enable secret global configuration mode command indicate? 

router(config)#enable secret level 5 password 

A. The enable secret password is hashed using MD5. 

B. The enable secret password is hashed using SHA. 

C. The enable secret password is encrypted using Cisco proprietary level 5 encryption. 

D. Set the enable secret command to privilege level 5. 

E. The enable secret password is for accessing exec privilege level 5. 

Answer: D 

Explanation: 

http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfpass.html 

To configure the router to require an enable password, use either of the following commands in global configuration mode: 

Router(config)# enable password [level level] {password | encryption-type encrypted-password} 

Establishes a password for a privilege command mode. 

Router(config)# enable secret [level level] {password | encryption-type encrypted-password} 

Specifies a secret password, saved using a non-reversible method: a one-way hash (type 5 MD5-crypt on classic IOS; newer releases also support type 8 PBKDF2-SHA-256 and type 9 scrypt). By contrast, enable password is stored in plaintext (type 0) or with the trivially reversible type 7 obfuscation. (If enable password and enable secret are both set, users must enter the enable secret password.) 

Use either of these commands with the level option to define a password for a specific privilege level. 

After you specify the level and set a password, give the password only to users who need to have access at this level. Use the privilege level configuration command to specify commands accessible at various levels.
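An added example (written for this page, not Cisco's code) that audits the commands described above in a saved running-config: it parses enable and username lines, classifies each credential by its encryption type, decodes type 7 strings to show they are reversible, and flags an enable password at a level with no enable secret, since that is the credential that actually grants the level. The config fragment is constructed; the type 5 and type 9 strings are placeholders shaped like real hashes but hash nothing in particular, while the type 7 strings are genuine encodings. The XLAT table is the well-known fixed key of the type 7 scheme.

```python
import re

# Constructed running-config fragment used as input (hypothetical device, placeholder hashes).
SAMPLE_CONFIG = """\
hostname R1
!
enable secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1
enable password 7 0822455D0A16
enable secret level 5 9 $9$nhEmQVczB7dqsO$X.HsgL6x1il0RxkOSSvyQYwucySCt7qFm4v7pqCxkKM
enable password level 7 cisco123
username admin privilege 15 password 7 03170808140A350D
username ops privilege 5 secret 5 $1$4Lrj$ZxDHzv3q.mkaH7xM8nG0k0
privilege exec level 5 show running-config
!
"""

# Fixed key of the IOS type 7 scheme: a 2-digit decimal seed selects the start offset,
# then each hex byte is XORed with the next table character.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded):
    """Undo type 7 obfuscation and return the cleartext password."""
    seed = int(encoded[:2])
    chars = []
    for i in range(2, len(encoded), 2):
        key = XLAT[(seed + (i - 2) // 2) % len(XLAT)]
        chars.append(chr(int(encoded[i:i + 2], 16) ^ ord(key)))
    return "".join(chars)


ENABLE_RE = re.compile(r"^enable (?P<kind>secret|password)(?: level (?P<level>\d+))?"
                       r" (?:(?P<etype>\d+) )?(?P<value>\S+)$")
USER_RE = re.compile(r"^username (?P<user>\S+)(?: privilege (?P<level>\d+))?"
                     r" (?P<kind>secret|password) (?:(?P<etype>\d+) )?(?P<value>\S+)$")


def classify(etype, value):
    """Map an IOS encryption-type number to (severity, explanation)."""
    if etype in (None, "0"):
        return "high", "plaintext password %r" % value
    if etype == "7":
        return "high", "type 7 is reversible; decodes to %r" % decode_type7(value)
    if etype == "4":
        return "medium", "type 4 is unsalted SHA-256 (deprecated); migrate to type 8/9"
    if etype == "5":
        return "medium", "type 5 is MD5-crypt; migrate to type 8 (PBKDF2) or 9 (scrypt)"
    if etype in ("8", "9"):
        return "info", "type %s is a slow salted hash" % etype
    return "medium", "unknown encryption type %s" % etype


def audit_credentials(config):
    """Return a list of findings for enable and username credentials in a config."""
    findings = []
    enable = {}  # privilege level -> {"secret": etype, "password": etype}
    for raw in config.splitlines():
        line = raw.strip()
        m = ENABLE_RE.match(line)
        if m:
            level = int(m.group("level") or 15)  # no level keyword means level 15
            enable.setdefault(level, {})[m.group("kind")] = m.group("etype")
            sev, detail = classify(m.group("etype"), m.group("value"))
            findings.append({"target": "enable level %d" % level, "kind": m.group("kind"),
                             "severity": sev, "detail": detail})
            continue
        m = USER_RE.match(line)
        if m:
            sev, detail = classify(m.group("etype"), m.group("value"))
            findings.append({"target": "username %s" % m.group("user"), "kind": m.group("kind"),
                             "severity": sev, "detail": detail})
    # An enable password is shadowed when an enable secret exists for the same level (the
    # secret wins at login), but the reversible string still sits in every config backup.
    for f in findings:
        if f["kind"] == "password" and f["target"].startswith("enable level"):
            level = int(f["target"].split()[-1])
            if "secret" in enable.get(level, {}):
                f["detail"] += "; shadowed by enable secret at this level but still exposed in the config"
            else:
                f["detail"] += "; no enable secret at this level, so this is the credential that grants it"
    return findings


if __name__ == "__main__":
    for f in audit_credentials(SAMPLE_CONFIG):
        print("%-6s %-18s %-8s %s" % (f["severity"], f["target"], f["kind"], f["detail"]))
```

Running it against the sample shows the point of the Q40 explanation in practice: level 15 is protected by the type 5 secret, but the type 7 enable password beside it decodes to its cleartext on the spot, and level 7 has only a plaintext enable password, so anyone who can read the config has that level.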