Download New Updated (July) Cisco 640-554 Actual Test 121-130

By | July 27, 2015




The host A Layer 2 port is configured in VLAN 5 on switch 1, and the host B Layer 2 port is configured in VLAN 10 on switch 1. Which two actions can you take to enable the two hosts to communicate with each other? (Choose two.)

A. Configure inter-VLAN routing.
B. Connect the hosts directly through a hub.
C. Configure switched virtual interfaces.
D. Connect the hosts directly through a router.

Correct Answer: AC


VLANs divide broadcast domains in a LAN environment. Whenever hosts in one VLAN need to communicate with hosts in another VLAN, the traffic must be routed between them. This is known as inter-VLAN routing. On Catalyst switches it is accomplished by creating Layer 3 interfaces (switch virtual interfaces, or SVIs).
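As an added illustration (not part of the original page), this is what the two correct answers look like on a Catalyst Layer 3 switch: both VLANs exist, each gets an SVI whose address the hosts in that VLAN use as their default gateway, and IP routing is turned on so the switch forwards between the two SVIs. The VLAN names, interface names and addresses are assumptions.

```cisco
! Added example (not from the page): inter-VLAN routing with SVIs on a
! Layer 3 Catalyst switch. Names, interfaces and addresses are assumed.
ip routing
!
vlan 5
 name HOST-A-VLAN
vlan 10
 name HOST-B-VLAN
!
! Access ports for the two hosts (example interfaces)
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 5
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
!
! One SVI per VLAN; each SVI address is the default gateway for that VLAN
interface Vlan5
 ip address 10.5.0.1 255.255.255.0
 no shutdown
interface Vlan10
 ip address 10.10.0.1 255.255.255.0
 no shutdown
```

Host A is then configured with 10.5.0.1 as its gateway and host B with 10.10.0.1. `show ip interface brief` should list both SVIs as up/up, and `show ip route` should show 10.5.0.0/24 and 10.10.0.0/24 as connected routes; an SVI stays down until at least one access port in its VLAN is up.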





Which two pieces of information should you acquire before you troubleshoot an STP loop? (Choose two.)

A. topology of the routed network
B. topology of the switched network
C. location of the root bridge
D. number of switches in the network

Correct Answer: BC


Forwarding loops vary greatly both in their origin (cause) and effect. Due to the wide variety of issues that can affect STP, this document can only provide general guidelines about how to troubleshoot forwarding loops.

Before you start to troubleshoot, you must obtain this information:

STP configuration details, such as which switch is the root and backup root, which links have a non-default cost or priority, and the location of blocking ports.
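As an added example (not from the page), the following Catalyst IOS show commands collect the items listed above before a loop is investigated; the VLAN number and interface name are assumptions.

```cisco
! Added example (not from the page): gathering the STP facts listed above
! on a Catalyst switch. VLAN and interface names are assumed.
! Which bridge is root for each VLAN, and this switch's root port and cost
show spanning-tree root
! Ports that STP has put into the blocking (alternate/backup) role
show spanning-tree blockedports
! Per-VLAN detail: bridge priority, root port, per-port cost and priority
show spanning-tree vlan 10
! Non-default cost or priority on one link, plus BPDU counters
show spanning-tree interface GigabitEthernet1/0/1 detail
! Layer 2 topology: which neighbour switch sits behind which port
show cdp neighbors
```

Record the output from every switch in the Layer 2 domain, not only the one showing symptoms: a loop usually appears when a port that should be blocking stops receiving BPDUs, and the blocked-port and neighbour listings are what let you draw the switched topology and place the root bridge on it.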





Which type of Cisco ASA access list entry can be configured to match multiple entries in a single statement?



nested object-class




extended wildcard matching


object groups


Correct Answer: D



Information About Object Groups

By grouping like objects together, you can use the object group in an ACE instead of having to enter an ACE for each object separately. You can create the following types of object groups:




ICMP type

For example, consider the following three object groups:

MyServices–Includes the TCP and UDP port numbers of the service requests that are allowed access to the internal network.

TrustedHosts–Includes the host and network addresses allowed access to the greatest range of services and servers.

PublicServers–Includes the host addresses of servers to which the greatest access is provided. After creating these groups, you could use a single ACE to allow trusted hosts to make specific service requests to a group of public servers.

You can also nest object groups in other object groups.
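The three groups described above, written out as ASA configuration, as an added example that is not part of the original page; the addresses and the ACL name are assumptions, and a fourth group shows the nesting mentioned in the last sentence.

```cisco
! Added example (not from the page): the three object groups described
! above, plus one ACE that uses all of them. Addresses are assumed.
object-group service MyServices
 description Service requests allowed into the internal network
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object udp destination eq domain
!
object-group network TrustedHosts
 network-object host 203.0.113.10
 network-object 198.51.100.0 255.255.255.0
!
object-group network PublicServers
 network-object host 192.0.2.20
 network-object host 192.0.2.21
!
! Nested group: a broader set that contains PublicServers
object-group network AllServers
 group-object PublicServers
 network-object host 192.0.2.30
!
! One ACE instead of 2 sources x 2 servers x 3 services = 12 ACEs
access-list OUTSIDE_IN extended permit object-group MyServices object-group TrustedHosts object-group PublicServers
access-group OUTSIDE_IN in interface outside
```

`show access-list OUTSIDE_IN` displays the single configured ACE followed by the individual elements the ASA expands it into, which is the quickest way to confirm that a group edit produced exactly the element combinations you intended and nothing broader.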




When Cisco IOS zone-based policy firewall is configured, which three actions can be applied to a traffic class? (Choose three.)















Correct Answer: ACD



Zone-Based Policy Firewall Actions

ZFW provides three actions for traffic that traverses from one zone to another:


Drop–This is the default action for all traffic, as applied by the “class class-default” that terminates every inspect-type policy-map. Other class-maps within a policy-map can also be configured to drop unwanted traffic.

Traffic that is handled by the drop action is “silently” dropped (i.e., no notification of the drop is sent to the relevant end-host) by the ZFW, as opposed to an ACL’s behavior of sending an ICMP “host unreachable” message to the host that sent the denied traffic. Currently, there is not an option to change the “silent drop” behavior. The log option can be added with drop for syslog notification that traffic was dropped by the firewall.


Pass–This action allows the router to forward traffic from one zone to another. The pass action does not track the state of connections or sessions within the traffic. Pass only allows the traffic in one direction. A corresponding policy must be applied to allow return traffic to pass in the opposite direction. The pass action is useful for protocols such as IPSec ESP, IPSec AH, ISAKMP, and other inherently secure protocols with predictable behavior. However, most application traffic is better handled in the ZFW with the inspect action.


Inspect–The inspect action offers state-based traffic control. For example, if traffic from the private zone to the Internet zone in the earlier example network is inspected, the router maintains connection or session information for TCP and User Datagram Protocol (UDP) traffic. Therefore, the router permits return traffic sent from Internet-zone hosts in reply to private zone connection requests. Also, inspect can provide application inspection and control for certain service protocols that might carry vulnerable or sensitive application traffic.

Audit-trail can be applied with a parameter-map to record connection/session start, stop, duration, the data volume transferred, and source and destination addresses.




With Cisco IOS zone-based policy firewall, by default, which three types of traffic are permitted by the router when some of the router interfaces are assigned to a zone? (Choose three.)

A. traffic flowing between a zone member interface and any interface that is not a zone member
B. traffic flowing to and from the router interfaces (the self zone)
C. traffic flowing among the interfaces that are members of the same zone
D. traffic flowing among the interfaces that are not assigned to any zone
E. traffic flowing between a zone member interface and another interface that belongs in a different zone
F. traffic flowing to the zone member interface that is returned traffic

Correct Answer: BCD



Rules For Applying Zone-Based Policy Firewall

Router network interfaces’ membership in zones is subject to several rules that govern interface behavior, as is the traffic moving between zone member interfaces:

A zone must be configured before interfaces can be assigned to the zone.

An interface can be assigned to only one security zone.

All traffic to and from a given interface is implicitly blocked when the interface is assigned to a zone, except traffic to and from other interfaces in the same zone, and traffic to any interface on the router.


Traffic is implicitly allowed to flow by default among interfaces that are members of the same zone. In order to permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone.

The self zone is the only exception to the default deny all policy. All traffic to any router interface is allowed until traffic is explicitly denied.

Traffic cannot flow between a zone member interface and any interface that is not a zone member.

Pass, inspect, and drop actions can only be applied between two zones.

Interfaces that have not been assigned to a zone function as classical router ports and might still use classical stateful inspection/CBAC configuration.

If it is required that an interface on the box not be part of the zoning/firewall policy, it might still be necessary to put that interface in a zone and configure a pass-all policy (sort of a dummy policy) between that zone and any other zone to which traffic flow is desired.

From the preceding it follows that, if traffic is to flow among all the interfaces in a router, all the interfaces must be part of the zoning model (each interface must be a member of one zone or another).

The only exception to the preceding deny by default approach is the traffic to and from the router, which will be permitted by default. An explicit policy can be configured to restrict such traffic.




Which two options are advantages of an application layer firewall? (Choose two.)

A. provides high-performance filtering
B. makes DoS attacks difficult
C. supports a large number of applications
D. authenticates devices
E. authenticates individuals

Correct Answer: BE



Adding Intrusion Prevention

Gartner’s definition of a next-generation firewall is one that combines firewall filtering and intrusion prevention systems (IPSs). Like firewalls, IPSs filter packets in real time. But instead of filtering based on user profiles and application policies, they scan for known malicious patterns in incoming code, called signatures. These signatures indicate the presence of malware, such as worms, Trojan horses, and spyware.


Malware can overwhelm server and network resources and cause denial of service (DoS) to internal employees, external Web users, or both. By filtering for known malicious signatures, IPSs add an extra layer of security to firewall capabilities; once the malware is detected by the IPS, the system will block it from the network.

Firewalls provide the first line of defense in any organization’s network security infrastructure.


They do so by matching corporate policies about users’ network access rights to the connection information surrounding each access attempt. If the variables don’t match, the firewall blocks the access connection. If the variables do match, the firewall allows the acceptable traffic to flow through the network.


In this way, the firewall forms the basic building block of an organization’s network security architecture. It pays to use one with superior performance to maximize network uptime for business-critical operations. The reason is that the rapid addition of voice, video, and collaborative traffic to corporate networks is driving the need for firewall engines that operate at very high speeds and that also support application-level inspection. While standard Layer 2 and Layer 3 firewalls prevent unauthorized access to internal and external networks, firewalls enhanced with application-level inspection examine, identify, and verify application types at Layer 7 to make sure unwanted or misbehaving application traffic doesn’t join the network. With these capabilities, the firewall can enforce endpoint user registration and authentication and provide administrative control over the use of multimedia applications.







Refer to the exhibit. Using a stateful packet firewall and given an inside ACL entry of permit ip any, what would be the resulting dynamically configured ACL for the return traffic on the outside ACL?

A. permit tcp host eq 80 host eq 2300
B. permit ip eq 80 eq 2300
C. permit tcp any eq 80 host eq 2300
D. permit ip host eq 80 host eq 2300

Correct Answer: A

Explanation: _manager/4.1/user/guide/fwinsp.html


Understanding Inspection Rules

Inspection rules configure Context-Based Access Control (CBAC) inspection commands. CBAC inspects traffic that travels through the device to discover and manage state information for TCP and UDP sessions. The device uses this state information to create temporary openings to allow return traffic and additional data connections for permissible sessions.

CBAC creates temporary openings in access lists at firewall interfaces. These openings are created when inspected traffic exits your internal network through the firewall. The openings allow returning traffic (that would normally be blocked) and additional data channels to enter your internal network back through the firewall. The traffic is allowed back through the firewall only if it is part of the same session as the original traffic that triggered inspection when exiting through the firewall.


Inspection rules are applied after your access rules, so any traffic that you deny in the access rule is not inspected. The traffic must be allowed by the access rules at both the input and output interfaces to be inspected. Whereas access rules allow you to control connections at layer 3 (network, IP) or 4 (transport, TCP or UDP protocol), you can use inspection rules to control traffic using application-layer protocol session information.


For all protocols, when you inspect the protocol, the device provides the following functions:

Automatically opens a return path for the traffic (reversing the source and destination addresses), so that you do not need to create an access rule to allow the return traffic. Each connection is considered a session, and the device maintains session state information and allows return traffic only for valid sessions. Protocols that use TCP contain explicit session information, whereas for UDP applications, the device models the equivalent of a session based on the source and destination addresses and the closeness in time of a sequence of UDP packets.


These temporary access lists are created dynamically and are removed at the end of a session.

Tracks sequence numbers in all TCP packets and drops those packets with sequence numbers that are not within expected ranges.

Uses timeout and threshold values to manage session state information, helping to determine when to drop sessions that do not become fully established. When a session is dropped, or reset, the device informs both the source and destination of the session to reset the connection, freeing up resources and helping to mitigate potential Denial of Service (DoS) attacks.
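A minimal CBAC configuration that produces the behaviour described above, as an added example that is not from the original page: the outside ACL denies everything inbound, and the inspection rule on the inside interface creates the temporary return-path entries in front of that deny for each session it has seen leave. Interface names, addresses and the rule name are assumptions.

```cisco
! Added example (not from the page): classic CBAC on an IOS router.
! Interface names, addresses and the inspection rule name are assumed.
!
! 1. Outside ACL: block all inbound traffic. CBAC inserts its temporary
!    session entries ahead of this deny while a session is open.
ip access-list extended OUTSIDE_IN
 deny ip any any log
!
! 2. Inspection rule: track TCP and UDP sessions generically, and HTTP at
!    the application layer (sequence-number checking applies to TCP).
ip inspect name CBAC_FW tcp
ip inspect name CBAC_FW udp
ip inspect name CBAC_FW http
! Log session start/stop with byte counts and peers
ip inspect audit-trail
! Drop half-open TCP sessions that never complete, limiting DoS impact
ip inspect tcp synwait-time 15
!
! 3. Inspect traffic as it enters from the inside; filter on the outside
interface GigabitEthernet0/0
 description INSIDE
 ip address 10.0.0.1 255.255.255.0
 ip inspect CBAC_FW in
!
interface GigabitEthernet0/1
 description OUTSIDE
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE_IN in
```

While an inside host has a web session open, `show ip inspect sessions` lists it with the reversed source and destination, which is the information behind the dynamic entry in the question (a single TCP entry between the two hosts, server port 80 to the client's ephemeral port). When the session ends or times out the entry disappears and the outside ACL is back to its explicit deny.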




Which option is the resulting action in a zone-based policy firewall configuration with these conditions?





no impact to zoning or policy


no policy lookup (pass)




apply default policy


Correct Answer: C



Zone Pairs

A zone pair allows you to specify a unidirectional firewall policy between two security zones. To define a zone pair, use the zone-pair security command. The direction of the traffic is specified by source and destination zones. The source and destination zones of a zone pair must be security zones.


You can select the default or self zone as either the source or the destination zone. The self zone is a system-defined zone which does not have any interfaces as members. A zone pair that includes the self zone, along with the associated policy, applies to traffic directed to the device or traffic generated by the device. It does not apply to traffic through the device.


The most common usage of a firewall is to apply it to traffic through a device, so you need at least two zones (that is, you cannot use the self zone).


To permit traffic between zone member interfaces, you must configure a policy permitting (or inspecting) traffic between that zone and another zone. To attach a firewall policy map to the target zone pair, use the service-policy type inspect command.


The figure below shows the application of a firewall policy to traffic flowing from zone Z1 to zone Z2, which means that the ingress interface for the traffic is a member of zone Z1 and the egress interface is a member of zone Z2.


Figure 2. Zone Pairs



If there are two zones and you require policies for traffic going in both directions (from Z1 to Z2 and Z2 to Z1), you must configure two zone pairs (one for each direction).


If a policy is not configured between zone pairs, traffic is dropped. However, it is not necessary to configure a zone pair and a service policy solely for the return traffic. By default, return traffic is not allowed. If a service policy inspects the traffic in the forward direction and there is no zone pair and service policy for the return traffic, the return traffic is inspected. If a service policy passes the traffic in the forward direction and there is no zone pair and service policy for the return traffic, the return traffic is dropped. In both these cases, you need to configure a zone pair and a service policy to allow the return traffic. In the above figure, it is not mandatory that you configure a zone pair source and destination for allowing return traffic from Z2 to Z1. The service policy on Z1 to Z2 zone pair takes care of it.
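The following configuration, added here as an example and not taken from the original page, ties together the three ZFW sections above: the drop, pass and inspect actions with an audit-trail parameter map, the zone-membership rules, one zone pair per direction, and an explicit self-zone policy. It also shows the return-traffic point just made: the inspected web traffic needs no second zone pair, while the passed IPsec traffic does. Zone names, class and policy names, the ACL and the interfaces are assumptions.

```cisco
! Added example (not from the page): zone-based policy firewall showing the
! three actions, zone membership, one zone pair per direction and a
! self-zone policy. All names, addresses and interfaces are assumed.
zone security INSIDE
zone security OUTSIDE
!
! Audit trail for inspected sessions: start, stop, duration, bytes, peers
parameter-map type inspect PMAP-AUDIT
 audit-trail on
!
ip access-list extended ACL-ESP
 permit esp any any
!
class-map type inspect match-any CM-USER-APPS
 match protocol http
 match protocol https
 match protocol dns
class-map type inspect match-any CM-VPN
 match access-group name ACL-ESP
 match protocol isakmp
!
! INSIDE -> OUTSIDE: inspect (stateful, return traffic allowed), pass
! (stateless, this direction only), drop (the default, logged here)
policy-map type inspect PM-IN-OUT
 class type inspect CM-USER-APPS
  inspect PMAP-AUDIT
 class type inspect CM-VPN
  pass
 class class-default
  drop log
zone-pair security ZP-IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT
!
! OUTSIDE -> INSIDE: needed only for the passed VPN traffic; inspected web
! sessions already get their return traffic without this zone pair
policy-map type inspect PM-OUT-IN
 class type inspect CM-VPN
  pass
 class class-default
  drop log
zone-pair security ZP-OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-IN
!
! Self zone: traffic to the router is allowed by default. This zone pair
! restricts what the OUTSIDE zone may send to the router itself; traffic
! the router originates toward OUTSIDE has no zone pair and stays allowed.
class-map type inspect match-any CM-MGMT
 match protocol ssh
policy-map type inspect PM-SELF
 class type inspect CM-MGMT
  inspect
 class class-default
  drop log
zone-pair security ZP-OUT-SELF source OUTSIDE destination self
 service-policy type inspect PM-SELF
!
! Interfaces become zone members last. Any interface left out of a zone
! cannot exchange traffic with these two.
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
```

`show policy-map type inspect zone-pair` reports per-class packet counters and active sessions, so a class-default counter that keeps climbing on ZP-IN-OUT is the first place to look when something expected to work is being silently dropped. Note the ordering risk in the last stanza: assigning an interface to a zone before its zone pair and policy exist cuts that interface off from every other zone until the policy is attached.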




A Cisco ASA appliance has three interfaces configured. The first interface is the inside interface with a security level of 100. The second interface is the DMZ interface with a security level of 50. The third interface is the outside interface with a security level of 0. By default, without any access list configured, which five types of traffic are permitted? (Choose five.)

A. outbound traffic initiated from the inside to the DMZ
B. outbound traffic initiated from the DMZ to the outside
C. outbound traffic initiated from the inside to the outside
D. inbound traffic initiated from the outside to the DMZ
E. inbound traffic initiated from the outside to the inside
F. inbound traffic initiated from the DMZ to the inside
G. HTTP return traffic originating from the inside network and returning via the outside interface
H. HTTP return traffic originating from the inside network and returning via the DMZ interface
I. HTTP return traffic originating from the DMZ network and returning via the inside interface
J. HTTP return traffic originating from the outside network and returning via the inside interface

Correct Answer: ABCGH



Security Level Overview

Each interface must have a security level from 0 (lowest) to 100 (highest). For example, you should assign your most secure network, such as the inside host network, to level 100, while the outside network connected to the Internet can be level 0. Other networks, such as DMZs, can be in between. You can assign interfaces to the same security level. See the “Allowing Communication Between Interfaces on the Same Security Level” section for more information.

The level controls the following behavior:


Network access–By default, there is an implicit permit from a higher security interface to a lower security interface (outbound). Hosts on the higher security interface can access any host on a lower security interface. You can limit access by applying an access list to the interface. If you enable communication for same security interfaces (see the “Allowing Communication Between Interfaces on the Same Security Level” section), there is an implicit permit for interfaces to access other interfaces on the same security level or lower.


Inspection engines–Some inspection engines are dependent on the security level. For same security interfaces, inspection engines apply to traffic in either direction.

-NetBIOS inspection engine–Applied only for outbound connections.

-OraServ inspection engine–If a control connection for the OraServ port exists between a pair of hosts, then only an inbound data connection is permitted through the security appliance.

Filtering–HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level).

For same security interfaces, you can filter traffic in either direction.

NAT control–When you enable NAT control, you must configure NAT for hosts on a higher security interface (inside) when they access hosts on a lower security interface (outside).

Without NAT control, or for same security interfaces, you can choose to use NAT between any interface, or you can choose not to use NAT. Keep in mind that configuring NAT for an outside interface might require a special keyword.

established command–This command allows return connections from a lower security host to a higher security host if there is already an established connection from the higher level host to the lower level host.

For same security interfaces, you can configure established commands for both directions.
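The three-interface layout from the question, written out as an added ASA configuration example (not from the original page), with the single ACL that becomes necessary the moment a connection has to go from a lower to a higher security level. Interface names beyond inside/dmz/outside, addresses and the object and ACL names are assumptions.

```cisco
! Added example (not from the page): the three ASA interfaces from the
! question and the ACL needed for a lower-to-higher connection. Physical
! interface names, addresses and object/ACL names are assumed.
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 172.16.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
! With no ACLs at all: inside->dmz, inside->outside and dmz->outside are
! implicitly permitted (higher to lower), and the stateful engine admits
! their return traffic. outside->dmz, outside->inside and dmz->inside are
! implicitly denied, so publishing a DMZ web server needs an explicit ACL.
object network DMZ-WEB
 host 172.16.0.10
access-list OUTSIDE_IN extended permit tcp any object DMZ-WEB eq www
access-group OUTSIDE_IN in interface outside
!
! Only needed if two interfaces share a level and must talk to each other
same-security-traffic permit inter-interface
```

Before trusting the picture in your head, run it through the box: `packet-tracer input outside tcp 203.0.113.50 40000 172.16.0.10 80` walks the phases and shows whether the ACL or the implicit rule decides, and `show conn` confirms that only connections opened from the higher-level side (or permitted by OUTSIDE_IN) are being tracked. Remember that applying an ACL to an interface replaces the implicit permit for that direction, so an inside ACL must itself allow the outbound traffic you still want.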




Which type of firewall technology is considered the versatile and commonly used firewall technology?

A. static packet filter firewall
B. application layer firewall
C. stateful packet filter firewall
D. proxy firewall
E. adaptive layer firewall

Correct Answer: C



Cisco IOS Firewall includes multiple security features:

Cisco IOS Firewall stateful packet inspection provides true firewall capabilities to protect networks against unauthorized traffic and control legitimate business-critical data.

Authentication proxy controls access to hosts or networks based on user credentials stored in an authentication, authorization, and accounting (AAA) server.

Multi-VRF firewall offers firewall services on virtual routers with virtual routing and forwarding (VRF), accommodating overlapping address space to provide multiple isolated private route spaces with a full range of security services.

Transparent firewall adds stateful inspection without time-consuming, disruptive IP addressing modifications.

Application inspection controls application activity to provide granular policy enforcement of application usage, protecting legitimate application protocols from rogue applications and malicious activity.


