kaab00m from Vietnam -
Aug 23 2012, 8:11 AM
PASS my exam. 1 New Question from Cisco.ActualTests.642-637.v2012-08-03.by.Neil.133q.vce
All the simlet and lab questions are the same, but the answers may not be exactly like those in the vce.
My score 878 after 30 minutes.
Thanks all, special thanks to Neil.
tunde odubanjo from Nigeria -
Aug 22 2012, 7:48 AM
Passed the exam on Friday 17th August... thanks a lot
cro@ from Croatia -
Aug 14 2012, 6:24 PM
@ahmed - what was your score on the exam?
@sashans - did you take the exam? Is this vce valid?
sashans from Serbia -
Aug 12 2012, 12:40 PM
@muhha
The class-default drop command is not necessary in the ZBFW sim, I think.
look at this
The policy-map applies firewall policy actions to one or more class-maps to define the service-policy that will be applied to a security zone-pair. When an inspect-type policy-map is created, a default class named class class-default is applied at the end of the class. The class class-default’s default policy action is drop, but can be changed to pass. The log option can be added with the drop action. Inspect cannot be applied on class class-default.
source: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
Greetings from Serbia :)
ahmed from Saudi Arabia -
Aug 10 2012, 2:52 PM
Hi Neil, thanks for your great job, could you please send me the latest version at a.samir.1010@gmail.com, I'm going to take my exam 14 Aug
thanks,
ksiva55 from Unknown -
Aug 10 2012, 2:19 PM
Hi Friends,
Passed today with 860 dump still valid...
CiscoKid from South Africa -
Aug 10 2012, 9:16 AM
Thanks Neil. I am writing this on the 14th, so I am really looking forward to getting my hands on your "Cisco.ActualTests.642-637.v2012-08-09.by.dd.129q.vce" as I cannot see it up here yet. Please mail me a copy at danie.swart@gmail.com.
Thanks for your great work man.
neil from United Kingdom -
Aug 09 2012, 10:40 PM
Hi Guys, I uploaded the latest release of actual tests. Wish you all success..!!
nubie from Indonesia -
Aug 08 2012, 7:01 AM
pass today, thx to all in this forum
muhha from Bosnia and Herzegovina -
Aug 07 2012, 2:11 PM
Hi All,
I passed the exam yesterday. There were about 10 new Drag & Drop questions, but they are similar to those in Neil's dump. Thanks to all of you for your contribution!
@nubie this is how I answered this Drag & Drop question yesterday, I hope this is helpful. I would suggest going through the Cisco Press book, you have all the explanations there.
- MAB
- this method is used when clients don't support the 802.1x supplicant but need to be authenticated to an 802.1x network
- Restricted VLAN
- this solution is used when users fail authentication and have an 802.1x-compliant device
- Guest VLAN
- this method offers limited access for users without an 802.1x client. By default, it takes 90 seconds for the machine to get assigned to this specific VLAN
- WEB auth
- Clients that use this method can be reauthenticated. If reauthentication fails, then the switch can assign the port to the guest VLAN if it's not configured
serji from Unknown -
Aug 07 2012, 2:11 PM
Hi, nubie, I believe the answers are as follows:
MAB - this method is used when clients don't support the 802.1x supplicant but need to be authenticated to an 802.1x network
Restricted VLAN - this solution is used when users fail authentication and have an 802.1x-compliant device
Guest VLAN - this method offers limited access for users without an 802.1x client. By default, it takes 90 seconds for the machine to get assigned to this specific VLAN
WEB auth - Clients that use this method can be reauthenticated. If reauthentication fails, then the switch can assign the port to the guest VLAN if it's not configured
nubie from Indonesia -
Aug 06 2012, 8:44 AM
Can anyone help me to answer this drag and drop question?? I really appreciate your help guys, thx
- Guest VLAN
- Restricted VLAN
- MAB
- WEB auth
——————————
- this method is used when clients don't support the 802.1x supplicant but need to be authenticated to an 802.1x network
- this solution is used when users fail authentication and have an 802.1x-compliant device
- this method offers limited access for users without an 802.1x client. By default, it takes 90 seconds for the machine to get assigned to this specific VLAN
- Clients that use this method can be reauthenticated. If reauthentication fails, then the switch can assign the port to the guest VLAN if it's not configured
Mohammed from Yemen -
Aug 02 2012, 1:30 PM
passed today 898, still valid. thanks
Emma from United States -
Aug 01 2012, 12:03 AM
I managed to pass today. My score was 827. Guys, not sure why the command #inspect is not accepted after issuing # class type inspect HTTP_POLICY
Please can anyone tell me why?
I also tried
Class Class-default as Muhha suggested, not accepted either. I think I got 78% on the Lab though.
Thanks to you guys....all the way to CCIE
Luigi Gagarin from Brazil -
Jul 30 2012, 4:23 PM
PASSED!!!!!!!
Score 837 points. This exam is very stressful. A lot of new D&D and a few new questions. The questions have an inverse order but with Neil's content you will pass!! Make sure that you will answer all 122 Neil questions because you will fail.
The lab is the same and the Simlet is the same.
A special thanks to Neil for your corrections and a kick on ass to Actualtests that offer a dump with a lot of wrong questions
gerard from Unknown -
Jul 28 2012, 12:49 PM
This dump is still valid, thks to Neil. The most stressful exam I wrote. 3 new questions and 10 new drag n drop in the exam. Take into consideration everybody's comments below, it will help. Thks to all
Loopback from Germany -
Jul 26 2012, 2:16 PM
I have done the exam and Neil's dump is still valid.
I received 890 points and there were 9 additional questions in my test.
Some of the questions have the sequence or wording of the answers changed, but the sense is the same.
I have received 70 questions as well.
If you do your preparation well those 9 questions will not be an issue…
Almost all of them are mentioned by colleagues before, like the reason to err-disable or EAP types and how they work..
Pay attention to this information here, below,
do your preparation well and everything will be ok.
Thanks to everybody again for your help and particularly to Neil.
Major Tom from United Kingdom -
Jul 25 2012, 8:39 PM
In the real exam's lab it's being requested for dropping all the traffic that left and doesn't match HTTP. Perhaps Neil's figures are still accurate, but muhha's comments make sense for me. Anyhow I am over to VPN now :)
Mr.Security from United States -
Jul 25 2012, 3:16 PM
I would configure the SIM exactly as they ask for. There's nothing in the objects about configure "default class". It's your test so do whatever you like.
The SIM is always the same and if you look back to Neil's dump there is a 989 score using the same configuration for the SIM. Just my two cents. Good luck!
Major Tom from United States -
Jul 25 2012, 10:38 AM
Guys, the sim was the same as in dump: creation of the zone-based firewall. Not sure if I made it correctly. Watch out the policy-map creation, don't confuse "match-any" and "match-all". I guess I screwed it up there. Also please notice the muhha's post for the default class - it sounds he is right.
For about "?" mark - I believe it worked for me.
Anyhow, even though I ruined the lab (assumption) and possibly a few new drag-n-drop questions, I still passed with 847. The passing score was 774 which is pretty relaxing and the number of questions was 70. Just make sure you've done everything else correctly besides the sim.
gerard from Benin -
Jul 25 2012, 8:19 AM
Major Tom, can you tell us about the sim you did on your exam? I'll be writing this Friday, need your feedback pls
NUK from United Kingdom -
Jul 24 2012, 9:41 PM
Major Tom, what sim did you get in the exam? Is it possible to use the ? after typing part of a relevant command?
Major Tom from United Kingdom -
Jul 24 2012, 6:50 PM
The dump is valid. Passed today with 847 score. It was stressing. Loads of drag-n-drops plus some new questions as suggested below. Most of the answers in the questions are shuffled! Watch what you click!
muhha from Bosnia and Herzegovina -
Jul 23 2012, 5:48 PM
Hi All,
I need help with one of the LABs from Neil's dump and I am thinking that Neil missed the class class-default command in his configuration. In the LAB it was requested to match HTTP and drop all other traffic... Can you please review my configuration, it's down below. Thanks a lot!!!
LAB:
Note that when performing the configuration, you should use the exact names highlighted in bold below:
- Globally create zones and label them with the following names:
– OUTSIDE
– INSIDE
- Assign interfaces to zones as indicated in the exhibit
- Create a zone pair for traffic flowing from the inside to outside zones named IN-TO-OUT
- Define a zone-based firewall policy named IN-TO-OUT-POLICY
– Use the “match protocol” classification option to statefully inspect HTTP traffic and drop all other traffic
– Use a class-map named HTTP_POLICY
- Apply zone-based firewall policy IN-TO-OUT-POLICY to the zone pair
! Globally created zones
zone security OUTSIDE
exit
zone security INSIDE
exit
! Assigning zones to the interfaces
int fa0/0/0
no shut
zone-member security OUTSIDE
exit
int fa0/0/1
no shut
zone-member security INSIDE
exit
! Created policy
class-map type inspect match-any HTTP_POLICY
match protocol http
exit
policy-map type inspect IN-TO-OUT-POLICY
class type inspect HTTP_POLICY
inspect
! This is what I added
class class-default
drop
exit
! Created zone pair, applied policy.
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect IN-TO-OUT-POLICY
end
copy run start
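The class-default question debated in this thread (the Cisco tech note sashans quotes and muhha's lab configuration), as an added example that is not part of any poster's message or of the dump: a small Python audit that resolves the effective class-default action of each inspect policy-map. The sample configurations are constructed from the lab task on this page, and the parser only understands the commands used there.

```python
import re

# Action of the implicit class-default in an inspect policy-map, as stated in
# the Cisco tech note quoted in this thread.
IMPLICIT_DEFAULT = "drop"

def parse_inspect_policies(config):
    """Return {policy_name: [[class_name, action_line_or_None], ...]}."""
    policies, classes, current = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line == "exit":
            continue
        m = re.match(r"policy-map type inspect (\S+)$", line)
        if m:
            classes, current = policies.setdefault(m.group(1), []), None
            continue
        if classes is None:
            continue  # outside any inspect policy-map
        m = re.match(r"class (?:type inspect )?(\S+)$", line)
        if m:
            current = [m.group(1), None]
            classes.append(current)
        elif current is not None and re.match(r"(inspect|drop|pass)\b", line):
            current[1] = line
        else:
            classes, current = None, None  # simplification: any other command ends the block
    return policies

def effective_rules(classes):
    """Resolve class-default: the explicit action if configured, else the implicit drop."""
    rules, default, explicit = [], IMPLICIT_DEFAULT, False
    for name, action in classes:
        if name == "class-default":
            explicit, default = True, action or IMPLICIT_DEFAULT
        else:
            rules.append((name, action))
    return rules + [("class-default", default)], explicit

def audit(config):
    """Return {policy: {"rules": [...], "explicit_default": bool, "findings": [...]}}."""
    report = {}
    for name, classes in parse_inspect_policies(config).items():
        rules, explicit = effective_rules(classes)
        default_action = rules[-1][1].split()[0]
        findings = []
        if default_action == "pass":
            findings.append("class-default passes unmatched traffic without inspection")
        elif default_action == "inspect":
            findings.append("inspect cannot be applied on class-default")
        report[name] = {"rules": rules, "explicit_default": explicit, "findings": findings}
    return report

# Constructed sample: the lab policy with no class-default configured.
LAB_IMPLICIT = """
class-map type inspect match-any HTTP_POLICY
 match protocol http
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect HTTP_POLICY
  inspect
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT-POLICY
"""

# Constructed sample: the same policy with the explicit drop from muhha's post.
LAB_EXPLICIT_DROP = LAB_IMPLICIT.replace(
    "  inspect\n", "  inspect\n class class-default\n  drop\n")

# Constructed sample: the weak variant, class-default changed to pass.
LAB_DEFAULT_PASS = LAB_IMPLICIT.replace(
    "  inspect\n", "  inspect\n class class-default\n  pass\n")

if __name__ == "__main__":
    for label, cfg in (("implicit", LAB_IMPLICIT),
                       ("explicit drop", LAB_EXPLICIT_DROP),
                       ("default pass", LAB_DEFAULT_PASS)):
        for policy, result in audit(cfg).items():
            print(label, policy, result["rules"], result["findings"])
```

The first two samples resolve to the same rule list, which is the point sashans makes from the tech note; only the third produces a finding.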
vhv from Vietnam -
Jul 23 2012, 9:24 AM
This dump is valid. I passed with 857/1000 points. This exam has 8-9 new questions. Some new questions are the same as in Alexis's post.
Major Tom from United Kingdom -
Jul 21 2012, 3:39 PM
Derly_Ali, I believe everyone here would appreciate if you could mention those 4 questions with different values... Cheers mate.
NetworkSupaStar from United States -
Jul 21 2012, 12:24 PM
Are there any sites similar to networktut for ccnp tshoot for Security ? Any help sites or downloadable labs for CCNP Security track ?
Security from India -
Jul 21 2012, 2:57 AM
@derly_ali : Congrats..... so do u remember those 4 questons ?
n abt d 8 questions, hav u chckd wid the othr dump [muhha], was der ny question frm tat......
n were those 8 question D&D or MCQ
Plzzz reply, I'll be writing xam within few days........
n abt d labs, was it same as in this dump.....
nywy congrats once again 4 passing d xam n thnx in advance.......
derly_ali from Mexico -
Jul 20 2012, 8:14 PM
Very stressed but i pass with a 878 score; 8 different questions and 4 of the dump with another values.
Need a beer...
BananaRepublic from United States -
Jul 20 2012, 1:25 PM
Certainly the longest certification exam ever taken. Dump is valid for the most part
Alexis from Europe -
Jul 19 2012, 1:18 PM
I don't think neither autocomplete nor the question mark were supported (usually they are not), however thanks to Neil I didn't feel this time the need to use them ;-)
Loopback from Germany -
Jul 19 2012, 11:27 AM
@Alexis:
Thank you for your feedback.
Just one other question regarding the exam.
Does autocomplete work on the CLI of the simlet in the exam or not?
Is the question mark supported on the CLI of the simlet during the exam?
Thank you!
Alexis from Europe -
Jul 19 2012, 11:00 AM
Hi @Loopback, you are right. According to Cisco all these are possible causes for a port to go err-disabled
Duplex mismatch
Port channel misconfiguration
BPDU guard violation
UniDirectional Link Detection (UDLD) condition
Late-collision detection
Link-flap detection
Security violation
Port Aggregation Protocol (PAgP) flap
Layer 2 Tunneling Protocol (L2TP) guard
DHCP snooping rate-limit
Incorrect GBIC / Small Form-Factor Pluggable (SFP) module or cable
Address Resolution Protocol (ARP) inspection
Inline power
So it may be the specific wording, maybe of the "inline" thing.
BTW, there was one more question I just remembered, it was to match most of these EAP types to its definitions and/or some particular feature of each
■ EAP-MD5
■ PEAPv0-MSCHAPv2
■ LEAP
■ EAP-TLS
■ EAP-TTLS
■ EAP-FAST
Sorry gents. My memory just goes this far :-)
Loopback from Germany -
Jul 19 2012, 10:24 AM
@Alexis:
regarding this question posted:
Which of the following causes a port to go into error disabled status?
BPDU guard violation
inline power disabled, device req pow
speed mismatch
dhcp snooping rate limit
port channel misconf
as far as I see, all of them are the possible reasons for err-disable state, or?
Alexis from Europe -
Jul 19 2012, 7:17 AM
Hi Mr Security, I'd say most of them are in Neil's dump, as for the new ones I have transcribed below some of them as far as I can recall them. There were a couple more about policy based NAT and dhcp snooping.
God bless you all && thanks very much again, Neil
____
Which of the following causes a port to go into error disabled status?
BPDU guard violation
inline power disabled, device req pow
speed mismatch
dhcp snooping rate limit
port channel misconf
_____
Which of the following belong to the data plane?
traffic filtering
transport protection
traffic conditioning
protection against attacks
RBAC
routing protocol authentication
_____
Match (not all needed)
1.- when this expires, the net id is no longer valid
2.- this needs to be the same for all mgre tunnels in the network
3.- this is used for NBMA networks
4.- this is used by DMVPN tunnel hubs and spokes to authenticate themselves
A.- tunnel key
B.- nhrp hold time
C.- nhrp nhs
D.- nhrp registration
E.- nhrp net id
F.- nhrp authentication string
______
who uses PHDF?
Multiple options, one was FPM, which I think was the right one
______
Match 802.1x port states definitions
1.- Forced-Authorized
2.- Forced-Unauthorized
3.- Auto
A.- In this state, 802.1x is disabled on the port. All traffic is allowed as normal without restriction. This is the default port state when 802.1x is not globally enabled.
B.- In this mode, the port begins in the unauthorized state and allows only EAPOL, CDP, and STP traffic. After the supplicant is authenticated, the port transitions to the authorized state and normal traffic is allowed.
C.- In this state, the port ignores all traffic, including any attempts to authenticate.
Mr Security from India -
Jul 18 2012, 4:41 AM
@Alexis : thnx 4 d information.
n abt the D&D questions, were all of them new or also frm the dumps ?
Alexis from Spain -
Jul 17 2012, 9:34 PM
Hi Mr Security, both sim and lab were the same, however the output of the "shows" in the GDOI thing is rather different than that of Neil's (I think he mentions this anyway). In any case I went with Neil's and I passed. So, like the other Mr. Security wrote "Just study this guide well and practice the sim and lab many many times"
Again, thanks Neil && Good Luck to everybody.
dragito from United States -
Jul 17 2012, 6:00 PM
Part 3:
5. When configuring URL filtering with the Trend Micro filtering service. Which of these steps must you take to prepare for configuration?
a. Define blacklists and whitelists
b. Categorize traffic types
c. Synchronize clocks via NTP to ensure accuracy of URL filter updates from the service
d. Install the appropriate root CA certificate on the router
Answer on Chips = D
Answer on Neil = B
6. Which of these is correct regarding the functionality of DVTI tunnels?
a. DVTI tunnels are created dynamically from a preconfigured template as tunnels are established to the hub
b. DVTI tunnels appear on the hub as tunnel interfaces
c. The hub router needs a static DVTI tunnel to each spoke router in order to establish remote communications from spoke to spoke
d. Spoke router require a virtual template to clone the configuration on which the DVTI tunnel is established
Answer on Chips = D
Answer on Neil = A
7. When implementing GET VPN, which of these is a characteristic of GDOI IKE?
a. GDOI IKE sessions are established between all peers in the network
b. GDOI IKE uses UDP port 500
c. Security associations do not need to linger between members once a group member has authenticated to the key server and obtained the group policy
d. Each pair of peers has a private set of IPsec security associations that is only shared between the two peers
Answer on Chips = D
Answer on Neil = C
dragito from United States -
Jul 17 2012, 5:58 PM
Part 2:
3. Refer to the exhibit. Given the output shown, what can be determined?
%SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Fa1/1, vlan 200. ([0001.ba21.321c/192.168.1.10/0000.0000.0000/192.168.1.20/12:32:18 UTC Mon Sep 20 2010])
a. An attacker has sent a spoofed DHCP address.
b. An attacker has sent a spoofed ARP response that violates a static mapping.
c. The MAC address has matched a deny rule within the ACL.
d. This is an invalid proxy ARP packet, as indicated by the 0000.0000.0000 MAC address on the destination
Answer on Chips = C. The MAC address has matched a deny rule within the ACL.
Answer on Neil = B. An attacker has sent a spoofed ARP response that violates a static mapping.
4. You have configured Management Plane Protection on an interface on a Cisco router. What is the resulting action on implementing MPP?
a. Inspection of protected management interfaces is automatically configured to ensure that management protocols comply with standards.
b. The router gives preference to the configured management interface. If that interface becomes unavailable, management protocols will be allowed on alternate interfaces.
c. Along with normal user data traffic, management traffic is also allowed only on the protected interface.
d. Only management protocols are allowed on the protected interface.
Answer on Chips = C. Along with normal user data traffic, management traffic is also allowed only on the protected interface.
Answer on Neil = D. Only management protocols are allowed on the protected interface.
dragito from United States -
Jul 17 2012, 5:57 PM
Need your feedback on these questions on Neil and Chips Dump:
1. Refer to the exhibit. The INSIDE zone has been configured and assigned to two separate router interfaces. All other zones and interfaces have been properly configured. Given the configuration example shown, what can be determined.
a. Hosts in the INSIDE zone, with addresses in the 10.10.10.0/24 network, can access any host in the 10.10.10.0/24 network using the SSH protocol.
b. If a host in the INSIDE zone attempts to communicate via SSH with another host on a different interface within the INSIDE zone, communications must pass through the router self zone using the INTRAZONE policy.
c. This is an illegal configuration. You cannot have the same source and destination zones.
d. This policy configuration is not needed, traffic within the same zone is allowed to pass by default.
Answer on Chips = C. This is an illegal configuration. You cannot have the same source and destination zones.
Answer on Neil = B. If a host in the INSIDE zone attempts to communicate via SSH with another host on a different interface within the INSIDE zone, communications must pass through the router self zone using the INTRAZONE policy.
2. When using Cisco Easy VPN, what are the three options for entering an XAUTH username and password for establishing a VPN connection from the Cisco Easy VPN remote router? (Choose three.)
a. using an external AAA server
b. entering the information via the router crypto ipsec client ezvpn connect CLI command in privileged EXEC mode
c. using the router local user database
d. entering the information from the PC via a browser
e. storing the XAUTH credentials in the router configuration file
Answer on Chips = B,C,E
Answer on Neil = B,D,E
Mr Security from India -
Jul 17 2012, 1:26 PM
@Alexis : Was the lab and simlet same as in the dump ?
Plz tell me bcoz i'll be taking xam nxt week.
Is this dump still valid ?
Alexis from Europe -
Jul 16 2012, 8:48 AM
Hi all, just passed with 840, thanks Neil and everybody here for your great input.
BTW, bought Pass4Sure and flunked first attempt with 750, as of today Pass4sure and Actualtest have the same 122qs, plus quite a few wrong answers and none of the new questions mentioned here... Rely on Neil's.
Gibran from United States -
Jul 13 2012, 1:05 PM
Just passed the 642-637 with score 847. Dump is still valid, a few new D&D questions. Study 802.1x, DHCP snooping, Control Plane. I missed probably 4 D&D questions. Also on the simlet, do not memorize the question order from the dump, they're switched around on the exam. Study the dump and guide, and passing will be a breeze
Neo4c from South Africa -
Jul 12 2012, 11:10 AM
Passed, now for the last one. neil's dumps is still valid. Had a few new questions. Good luck to all. Definitely the most difficult one of all ! Study hard.
Neo4c from South Africa -
Jul 12 2012, 7:13 AM
I am going to write 642-637 today !
Randeep from India -
Jul 09 2012, 12:24 PM
Thanks to all.
Passed the exam today with 880, Neil's 122qs dump is still valid with 7-8 new questions. As discussed, all the new questions are from
1. control plane and data plane functionality for switch and router
2. Eap types and their working
3. 802.1X port status and design strategy (auto, force-authorized, host multi-domain etc.)
4. DHCP snooping design plan
5. NHRP client and server (NHS, NHRP network ID, registration spoke, NBMA etc.)
6. How an interface changes to error-disable
If you cover these 6 topics along with 122qs dump you can surely get more than 950 in this exam.
Randeep from India -
Jul 09 2012, 12:19 PM
Thanks Mr.Security :-)
Mr.Security from United States -
Jul 07 2012, 10:58 PM
Just study this guide well and practice the sim and lab many many times. You'll still pass if you miss all new drag/drop questions. Honestly I believe I missed all of them. HAHAHAHA.
Randeep from India -
Jul 07 2012, 4:02 AM
@Mr Security,
Any suggestions for the exam? I am going to attend the exam on Monday (9th July).
Mr.Security from United States -
Jul 06 2012, 10:19 PM
I passed last week with a 8XX. Don't think I got any of the new drag/drop questions right but still passed with 8XX. This guide is still valid.
kidwitgame from Kenya -
Jul 05 2012, 9:22 AM
There is a question somewhere in the dump that asks what transport GET VPN peers use to exchange keys. The answer given in the dump is:
a)Unicast UDP transmission
b)Multicast UDP transmission
However, when reading through the e-book, i came across the following:
Unicast Versus Multicast Rekeying Methods
Unicast
-Might require adjustment of router buffers and queues
if there are a large number of peers
-Use if infrastructure is only unicast capable
*Requires rekey acknowledgment
Multicast
-Must have multicast-capable infrastructure
-Requires rekey acknowledgment Retransmits the key several times
without acknowledgments
-Fastest and most scalable method
The fact that Unicast key transmission requires acknowledgement means that TCP must be the preferred protocol used for Unicast transmission of keys. Somebody correct me if I am wrong
Randeep from India -
Jul 05 2012, 8:06 AM
Please help me to answer the question.
1.You are troubleshooting an IPsec VPN problem. During debugging of IPsec operations, you see the message “attributes not acceptable” on the IKE responder after issuing the debug crypto isakmp command. Which step should you take next?
A. verify matching ISAKMP policies on each peer
B. verify that an IKE security association has been established between peers
C. verify that IPsec transform sets match on each peer
D. verify if default IPsec attributes are in place on each peer
2. virtual-access1 unassigned yes unset down down
virtual-access2 192.168.1.1 yes unset up up
When you are using dynamic IPsec VTI tunnels, what can you determine about virtual-access interfaces from the output shown?
A.The Virtual-Access1 interface currently does not have an IPsec peer connection established.
B.The Virtual-Access2 interface does not yet have an IPsec peer defined.
C.The Virtual-Access1 interface is in the down/down state, because the virtual tunnel source physical interface is down.
D.The Virtual-Access1 interface, which is used internally by the Cisco IOS software, is always down.
Randeep from India -
Jul 05 2012, 6:08 AM
Thanks shahrian.
I'm planning to take the exam by 7th July. If you guys have any updated dumps, please share it or mail me @ Zeusrandeep@gmail.com
naksi from United States -
Jul 04 2012, 1:13 PM
@Ahmed
There is no way around studying, if you study hard you should have a chance...
1. skim the book (only read pages you don't understand by skimming)
2. watch the CBT nuggets and replicate the labs to get the commands in your head
3. take some practise tests like this one, and more than once
Ahmed from Saudi Arabia -
Jul 03 2012, 1:46 PM
Hi all,
I have to take the exam at the end of this month but I didn't start studying yet. I have the Cisco Press book but it is very big and my time is limited because of work.
Can anyone advise what to do?
thanks
shahrian from Denmark -
Jul 03 2012, 9:04 AM
@ Randeep
checking the correct timing is being used is the most accurate, when dealing with CA on cisco routers you should use NTP or hardware clock
if the IOS can't find any NTP the server will not start then you should use hardware clock instead ie: Router# clock set hh:mm:ss day month year
& if you already correctly configured Ca server it should be enabled automatically.
ahmed elfeki from Egypt -
Jul 02 2012, 8:49 PM
I have passed the exam 4 days ago but there were about 15 new questions and they are all in the drag and drop
Randeep from India -
Jul 02 2012, 4:12 PM
Please help me to answer the question
You have configured a Cisco router to act a PKI certificate server. However, you are experiencing problems starting the server. You have verified that all CA parameters have been correctly configured. What is the next step you should take in troubleshooting this problem?
A. Disable and restart the router’s HTTP server function
B. Verify the RSA key pair and generate new keys
C. Verify that correct time is being used and source are reachable
D. Enable the SCEP interface
Ran_Rising from India -
Jun 29 2012, 11:05 AM
Please let me know the correct answer of this question.
1.Refer to the exhibit. The INSIDE zone has been configured and assigned to two separate router interfaces. All other zones and interfaces have been properly configured. Given the configuration example shown, what can be determined.
A.
Hosts in the INSIDE zone, with addresses in the 10.10.10.0/24 network, can access any host in the 10.10.10.0/24 network using the SSH protocol.
B.
If a host in the INSIDE zone attempts to communicate via SSH with another host on a different interface within the INSIDE zone, communications must pass through the router self zone using the INTRAZONE policy.
C.
This is an illegal configuration. You cannot have the same source and destination zones.
D.
This policy configuration is not needed, traffic within the same zone is allowed to pass by default.
sandrine from Indian from India -
Jun 28 2012, 2:53 PM
This is valid. I passed my exam yesterday and 13 or 15 new questions... thx
donkey from United Kingdom -
Jun 26 2012, 7:59 PM
Hi Guys, can anyone remember new questions?? Planning to take exam..
Crazy from India -
Jun 25 2012, 11:31 AM
Can anyone elaborate what is DHCP snooping design plan ?
bfreeze from Switzerland -
Jun 24 2012, 12:30 PM
Just passed, I got totally about 10/12 new questions and drag and drop, some questions were changed a bit, I remember that D&D about dmvpn and nhrp was... confused, anyway I scored over 950.
Thanks to all
cheers
bfreeze
Nageeb Elsousy from Unknown -
Jun 24 2012, 11:55 AM
I Passed with 898 , i got around 10 new questions as everybody said.
and they are the same
1. control plane and data plane functionality for switch and router
2. Eap types and their working
3. 802.1X port status and design strategy (auto, force-authorized, host multi-domain etc.)
4. DHCP snooping design plan
5. NHRP client and server (NHS, NHRP network ID, registration spoke, NBMA etc.)
6.drag and drop - when the interface changes to error-disable
thanks for your contributions
Nageeb Elsousy from Unknown -
Jun 24 2012, 7:54 AM
i'm going for the exam in an hour and i'll tell you once i finish :S
Gibran from United States -
Jun 21 2012, 3:29 PM
Can someone tell me how many sims are on the exam?? I'm scheduled to take it next month..Thanks
shoneo from Serbia -
Jun 21 2012, 10:47 AM
To Mr.Security
I think that most important chapters (for new questions) which you need to read from book are:
- Control plane and data plane functionality for switch and router
- Eap types and their working
- 802.1X port status and design strategy
- DHCP snooping design plan
I've got 857 points and I wasn't sure that I've got correct answers for 5 new questions (mostly drag&drop). Minimum for passing is 776.
I hope It will help you.
Mr.Security from United States -
Jun 21 2012, 12:56 AM
To Shoneo,
What did you score and what chapters did you focus reading on? I'm thinking about taking this in a few weeks. Thanks!
shoneo from Serbia -
Jun 19 2012, 10:57 AM
Yesterday I have passed the exam. This dump is still valid with 7-8 new questions.
##################
@Badorka directed at right target about new questions:
1. control plane and data plane functionality for switch and router
2. Eap types and their working
3. 802.1X port status and design strategy (auto, force-authorized, host multi-domain etc.)
4. DHCP snooping design plan
5. NHRP client and server (NHS, NHRP network ID, registration spoke, NBMA etc.)
6.drag and drop - when the interface changes to error-disable
Drag and drop with 802.1x, nhrp and dhcp snooping and how working types of eap. We must attention and read exactly a question.
##################
Tnx to @Mr.Security for answer.
Mario from Germany -
Jun 19 2012, 10:27 AM
There are about 10 new questions(most of them d&d), dhcp starvation, dhcp snooping, a few about eap and dot1x but with this dump you will pass anyway. Passed today 06.19.2012
Mr.Security from United States -
Jun 19 2012, 1:02 AM
To shoneo:
The answer to this question is easy. If you read the question carefully, it stated "You have verified that all CA parameters have been correctly configured".
For CA to work you have to enable SCEP interface and since the configurations have been confirmed correct, you don't need to enable SCEP interface again. Make sense?
Second the question asked for troubleshooting steps so the best answer is:
Verify that correct time is being used and source are reachable.
Daemain guide is correct for this question. I hope this helps.
Mariam from United Kingdom -
Jun 13 2012, 11:22 AM
Thanks Guys,
today i have passed the exam. this dump is valid
mnone from Unknown -
Jun 11 2012, 6:23 PM
can you please know. if it possible to write exam without lab
badorka from Poland -
Jun 11 2012, 1:09 PM
I passed my exam today (11.06.2012). We must study the topics below:
1. control plane and data plane functionality for switch and router
2. Eap types and their working
3. 802.1X port status and design strategy (auto, force-authorized, host multi-domain etc.)
4. DHCP snooping design plan
5. NHRP client and server (NHS, NHRP network ID, registration spoke, NBMA etc.)
6.drag and drop - when the interface changes to error-disable
I have a question drag and drop with 802.1x, nhrp and dhcp snooping and how working types of eap. We must attention and read exactly a question.
shoneo from Serbia -
Jun 11 2012, 8:50 AM
What is the correct answer for this question?
You have configured a Cisco router to act as a PKI certificate server. However, you are experiencing problems starting the server. You have verified that all CA parameters have been correctly configured. What is the next step you should take in troubleshooting this problem?
Enable the SCEP interface or Verify that correct time is being used and source are reachable?
Troubleshooting Flow
In the event of problems with the Cisco IOS Software PKI Client not enrolling, follow these steps to troubleshoot the issue:
Step 1. Verify the reachability between the PKI client and the CA server using standard connectivity testing methods. Also, ensure that the SCEP server is functioning by running the debug crypto pki transactions command.
Step 2. Verify that the time on the PKI client is set properly. Incorrect time can cause devices to reject certificates.
Willy from Unknown -
Jun 10 2012, 8:40 PM
Just passed with nearly a 900, still valid. There were about 5 new questions on my exam (some dotx and eap questions).
gerard from Germany -
Jun 10 2012, 7:55 PM
Hello guys, is there anyone who can help with the exam 642-637 lab? I'm getting ready to write it at the end of this month. My address: ageruid@gmail.com
nico from United States -
Jun 09 2012, 4:39 PM
@bfreeze thank you very much for your little advice. I want to encourage you guys to read everything in this dump, especially your lab, word for word and configure your lab to work; you will definitely pass with a range of 850-870 if your configuration works with the lab. Thanks Neil for your dump.
Ayman from Egypt -
Jun 06 2012, 11:01 PM
Dears, I got a score of 827, and as I told you before, the new drag and drop questions were related to Dot1X authentication and transmitting protocols PEAP and EAP.
Muhammad Iqbal Afridi from United Kingdom -
Jun 06 2012, 4:21 AM
Can anybody upload those 8 to 10 new questions please? I am going to sit the exam at the end of this month.
unknown from United States -
Jun 05 2012, 9:57 PM
All questions the same as in the dump but 8-10 new drag and drop questions. I passed today, so the dump is still valid.
@Ayman
Can you pls give some details about the new Drag and Drop questions
mmm from Macedonia -
Jun 05 2012, 12:03 AM
Hi guys,
Is there any update on this document, since many of you mentioned that there are new questions? I planned to take the exam this week but will probably cancel it for now.
10 new questions are too many, I think. Please update it if possible.
Thanks in advance,
cisco from Egypt -
Jun 04 2012, 9:38 PM
Hi Ayman, could you please tell me what score you got?
Ayman from Egypt -
Jun 04 2012, 8:58 PM
Dears, I passed today. The dump is mostly valid but there are about 8 new drag and drop questions related to DOT1X authentication and DTVPN.
John from United States -
Jun 04 2012, 1:36 PM
Hi zoro, thank you very much for the CBT Nugget, works great! Awesome! :-)
bfreeze from Italy -
Jun 02 2012, 6:11 PM
Sorry, I misunderstood :( (:
but if you typed
R1>en
R1#conf t
R1(config)#zone security inside
seems you did alright ......
nico from United States -
Jun 02 2012, 5:24 PM
@bfreeze that is what I got from the examination center. I have failed twice because the console is not working for me.
bfreeze from Italy -
Jun 02 2012, 5:09 PM
@nico
Seems your IOS doesn't support ZBPF... What are you using?
nico from United States -
Jun 02 2012, 3:57 PM
Can somebody explain to me how to configure the lab? I open the console and it gave R1>, then I try to write R1>Router(config)# zone security INSIDE, but it says unknown command. Can somebody who has passed it explain it to me, so that when I go back to write I will be able to pass?
Emma from United States -
Jun 02 2012, 12:47 AM
Zoro, can you help me too with CBT Nuggets? This is my last paper for CCNP Sec. mknmkn08@gmail.com... Thanks man
zoro from Netherlands -
Jun 02 2012, 12:38 AM
Copy & paste the link. The link will expire on 16 June. Hope it helps.
zoro from Netherlands -
Jun 02 2012, 12:36 AM
Got it from torrent but the link is not working any more. I use https://www.wetransfer.com/ to transfer large files. Try this
https://www.wetransfer.com/dl/o1I0yDon/95930dbab10d2b908a0df9b1b91ae7bbe5a82946e3dd49f506f16fa87ec66849f3c8fe8d3b35ca0
jose carlos from Peru -
Jun 01 2012, 4:53 PM
@zoro can you share links to CBT Nuggets that we can use for CCNP Security (SECURE, FIREWALL, etc.)? Or since firewall and VPN have changed, are there no CBTs available? Thanks!
zoro from Netherlands -
May 31 2012, 9:09 AM
Your mail please, I will send you the SECURE nugget.
boloc from United Kingdom -
May 29 2012, 9:49 PM
Hi, I was just looking for CBT Nuggets for SECURE - does anyone have a link?
Cheers,
nubie from Indonesia -
May 29 2012, 6:17 AM
Dear all, is there anyone who can update and share the new D&D questions? Thanks.
Sam from Germany -
May 29 2012, 4:25 AM
Hi,
I passed my exam yesterday, a few new questions but the dump from Neil is still valid. Questions I can remember are DHCP snooping implementation, there was a drag and drop on EAP types, another one for reasons for error disable.
Dragan from Macedonia -
May 28 2012, 6:29 PM
Passed today with 817. A lot of new drag & drop from 802.1X and the order of all answers is mixed up, so you need to learn the correct answers very well.
Mariam from United Kingdom -
May 28 2012, 11:09 AM
I have just attempted and failed with 685, most of the questions were from there, but I didn't prepare myself enough... I think it is all my mistake...
I passed the exam yesterday. There were about 10 new Drag & Drop but those questions are similar to those in Neil's dump. Thanks to all of you for your contribution!
@nubie this is how I answered this Drag & Drop question yesterday. I hope this is helpful. I would suggest going through the Cisco Press book; you have all the explanations there.
- MAB
-this method is used when clients don't support the 802.1x supplicant but need to be authenticated to an 802.1x network
- Restricted VLAN
-this solution is used when users fail authentication and have an 802.1x-compliant device
- Guest VLAN
-this method offers limited access for users without an 802.1x client. By default, it takes 90 seconds for the machine to get assigned to this specific VLAN
- WEB auth
-Clients that use this method can be reauthenticated. If reauthentication fails, then the switch can assign the port to the guest VLAN if it's not configured
MAB -this method is used when clients don't support the 802.1x supplicant but need to be authenticated to an 802.1x network
Restricted VLAN -this solution is used when users fail authentication and have an 802.1x-compliant device
Guest VLAN -this method offers limited access for users without an 802.1x client. By default, it takes 90 seconds for the machine to get assigned to this specific VLAN
WEB auth -Clients that use this method can be reauthenticated. If reauthentication fails, then the switch can assign the port to the guest VLAN if it's not configured
-Guest VLAN
-Restricted VLAN
-MAB
-WEB auth
——————————
-this method is used when clients don't support the 802.1x supplicant but need to be authenticated to an 802.1x network
-this solution is used when users fail authentication and have an 802.1x-compliant device
-this method offers limited access for users without an 802.1x client. By default, it takes 90 seconds for the machine to get assigned to this specific VLAN
-Clients that use this method can be reauthenticated. If reauthentication fails, then the switch can assign the port to the guest VLAN if it's not configured
Pls can any one tell me why
I also tried
Class Class-default as Muhha suggested not accepted too. I think i got 78% on the Lab though.
Thanks to you guys....all the way to CCIE
Score 837 points. This exam is very stressful. A lot of new D&D and a few new questions. The questions have an inverse order but with Neil's content you will pass!! Make sure that you answer all 122 Neil questions because otherwise you will fail.
The lab is the same and the Simlet is the same.
A special thanks to Neil for your corrections and a kick in the ass to Actualtests, which offers a dump with a lot of wrong questions.
I received 890 points and there were 9 additional questions in my test.
Some of the questions have the sequence or wording of the answers changed, but the sense is the same.
I received 70 questions as well.
If you do your preparation well those 9 questions will not be an issue…
Almost all of them were mentioned by colleagues before, like the reasons for err-disable or EAP types and how they work.
Pay attention to the information here, below,
do your preparation well and everything will be OK.
Thanks to everybody again for your help, and particularly to Neil.
The SIM is always the same and if you look back to Neil's dump there is a 989 score using the same configuration for the SIM. Just my two cents. Good luck!
As for the "?" mark - I believe it worked for me.
Anyhow, even though I ruined the lab (assumption) and possibly a few new drag-n-drop questions, I still passed with 847. The passing score was 774, which is pretty relaxing, and the number of questions was 70. Just make sure you've done everything else correctly besides the sim.
I need help with one of the LABs from Neil's dump, and I am thinking that Neil missed the class class-default command in his configuration. In the LAB it was requested to match HTTP and drop all other traffic... Can you please review my configuration? It's down below. Thanks a lot!!!
LAB:
Note that when performing the configuration, you should use the exact names highlighted in bold below:
- Globally create zones and label them with the following names:
– OUTSIDE
– INSIDE
- Assign interfaces to zones as indicated in the exhibit
- Create a zone pair for traffic flowing from the inside to outside zones named IN-TO-OUT
- Define a zone-based firewall policy named IN-TO-OUT-POLICY
– Use the “match protocol” classification option to statefully inspect HTTP traffic and drop all other traffic
– Use a class-map named HTTP_POLICY
- Apply zone-based firewall policy IN-TO-OUT-POLICY to the zone pair
! Globally created zones
zone security OUTSIDE
 exit
zone security INSIDE
 exit
! Assigning zones to the interfaces
int fa0/0/0
 no shut
 zone-member security OUTSIDE
 exit
int fa0/0/1
 no shut
 zone-member security INSIDE
 exit
! Created policy
class-map type inspect match-any HTTP_POLICY
 match protocol http
 exit
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect HTTP_POLICY
  inspect
 ! This is what I added:
 class class-default
  drop
  exit
! Created zone pair, applied policy
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT-POLICY
 end
copy run start
And about the 8 questions, have you checked with the other dump [muhha], was there any question from that?
And were those 8 questions D&D or MCQ?
Please reply, I'll be writing the exam within a few days.
And about the labs, were they the same as in this dump?
Anyway, congrats once again for passing the exam and thanks in advance.
Need a beer...
Thank you for your feedback.
Just one other question regarding the exam.
Does autocomplete work on the CLI of the simlet in the exam or not?
Is the question mark supported on the CLI of the simlet during the exam?
Thank you!
Duplex mismatch
Port channel misconfiguration
BPDU guard violation
UniDirectional Link Detection (UDLD) condition
Late-collision detection
Link-flap detection
Security violation
Port Aggregation Protocol (PAgP) flap
Layer 2 Tunneling Protocol (L2TP) guard
DHCP snooping rate-limit
Incorrect GBIC / Small Form-Factor Pluggable (SFP) module or cable
Address Resolution Protocol (ARP) inspection
Inline power
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00806cd87b.shtml
So it may be the specific wording, maybe of the "inline" thing.
BTW, there was one more question I just remembered, it was to match most of these EAP types to its definitions and/or some particular feature of each
■ EAP-MD5
■ PEAPv0-MSCHAPv2
■ LEAP
■ EAP-TLS
■ EAP-TTLS
■ EAP-FAST
Sorry gents. My memory just goes this far :-)
Regarding this question posted:
Which of the following causes a port to go into error disabled status?
BPDU guard violation
inline power disabled, device req pow
speed mismatch
dhcp snooping rate limit
port channel misconf
as far as I see, all of them are the possible reasons for err-disable state, or?
God bless you all && thanks very much again, Neil
____
Which of the following causes a port to go into error disabled status?
BPDU guard violation
inline power disabled, device req pow
speed mismatch
dhcp snooping rate limit
port channel misconf
_____
Which of the following belong to the data plane?
traffic filtering
transport protection
traffic conditioning
protection against attacks
RBAC
routing protocol authentication
_____
Match (not all needed)
1.- when this expires, the net id is no longer valid
2.- this needs to be the same for all mGRE tunnels in the network
3.- this is used for NBMA networks
4.- this is used by DMVPN tunnel hubs and spokes to authenticate themselves
A.- tunnel key
B.- nhrp hold time
C.- nhrp nhs
D.- nhrp registration
E.- nhrp net id
F.- nhrp authentication string
______
who uses PHDF?
Multiple options, one was FPM, which I think was the right one
______
Match 802.1x port states definitions
1.- Forced-Authorized
2.- Forced-Unauthorized
3.- Auto
A.- In this state, 802.1x is disabled on the port. All traffic is allowed as normal without restriction. This is the default port state when 802.1x is not globally enabled.
B.- In this mode, the port begins in the unauthorized state and allows only EAPOL, CDP, and STP traffic. After the supplicant is authenticated, the port transitions to the authorized state and normal traffic is allowed.
C.- In this state, the port ignores all traffic, including any attempts to authenticate.
And about the D&D questions, were all of them new or also from the dumps?
Again, thanks Neil && Good Luck to everybody.
5. When configuring URL filtering with the Trend Micro filtering service, which of these steps must you take to prepare for configuration?
a. Define blacklists and whitelists
b. Categorize traffic types
c. Synchronize clocks via NTP to ensure accuracy of URL filter updates from the service
d. Install the appropriate root CA certificate on the router
Answer on Chips = D
Answer on Neil = B
6. Which of these is correct regarding the functionality of DVTI tunnels?
a. DVTI tunnels are created dynamically from a preconfigured template as tunnels are established to the hub
b. DVTI tunnels appear on the hub as tunnel interfaces
c. The hub router needs a static DVTI tunnel to each spoke router in order to establish remote communications from spoke to spoke
d. Spoke routers require a virtual template to clone the configuration on which the DVTI tunnel is established
Answer on Chips = D
Answer on Neil = A
7. When implementing GET VPN, which of these is a characteristic of GDOI IKE?
a. GDOI IKE sessions are established between all peers in the network
b. GDOI IKE uses UDP port 500
c. Security associations do not need to linger between members once a group member has authenticated to the key server and obtained the group policy
d. Each pair of peers has a private set of IPsec security associations that is only shared between the two peers
Answer on Chips = D
Answer on Neil = C
3. Refer to the exhibit. Given the output shown, what can be determined?
%SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Fa1/1, vlan 200. ([0001.ba21.321c/192.168.1.10/0000.0000.0000/192.168.1.20/12:32:18 UTC Mon Sep 20 2010])
a. An attacker has sent a spoofed DHCP address.
b. An attacker has sent a spoofed ARP response that violates a static mapping.
c. The MAC address has matched a deny rule within the ACL.
d. This is an invalid proxy ARP packet, as indicated by the 0000.0000.0000 MAC address on the destination
Answer on Chips = C. The MAC address has matched a deny rule within the ACL.
Answer on Neil = B. An attacker has sent a spoofed ARP response that violates a static mapping.
4. You have configured Management Plane Protection on an interface on a Cisco router. What is the resulting action on implementing MPP?
a. Inspection of protected management interfaces is automatically configured to ensure that management protocols comply with standards.
b. The router gives preference to the configured management interface. If that interface becomes unavailable, management protocols will be allowed on alternate interfaces.
c. Along with normal user data traffic, management traffic is also allowed only on the protected interface.
d. Only management protocols are allowed on the protected interface.
Answer on Chips = C. Along with normal user data traffic, management traffic is also allowed only on the protected interface.
Answer on Neil = D. Only management protocols are allowed on the protected interface.
1. Refer to the exhibit. The INSIDE zone has been configured and assigned to two separate router interfaces. All other zones and interfaces have been properly configured. Given the configuration example shown, what can be determined.
a. Hosts in the INSIDE zone, with addresses in the 10.10.10.0/24 network, can access any host in the 10.10.10.0/24 network using the SSH protocol.
b. If a host in the INSIDE zone attempts to communicate via SSH with another host on a different interface within the INSIDE zone, communications must pass through the router self zone using the INTRAZONE policy.
c. This is an illegal configuration. You cannot have the same source and destination zones.
d. This policy configuration is not needed, traffic within the same zone is allowed to pass by default.
Answer on Chips = C. This is an illegal configuration. You cannot have the same source and destination zones.
Answer on Neil = B. If a host in the INSIDE zone attempts to communicate via SSH with another host on a different interface within the INSIDE zone, communications must pass through the router self zone using the INTRAZONE policy.
2. When using Cisco Easy VPN, what are the three options for entering an XAUTH username and password for establishing a VPN connection from the Cisco Easy VPN remote router? (Choose three.)
a. using an external AAA server
b. entering the information via the router crypto ipsec client ezvpn connect CLI command in privileged EXEC mode
c. using the router local user database
d. entering the information from the PC via a browser
e. storing the XAUTH credentials in the router configuration file
Answer on Chips = B,C,E
Answer on Neil = B,D,E
Please tell me because I'll be taking the exam next week.
Is this dump still valid ?
BTW, bought Pass4Sure and flunked first attempt with 750, as of today Pass4sure and Actualtest have the same 122qs, plus quite a few wrong answers and none of the new questions mentioned here... Rely on Neil's.
Passed the exam today with 880, Neil's 122qs dump is still valid with 7-8 new questions. As discussed, all the new questions are from
1. control plane and data plane functionality for switch and router
2. EAP types and their working
3. 802.1X port status and design strategy (auto, force-authorized, host multi-domain etc.)
4. DHCP snooping design plan
5. NHRP client and server (NHS, NHRP network ID, registration spoke, NBMA etc.)
6. How an interface changes to error-disable
If you cover these 6 topics along with the 122qs dump you can surely get more than 950 in this exam.
Any suggestions for the exam? I am going to attend the exam on Monday (9th July).
a)Unicast UDP transmission
b)Multicast UDP transmission
However, when reading through the e-book, I came across the following:
Unicast Versus Multicast Rekeying Methods
Unicast
-Might require adjustment of router buffers and queues if there are a large number of peers
-Use if infrastructure is only unicast capable
*Requires rekey acknowledgment
Multicast
-Must have multicast-capable infrastructure
-Requires rekey acknowledgment Retransmits the key several times without acknowledgments
-Fastest and most scalable method
The fact that Unicast key transmission requires acknowledgement means that TCP must be the preferred protocol used for Unicast transmission of keys. Somebody correct me if I am wrong.
1. You are troubleshooting an IPsec VPN problem. During debugging of IPsec operations, you see the message “attributes not acceptable” on the IKE responder after issuing the debug crypto isakmp command. Which step should you take next?
A. verify matching ISAKMP policies on each peer
B. verify that an IKE security association has been established between peers
C. verify that IPsec transform sets match on each peer
D. verify if default IPsec attributes are in place on each peer
2. virtual-access1 unassigned yes unset down down
virtual-access2 192.168.1.1 yes unset up up
When you are using dynamic IPsec VTI tunnels, what can you determine about virtual-access interfaces from the output shown?
A.The Virtual-Access1 interface currently does not have an IPsec peer connection established.
B.The Virtual-Access2 interface does not yet have an IPsec peer defined.
C.The Virtual-Access1 interface is in the down/down state, because the virtual tunnel source physical interface is down.
D.The Virtual-Access1 interface, which is used internally by the Cisco IOS software, is always down.
I'm planning to take the exam by 7th July. If you guys have any updated dumps, please share them or mail me @ Zeusrandeep@gmail.com
There is no way around studying; if you study hard you should have a chance...
1. skim the book (only read pages you don't understand by skimming)
2. watch the CBT Nuggets and replicate the labs to get the commands in your head
3. take some practise tests like this one, and more than once
I have to take the exam at the end of this month but I haven't started studying yet. I have the Cisco Press book but it is very big and my time is limited because of work.
Can anyone advise what to do?
Thanks
Checking that the correct time is being used is the most accurate. When dealing with CA on Cisco routers you should use NTP or the hardware clock.
If the IOS can't find any NTP, the server will not start; then you should use the hardware clock instead, i.e.: Router# clock set hh:mm:ss day month year
And if you already correctly configured the CA server, it should be enabled automatically.
You have configured a Cisco router to act as a PKI certificate server. However, you are experiencing problems starting the server. You have verified that all CA parameters have been correctly configured. What is the next step you should take in troubleshooting this problem?
A. Disable and restart the router’s HTTP server function
B. Verify the RSA key pair and generate new keys
C. Verify that correct time is being used and source are reachable
D. Enable the SCEP interface
1. Refer to the exhibit. The INSIDE zone has been configured and assigned to two separate router interfaces. All other zones and interfaces have been properly configured. Given the configuration example shown, what can be determined.
A.
Hosts in the INSIDE zone, with addresses in the 10.10.10.0/24 network, can access any host in the 10.10.10.0/24 network using the SSH protocol.
B.
If a host in the INSIDE zone attempts to communicate via SSH with another host on a different interface within the INSIDE zone, communications must pass through the router self zone using the INTRAZONE policy.
C.
This is an illegal configuration. You cannot have the same source and destination zones.
D.
This policy configuration is not needed, traffic within the same zone is allowed to pass by default.
Thanks to all
cheers
bfreeze
and they are the same
1. control plane and data plane functionality for switch and router
2. EAP types and their working
3. 802.1X port status and design strategy (auto, force-authorized, host multi-domain etc.)
4. DHCP snooping design plan
5. NHRP client and server (NHS, NHRP network ID, registration spoke, NBMA etc.)
6. drag and drop - when the interface changes to error-disable
Thanks for your contributions
I think that the most important chapters (for new questions) which you need to read from the book are:
- Control plane and data plane functionality for switch and router
- EAP types and their working
- 802.1X port status and design strategy
- DHCP snooping design plan
I got 857 points and I wasn't sure that I had correct answers for 5 new questions (mostly drag & drop). Minimum for passing is 776.
I hope it will help you.
What did you score and what chapters did you focus on reading? I'm thinking about taking this in a few weeks. Thanks!