Exam | 642-637 - Securing Networks with Cisco Routers and Switches (SECURE) |
Size: | 6.1 MB |
Posted Date: | Wednesday, April 3, 2013 |
# of downloads: | 4 |
Can anybody please share the link to download "Scalable VPN Authentication" Nugget, It is missing . Thanks
@ Rakesh
Please contact me spiro.chete my skype ID i will provide You I having 10 of my students will appear tomorrow in different locations
i don't have dnd questions and simulation what to do?
if i download this dump and it is showing only 105 questions but it as 135
any one can help me please
hey guys i have downloaded this dump but it shows only 107 questions what to do ? can any one tell me whether it is 107 or 135 questions
Passed the Exam on 15th June. Dump is very much valid. lots of DD. Lab and SIM is also same.
Thanks to user!
You are right.
@all
I have tested both models on GNS3
There are two routers R1 and R2
N1
On R1:
crypto ipsec transform-set myset esp-3des esp-sha-hmac
On R2:
crypto ipsec transform-set myset esp-aes esp-sha-hmac
On R2 (IKE-Responder)
#debug crypto isakmp
Jun 3 23:50:40.575: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jun 3 23:50:40.575: ISAKMP:(0):Acceptable atts:actual life: 0
*Jun 3 23:50:40.575: ISAKMP:(0):Acceptable atts:life: 0
..
*Jun 3 23:50:40.939: ISAKMP: transform 1, ESP_3DES
*Jun 3 23:50:40.943: ISAKMP: attributes in transform:
*Jun 3 23:50:40.943: ISAKMP: encaps is 1 (Tunnel)
*Jun 3 23:50:40.943: ISAKMP: SA life type in seconds
*Jun 3 23:50:40.947: ISAKMP: SA life duration (basic) of 3600
*Jun 3 23:50:40.947: ISAKMP: SA life type in kilobytes
*Jun 3 23:50:40.947: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jun 3 23:50:40.947: ISAKMP: authenticator is HMAC-SHA
*Jun 3 23:50:40.947: ISAKMP:(1003):atts are acceptable.
N2
On R1:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 172.16.0.2
On R2:
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address 172.16.0.1
On R2 (IKE-Responder)
#deb crypto isakmp
*Jun 4 00:35:32.943: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jun 4 00:35:32.943: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Jun 4 00:35:32.943: ISAKMP:(0):no offers accepted!
And finally :)
https://supportforums.cisco.com/community/netpro/security/vpn/blog/2011/06/14/ipsec-troubleshooting-problem-scenarios-part-1
Also, the correct answer is:
"A. verify matching ISAKMP policies on each peer"
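Added example (not part of the comment above and not Cisco code): a small Python triage of responder-side `debug crypto isakmp` output that separates a phase 1 (ISAKMP policy) rejection from a phase 2 (transform set) negotiation, using lines from the two captures quoted above. It assumes that connection id `(0)` marks messages logged before an ISAKMP SA exists and that a non-zero id marks messages logged after it; the function and field names are hypothetical.

```python
import re
from collections import namedtuple

# Sample input: responder-side lines taken from the N1 and N2 captures
# quoted in the comment above (trimmed to the lines that matter).
N1_DEBUG = """\
Jun 3 23:50:40.575: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jun 3 23:50:40.939: ISAKMP: transform 1, ESP_3DES
*Jun 3 23:50:40.947: ISAKMP: authenticator is HMAC-SHA
*Jun 3 23:50:40.947: ISAKMP:(1003):atts are acceptable.
"""
N2_DEBUG = """\
*Jun 4 00:35:32.943: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jun 4 00:35:32.943: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Jun 4 00:35:32.943: ISAKMP:(0):no offers accepted!
"""

Event = namedtuple("Event", "ts conn msg")
LINE_RE = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d+\s+[\d:.]+):\s+ISAKMP:\s*"
    r"(?:\((?P<conn>\d+)\):)?\s*(?P<msg>.*)$")
TRANSFORM_RE = re.compile(r"transform \d+, ((?:ESP|AH)_\w+)")


def parse(text):
    """Turn debug lines into (timestamp, connection id, message) events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            conn = int(m["conn"]) if m["conn"] is not None else None
            events.append(Event(m["ts"], conn, m["msg"].strip()))
    return events


def diagnose(text):
    """Report per-phase proposal status and the check to do next."""
    seen = {"phase1": set(), "phase2": set()}
    reasons, transforms = [], []
    for ev in parse(text):
        t = TRANSFORM_RE.match(ev.msg)
        if t:
            transforms.append(t.group(1))
        if ev.conn is None:
            continue
        # Assumption: conn id 0 = no ISAKMP SA yet, so phase 1 is in progress.
        phase = "phase1" if ev.conn == 0 else "phase2"
        if ev.msg.startswith("atts are acceptable"):
            seen[phase].add("accepted")
        elif ev.msg.startswith(("atts are not acceptable", "no offers accepted")):
            seen[phase].add("rejected")
        elif "does not match policy" in ev.msg:
            reasons.append(ev.msg)

    def status(phase):
        # A responder with several policies logs one rejection per policy
        # that fails, so a single acceptance outweighs earlier rejections.
        if "accepted" in seen[phase]:
            return "accepted"
        return "rejected" if "rejected" in seen[phase] else "not seen"

    p1, p2 = status("phase1"), status("phase2")
    if p1 == "rejected":
        next_check = "verify matching ISAKMP policies on each peer"
    elif p2 == "rejected":
        next_check = "verify that IPsec transform sets match on each peer"
    else:
        next_check = "no proposal rejection in this capture"
    return {"phase1": p1, "phase1_reasons": reasons if p1 == "rejected" else [],
            "phase2": p2, "phase2_transforms": transforms,
            "next_check": next_check}


if __name__ == "__main__":
    for name, capture in (("N1", N1_DEBUG), ("N2", N2_DEBUG)):
        print(name, diagnose(capture))
```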
Hi all. I have found another mistake.
QUESTION NO: 34
You are troubleshooting an IPsec VPN problem. During debug
the message "attributes not acceptable" on the IKE responder
isakmp command. Which step should you take next?
A. verify matching ISAKMP policies on each peer
B. verify that an IKE security association has been established
C. verify that IPsec transform sets match on each peer
D. verify if default IPsec attributes are in place on each peer
IMHO the correct answer is A, not C
Passed with 87X . Valid dump
@Sec. Guy
No need to define class-default in ZBFW lab because of the default drop action that applied to all class.
After the configuration verify this with #sh run or #sh policy-map type inspect
Q9
The advantages of virtual tunnel interfaces (VTIs) over GRE VPN solutions are which three of the following? (Choose three.)
A. VTI can support QoS.
B. VTI provides a routable interface.
C. VTI supports nonencrypted tunnels.
D. VTI is more scalable than a GRE-based VPN solution.
E. IPsec VTIs need fewer established SAs to cover different types of traffic, both unicast and multicast, thus enabling improved scaling
F. IPsec VTIs require a loopback interface for configuration.
The dump says: BCE. I think the correct answers are ABE
http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629.pdf
"Quality of service (QoS)
---QoS can be used to improve the performance of different applications across the network. In this configuration, traffic shaping is used between the two sites to limit the total amount of traffic that should be transmitted between the two sites. Additionally, the QoS configuration can support any combination of QoS features offered in Cisco IOS Software to support any of the voice, video, or data applications. "
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-services-tech/945-cisco-comparing-vpn-technologies.html
"Comparison Between Policy-Based and Route-Based VPNs
QoS is fully supported"
Thanks a lot Trescool !
I have uploaded a new vce file with some corrected answers. It will be available in 2 or 3 days.
Best of luck
In LAB 6, viewing that the question is:
-Use the "match protocol" classification option to statefully inspect HTTP traffic and drop all other traffic
In the policy-map config, I think this must also be added:
Router(config-pmap-c)# class class-default
Router(config-pmap-c)# drop
So, the policy-map will look like this:
Router(config)# policy-map type inspect IN-TO-OUT-POLICY
Router(config-pmap)# class type inspect HTTP_POLICY
Router(config-pmap-c)# inspect
Router(config-pmap-c)# class class-default
Router(config-pmap-c)# drop
Router(config-pmap-c)# exit
Hi all.
I have found a mistake in answer of DND #4 802.1x port states
Correct answer is
auto=in this mode allows only EAPOL, CDP,STP at first
force-auth=def port state when 802.1x is not globally enabled
force-unauth=port ignores all traffic
Chapter 5: 802.1X and Cisco Identity-Based Networking Services (IBNS) 101
Dear Mazhar,
you need only ccna(security) for ccnp(security). I'd advise that you should first pass ccnp(routing and switching) and ccie. After finishing ccnp or ccie, ccna(sec), ccnp(sec) or something will be easier. Good luck.
Hi,
I have completed the ccna (640-802) certification. I wanted to take the CCNP security exam, so my
question: is it required to take the CCNA security or CCSA security exam before taking ccsp? I am a bit confused about this. Please tell me the correct procedure for this.
thanks in advance.
all question from dump. exam's date is 24.05
In this .vce file I got 22 D&D. But out of them 13 are not complete, meaning I can see only the left side options; all right side options are blank for 13 items. Help me on this.
@ Trescool
Thanks!
"and you cannot have 2 interfaces with the same subnet"
Yes, i agree with you :lol:
Were all questions from this dump, any modifications?
@Doka
Labs and sims the same!
@doka - In the exam i assure you that this is the correct one ;) believe me! and you cannot have 2 interfaces with the same subnet ;)
Question 68 - I think B is wrong
If a host in the INSIDE zone attempts to communicate via SSH with another host on a different interface within the INSIDE zone, communications must pass through the router self zone using the INTRAZONE policy.
I think it should be A
Hosts in the INSIDE zone, with addresses in the 10.10.10.0/24 network, can access any host in the 10.10.10.0/24 network using the SSH protocol.
Based on this document
http://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/user/guide/csc.html
When configuring URL filtering with the Trend Micro filtering service, which of these steps must
you take to prepare for configuration?
A. define blacklists and whitelists
B. categorize traffic types
C. install the appropriate root CA certificate on the router
D. synchronize clocks via NTP to ensure accuracy of URL filter updates from the service
This is a tricky question
The correct answer is IMHO D
In this document https://supportforums.cisco.com/docs/DOC-8028
we read:
"First check the system clock and make sure it is correct. It needs to be correct so that the router can accept and validate the certificate it will pull from the Trend server during registration.
show clock
If it's not, correct it by pointing it to an NTP source or manually setting it
clock set 16:00:00 SEPT 21 2009"
Also nothing about "URL filter updates"
BUT this first step has two functions for the Trend Micro software (IOS based and GUI based)
" Step 4 In ASDM, verify time settings on the adaptive security appliance. Time setting accuracy is important for logging of security events and for automatic updates of CSC SSM software.
•If you manually control time settings, verify the clock settings, including time zone. Choose Configuration > Properties > Device Administration > Clock.
•If you are using NTP, verify the NTP configuration. Choose Configuration > Properties > Device Administration > NTP. "
@Trescool
Congrats bro !!! :)
Were all questions from this dump?
Lab and simlet are the same?
Thanks!
Hello guys, passed with 928.. there are still wrong questions??!!! But I think I've corrected some; I will upload a new vce.. but not everything will be correct
@Abu Hazem thank you very much for the information..lets try and wait ..
@Trescool,
I wish you the best in your exam.
To find work in UAE, you need to know people here to get you a job.
If you depend on the certifications, you need to have a lot of them in Cisco, Microsoft, Linux etc.; the more you have, the higher the chance for you to find one.
Good experience will help too.
But the most important is to have connections here and not to ask for a high salary, since you compete with Indians and Pakistanis who have a lot of certifications (thanks to dumps), ask for little salary and have huge connections here.
If you are a fresh, then it is better to have a good experience from your country first.
I'm going to do the exam tomorrow. I still have some doubts, but then I will edit and upload a new exam vce with some corrected answers.. and hope that helps you guys in the future. If you have some doubts sapint@gmail.com!
@ Abu Hazem, how to get a job as Network Engineer in United Arab Emirates.? can you give me some advices?! Thanks to you all for the crowdsourcing ;)
Thanks Abu for your valuable outputs.
Doka and Trescool thanks a lot for your comments
@Trescool:
All the very best for your exam.Do suggest us after the exams
I used the same answer as per doka
@all
Q4 D&D
uRPF is not Control plane but Data plane Mitigation Technique
Correct answer should be
Routing Protocol Authentication
Rate Limiting
VTP Authentication
Spanning Tree Protection
Hi All,
Use these pages in the cisco official book
43, 44, 45, 49, 50, 95, 96, 100, 101, 113, 339, 340, 374, 453
they can help you in some D&D, for example
Force Unauth --> doesn't allow any traffic as per the book, but in the dump it is something else.
Hi All,
sorry, for the delay, here are all your answers:
@Trescool
Yes, same lab and sim, and I answered the same in the dump.
Q:43, I answered "enable SCEP"
@doka
Thank you, I wish you to success in the exam.
All questions came from the dump. I got 70 questions including all the drag and drop, sim, lab.
@Riya,
All questions came from the dump, about the sections, I don't have the result paper now.
@Doka,
No 1000, which actually points to the fact that answers are not correct in dumps.
But there were 5 questions out of the dumps as well.
@bugs
Congrats!
Why not 1000? :)
In what sections you lost marks?
Thanks
Passed my exam today with 888.
DUMPS ARE VALID.
Get VPN and ZBFW simulations were exactly same.
@ Abu
Can you please mention what all sections were in exam and in which sections you lost marks
@bugs
All the best for your exams. Please help us to know what sections there are in the exam
@Abu Hazem
Congratulations!
Were there new/modified questions?
Thanks
Q:43 Cisco router to act as a certificate server, but the server won´t start.all CA parameters are correct?
Should D be the correct one? Verify that the correct time is being used and source is reachable?
@Abu Hazem .labs and sims?! valid?
Hi all,
I passed today with 908 score.
If you have a question, just put there and I will tell you what I answered.
@doka
I think u r right. Following all your comments.
I am giving my exam on Monday. Will update my results.
@Trescool,mindblown
:lol: all 3 answers are correct .
difficult-difficult .
@mindblown
http://www.cisco.com/en/US/docs/routers/access/cisco_router_and_security_device_manager/25/software/user/guide/DMVPN.html
This is used for NBMA network." would be "NHRP Network ID".
@doka et al., I think the correct answer for: "This is used for NBMA network" is NHRP Registration because the registration process is what provides support for NBMA Networks. The NHRP Registration process includes the components NHRP NHS and NHRP Client. A snip from: http://www.cisco.com/en/US/docs/ios/ios_xe/ipaddr/configuration/guide/iad_cfg_nhrp_xe.pdf is below:
NHRP allows two functions to help support these NBMA networks:
NHRP Registration: 1. NHRP allows Next Hop Clients (NHCs) to dynamically register with Next Hop Servers (NHSs). This registration function allows the NHCs to join the NBMA network without configuration changes on the NHSs , especially in cases where the NHC has a dynamic physical IP address or is behind a Network Address Translation (NAT) router that dynamically changes the physical IP address. In these cases, it would be impossible to preconfigure the logical virtual private network (VPN IP) to physical (NBMA IP) mapping for the NHC on the NHS.
Thanks.
@Trescool
Off Cert Guide Page 300
"Prior to IOS Release 15.0.1M, all traffic that was sourced and destined for devices inside the same zone was freely permitted. With this IOS release, the ability to configure a zone pair with the same zone as both source and destination is possible; this enables you to apply policies for traffic traveling within the same zone across the device, as illustrated in Figure 12-4"
AND Page 309
"With the release of IOS 15.0.1M, it is also possible to control the traffic within the same zone; this is referred to as intrazone. This is configured by creating a zone pair with the same two zone names as both source and destination."
@ Doka
My question here is: "communications must pass through the router self zone using the INTRAZONE policy" is this true? must pass through router self zone?!..i don´t think so..
Hi Trescool
I think the answer:
"If a host in the INSIDE zone attempts to communicate via SSH with another host on a different interface within the INSIDE zone, communications must pass through the router self zone using the INTRAZONE policy. "
is correct
in IOS 15.0.1M Cisco added a feature to give ability to configure policies between interfaces in same zone; so if IOS is of this level or above I would say B is correct (C) DD :)
Question 83 - I think B is wrong
An attacker has sent a spoofed ARP response that violates a static mapping. (in the image it´s a request...)
I would bet on C - The MAC address has matched a deny rule within the ACL.
Question 68 - I think B is wrong
If a host in the INSIDE zone attempts to communicate via SSH with another host on a different interface within the INSIDE zone, communications must pass through the router self zone using the INTRAZONE policy.
I think it should be A
Hosts in the INSIDE zone, with addresses in the 10.10.10.0/24 network, can access any host in the 10.10.10.0/24 network using the SSH protocol.
I don't see anywhere that traffic must pass through the self zone ... in the intrazone connection..
IPS DRAG DROP is wrong
Checked 3 books!
False Positive
A false positive means that an alert has been triggered, but it was for traffic that does not constitute an actual attack. This type of traffic is often called benign traffic.
False Negative
A false negative occurs when attack traffic does not trigger an alert on the IDS/IPS device. This is often viewed as the worst type of false alarm—for obvious reasons.
True Positive
A true positive means that the IDS/IPS device recognized and responded to an attack.
True Negative
This means that nonoffending or benign traffic did not trigger an alarm
@ Congratulations Pablo
Any advice..?
Lab and Sims are valid?!
@pablo
Congratulations !!!
Please more details about D&Ds.
Thanks in advance!
Just passed the exam an hour ago. 949/1000
This dump is still valid.
Thanks everyone for your active collaboration during my study period. Next stop: FIREWALL
Drag and Drop question: Force-Unauthorized - wrong answer in this dump. The correct answer is "In this state, the port ignores all traffic". Check the official manual.
I think the answer:
NHRP NHS: This is used for NBMA network
is correct.
http://www.cisco.com/en/US/docs/ios/ios_xe/ipaddr/configuration/guide/iad_cfg_nhrp_xe.pdf
S.2
"NHRP allows two functions to help support these NBMA networks:
1. NHRP Registration. NHRP allows Next Hop Clients (NHCs) to dynamically register with Next Hop Servers (NHSs). This registration function allows the NHCs to join the NBMA network without configuration changes on the NHSs, especially in cases where the NHC has a dynamic physical IP address or is behind a Network Address Translation (NAT) router that dynamically changes the physical IP address. In these cases, it would be impossible to preconfigure the logical virtual private network (VPN IP) to physical (NBMA IP) mapping for the NHC on the NHS. "
@ Pablo
Well noticed...do you have any more doubts concerning to the questions?!
@Trescool:
Thanks a lot for your input. You pointed to the right document. However, when looking at it I noticed that the right answer for the "This is used for NBMA network." would be "NHRP Network ID".
Thanks a lot to all of you. I'm taking the exam in exactly 2 hours and 20 minutes. I'll post my results when I get back and let you know how valid this dump still is... wish me luck.
Thanks Trescool. I think you are right.
@ Pablo and to all
I think the answer to this question should be: based on:
http://www.cisco.com/en/US/docs/routers/access/cisco_router_and_security_device_manager/25/software/user/guide/DMVPN.html
and
Statically Configuring a Next Hop Server
A NHS normally uses the network layer forwarding table to determine where to forward NHRP packets and to find the egress point from an NBMA network. A NHS may also be statically configured with a set of IP address prefixes that correspond to the IP addresses of the stations it serves, and their logical NBMA network identifiers.
Perform this task to statically configure a Next Hop Server.
Associate the correct DMVPN parameter information on the left with the associated description on the right.
NHRP Hold time : When this expires, the network ID is no longer valid
Tunnel key: This needs to be same for all mGRE tunnels on the network
NHRP NHS: This is used for NBMA network.
Authentication String: This is used for DMVPN tunnel hubs and spokes to authenticate themselves.
I'm going to take the exam on the 22nd of May
Can you please help me confirm the answer on drag & drop question about DMVPN parameter information. I have my doubts on the answer provided in the dump.
Associate the correct DMVPN parameter information on the left with the associated description on the right.
NHRP Hold time : When this expires, the network ID is no longer valid
Tunnel key: This needs to be same for all mGRE tunnels on the network
Authentication String: This is used for NBMA network.
NHRP Registration: This is used for DMVPN tunnel hubs and spokes to authenticate themselves.
Please what is the vtp=Get Vpn? is it the lab? (Which question number)
And what is the LAB = ZBFW ? (Which question number)
Thanks.
Material is valid.
There are some wrong answers .
I passed the exam
Big Thanks.
I passed today with 898! Thanks.
There are some answers that are wrong, so please verify them. I passed it on Saturday with 890. The simulators have some problems: in the GET VPN simulator some commands are not working in the exam, so prepare it properly, and when configuring the zone-based firewall all commands must be typed manually; do not use Tab or the ? mark because it has some negative marking. So best of luck to all...
Passed the exam today with score 9xx. This dump is still valid.
LAB=ZBFW
VTP=GET VPN
Thanks to everyone.
Dump is valid but there are some drag & drops are wrong in this dumps. verify it with another dump.
finally I passed the exam today, the dump is valid
many thanks for all
The dump is 100% valid. passed today and I am very grateful for this dump and all who contributed to it.
Q4 D&D
uRPF is not Control plane but Data plane Mitigation Technique
Correct answer should be
Routing Protocol Authentication
Rate Limiting
VTP Authentication
Spanning Tree Protection
Please correct me if I'm wrong
Reference Page 43 Secure Book
Guys what is the vtp=Get Vpn? is it the lab?
Still valid, no new questions, and VTP had different configs. I passed with 849. I got all drag-and-drops in the dump, I almost got all 22
Reviewing questions have question:
Q regarding results of an attacker performing a DHCP server spoofing attack
Answers (BC) DOS and Confidentiality breach. I strongly believe it's AB, DHCP snooping and DOS; does anyone feel differently?
Can someone pls let us know if the answers (MCQ, D&D, SIMs) correct in this VCE. Not to offend azazredhat, there are some discussions here that mention some of the questions may have incorrect answers.
Thanks a bunch
It's ok, I now have the correct suite version to open the VCE - thanks again for this great forum - good luck to all!
which version of VCE was this most useful upload created with as I am getting the error, "this file was created with an older version ov Visual CE.." (I am using ver 1.9.815), many thanks!
Still valid, got 2 MCQs that are not in this dump and VTP had different configs / IPs but passed with 8xx. Know all drag-and-drops in the dump, I almost got all 22
I agree still Valid pass 9xx 70 question 776 pass mark GETVPN and ZBFW sims.
Dumps 100% Valid
same labs as in dumps as well as same questions asked.
I scored 8xx
Passing score is 776
Exam contains 70 questions
Guys the font in questions part for simulation labs (questions 130-135) are not clear, Is there any website that has a same questions with explanation like 9tut.com ?
any advice
thanks
Good luck Sam!
exam contains any changes ???
I have scheduled my exam on 22nd Apr.
Still valid. Passed with 8xx marks.
@roam--
vtp question means you have to answer the mcq and prove it by commands
@azazredhat
Thanks a lot for the dump. Today I passed the exam with score 900.
This dump is 100% valid.
LAB: ZBFW
VTP: GETVPN
VTP is GET VPN...what is VTP ? please let me know
Passed with 9xx, this dump is 100% valid.. thanks azazredhat. Ditto questions in the exam, no change at all
@twinhead
ty for the answer azazredhat, just a comment about twinhead,
checking that cert guide, it seemed that question 4 D&D is indeed wrong according to that cert guide, just to let you know,
thank you for the dump, taking my test anytime soon now, I'll let you know how it goes.
@sec = correct answer is attacker has sent a spoofed ARP response that violates a static mapping.
@mallet = mcq is alternate and lab is ZBFW and VTP is GET VPN
@twinhead = if you are confused then refer any other dump for solving your confusion.
Dont take anything negative buddy,just solve every single confusion before exam for better score
In real exam
Is it MCQ alternate or same vce?
lab only zone base firewall right?
in question83, MCQ
the correct answer is the MACaddress has matched a deny rule within the ACL? or an attacker has sent a spoofed ARP response that violates a static mapping.
thanks in advance, great dump btw
Question 4 drag and drop, I think, is wrong; according to the official cert guide this is the correct one:
■ True positives: The IPS or IDS sensor triggered because of legitimate malicious activity. This is normal, desired operation.
■ False positives: The IPS or IDS sensor triggered because of nonmalicious activity. This is usually because of errors caused by signatures that are configured to be too relaxed or broad in scope. In other words, the sensor mistook normal traffic patterns to be malicious.
■ True negatives: The IPS or IDS sensor failed to trigger when there was no malicious activity. This is normal, desired operation.
■ False negatives: The IPS or IDS sensor failed to trigger when there was malicious activity. This is usually because of errors caused by signatures that are configured to be too specific.
and I'm confused, in Q1 MCQ, refer to the exhibit, the correct answer is the peer has not matched any offered profiles??
@Nannes
this dumps is 100% valid
i passed today
got 963
dump 100% valid
thanks to azazredhat,Neil
lab=ZBFW
vtp=Get Vpn
Finally i cleared this exam by 9xx.
This dump is 100% valid.
Thanks
thank you
great upload