Share your SECURE Experience

January 3rd, 2011 in SECURE 642-637

Cisco has changed its Security exams by replacing the old CCSP with the new CCNP Security certification, which has 4 modules: Secure, Firewall, IPS and VPN. In fact, the old CCSP and the new CCNP Security are very similar. Many candidates have asked us to put up materials for these new exams, but that is time-consuming work. In the meantime, we created the “Share your experience” section for the SECURE exam. We really hope anyone who reads securitytut, 9tut, digitaltut, certprepare, networktut and voicetut will contribute to these sections, as your experience is invaluable for helping CCNP Security learners reach their goals.

Please share with us your experience after taking the SECURE 642-637 exam, your materials, the way you learned, your recommendations…

Comments (498)
  1. Sanket
    October 16th, 2011

    When implementing GET VPN, which of these is a characteristic of GDOI IKE?
    A. GDOI IKE sessions are established between all peers in the network.
    B. Security associations do not need to linger between members once a group member has
    authenticated to the key server and obtained the group policy.
    C. Each pair of peers has a private set of IPsec security associations that is only shared between
    the two peers.
    D. GDOI IKE uses UDP port 500.
    Answer: C

    Is this correct? I think it’s B…!
    Plz share your reviews..!
    thanks…!!

  2. Spider
    October 17th, 2011

    I think B too.

    Look at Book 3-399

  3. Steak&Chips
    October 19th, 2011

    Hi Guys

    Checked the answer with a CCIE and answer is C.
    B does not qualify as the SA must be active between the two members who are tunneling.

  4. DC
    October 19th, 2011

    Thanks Steak&Chips,

    I was thinking the same about GETVPN SA’s.

    Do you have any thoughts on these 2?

    “When configuring URL filtering with the Trend Micro filtering service, which of these steps must
    you take to prepare for configuration?
    A. define blacklists and whitelists
    B. categorize traffic types
    C. install the appropriate root CA certificate on the router
    D. synchronize clocks via NTP to ensure accuracy of URL filter updates from the service
    Answer: D or C (I think C as you need to set the time to download the certificate, no need to set up NTP “to ensure accuracy”).

    and:

    When you are configuring DHCP snooping, how should you classify access ports?
    A. untrusted
    B. trusted
    C. promiscuous
    D. private

    Because the question is vague and does not say whether this “access port” is under administrative control. So assuming it’s not under control I may go with A: untrusted.

    Thanks.
    dc

    BTW, I plan on taking exam 10/21….

  5. Steak&Chips
    October 19th, 2011

    Nice DC – good luck – I haven’t seen these questions before…is this from any particular source?

    Not 100% sure on the first question. Reading through this
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6643/white_paper_c89-492776.html

    the answer looks like the pre-requisite is C : cisco.com certificate.

    Definitely DHCP snooping answer is A : untrusted. The router is most likely on trunk mode = Trusted so all others would be untrusted.

    Good questions !

  6. DC
    October 19th, 2011

    They are mentioned on the previous page and I have them in my practice test.

    THANKS!

  7. Mike
    October 21st, 2011

    It’s D.
    Take a look at this site:
    https://supportforums.cisco.com/docs/DOC-8028#Clock_and_DNS

    You need to have the correct time to register with Trend Micro

  8. Steak&Chips
    October 21st, 2011

    Hey Mike,

    checked with some guys who passed and they say C. You have to have accurate time – not necessarily by NTP (as DC stated). Secondly “via NTP to ensure accuracy of URL filter updates from the service” is done after configuration and the question is about configuring the service.

  9. Steak&Chips
    October 21st, 2011

    need to elaborate a bit more – the accurate time is needed for the install and activation of the certificate – not really required for the filter updates.

  10. helper
    October 21st, 2011

    Which of these is a configurable Cisco IOS feature that triggers notifications if an attack attempts
    to exhaust critical router resources and if preventative controls have been bypassed or are not
    working correctly?
    A. Control Plane Protection
    B. Management Plane Protection
    C. CPU and memory thresholding
    D. SNMPv3
    Answer: A

    I think the right one is B, because C is part of B, and in B there is SNMP which you can use for C.

  11. DC
    October 21st, 2011

    Well, I passed today with a score of 898. Not sure which questionable answers were right or wrong. Just a handful of new questions. Of course there was the zone firewall lab and the GETVPN scenario.

    Thanks Steak&Chips and Igor and everyone else (esp “tut”).

    @ Helper, I think C was correct (and C is part of A), but what do I know :)

    Good luck everyone. Study the book and review the practice tests and you should pass.

    DC

  12. Steak&Chips
    October 21st, 2011

    Congrats – DC ! pass is a pass – no one really cares about the final score.

    Which one are you doing next?

  13. DC
    October 21st, 2011

    I already have CCIP and CCNP (recently CCNA-S), I really just wanted to extend the IP/NP certs for another 3 years. If I keep on going it will be for CCNP security. I am getting old…

    Think I will take a break for a little while…

    thanks,

    dc

  14. Michael
    October 22nd, 2011

    Hello DC
    I am a little confused regarding the GETVPN scenario question, could you please mention the show command you use to solve these questions and I am not sure that the answers are right, could you confirm that please.

    Which router is acting as the key server and which is acting as a group member?
    (Choose two.)
    A. Router 1 is the key server
    B. Router 2 is the key server
    C. Router 1 is the group member
    D. Router 2 is the group member
    E. The ISP router is the key server
    F. The ISP router is the group member
    G. Router 1 and Router 2 are both key servers
    H. Router 1 and Router 2 are both group members
    Answer: B,F

    What is the Identity used to distinguish the GETVPNGROUP GDOI group?
    A. the IP address of the peer
    B. identity number 67890
    C. group 14
    D. GETVPNKEY
    Answer: A,D

    On the group member router, where is the crypto map applied and what is the ISAKMP shared
    key? (Choose two.)
    A. the crypto map is applied to the FastEthernet0/1 interface
    B. the crypto map name is applied globally on the router and is active on all enabled a interfaces
    C. the shared Key Is GETVPNKEY
    D. the shared Key is 67890
    Answer: A,B

  15. helper
    October 24th, 2011

    to : Steak&Chips October 19th, 2011
    I think B is right. If you look at book, so B is exact copy of description in book….

    to : Michael October 22nd, 2011
    first – don’t know
    second – I suppose something like B, C
    third – again suppose B, C

  16. RJD
    October 24th, 2011

    Configure URL Filtering

    Consider the following implementation guidelines:
    - You can combine local URL lists with server- or service-based filtering to create exceptions.
    - Before using the Trend Micro URL filtering service, you must install appropriate root CA certificates on the router.

  17. RJD
    October 24th, 2011

    GDOI, which is the underlying standard for GET VPN, is standardized in RFC 3547. GDOI defines a key management protocol, based on IKE and ISAKMP. GDOI uses the same principles to generate symmetric encryption keys, but uses two keys: KEK and TEK. The key management protocol is an extension of IKE and ISAKMP, and uses User Datagram Protocol (UDP) port 848. One major difference of GDOI IKE is the fact that GDOI IKE SAs do not need to linger between members after initial establishment, but can be left to quickly expire after a group member has authenticated to the key server and obtained the group policy. The second major difference is that GDOI IKE sessions do not get established between all peers in a VPN, but only between each group member and the key server (or multiple key servers for redundancy).
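
The roles described in the comment above, as an added Cisco IOS configuration sketch that is not part of the original thread: a key server that owns the group policy and a group member that registers only with that key server. The group name, identity number, pre-shared key, key label, ACL, interface and the 192.0.2.x addresses are all constructed placeholders.

```cisco
! ----- Key server (KS), constructed address 192.0.2.1 -----
! RSA key pair used to sign rekey messages (label is a placeholder)
crypto key generate rsa general-keys label GETVPN-REKEY-KEYS modulus 2048
!
! ISAKMP policy and pre-shared keys protect the GDOI registration exchange
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK address 192.0.2.11
crypto isakmp key EXAMPLE-PSK address 192.0.2.12
!
crypto ipsec transform-set GETVPN-TS esp-aes esp-sha-hmac
crypto ipsec profile GETVPN-PROFILE
 set transform-set GETVPN-TS
!
! Traffic the group encrypts (constructed site prefixes)
ip access-list extended GETVPN-INTERESTING
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
crypto gdoi group EXAMPLE-GROUP
 identity number 1001
 server local
  ! rekey settings govern the KEK-protected rekey channel
  rekey authentication mypubkey rsa GETVPN-REKEY-KEYS
  rekey transport unicast
  ! the IPsec SA policy pushed to every member (protected by the TEK)
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-INTERESTING
  address ipv4 192.0.2.1
!
! ----- Group member (GM), constructed address 192.0.2.11 -----
! The only ISAKMP peer a member needs is the key server
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK address 192.0.2.1
!
crypto gdoi group EXAMPLE-GROUP
 identity number 1001
 server address ipv4 192.0.2.1
!
! A gdoi crypto map has no "set peer": policy and keys come from the KS
crypto map GETVPN-MAP 10 gdoi
 set group EXAMPLE-GROUP
!
interface GigabitEthernet0/0
 crypto map GETVPN-MAP
```

When reviewing a deployment like this, confirm that UDP 848 is permitted between each member and the key server, and that members hold ISAKMP keys only for the key server rather than for each other.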

  18. Steak&Chips
    October 24th, 2011

    Thanks RJD – I am sure the root cert is the answer – sorry helper. Also Control Plane Protection is the correct answer to that other question: MPP is only for access to the router itself. CPP backs up Data Plane protection if those controls start failing.

    Has anyone seen this in the exam?
    ===========================================================

    True positives: The IPS or IDS sensor triggered because of legitimate malicious activity. This is normal, desired operation.

    False positives: The IPS or IDS sensor triggered because of nonmalicious activity.

    True negatives: The IPS or IDS sensor failed to trigger when there was no malicious activity. This is normal, desired operation.

    False negatives: The IPS or IDS sensor failed to trigger when there was malicious activity. This is usually because of errors caused by signatures that are configured to be too specific.
    ================================

  19. DC
    October 24th, 2011

    I didn’t have anything about false\true positives\negatives on my test.

    I would not study the GETVPN answers as I have seen them change configurations in similar exercises in different tests. Instead be familiar with the show commands…

    dc

  20. Julia Adams
    October 25th, 2011

    what are the configuration questions in the secure 642-637 exam ?!

  21. helper
    October 25th, 2011

    Hi,

    @Steak&Chips : what sorry? which question?

    about GDOI – RJD confirmed what I have written (by copying text from book)

    thnx

  22. Steak&Chips
    October 25th, 2011

    I was referring to this one >>
    A. Control Plane Protection
    B. Management Plane Protection
    C. CPU and memory thresholding
    D. SNMPv3
    Answer: A
    I think the right one is B, because C is part of B, and in B there is SNMP which you can use for C.

    Answer is still A – its the only one that triggers notifications if the Data Plane is under stress – B is not involved in this feature at all.

  23. helper
    October 25th, 2011

    Maybe I’m completely stupid, but Control on router has these options:
    CoPP/CPPr, routing protocol auth/filter

    On the contrary MPP has SNMP and CPU/memory thresholding.

    How does Control let know?

    thnx, and again sorry

    btw, about GDOI IKE (for others) – book page 505, there is exact answer.

  24. Steak&Chips
    October 26th, 2011

    Actually – after reviewing material and digging a bit deeper I am thinking that C is actually the correct answer. If you read this
    “With CPU Thresholding Notification, users can configure CPU utilization thresholds, which trigger a notification when exceeded. Cisco IOS Software supports two CPU utilization thresholds:”
    http://www.cisco.com/en/US/products/ps6642/products_data_sheet09186a00801f98de.html

    That encompasses the entire question directly – SNMPv3 basically deals with SNMP authentication and no thresholding – MPP is the framework – not a configurable feature and COPPr is probably the ‘preventative controls that have been bypassed as well as Data Plane Countermeasures’.

    I will switch to C in my exam and see what I get.

  25. Shahbaz
    October 28th, 2011

    Hello,
    Have a good day to all. my secure paper is on 10th November. Please can anybody help me out about the dumps of secure, that from where can be the latest dumps available freely.

    Thank you.

  26. Anonymous
    October 29th, 2011

    anyone given 642-637 yet ???

  27. Steak&Chips
    October 31st, 2011

    Hey Guys,

    Can you check this updated .vce out
    http://www.examcollection.com/cisco/Cisco.ActualTests.642-637.v2011-10-26.by.Chips.89q.vce.file.html

    Would especially appreciate anyone who has taken the test to try it.
    Created D&D’s, fixed the incorrect questions (some still in doubt), fixed spellings and added some user feedback questions.
    Cheers Chips

  28. Mike
    October 31st, 2011

    Great Job Steak&Chips. I like the simulator questions with examples of the show commands. This will really help out.

  29. Zahoor
    November 1st, 2011

    Passed today with 939…!! Thanks to God and thanks to all who have shared their experience on this website. I’ve uploaded the dumps with corrections at the following location:
    http://www.4shared.com/document/kLuvtEGx/642-637_new.html

    Thank you

  30. Steak&Chips
    November 1st, 2011

    Thanks Zahoor! Well done!

    Did you have any new questions? Can you check out my VCE file and see if there are any corrections that need to be made?
    http://www.examcollection.com/cisco/Cisco.ActualTests.642-637.v2011-10-26.by.Chips.89q.vce.file.html

    Cheers Chips

  31. Zahoor
    November 1st, 2011

    Hi Steak, you worked really good. I studied your file thoroughly, one day before the exam. You have added few new questions and all those were there in the exam. There were two new question that I will post later after recalling. Your VCE has two or three answers that need to be revised (but I’m also not 100% sure), you could reconcile them from the file that I uploaded.
    Steak, can you please help me in 642-627 and 642-647 ??
    Thank you for your contribution.

  32. Steak&Chips
    November 1st, 2011

    I saw that Zahoor and I have changed the

    *peer* matches no profile to the : This is a normal output is correct answer.

    Also changed 2 x D&D – the 802.1x preparation and the show crypto map > show crypto isakmp policy.

    I am sure the others are correct still – the CA / Trend Micro, the Illegal config vs this policy is not needed is still correct as the INSIDE zone has 2x interfaces.

    If you could flesh out the 3 unknown questions would be fantastic :D

  33. Zahoor
    November 1st, 2011

    Ok thanks Steak and what about 642-627 and 642-647 ???

  34. Steak&Chips
    November 1st, 2011

    Still working 637 – as a group we will work 627 next — starting from next week.

    Can you remember those details – people would be grateful :)

  35. Zahoor
    November 1st, 2011

    One new question that I’m recalling was like:
    sh crypto isakmp profile
    Encryption 3DES
    hash sha-1
    authentication rsa-sig
    Group 2

    The correct answer is: The authentication parameter is Digital Certificates

  36. Zahoor
    November 1st, 2011

    All D&D and Labs are the same

  37. Steak&Chips
    November 4th, 2011

    Uploaded a new .vce to
    http://www.examcollection.com/642-637.html

    It has another couple of fixed questions and some new additions. Had two test takers over the last week score in the mid-900’s using this file. Seems you have to expect 2-4 new questions so study as much as you can on all topics.

    92 questions in total….Good luck to all!
    Chips

  38. Anonymous
    November 4th, 2011

    I don’t see the new VCE steak? What’s there is the 89 q.&a.

  39. Steak&Chips
    November 4th, 2011

    Yeah – takes a few days to be seen – uploaded today – check back each day.

  40. Anonymous
    November 4th, 2011

    Please repost

  41. el_zwergo
    November 4th, 2011

    well done, chips!

  42. jt
    November 5th, 2011

    fyi: i took the exam today with 918/1000. there are about 3 new question that is not on
    1. something about virtual interface (the exhibit is: show interface | virtual )

    i will post it if it comes back to mind.

    thanks all…..
    i used the dump posted by Zahoor & Chips.

  43. Rick
    November 8th, 2011

    Guys/Gals,

    Can someone please paste link to pdf for Secure Exam?

  44. Anonymous
    November 8th, 2011

    good job jt

  45. jt
    November 8th, 2011

    thanks!.

    @Rick, chips and Zahoor posted. scroll 1/2 page up.

  46. Gagan
    November 9th, 2011

    I cleared my CCNA Security exam with 1000/1000 score…………hurreyy !!

  47. el_zwergo
    November 10th, 2011

    gratulation … but this is the wrong page :) we discuss here exam 642-637

  48. syed
    November 11th, 2011

    Cleared ASA & IPS and going for Secure, please confirm which dumps are valid?

  49. biggo
    November 11th, 2011

    Pass SECURE yesterday, 9XX
    Use
    http://www.4shared.com/document/kLuvtEGx/642-637_new.html by Zahoor

    one new D&D which about routing authen
    two question that not in this paper.

    Good luck

  50. syed
    November 11th, 2011

    @biggo: Congrats!!

    What about simulation and hotspot same as in dumps?

  51. sandy
    November 11th, 2011

    congrats biggo
    thx for sharing the dumps, could u just tell me whether u got the same simulation or there were any changes waiting for ur reply… bye

  52. sandy
    November 11th, 2011

    hey syed could u just tell me which dumps shal i refer for ASA plz…

  53. syed
    November 11th, 2011

    @Sandy: 86 questions dump availabe on same forum (642-617)…I used the same

  54. sandy
    November 11th, 2011

    any idea are they still valid?

  55. sandy
    November 11th, 2011

    but it nowhere says 86, only 80q dumps from jay is with the highest rating are u talking about the same dumps?

  56. syed
    November 11th, 2011
  57. syed
    November 11th, 2011

    @Sandy: not sure about it but this version is still available on P4S site means still valid

  58. Reno
    November 11th, 2011

    Hello, I just got my CCNA security and I want to move to CCNP sec, I thought that the best will be to start with SECURE, do you guys think it’s ok? or should I start with FIREWALL first? also, can you provide information about dumps, training videos and labs?

    Thanks!

  59. Anonymous
    November 11th, 2011

    I passed the exam today with 9xxx, follow the comments on this forum and the dump from:-

    http://www.examcollection.com/cisco/Cisco.ActualTests.642-637.v2011-10-26.by.Chips.89q.vce.file.html

    you will be safe.

    WARNING:- The Pass4sure dump is not valid, so many wrong answers, be careful !!!!!!!!!

  60. Reno
    November 12th, 2011

    Can anyone help me with a link for a study guide or books for CCNP security? I was thinking of buying the books but it is too expensive for me here in Chile. I think I can afford 2 of them, I need to get the SECURE and the FIREWALL, can anyone help me?

    Also are there any CBT nuggets videos in some place?
    Thanks!

  61. syed
    November 12th, 2011

    @Anonymous:Which P4S dump you are talking about?

  62. Anonymous
    November 12th, 2011

    @syed, just forget the pass4sure dump for SECURE, use the one provided by my link above.

  63. Ishrath
    November 13th, 2011

    where i can get ccna security lab packet tracer

  64. CCNP SEC
    November 13th, 2011

    Preparing CCNP SECURITY SECURE, does anyone have the book CCNP SECURITY SECURE QUICK REFERENCE?
    If yes please be kind and show us a link?

    Regards

  65. syed
    November 14th, 2011

    @Anonymous: Thanks, what about LAB and hotspot, is it same given in dumps?

  66. TIGGER
    November 15th, 2011

    Hi All,

    I am just about to start the track for CCSP, any recommendations for which exam to start first and also for practice with labs.

    Thanks for any responses.

  67. niljos
    November 16th, 2011

    hi thanks to Steak&Chips

    yesterday cleared exam with 939 most of questions were from Steak&Chips file

    D & D and simulations were same

    In GET VPN Scenario sh crypto gdoi ks & sh crypto gdoi ks member commands not worked

    but this scenario is easy you can guess the answer from options also

    R1 is member router ip 192.168.1.1 & R2 is server router ip 192.168.2.2

    5 to 6 questions were new

    1) one question was on ipsec gre tunnel

    2)one question was on ips disable signature

    3) one question was on dhcp server with static mapping & with dhcp snooping problem facing user for connectivity, answer I chose clear arp option

    4)on dvti there was one new question

    in case i recall i will post other questions

  68. syed
    November 16th, 2011

    @nilhos: what about the book or nuggets, or you have just used dumps?

  69. Anonymous
    November 16th, 2011

    nugget & book both are useful

  70. niljos
    November 16th, 2011

    nugget & book both are useful

  71. Mahesh_P
    November 16th, 2011

    Thanks Steak&Chips..

    Just passed SECURE exam..
    I used “http://www.examcollection.com/cisco/Cisco.ActualTests.642-637.v2011-10-26.by.Chips.89q.vce.file.html”

    Simulation is the same and also drag and drop sorts of questions..

    2-3 new questions could not remember all of them..

    one questions
    Give the config for auto update configured and given the Cisco server’s link..also some commands when to update and how many times in a week or so..

    and answers options were,
    auto update is configured to occur each day of week
    auto update is configured to occur once a week in between 12-6 on sunday.
    update is stored on the server at Cisco’s link.

    Thanks
    Mahesh

  72. Mahesh_P
    November 16th, 2011

    Also same thing happened with me..
    In GET VPN Scenario sh crypto gdoi ks & sh crypto gdoi ks member commands not worked

  73. mkh
    November 16th, 2011

    Guys, do the show crypto gdoi for GET VPN, that will give you info..thanks every 1 for the help and advise…you might like to have this as additional resource…this is “CCNP Security Secure Lab Guide”
    http://www.megaupload.com/?d=3217462I

    Thanks

  74. Steak&Chips
    November 16th, 2011

    Congrats to you guys Mahesh and Niljos.

    There is a new file up at ExamCollection
    http://www.examcollection.com/cisco/Cisco.ActualTests.642-637.v2011-11-02.by.Chips.92q.vce.file.html

    It has some of the new questions in as well as a few corrections. Quite a few people who have passed with a 900+ now by using that file.

  75. syed
    November 17th, 2011

    Can anyone provide nuggets and book link?

  76. Ratan
    November 17th, 2011

    Hi friends,
    I am now planning for 642-637 exam, but I am not able to understand from where I should start……please suggest me..

  77. Saleem
    November 18th, 2011

    Asalam alaikum..any one have secure labs in packet tracer or gns?????????????????

  78. Shahbaz
    November 19th, 2011

    i cleared the secure exam yesterday. Thanks to Steak&Chips.

  79. Mike
    November 19th, 2011

    Thanks Chips for creating the .vce. It was right on.
    I passed with no problem. Well almost, I accidentally skipped the simulator question. No worries at least I passed with a 878.

    There was a new question about what is a state of a signature that was compiled but not getting hits. Something like that,

    It then had Active, Inactive, Disabled and one other answer.

  80. Ratan
    November 20th, 2011

    Hi friends,
    plz share a link where we can download CBT about 642-637 exam

  81. EBL
    November 20th, 2011

    Please provide SECURE 642-637 Student Guide Link

  82. Anonymous
    November 21st, 2011

    Please provide SECURE 642-637 dumps for my id : soherwardiaa1@gmail.com

  83. sandy
    November 22nd, 2011

    guys plz can anyone send me vcemanager file full version setup file plz i need it urgent thx

  84. sandy
    November 24th, 2011

    heres the email sandy143j@gmail.com

  85. paul
    November 25th, 2011

    is the configuration for sims are correct in p4s, please advise. thanks

  86. Ratan
    November 26th, 2011

    Hey paul can u send me the pass4dumps for 642-637?….my E-mail id bhattacharya1988@gmail.com

  87. syed
    November 26th, 2011

    can anyone provide official guide?

  88. Anonymous
    November 27th, 2011

    where is the guide pdf material for secure ?

  89. syed
    November 28th, 2011

    I am appearing this week, pls provide link for study guide

  90. Amin
    November 28th, 2011

    Dear All I can download Secure CBT training …. http://www.filesonic.com/file/3190762975/cns1028-single-link.rar.html wish u all have a great live ahead ..

  91. syed
    November 28th, 2011

    @Amin, unable to download

  92. Saqib
    November 28th, 2011

    I passed the Exam today with 9xx. Some questions were new but you can pass the exam, if you prepared the Dumps.

    Thanks..

  93. syed
    November 28th, 2011

    @Saqib, which dumps did u use?

  94. Saqib
    November 28th, 2011
  95. syed
    November 29th, 2011

    @saquib, thanks what about book or nuggets or u just have used these dumps?

  96. Ratan
    November 29th, 2011

    Any one have cbt nuggets about 642-637 then plz share with us….

  97. syed
    November 29th, 2011

    @Saqib: Also pls confirm if there are any wrong answers in 92Q dump like D & D ?

  98. Saqib
    November 30th, 2011

    @syed use cbt nuggets.

  99. syed
    November 30th, 2011

    @Saqib: Please provide or send it to me @online.ghufran@gmail.com
