
QUIZ3_CCNP2_V5.0

1 High availability must be configured on router RTE using the dead peer detection (DPD) mechanism. DPD must be configured to detect
the dead peer as soon as possible, include a 10-second frequency, and use a 5-second retry interval. Which global configuration
command would correctly configure router RTE to do so?
crypto isakmp keepalive 10
crypto isakmp keepalive 10 5
crypto isakmp keepalive 10 on-demand
crypto isakmp keepalive 10 5 periodic
crypto isakmp keepalive 10 5 on-demand

2 What is the first step when launching the SDM Easy VPN Server wizard to set up an IPsec VPN server?
Configure the IKE proposals.
Configure Diffie-Hellman group 1, 2, or 5.
Select the encryption algorithm.
Select the interface for terminating IPsec.
Select either tunnel or transport mode.

3 Which two statements are true about the use of SDM to configure a site-to-site VPN between two Cisco routers? (Choose two.)
The SDM will allow a site-to-site VPN to be configured. However, Cisco IOS command-line interface experience is still required.
Although the SDM can configure a site-to-site VPN, it is not a function of the SDM to autodetect misconfigurations and propose fixes.
The SDM module that can be used to configure a site-to-site VPN is only available for the Cisco 2800 and 3800 series routers.
The SDM can autodetect site-to-site VPN misconfigurations and propose fixes.
With the use of SDM, no Cisco IOS command-line interface experience is required to configure a site-to-site VPN.
To configure site-to-site VPNs on Cisco 1800 and 2800 series routers, an SDM upgrade must be downloaded from www.cisco.com.

4 What are the two components of Cisco Easy VPN? (Choose two.)
Cisco Easy VPN GRE
Cisco Easy VPN Router wizard
Cisco Easy VPN Remote
Cisco Easy VPN One-Click wizard
Cisco Easy VPN Server

5 What are two features of the Internet Key Exchange (IKE) protocol? (Choose two.)
automatic key regeneration
can be used as a replacement of IPsec
negotiation of SA characteristics
packet encryption
tunnel negotiation

6

Refer to the exhibit. On the basis of the information that is displayed in the VPN Wizard configuration summary, which two statements
are true? (Choose two.)
A VPN peer must support one of the two IKE policies.
A VPN peer must support both IKE policies.
The inside FastEthernet interface must have an IP address in subnet 10.1.1.0/24.
The inside FastEthernet interface must have an IP address in subnet 10.1.2.0/24.
The mode that is chosen encrypts data but does not encrypt the IP header.
The mode that is chosen encrypts both the data and the IP header.

7 Which statement is true about secure GRE tunnels?


GRE has built-in encryption which provides cryptographically strong confidentiality.
GRE has built-in security features to secure any type of traffic.
IPsec can be used to secure OSI Layer 3 traffic across a GRE tunnel.
The transmission is secure because GRE encapsulates the datagram.

8 Which two statements about the Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols are true? (Choose
two.)
With the use of ESP in transport mode, only the data portion of the original IP datagram is encrypted.
With the use of ESP in transport mode, only the IP header portion of the original IP datagram is encrypted.
With the use of ESP in transport mode, both the IP header and data portion of the original IP datagram are encrypted.
AH can only be deployed in transport mode.
AH can only be deployed in tunnel mode.
Tunnel mode and transport mode can be deployed with either ESP or AH or both.

9

Refer to the exhibit. High availability has been configured on router RTE by using the dead peer detection (DPD) mechanism. Router RTA must be
the primary peer, and router RTB the backup peer. Which set of commands would correctly configure this on router RTE?

crypto map MYMAP 10 ipsec-isakmp
 set peer 10.1.2.1 default
 set peer 10.1.2.2

crypto map MYMAP 10 ipsec-isakmp
 set peer 10.1.2.1 dynamic
 set peer 10.1.2.2

crypto map MYMAP 10 ipsec-isakmp
 set peer 198.133.219.100 default
 set peer 198.133.219.200

crypto map MYMAP 10 ipsec-isakmp
 set peer 198.133.219.100 dynamic
 set peer 198.133.219.200

10 Which statement is true about Internet Key Exchange (IKE)?


An administrator must manually specify all of the IPsec security parameters at both peers.
Encryption keys can only change after an IPsec session has ended.
IKE provides anti-replay services.
Dynamic authentication of peers is not permitted.

11 Which statement is true about creating a new VPN connection entry in the Cisco VPN client?
Transparent tunneling must be enabled.
Mutual Group Authentication is selected by default in the Authentication tab.
The Name field in the Group Authentication form in the Authentication tab is case sensitive.
The Connection Entry field is case sensitive.

12

Refer to the exhibit. On the basis of the provided information, which two statements must be true? (Choose two.)
Interface Fa1 of router RTB is on the 192.168.200.0 /24 network.
The command crypto map MYMAP has been issued on interface Fa1 of router RTA.
The command ip address 192.168.191.2 255.255.255.0 has been issued on interface Fa1 of router RTA.
Router RTA has been configured with the command access-list 120 permit ip 192.168.200.0 0.0.0.255 192.168.0.0 0.0.0.255.
Router RTA has been configured with the command crypto ipsec transform-set MYMAP esp-des.
The output was generated by the show crypto isakmp command.

13

Refer to the exhibit. A tunnel is established between routers RTA and RTB. Which two statements are true about traffic that flows from
network A to network B? (Choose two.)


Traffic cannot flow between network A and network B until NAT is activated on RTA.
Because access-list 101 does not permit TCP or UDP, traffic will not be encrypted.
Routers inside the Internet will see packets with the destination IP address of 128.107.155.2.
Routers inside the Internet will see packets with the destination IP address of 192.168.0.2.
Traffic will go through an IPsec tunnel.
Traffic will go through a GRE tunnel.

14

Refer to the exhibit. Which task would specify the encryption algorithm, authentication algorithm, and key exchange method to be used
when negotiating a VPN connection with the remote device?
Selecting the interface on which the client connections will terminate.
Configuring IKE policies.
Configuring an IPSec transform set.
Configuring a group policy lookup method.
Configuring user authentication.
Configuring group policies on the local router.

15 Which statement about transparent tunneling is true when a new VPN connection entry is made in the Cisco VPN client?
When IPsec over UDP is selected, the port number is negotiated.
When IPsec over TCP is selected, the port number is negotiated.
The default mode is IPsec over TCP.
When IPsec over TCP is selected, the port numbers of the client and the gateway do not have to match.

16 Which statement about high availability for IOS IPsec VPNs is true?
Cisco IOS keepalive messages are sent by internal hosts to detect the active Hot Standby Routing Protocol (HSRP) enabled router.
Dead peer detection (DPD) messages are sent by internal hosts to detect if the active HSRP enabled router is still active.
DPD messages are routinely sent between IKE enabled routers when IPsec traffic is flowing.
DPD and IOS keepalive features cannot be used in conjunction with multiple peers.
When outbound IPsec traffic must be sent and the peer does not respond, the router sends a DPD message to the peer.

17 With the Cisco Easy VPN Remote feature, which three devices can be configured to act as remote VPN clients? (Choose three.)
Cisco IOS routers
Cisco VPN 3002 hardware clients
Cisco VPN 3008 concentrators
Cisco VPN 3010 hardware clients
Cisco IDS sensors
Cisco PIX firewalls

18 Which three statements about GRE tunnels over IPsec are true? (Choose three.)
GRE allows the use of routing protocols across the tunnel.
GRE is a tunneling protocol developed by the ISO.
GRE has very secure protocols built-in to provide secure transit of traffic across the tunnel.
GRE tunnels are stateless.
GRE tunnels can be used to encapsulate IP, IPX, and AppleTalk protocols.
GRE tunnels over IPsec will not encrypt other Layer 3 protocols such as IPX.

19

Refer to the exhibit. A GRE tunnel must be configured between routers RTA and RTB. Assume that router RTB has been correctly
configured. Which set of commands would correctly configure router RTA to encrypt traffic destined for router RTB?

interface Tunnel0
 tunnel source FastEthernet0
 tunnel destination 172.16.3.1

interface Tunnel0
 tunnel source FastEthernet0
 tunnel destination 172.16.13.2

interface Tunnel0
 tunnel source FastEthernet0
 tunnel destination 192.168.23.3

interface Tunnel0
 tunnel source Serial0
 tunnel destination 172.16.3.1

interface Tunnel0
 tunnel source Serial0
 tunnel destination 172.16.13.2

interface Tunnel0
 tunnel source Serial0
 tunnel destination 192.168.23.3

20

Refer to the exhibit. Which set of commands would correctly configure this router to display the output that is generated for policy 20 in
the exhibit?

crypto isakmp policy 20
 hash md5
 authentication rsa-sig
 group 1
 lifetime 5000

crypto isakmp policy 20
 authentication pre-share
 lifetime 10000

crypto isakmp policy 20
 hash sha
 authentication rsa-sig
 group 1

crypto isakmp policy 20
 hash sha
 group 1
 lifetime 10000
