QUESTION NO: 214
Pause
Connect
Do Nothing
Disconnect
Answer: A
QUESTION NO: 215
Refer to the exhibit. In this tunnel mode GRE multipoint example, which command on the hub router distinguishes one spoke from the other?
A. no ip route
B. ip nhrp map
C. ip frame-relay
D. tunnel mode gre multipoint
Answer: B
QUESTION NO: 216
A network engineer must configure a new VPN tunnel utilizing IKEv2. For which three reasons would a configuration use IKEv2 instead of IKEv1? (Choose three.)
A.
B.
C.
D.
E.
F.
Answer: BEF
QUESTION NO: 217
A network engineer is troubleshooting a site VPN tunnel configured on a Cisco ASA and wants to validate that the tunnel is sending and receiving traffic. Which command accomplishes this task?
A. show crypto ikev1 sa peer
B. show crypto ikev2 sa peer
C. show crypto ipsec sa peer
D. show crypto isakmp sa peer
Answer: C
QUESTION NO: 218
When troubleshooting clientless SSL VPN connections, which option can be verified on the client PC?
A. address assignment
B. DHCP configuration
C. tunnel group attributes
D. host file misconfiguration
Answer: C
QUESTION NO: 219
Which two commands are included in the command show dmvpn detail? (Choose two.)
A. Show ip nhrp
B. Show ip nhrp nhs
C. Show crypto ipsec sa detail
D. Show crypto session detail
E. Show crypto sockets
Answer: BD
QUESTION NO: 220
An engineer has integrated a new DMVPN to link remote offices across the internet using Cisco IOS routers. When connecting to remote sites, pings and voice data appear to flow properly and all tunnel stats seem to show that they are up. However, when trying to connect to a remote server using RDP, the connection fails. Which action resolves this issue?
A. Change DMVPN timeout values.
B. Adjust the MTU size within the routers.
C. Replace certificate on the RDP server.
D. Add RDP port to the extended ACL.
Answer: C
QUESTION NO: 221
Which feature is a benefit of Dynamic Multipoint VPN?
A.
B.
C.
D.
Answer: D
QUESTION NO: 222
An engineer has configured Cisco AnyConnect VPN using IKEv2 on a Cisco IOS router. The user cannot connect in the Cisco AnyConnect client, but receives an alert message "Use a browser to gain access." Which action does the engineer take to eliminate this issue?
A.
B.
C.
D.
Answer: C
QUESTION NO: 223
Refer to the exhibit. A network administrator is running DMVPN with EIGRP. When the administrator looks at the routing table on spoke 1, it displays a route to the hub only. Which command is missing on the hub router, which includes spoke 2 and spoke 3 in the spoke 1 routing table?
A. no inverse arp
B. neighbor (ip address)
C. no ip split-horizon eigrp 1
D. redistribute static
Answer: A
QUESTION NO: 224
Which algorithm provides both encryption and authentication for plane communication?
A. RC4
B. SHA-384
C. AES-256
D. SHA-96
E. 3DES
F. AES-GCM
Answer: F
QUESTION NO: 225
Refer to the exhibit. Client 1 cannot communicate with Client 2. Both clients are using Cisco AnyConnect and have established a successful SSL VPN connection to the hub ASA. Which command on the ASA is missing?
A.
B.
C.
D.
Answer: B
QUESTION NO: 226
Which statement regarding GET VPN is true?
A. When you implement GET VPN with VRFs, all VRFs must be defined in the GDOI group configuration on the key server.
B. The pseudotime that is used for replay checking is synchronized via NTP.
C. Group members must acknowledge all KEK and TEK rekeys, regardless of configuration.
D. TEK rekeys can be load-balanced between two key servers operating in COOP.
E. The configuration that defines which traffic to encrypt is present only on the key server.
Answer: E
QUESTION NO: 227
Which two statements comparing ECC and RSA are true? (Choose two.)
A.
B.
C.
D.
E.
Key
ECC
Key
ECC
ECC
Answer: BC
QUESTION NO: 228
Which two options are purposes of the key server in Cisco IOS GETVPN? (Choose two.)
A.
B.
C.
D.
to
to
to
to
Answer: AD
QUESTION NO: 229
Refer to the exhibit
What is the purpose of the given configuration?
A.
B.
C.
D.
Answer: C
QUESTION NO: 230
Refer to the exhibit. The IKEv2 site-to-site VPN tunnel between two routers is down. Based on the debug output, which type of mismatch might be the problem?
A. transform set
B. peer identity
C. PSK
D. Crypto policy
Answer: B
QUESTION NO: 231
What URL do you use to download a packet capture file in a format which can be used by a packet analyzer?
A. https://<hostname>/<capture_name>/pcap
B. ftp://<hostname>/<capture_name>/
C. https://<asdm_enabled_interface:port>/<capture_name>
D. https://<asdm_enabled_interface:port>/admin/capture/<capture_name>/pcap
Answer: D
QUESTION NO: 232
Refer to the exhibit. An engineer is troubleshooting a new GRE over IPSEC tunnel. The tunnel is established, but the engineer cannot ping from spoke 1 to spoke 2. Which type of traffic is being blocked?
A.
B.
C.
D.
spoke2
to spoke1
spoke1
to spoke2
Answer: C
QUESTION NO: 233
A user is experiencing issues connecting to a Cisco AnyConnect VPN and receives this error message:
"The AnyConnect package on the secure gateway could not be located. You may be experiencing network connectivity issues. Please try connecting again."
Which option is the likely cause of this issue?
A.
B.
C.
D.
Answer: C
QUESTION NO: 234
Which two operational advantages does GetVPN offer over site-to-site IPsec tunnel in a private MPLS-based core network? (Choose two.)
A. Key servers perform encryption and decryption of all the data in the network, which allows for tight security policies.
B. Traffic uses one VRF to encrypt data and a different one to decrypt data, which allows for multicast traffic isolation.
C. GETVPN is tunnel-less, which allows any group member to perform decryption and routing around network failures.
D. Packets carry original source and destination IP addresses, which allows for optimal routing of encrypted traffic.
E. Group Domain of Interpretation protocol allows for homomorphic encryption, which allows group members to operate on messages without decrypting them.
Answer: BC
QUESTION NO: 235
What are two benefits of DMVPN Phase 3? (Choose two.)
A. It introduces hierarchical DMVPN deployments.
B. It introduces non-hierarchical DMVPN deployments.
C. Administrators can use summarization of routing protocol updates from hub to spokes.
D. It supports L2TP over IPSec as one of the VPN protocols.
Answer: AC
QUESTION NO: 236
Which command identifies an AnyConnect profile that was uploaded to an IOS router's flash?
A.
B.
C.
D.
Answer: D or B
QUESTION NO: 237
An administrator received a report that a user cannot connect to the headquarters site using Cisco AnyConnect and receives this error: "The installer was not able to start the Cisco VPN client, clientless access is not available." Which option is a possible cause for this error?
A. The client version of Cisco AnyConnect is not compatible with the Cisco ASA software image.
B. The operating system of the client machine is not supported by Cisco AnyConnect.
C. The driver for Cisco AnyConnect is outdated.
D. The installed version of Java is not compatible with Cisco AnyConnect.
Answer: A
QUESTION NO: 238
Certificates
Pre-shared keys
RSA public keys
Diffie-Hellman Group 2
Answer: B
QUESTION NO: 239
What is the name of the transform set being used on the ISR?
A. Default
B. ESP AES ESP-SHA HMAC
C. SP-AES-256-MD5-TRANS
D. TSET
Answer: B
QUESTION NO: 240
In what state is the IKE security association in on the Cisco ASA?
A.
B.
C.
D.
Answer: C
QUESTION NO: 241
Which crypto map tag is being used on the Cisco ASA?
A. outside_cryptomap
B. VPN-to-ASA
C. L2L-Tunnel
D. outside_map1
Answer: D
key ring
DH group
integrity
tunnel name
encryption
Answer: BCE
QUESTION NO: 243
Which command can be used to troubleshoot an IPv6 FlexVPN spoke-to-hub connectivity failure?
A.
B.
C.
D.
show
show
show
show
crypto
crypto
crypto
crypto
Answer: A
QUESTION NO: 244
Refer to the exhibit. An engineer encounters a debug message. Which action can the engineer take to eliminate this error message?
A. Use stronger encryption suite.
B. Correct the VPN peer address.
C. Make adjustment to IPSec replay window.
D. Change the preshared key to match.
Answer: C
QUESTION NO: 245
Which three parameters are specified in the isakmp (IKEv1) policy? (Choose three.)
A. the authentication method
B. the transform-set
C. the hashing algorithm
D. the session key
E. the lifetime
F. the peer
Answer: ACE
QUESTION NO: 246
Refer to the exhibit. What is the problem with the IKEv2 site-to-site VPN tunnel?
A. incorrect PSK
B. incorrect tunnel group
C. crypto access list mismatch
D. crypto policy mismatch
E. incorrect certificate
Answer: C
Refer to the exhibit. A customer cannot establish an IKEv2 site-to-site VPN tunnel between two Cisco ASA devices. Based on the syslog message, which action can bring up the VPN tunnel?
A.
B.
C.
D.
E.
F.
Answer: A
QUESTION NO: 248
Which three parameters must match on all routers in a DMVPN Phase 3 cloud? (Choose three.)
A.
B.
C.
D.
E.
F.
Answer: DEF
QUESTION NO: 249
Which option is an example of an asymmetric algorithm?
A. 3DES
B. RSA
C. IDEA
D. AES
Answer: B
QUESTION NO: 250
Which VPN feature allows remote access clients to print documents to local network printers?
A. loopback addressing
B. split tunneling
C. dynamic virtual tunnels
D. Reverse Route Injection
Answer: B
QUESTION NO: 251
Refer to the exhibit
sec VPIV tunnel?
A. Pre-Shared Key
B. transform set
C. crypto access list
D. Phase 1 policy
Answer: A
A.
B.
C.
D.
E.
Answer: BD
QUESTION NO: 253
Which two features are required when configuring a DMVPN network? (Choose two.)
A. Dynamic crypto map
B. IPsec encryption
C. GRE tunnel interface
D. Next Hop Resolution Protocol
E. Dynamic routing protocol
Answer: CD
QUESTION NO: 254
Refer to the exhibit. VPN load balancing provides a way to distribute remote access, IPsec, and SSL VPN connections across multiple security appliances. Which remote access client types does the load balancing feature support?
A.
B.
C.
D.
Answer: D
QUESTION NO: 255
Which two are features of GETVPN but not DMVPN and FlexVPN?
(Choose two.)
A.
B.
C.
D.
E.
Answer: BE
QUESTION NO: 256
Using the Next Generation Encryption technologies, which is the minimum acceptable encryption level to protect sensitive information?
A. AES 92 bits
B. AES 128 bits
C. AES 256 bits
D. AES 512 bits
Answer: B
QUESTION NO: 257
An engineer is troubleshooting a DMVPN spoke router and sees a CRYPTO-4-IKMP_BAD_MESSAGE debug message that a spoke router failed its sanity check or is malformed. Which issue does the error message indicate?
A.
B.
C.
D.
Answer: A
QUESTION NO: 258
You are troubleshooting DMVPN NHRP registration failure. Which command can you use to view request counters?
A. show ip nhrp tunnel
B. show ip nhrp nhs detail
C. show ip nhrp incomplete
D. show ip nhrp incomplete tunnel tunnel_interfaceo number
Answer: B
QUESTION NO: 259
Refer to the exhibit. Which VPN solution does this configuration represent?
A. site-to-site
B. FlexVPN
C. GETVPN
D. DMVPN
Answer: C
QUESTION NO: 260
Refer to the exhibit. Which technology does this configuration demonstrate?
A. AnyConnect SSL over IPv4+IPv6
B. AnyConnect FlexVPN over IPv4+IPv6
C. AnyConnect SSL IPv6+IPv4
D. AnyConnect Flex VPN IPv6+IPv4
Answer: B
QUESTION NO: 261
If Web VPN bookmarks are grayed out on the home screen, which action should you take to begin troubleshooting?
A.
B.
C.
D.
Answer: B
Which address pool is being assigned to the users connecting via the AnyConnect client?
A. AC_Address_Pool
B. Remote_Address
C. GutSide_Address_Pool
D. VPN_Address_Pool
Answer: D
QUESTION NO: 263
10.10.15.40-50/24
209.165.201.20-30/24
192.168.1.100-150/24
10.10.15.20-30/24
Answer: D
QUESTION NO: 264
Which two networks will be included in the secured VPN tunnel? (Choose two.)
A. 10.10.9.0/16
B. All networks will be securely tunneled.
C. Networks with a source of any4
D. 10.10.9.0/24
E. DM/network
Answer: AE