Question No. 46
Which of these is true regarding tunnel configuration when deploying a Cisco ISR as a DMVPN hub router?
A. Only one tunnel can be created per tunnel source interface.
B. Only one tunnel can be created and should be associated with a loopback interface for dynamic redundancy.
C. The GRE tunnel key is used to encrypt the traffic going through the tunnel through the hub.
D. You can run multiple parallel DMVPNs on the hub router, but each tunnel requires a unique tunnel key.
Task 4 creates the mGRE tunnel interface. Enter the interface tunnel command and then configure basic GRE parameters. The tunnel mode gre multipoint command designates the tunnel interface as mGRE and the tunnel source command specifies the physical interface to which the GRE tunnel is bound. The tunnel key command is required and must match the tunnel key configured on the spokes. This command allows network administrators to run more than one DMVPN at a time on the same router. The GRE tunnel key therefore uniquely identifies the DMVPN.
Question No. 47
Which information is displayed when you enter the Cisco IOS command show epm session?
A. Enforcement Policy Module sessions
B. External Proxy Mappings, per authenticated sessions
C. Encrypted Policy Management sessions
D. Enhanced Protected Mode sessions
Question No. 48
Step 1 – The VPN Client initiates IKE Phase 1.
Step 2 – The VPN Client establishes an ISAKMP SA.
Step 3 – The Easy VPN Server accepts the SA proposal.
Step 4 – The Easy VPN Server initiates a username and password challenge.
Step 5 – The mode configuration process is initiated.
Step 6 – The RRI process is initiated.
Step 7 – IPSec quick mode completes the connection process.
Question No. 49
In an 802.1X environment, which feature allows for non-802.1X-supported devices such as printers and fax machines to authenticate?
D. 802.1X guest VLAN
Question No. 50
Which protocol is EAP encapsulated in for communications between the authenticator and the authentication server?
Note: EAPOL is used between the supplicant and the authenticator, while RADIUS is used between the authenticator and the authentication server.
Question No. 51
You are a network administrator that is deploying a Cisco router that needs to support both PAT and site-to-site VPN on one public IP address. In order to make both work simultaneously, how should the NAT configuration be set up?
A. The VPN configuration should be set up with a static NAT configuration.
B. Because PAT does support AH, the VPN tunnel must not be configured with Encapsulating Security Payload (ESP).
C. An ACL should be attached to the nat command to permit the NAT traffic and deny the VPN traffic.
D. The nat configuration command needs to include a range of IP addresses with the overload word on the end.
E. A route-map should be used with the nat command to support the use of AH and ESP.
F. The ip nat inside command needs to exclude the VPN source address in the NAT pool.
Question No. 52
When uploading an IPS signature package to a Cisco router, what is required for the upload to self-extract the files?
A. the idconf on the end of the copy command
B. a public key on the Cisco router
C. IPS must be disabled on the upload interface
D. HTTP Secured server must be enabled
First, the signature package must be downloaded from Cisco.com. Go to the download section of Cisco.com and navigate to Products > Security > Integrated Router/Switch Security > Integrated Threat Control > Cisco IOS Intrusion Prevention System Feature Software > IOS IPS Signature Data File. Download the latest package, which should have a filename in the format IOS-Sxxx-CLI.pkg. Put the file on the server from which you will transfer it to the router. Use the copy command to transfer the file to the router’s idconf alias. This causes the router to download and unpack the contents of the file (XML files).
Question No. 53
Which of these allows you to add event actions globally based on the risk rating of each event, without having to configure each signature individually?
A. event action summarization
B. event action filter
C. event action override
D. signature event action processor
Question No. 54
You are troubleshooting reported connectivity issues from remote users who are accessing corporate headquarters via an IPsec VPN connection. What should be your first step in troubleshooting these issues?
A. issue a show crypto isakmp policy command to verify matching policies of the tunnel endpoints
B. ping the tunnel endpoint
C. run a traceroute to verify the tunnel path
D. debug the connection process and look for any error messages in tunnel establishment
Page 398 - Very Important - several questions are drawn from this troubleshooting flow.
Follow these steps to proceed through the recommended flow for troubleshooting IKE peering:
Step 1. Verify peer reachability using the ping and traceroute commands with the tunnel source and destination IP addresses on both peers. If connectivity is verified, proceed to Step 2; otherwise, check the path between the two peers for routing or access (firewall or access list) issues.
Step 2. Verify the IKE policy on both peers using the show crypto isakmp policy command. Debug messages revealed by the debug crypto isakmp command will also point out IKE policy mismatches.
Step 3. Verify IKE peer authentication. The debug crypto isakmp command will display unsuccessful authentication.
Step 4. Upon successful completion of Steps 1–3, the IKE SA should be established. This can be verified with the show crypto isakmp sa command by looking for a state of QM_IDLE.
Question No. 55
Which command will enable a SCEP interface when you are configuring a Cisco router to be a certificate server?
A. scep enable (under interface configuration mode)
B. crypto pki scep enable
C. grant auto
D. ip http server
Question No. 56
Which solution on a Cisco router requires the loading of a protocol header definition file (PHDF)?
A. Reflexive access control lists
C. Flexible Packet Matching
D. Control Plane Policing
FPM is implemented using a filtering policy that is divided into four tasks:
Question No. 57
Refer to the exhibit. Assuming that all other supporting configurations are correct, what can be determined from the partial IP admission configuration shown?
A. The router will forward authentication requests to a AAA server for authentication and authorization.
B. The user maint3nanc3 will have complete CLI command access once authenticated.
C. After a period of 20 minutes, the user will again be required to provide authentication credentials.
D. The authentication proxy will fail, because the router's HTTP server has not been enabled.
E. All traffic entering interface G0/1 will be intercepted for authentication, but only Telnet traffic will be authorized.
Question No. 58
When performing NAT, which of these is a limitation you need to account for?
A. exhaustion of port number translations
B. embedded IP addresses
C. security payload identifiers
D. inability to provide mutual connectivity to networks with overlapping address spaces
Question No. 59
Cisco IOS Software displays the following message: DHCP_SNOOPING_5-DHCP_SNOOPING_MATCH_MAC_FAIL. What does this message indicate?
A. The message indicates that an attacker is pretending to be a DHCP server on an untrusted port.
B. The source MAC address in the Ethernet header does not match the address in the "chaddr" field of the DHCP request message.
C. The message indicates that the DHCP snooping has dropped a DHCP message that claimed an existing, legitimate host is present on an unexpected interface.
D. A Layer 2 port security MAC address violation has occurred on an interface that is set up for untrusted DHCP snooping.
Actual log from a switch configured for DHCP snooping:
007850: Nov 26 09:02:55.484 CET: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPRELEASE, chaddr: 0016.4487.6527, MAC sa: 0017.422e.d204
The switch logging message basically says that the MAC address of the client contained in the chaddr (client hardware address) field of the DHCP message does not match the source MAC address of the frame in which the DHCP message is encapsulated. In other words, the interface for which the DHCP message was created does not match the interface through which the message was actually transmitted.
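As an added example (not part of the original question set), this Python snippet parses the DHCP_SNOOPING_MATCH_MAC_FAIL syslog message quoted above, normalizes the Cisco dotted-hex MAC addresses, and counts how many dropped frames each Ethernet source MAC has sent. The second and third log lines in the sample are constructed for illustration; only the first is the switch log from the page.

```python
import re
from collections import Counter

# Pattern for the IOS DHCP snooping syslog message discussed above: it captures
# the DHCP message type, the chaddr field and the Ethernet source MAC (MAC sa).
MATCH_MAC_FAIL = re.compile(
    r"%DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL:.*?"
    r"message type:\s*(?P<msg_type>\w+),\s*"
    r"chaddr:\s*(?P<chaddr>[0-9a-fA-F.]+),\s*"
    r"MAC sa:\s*(?P<mac_sa>[0-9a-fA-F.]+)"
)

def normalize_mac(mac: str) -> str:
    """Cisco dotted-hex (0016.4487.6527), colon or dash notation -> 00:16:44:87:65:27."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def parse_match_mac_fail(line: str):
    """Return the parsed fields for a MATCH_MAC_FAIL line, or None for any other line."""
    m = MATCH_MAC_FAIL.search(line)
    if not m:
        return None
    return {"msg_type": m.group("msg_type"),
            "chaddr": normalize_mac(m.group("chaddr")),
            "mac_sa": normalize_mac(m.group("mac_sa"))}

def find_chaddr_mismatches(lines):
    """One finding per dropped DHCP message, plus a per-source-MAC count so a
    host repeatedly sending frames with a foreign chaddr stands out."""
    findings = [f for f in map(parse_match_mac_fail, lines) if f]
    by_source = Counter(f["mac_sa"] for f in findings)
    return findings, by_source

# Sample input: the switch log line quoted above, plus a constructed benign
# line and a constructed second MATCH_MAC_FAIL from the same source MAC.
SAMPLE_LOG = [
    "007850: Nov 26 09:02:55.484 CET: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: "
    "DHCP_SNOOPING drop message because the chaddr doesn't match source mac, "
    "message type: DHCPRELEASE, chaddr: 0016.4487.6527, MAC sa: 0017.422e.d204",
    "007851: Nov 26 09:03:01.100 CET: %LINK-3-UPDOWN: Interface Gi0/5, changed state to up",
    "007852: Nov 26 09:03:07.210 CET: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: "
    "DHCP_SNOOPING drop message because the chaddr doesn't match source mac, "
    "message type: DHCPDISCOVER, chaddr: 0016.4487.9999, MAC sa: 0017.422e.d204",
]
```

Running find_chaddr_mismatches(SAMPLE_LOG) yields two findings and shows 00:17:42:2e:d2:04 as the source of both dropped frames, which is the host a network operator would inspect first.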
Question No. 60
Which two types of deployments can be implemented for a zone-based policy firewall? (Choose two.)
A. routed mode
B. interzone mode
C. fail open mode
D. transparent mode
E. inspection mode