Open-ended questionsun.pdf
8/9/2019 Open-ended questionsun.pdf
1. What node defines the traffic to be encrypted in GET VPN?
Answer: Key server
2. What command do you need to enable proper IOS IPS processing of fragmented IP packets?
Answer: ip virtual-reassembly
3. What uRPF mode would you use in an environment with asymmetric routing enabled?
Answer: loose
4. What ACL keyword would you use to permit all valid returning TCP session traffic for sessions initiated from the protected network?
Answer: established
5. What IOS firewall mode does not support the inspection and filtering of peer-to-peer traffic?
Answer: transparent
6. What IOS feature allows you to configure RADIUS attributes locally per user?
Answer: IOS local AAA
www.CareerCert.info
http://www.careercert.info/
7. What is the RADIUS attribute name that specifies a per-user group-policy name for the ASA firewall?
Answer: class
8. There are two ARP dumps taken on interface e0, output A and output B. What happened in output B?
Output A
192.168.1.73 (mac ee:dd:aa:23:73) to 255.255.255.255: who has 192.168.1.51's mac address
192.168.1.51 (mac 11:22:33:44:51) to 192.168.1.73 (mac ee:dd:aa:23:73) reply: 192.168.1.51's mac address is 11:22:33:44:51
Output B
06:02:50.891192 arp reply 192.168.1.73 is-at 00:e0:4d:07:3b:ff (00:e0:4d:07:3b:ff)
06:02:51.951540 arp reply 192.168.1.73 is-at 00:e0:4d:07:3b:ff (00:e0:4d:07:3b:ff)
06:02:52.990617 arp reply 192.168.1.73 is-at 00:e0:4d:07:3b:ff (00:e0:4d:07:3b:ff)
Answer: Output B is learning 192.168.1.73's MAC address and replying with its own MAC address to 192.168.1.73.
9. There is a router with the following configuration:
ip inspect name myfw http
ip inspect name myfw tcp
ip inspect name myfw udp
interface <interface-id>
 ip inspect myfw in
 ip inspect myfw out
 ip access-group 101 in
access-list 101 permit tcp any host Webserver eq 80
access-list 101 deny ip any any
Given the configuration above, does CBAC do its work?
Answer: Yes
10. Write a method to prevent DoS attacks on the ASA.
Answer: TCP Intercept
11. Switches connect to an IPS. There are two VLANs; which trunk protocol will be used?
Answer: 802.1q
12. IPS 6.1 added a new feature that can automatically learn attacks and prevent them. Which feature?
Answer: Anomaly detection (AD)
13. There is a VPN that does not set up tunnels and can provide features such as native multicast. Write its full name.
Answer: Group Encrypted Transport (GET) VPN
14. What RFC outlined special-use IP address space from the A, B and C classes for IPv4?
Answer: RFC 3330
15. You are attempting to configure RIP version 2 so that it will unicast messages to its RIP neighbor. You have confirmed you have correctly configured the neighbor command on the device. What other command is required in this configuration?
Answer: passive-interface
16. What is the resulting trunk configuration for the devices shown?
hostname SW1
interface GigabitEthernet 0/9
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
hostname SW2
interface GigabitEthernet 0/9
 switchport trunk encapsulation dot1q
 switchport mode dynamic auto
Answer: Trunk off
19. What is the default behavior of a Catalyst switch if it receives a frame and has no entry for the destination MAC address in the CAM table?
Answer: Flood the frame
20. What command is used to create the remote SPAN VLAN in RSPAN?
Answer: remote-span
21. What Cisco Catalyst switch STP mechanism can produce an inconsistent state for a switch port?
Answer: Loop Guard
22. Your Cisco IPS sensor fired an alert for a non-malicious packet that was attempting to enter your network. What does Cisco term this type of condition?
Answer: False positive
24. Your Cisco IPS sensor fired an alert for a malicious packet that was attempting to enter your network. What is this condition termed by Cisco?
Answer: True positive
25. Your Cisco IPS sensor did not fire an alert when a non-malicious packet entered the network. What does Cisco term this event?
Answer: True negative
26. Describe the difference between the restrict and protect options of the Catalyst Port Security feature.
Answer: The protect option will prevent unauthorized MAC addresses from communicating through the port, but it sends no SNMP traps and does not increment the violation counter. Restrict mode does these things.
27. You need to limit traffic on your router to prevent DoS attacks. You are specifically concerned about traffic destined to the router itself as opposed to traffic passing through the router.
Answer: Control Plane Policing
28. At what layer of the OSI model does ISAKMP function?
Answer: Session
29. At what layer of the OSI model does S-HTTP function?
Answer: Application
31. You have learned that multicast uses RPF to guard against loops in multicast transmissions. What does RPF use to perform this check?
Answer: The routing table
32. How will a user be authenticated if the RADIUS servers respond with a FAIL message, given the following configuration?
aaa authentication enable default group radius enable
Answer: The user fails authentication
33. What OSPF authentication type supports the use of multiple authentication keys?
Answer: MD5
34. What is the default hash function used with the "secret" type of password encryption?
Answer: MD5
35. What is the command to stop the router from responding to address resolution requests sent to other hosts?
Answer: no ip proxy-arp
36. What Port Security violation mode does not send an SNMP trap when a violation occurs?
Answer: protect
37. When troubleshooting 802.1X, what command provides you with information about all AAA events associated with the protocol?
Answer: debug dot1x aaa
38. What privilege level is used for user mode on a Cisco router?
Answer: level one
39. You are considering the implementation of private VLANs in your ISP infrastructure. What type of port would you typically configure for interfaces that connect to systems that need to communicate with each other?
Answer: Community ports
40. What uRPF mode would you use with asymmetric routing?
Answer: loose mode
41. What is the minimum allowed value of the BGP keepalive timer in Cisco IOS (in seconds)?
Answer: one
42. What interface-level command would you use to prevent the Cisco switch from disabling its uplinks due to the "Loopback" cause?
Answer: no keepalive
43. How will a user be authenticated if the RADIUS servers fail to respond, given this configuration?
aaa authentication enable default group radius enable
Answer: Using the enable password to authenticate
44. SNMPv3 protects management information confidentiality by using...
Answer: Encryption
45. In order to reduce excessive flooding in an RSTP topology due to link flaps, what feature would you configure?
Answer: Port fast
46. What technology allows a router to monitor itself and avoid a series of ongoing SNMP GET requests?
Answer: Remote network monitoring
47. The BGP MD5 authentication hash is carried within which field?
Answer: TCP option
48. What check allows a router to see if a received packet arrives on the best return path to the source address of the packet?
Answer: Unicast reverse path forwarding
49. What is the name of the technique in which one host answers address resolution requests intended for another machine?
Answer: Proxy ARP
50. The BPDU that contains information about a root bridge with worse parameters than the one known to the switch is called:
Answer: Inferior BPDU
51. What technology allows a router to respond to a Layer 2 name resolution request of a host as if it were the destination host itself?
Answer: Proxy ARP
52. What keyword can ensure that DTP frames are not sent on an unconditional trunk link?
Answer: nonegotiate
53. What feature should you configure if network instabilities impose high load on the router CPU due to perpetual RPF re...
Answer: RPF backoff
54. Provide at least two examples of RFC 1700 addresses.
Answer: 127.0.0.1 and 0.0.0.0
55. You are configuring SNMP version 3 on your Cisco router. What keyword will allow you to permit a user to have read access to all MIB variables on the device, and what SNMP mechanism is used for this?
Answer: The keyword that should be used is INTERNET. This effectively includes all MIB variables in the view, since the Internet portion of the MIB tree is so high up. When configuring SNMPv3, you create a view, then a group to use this view, and then a user in the group.
56. What is the function of the command shown in the exhibit?
aaa new-model
Answer: This command changes the security method used by the device. It enables the use of Authentication, Authorization, and Accounting.
57. What is the purpose of the keyword local in the following command?
aaa authentication login default group radius local
Answer: This keyword provides a "backdoor" for access in the event the RADIUS servers are unavailable.
58. Examine the configuration shown. What happens when the RADIUS servers do not have account information for the user attempting to log in?
Answer: The user will be denied access to the network
59. What type of routing is supported with security contexts?
Answer: STATIC
60. Outline the core idea of the threat detection process in the ASA firewall.
Answer: The threat detection engine monitors various system counters, such as packet drops, policy violations, the number of connections exceeding thresholds, etc. Based on the rate of the various drop events, the firewall may generate an attack event.
61. Loop Guard will mark the port inconsistent if the port stops receiving...
Answer: Bridge protocol data units (BPDUs)
62. What is the protocol supported by the ASA firewall for scalable multicast routing?
Answer: PIM sparse-mode
63. What happens if a standby unit does not receive a response on the failover link, but receives a response on any other interface?
Answer: The standby unit does not perform failover, but the failover link is marked as non-functional. Manual intervention is required to fix the problem.
64. Name a type of IP addressing that is not supported in failover mode.
Answer: DHCP, PPPoE, IPv6
65. What is the implication of enabling outside dynamic NAT?
Answer: You have to configure a static NAT mapping for every outside IP that you need to access from the inside.
66. How many packets constitute the IKE Aggressive Mode exchange?
Answer: 3
67. With IKE Main Mode, pre-shared key authentication, and hostnames used for endpoint identity, what is used to look up the pre-shared key for the peer?
Answer: IP address
68. Describe the main benefits of using Virtual Tunnel Interfaces with
72. With EzVPN Remote in client mode, what EzVPN feature prevents the use of the device NAT configuration?
Answer: Split tunneling
74. What is the default MAC address-table aging time in Cisco switches, in seconds?
Answer: Three hundred seconds
75. Which Ethernet switching feature is used to stop the propagation of unnecessary broadcast and unknown unicast frames across trunk links?
Answer: VTP pruning
76. Which SNMP version 3 security level features authentication based on the MD5 or SHA algorithms but does not provide encryption?
Answer: authNoPriv
77. What version of SNMP includes built-in support for both encryption and authentication?
Answer: Version three
78. You want to protect against Layer 2 loops in the event of a unidirectional link failure. You also want to be protected against a problem caused by software on the router. What mechanism should you use?
Answer: Spanning tree protocol, Loop Guard
79. What feature helps to mitigate problems that are caused by malformed or forged IP source addresses passing through a router?
Answer: Unicast reverse path forwarding (uRPF)
81. Name one type of encryption key used with GET VPN.
Answer: KEK or TEK
82. Describe what methods can provide detection and control on a router.
Answer: IOS firewall; for example Stateful Packet Inspection (SPI), CBAC, ZFW, and so on
83. Your IPS sensor has failed to detect a malicious packet that entered
the network and caused damage. What is this termed by Cisco in security terminology?
Answer: False negative
84. What RFC outlines important special-use IPv4 addresses?
Answer: RFC 1918
85. What RFC provides information about defeating Denial of Service attacks through the use of network ingress filtering?
Answer: RFC 2827
86. The following are given as the ASA failover configuration requirements. Is this correct?
1. Same hardware model
2. Same software version
3. Same number of interfaces and interface types
4. Same flash
5. Same DRAM
6. Same operating mode
Answer: NO
87. In Easy VPN client configuration, you need to give the client an IP address as a loopback of the client. Which solution can succeed?
Answer: Client connect mode is client.
88. Please give four methods of IPS configuration.
Answer:
Two Layer 2 devices (no trunk)
Two Layer 2 devices (802.1q trunked)
Two Layer 3 devices
Bridging two VLANs
89. What name would you use with the IOS EzVPN server to lock the user EZVPN within the group GROUP?
Answer: EZVPN@GROUP
90. What IOS feature is used to request XAUTH credentials in http-intercept mode?
Answer: Auth-proxy
91. What IOS feature would you use to secure the router from port-scanning attacks?
Answer: Control plane protection
92. What command would you enter to prevent the router from generating ICMP Administratively Prohibited messages when dropping packets denied by an ACL?
Answer: no ip unreachables
93. In addition to permitting TCP Option 19, what other feature do you need to enable in order to permit BGP connections across the firewall?
Answer: No random sequencing
94. What is the password that the Cisco IOS router uses to download the EzVPN group policy from the RADIUS server?
Answer: cisco
95. What TACACS+ shell (exec) attribute do you need to modify in order to change the user's privilege level?
Answer: priv-lvl
96. What type of private VLAN allows communicating only with the promiscuous port?
Answer: Isolated VLAN
97. What IOS feature allows communication on the same subnet among protected switch ports by means of intermediate devices?
Answer: Local proxy
98. What Spanning Tree feature would you use to prevent a false root bridge injection?
Answer: Root Guard
99. What other ICMP message type, in addition to unreachable, do you need to permit in order to make the UNIX traceroute command work across the firewall?
Answer: Time-exceeded
100. What is the important step to do before loading IOS IPS v5.x
signature packages into the router in order to prevent memory starvation?
Answer: Retire all signatures and unretire only the needed ones. The full set of v5.x signatures could not be compiled due to the router's limited memory. Retired signatures are not compiled and don't consume memory.
101. What IPS feature allows for detection of new Internet worms?
Answer: Anomaly detection
102. What security feature would you use to prevent Man-in-the-Middle ARP-based attacks?
Answer: ARP inspection
103. What happens by default when two interfaces of the same security level attempt to pass packets on the ASA?
Answer: The packets are dropped
104. What command allows you to use your Management 0/0 interface
for data traffic on an ASA?
Answer: no management-only
105. What type of access-list is used on the ASA in a configuration that supports filtering for clientless SSL VPN?
Answer: webtype
106. What object-group type would you use to identify DNS (TCP/UDP), LDAP (TCP), and RADIUS (UDP) traffic?
Answer: object-group service
107. When would you prefer to use DMVPN over GET VPN for unicast traffic protection?
Answer: Due to its header preservation nature, GET VPN is best deployed within large corporate networks, such as company sites connected via MPLS VPNs, or corporate WANs. DMVPN hides the internal packet's IP addresses and thus is suitable for deployments over the Internet and public networks.
108. What is the order of operations for the "NAT" and "access-group" features when packets leave a router out of the "ip nat outside" interface?
Answer: The NAT features are applied first, followed by the access-group features.
109. What feature would you use to block packets based on a certain payload pattern?
Answer: Flexible Packet Matching
110. What is the main difference between the legacy TCP Intercept and CBAC TCP Intercept?
Answer: CBAC TCP Intercept actually works for both TCP and UDP sessions. CBAC interception is always on when you apply a CBAC rule to the interface, and you cannot specify the inspection scope. Lastly, CBAC allows enforcing per-host connection limits, which is not possible with legacy TCP Intercept.
111. Describe the limitations regarding vs0 on a Cisco IPS appliance.
Answer: The default virtual sensor is vs0. You cannot delete the default virtual sensor. The interface list, the AD operational mode, the inline TCP session tracking mode, and the virtual sensor description are the only configuration features you can change for the default virtual sensor. You cannot change the signature definition, event action rules, or anomaly detection policies.
112. Name three potential negative issues regarding Intrusion Prevention as opposed to Intrusion Detection approaches.
Answer:
1) Traffic is slowed on the network as a result of the Intrusion Prevention process. This is especially problematic for latency-sensitive apps.
2) False positives prevent traffic from entering the network.
3) Overrunning the sensor is a possibility and it can have a very detrimental effect.
113. What is the primary detection technology used by Cisco IPS?
Answer: Signature-based
114. What IPS evasion technique disguises the attack to conceal it using special characters or representations?
Answer: Obfuscation
115. What mode does an IDS/IPS appliance use for IDS operation?
Answer: Promiscuous
116. What mode does an IDS/IPS appliance use for IPS operation?
Answer: Inline
117. You want to ensure that when there is a failure on your ASA, there is no disruption of client connections. What must you configure?
Answer: Stateful Failover Link
118. Your adaptive security appliance is to function as the PIM RP. What address of the ASA should you use as the RP address?
Answer: The untranslated outside address
119. What transport protocol does RADIUS use in its operation?
Answer: User Datagram Protocol (UDP)
120. In the RADIUS packet exchange between a client and server, what is an A-V pair?
Answer: Attribute value
121. What message is sent in response to an Access-Request message from a RADIUS client if the username and password are correct?
Answer: Access
122. What command is used on a Cisco router in order to switch to the AAA security methodology?
Answer: aaa new-model
123. What is the transport protocol and port used by TACACS+? Answer in the format Protocol Port#.
Answer: TCP 49
124. What is unique about the way TACACS+ handles the AAA functions in comparison to RADIUS?
Answer: TACACS+ separates each of the three mechanisms of authentication, authorization, and accounting.
125. Which AAA protocol supports per-user access control lists?
Answer: TACACS+
126. Describe the difference in the approach to the encryption of packets between RADIUS and TACACS+ messages.
Answer: TACACS+ encrypts the entire body of its messages. RADIUS only encrypts the password in the Access-Request message.
127. How does RADIUS treat the functions of AAA?
Answer: RADIUS combines the authentication and authorization functions in its operation.
128. What hash algorithm features greater security than MD5 and features the use of a 160-bit
hash output?
Answer: SHA
129. What key security function do hashing algorithms provide? Answer in the format of a single word.
Answer: Integrity
130. What hashing algorithm takes a message of arbitrary length and produces an output of a 128-bit "fingerprint"?
Answer: MD5
131. What technology inserts a shared secret into a hash algorithm in order to eliminate the man-in-the-middle attacks possible with plain hashing?
Answer: Hash Message Authentication Code (HMAC)
132. What type of encryption technology uses two specially created mathematical keys in order to perform encryption and decryption? Use a single-word response.
Answer: symmetric
133. What type of security cipher technology operates on one digit at a time? Use a single-word response.
Answer: stream
134. What is often considered the main disadvantage of the use of asymmetric encryption algorithms?
Answer: They are slower than symmetric.
135. What is the purpose of the Diffie-Hellman algorithm in a secured infrastructure?
Answer: The Diffie-Hellman algorithm is used to obtain a shared secret key agreement between two devices over an insecure medium like the Internet.
136. What field can you use to distinguish between L2F and L2TP packets in the network? Use a single-word response.
Answer: version
137. IPsec tunnels data through IP using one of two different protocols.
Which of these two protocols does not provide for payload encryption?
Answer: Authentication Header (AH)
138. What IPsec mode features the encapsulation of the original Layer 3 header and payload inside of an IPsec packet? Use a single-word answer.
Answer: Tunnel
139. What type of public key cryptography does SSH rely upon?
Answer: RSA
140. What command enables a router as an SSH server by creating the public key?
Answer: crypto key generate rsa
141. What protocol do most VPDNs rely upon to encapsulate data in transit across a common network infrastructure?
Answer: Point-to-Point Protocol (PPP)
142. What VPDN protocol was invented by Cisco Systems as a method for
tunneling privately addressed IP systems over PPP or SLIP using a home gateway as the concentrator?
Answer: Layer 2 Forwarding Protocol (L2F)
143. What VPDN protocol was invented by Microsoft and provides a seamless integration of remote PPP-capable devices into the enterprise network?
Answer: Point-to-Point Tunneling Protocol (PPTP)
144. What type of tunnel is created when a PPP client directly negotiates a PPTP tunnel with the PPTP network server?
Answer: voluntary tunnel
145. PPTP tunnels can be encrypted through the use of what Microsoft technology?
Answer: Microsoft Point-to-Point Encryption (MPPE)
146. You must configure your ASA device to permit PPTP traffic. What protocol and port should you permit? Answer in the form protocol acronym:port#
Answer: TCP:1723
147. The header used in the PPTP encapsulation process is similar to what other header?
Answer: GRE
148. What PPTP tunnel type supports end-to-end confidentiality?
Answer: Voluntary tunnel
149. What standards-based VPDN protocol was a collaborative effort between Cisco, Microsoft and others?
Answer: L2TP
150. What device represents the client side of the L2TP network and typically exists on the switch infrastructure between remote dial-up nodes and the access server that terminates inbound PPP sessions?
Answer: L2TP Access Concentrator
151. A typical L2TP session resembles what type of PPTP tunnel?
Answer: Compulsory
152. L2TP uses what protocol to maintain control data and tunnel data simultaneously?
Answer: UDP
153. What field is used to distinguish L2F from L2TP?
Answer: The version field
154. What device resides on the server side of the L2TP VPDN?
Answer: L2TP network server
155. PE routers in an MPLS VPN typically use what protocol to carry VPNv4 addresses?
Answer: MP-BGP
156. What is typically used in order to provide confidentiality in an MPLS VPN?
Answer: IPsec
157. SSL VPNs are created at what layer of the OSI model?
Answer: Transport layer
158. What is the name of the 8-byte unique identifier used to identify a VPN in an MPLS VPN?
Answer: RD
159. In an IPsec VPN, security parameters, including keys used for symmetric encryption, are communicated securely using what protocol?
Answer: IKE
160. In an SSL VPN, what type of encryption is typically used for initial client/server authentication?
Answer: Public Key Encryption
161. In addition to multipoint GRE (mGRE), what other major technology is used to facilitate spoke-to-spoke DMVPN connections?
Answer: NHRP
162. The IKE protocol is used within what framework?
Answer: ISAKMP
163. A goal of IPsec is to provide confidentiality, authentication, nonrepudiation, and what else?
Answer: Integrity
164. Given the following ASA configuration:
access-list 102 permit tcp any host 192.168.1.1
class-map conn
 match access-group 102
policy-map conn
 class conn
  set connection embryonic-conn-max 1
service-policy conn interface outside
What technology has the same effect as this ASA MPF configuration?
Answer: TCP intercept
165. Proxy authentication uses TACACS+ or RADIUS to authenticate. What two protocols support proxy authentication?
Answer: HTTP and Telnet
166. What is an ASA object group?
Answer:
An object group can group like objects together. You can use the object group in an ACE instead of having to enter an ACE
for each object separately. You can create the following types of object groups:
protocol
network
service
ICMP type