CCNA Security Chapter 8 - 2014

1. Refer to the exhibit. Based on the CCP screen that is shown, which two conclusions can be drawn about the IKE policy that is being configured? (Choose two.)
		It will use digital certificates for authentication.
	>>	It will use a predefined key for authentication.
	>>	It will use a very strong encryption algorithm.
		It will be the default policy with the highest priority.
		It is being created using the CCP VPN Quick Setup Wizard.
2. A network administrator is planning to implement centralized management of Cisco VPN devices to simplify VPN deployment for remote offices and teleworkers. Which Cisco IOS feature would provide this solution?
	>>	Cisco Easy VPN
		Cisco VPN Client
		Cisco IOS SSL VPN
		Dynamic Multipoint VPN
3. Which statement describes an important characteristic of a site-to-site VPN?
	>>	It must be statically set up.
		It is ideally suited for use by mobile workers.
		It requires using a VPN client on the host PC.
		It is commonly implemented over dialup and cable modem networks.
		After the initial connection is established, it can dynamically change connection information.
4. With the Cisco Easy VPN feature, which process ensures that a static route is created on the Cisco Easy VPN Server for the internal IP address of each VPN client?
		Cisco Express Forwarding
		Network Access Control
		On-Demand Routing
		Reverse Path Forwarding
	>>	Reverse Route Injection
5. Which two authentication methods can be configured when using the CCP Site-to-Site VPN wizard? (Choose two.)
		MD5
		SHA
	>>	pre-shared keys
		encrypted nonces
	>>	digital certificates
6. Which UDP port must be permitted on any IP interface used to exchange IKE information between security gateways?
		400
	>>	500
		600
		700
7. When verifying IPsec configurations, which show command displays the encryption algorithm, hash algorithm, authentication method, and Diffie-Hellman group configured, as well as default settings?
		show crypto map
		show crypto ipsec sa
	>>	show crypto isakmp policy
		show crypto ipsec transform-set
8. Refer to the exhibit. A site-to-site VPN is required from R1 to R3. The administrator is using the CCP Site-to-Site VPN wizard on R1. Which IP address should the administrator enter in the highlighted field?
		10.1.1.1
		10.1.1.2
		10.2.2.1
	>>	10.2.2.2
		192.168.1.1
		192.168.3.1
9. A user launches Cisco VPN Client software to connect remotely to a VPN service. What does the user select before entering the username and password?
		the SSL connection type
		the IKE negotiation process
	>>	the desired preconfigured VPN server site
		the Cisco Encryption Technology to be applied
10. What is the default IKE policy value for encryption?
		128-bit AES
		192-bit AES
		256-bit AES
		3DES
	>>	DES
11. Refer to the exhibit. Which two IPsec framework components are valid options when configuring an IPsec VPN on a Cisco ISR router? (Choose two.)
		Integrity options include MD5 and RSA.
		IPsec protocol options include GRE and AH.
	>>	Confidentiality options include DES, 3DES, and AES.
		Authentication options include pre-shared key and SHA.
	>>	Diffie-Hellman options include DH1, DH2, and DH5.
12. Refer to the exhibit. Based on the CCP settings that are shown, which Easy VPN Server component is being configured?
	>>	group policy
		transform set
		IKE proposal
		user authentication
13. Which action do IPsec peers take during the IKE Phase 2 exchange?
		exchange of DH keys
	>>	negotiation of IPsec policy
		verification of peer identity
		negotiation of IKE policy sets
14. When configuring an IPsec VPN, what is used to define the traffic that is sent through the IPsec tunnel and protected by the IPsec process?
		crypto map
	>>	crypto ACL
		ISAKMP policy
		IPsec transform set
15. What is required for a host to use an SSL VPN to connect to a remote network device?
		VPN client software must be installed.
		A site-to-site VPN must be preconfigured.
	>>	A web browser must be installed on the host.
		The host must be connected to a wired network.
16. What are two benefits of an SSL VPN? (Choose two.)
		It supports all client/server applications.
		It supports the same level of cryptographic security as an IPsec VPN.
	>>	It has the option of only requiring an SSL-enabled web browser.
		The thin client mode functions without requiring any downloads or software.
	>>	It is compatible with DMVPNs, Cisco IOS Firewall, IPsec, IPS, Cisco Easy VPN, and NAT.
17. When using ESP tunnel mode, which portion of the packet is not authenticated?
		ESP header
		ESP trailer
	>>	new IP header
		original IP header
18. How many bytes of overhead are added to each IP packet while it is transported through a GRE tunnel?
		8
		16
	>>	24
		32
19. Which two statements accurately describe characteristics of IPsec? (Choose two.)
		IPsec works at the application layer and protects all application data.
		IPsec works at the transport layer and protects data at the network layer.
	>>	IPsec works at the network layer and operates over all Layer 2 protocols.
		IPsec is a framework of proprietary standards that depend on Cisco specific algorithms.
		IPsec is a framework of standards developed by Cisco that relies on OSI algorithms.
	>>	IPsec is a framework of open standards that relies on existing algorithms.
20. Refer to the exhibit. A network administrator is troubleshooting a GRE VPN tunnel between R1 and R2. Assuming the R2 GRE configuration is correct and based on the running configuration of R1, what must the administrator do to fix the problem?
		Change the tunnel source interface to Fa0/0.
		Change the tunnel destination to 192.168.5.1.
		Change the tunnel IP address to 192.168.3.1.
	>>	Change the tunnel destination to 209.165.200.225.
		Change the tunnel IP address to 209.165.201.1.

Tags: CCNA Security Exam Answer CCNA Security Chapter Answer CCNA Security Answer CISCO Security Answer CISCO CCNA Security Security Chapter Answer CCNA Security Chapter 8 Exam Answer CCNA Security Chapter 8 Test Answer

<< CCNA Security Chapter 7 Answers

CCNA Security Chapter 8 Answers

CCNA Security Chapter 9 Answers >>