module 13

CCNP 2
Chapter 13

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Which critical functions are provided by VPNs?(Choose three.)

confidentiality of information X
integrity of data X
authorization of users
authentication of users X
WAN management
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Which IPSec element represents a policy contract between two peers or hosts?

AH
SA X
HMAC
ESP
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A network administrator is defining an IPSec security policy for the network. Phase one consists of determining the IKE policies between IPSec peers. What factors must the administrator consider when developing the policies in this first phase?

number and location of the peers X
routing protocols in use on the peers
crypto maps in use on the peers
peer details such as IPSec transform sets and IPSec modes
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Which statement characterizes the use of confidentiality and authentication of the Encapsulating Security Payload (ESP) in an IPSec packet?

both are required
confidentiality is required and authentication is optional
authentication is required and confidentiality is optional
both are optional but at least one must be selected X
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Which command will show default and any configured IKE policies?

show running-config
show crypto isakmp policy X
show crypto map
show crypto ipsec transform-set
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Which are benefits of IKE? (Choose three.)

eliminates the need for dynamic allocation of peers
eliminates the need to manually specify all IPSec security parameters in crypto maps at both peers X
allows IPSec to provide anti-replay services X
allows the user to manually specify a lifetime for the IPSec SA X
eliminates encryption key changes during a session
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
What are two reasons why transforms esp-md5-hmac and esp-sha-hmac are used more frequently than transforms ah-md5-hmac and ah-sha-hmac? (Choose two.)

They use fewer CPU resources.
They provide more data integrity. X
They are compatible with NAT and PAT. X
They eliminate the need for esp-null.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Which two statements are true about the crypto isakmp identity {address | hostname} command? (Choose two.)

the hostname parameter is used by default
the address parameter is used by default X
the command is entered at the interface level
the command is entered at the global level X
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
What does the command RTA(config-isakmp)#group 1 add to a crypto ISAKMP policy?

DES encryption
sha-1 message integrity algorithm
768 bit key exchange parameter X
1024 bit key exchange parameter
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
In the command crypto isakmp key keystring address peer-address, what are two requirements for the keystring? (Choose two.)

up to 128 bits
up to 128 bytes X
alphanumeric characters only X
alphanumeric and special characters
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Which access list command will block ISAKMP access on an interface that is not used for IPSec to prevent possible denial-of-service attacks?

access-list 102 deny ahp host 172.30.2.2 host 172.30.1.2 eq isakmp
access-list 102 deny esp host 172.30.2.2 host 172.30.1.2 eq isakmp
access-list 102 deny udp host 172.30.2.2 host 172.30.1.2 eq isakmp X
access-list 102 deny tcp host 172.330.2.2 host 172.30.1.2 eq isakmp
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Which technology provides optional anti-replay services?

Internet Key Exchange (IKE)
Internet Security Association and Key Management Protocol (ISAKMP)
Security Association (SA)
Encapsulating Security Payload (ESP) X
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
When are transform sets negotiated?

during quick mode IKE phase two X
during crypto mode IKE phase two
during quick mode IKE phase one
during crypto mode IKE phase one
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Which four encryption methods provide symmetric encryption? (Choose four.)

secret key X
DES X
RSA
3DES X
public key
AES X
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Which security technique is used to ensure that messages can only be read by intended receivers?

encryption X
encoding
modulation
compression
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Which algorithm methods provide asymmetric encryption?(Choose two.)

Secret Key
DES
RSA X
3DES
Public Key X
AES
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Crypto access-lists perform which two functions when protecting data? (Choose two.)

outbound - indicate data flow to be protected X
inbound - indicate data flow to be protected
outbound - select traffic to be sent in clear text
inbound - select traffic to be sent in clear text
outbound - filter and discard traffic that should have been protected
inbound - filter and discard traffic that should have been protected X
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Which statement characterizes IPSec transport mode in the diagram?



HOST A and HR server are using IPSec to encrypt data X
RTA , RTB, HOST A and HR SERVER are using IPSec to encrypt data
HOST A and HR SERVER are using RSA to encrypt data
RTA and RTB are using RSA to encrypt data
RTA and RTB are using IPSec to encrypt data
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
What two components make up a VPN? (Choose two.)

authentication
encryption X
public network
private network
tunneling X
_________________