Ensurepass

 

 

QUESTION 361

Which statement describes the function of rekey messages?

 

A.

They prevent unencrypted traffic from passing through a group member before registration.

B.

They refresh IPsec SAs when the key is about to expire.

C.

They trigger a rekey from the server when configuring the rekey ACL.

D.

They authenticate traffic passing through a particular group member.

 

Correct Answer: B

Explanation:

Rekey messages are used to refresh IPsec SAs. When the IPsec SAs or the rekey SAs are about to expire, one single rekey message for a particular group is generated on the key server. No new IKE sessions are created for the rekey message distribution. The rekey messages are distributed by the key server over an existing IKE SA. Rekeying can use multicast or unicast messages. Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_getvpn/configuration/xe-3s/sec-get-vpn-xe-3s-book/sec-get-vpn.html
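As an added example (not part of the original question or the Cisco document it cites), here is a minimal IOS GET VPN configuration showing where the rekey parameters live on the key server and how little a group member needs. Group number, names, addresses and lifetimes are assumed values.

```cisco
! ---- Key server (assumed address 10.0.0.1) ----
! ISAKMP phase 1 is needed only for the initial GDOI registration of each
! member; a rekey is pushed over the existing SA and opens no new IKE session.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key GETVPN-PSK address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set GETVPN-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile GETVPN-PROFILE
 set transform-set GETVPN-TS
 ! TEK (traffic) SA lifetime; the KS sends a rekey shortly before it expires
 set security-association lifetime seconds 3600
!
! Policy ACL pushed to every member: never encrypt GDOI control traffic
! (UDP 848) or the multicast range, encrypt everything else between sites.
ip access-list extended GETVPN-ACL
 deny   udp any eq 848 any eq 848
 deny   ip any 224.0.0.0 15.255.255.255
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
crypto gdoi group GETVPN
 identity number 1234
 server local
  ! rekey messages are signed with this RSA key pair so members can verify them
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey algorithm aes 256
  ! KEK (rekey SA) lifetime; the KS rekeys the KEK before it expires
  rekey lifetime seconds 86400
  rekey retransmit 10 number 2
  ! unicast rekey: each member gets its own acknowledged copy.
  ! "rekey transport multicast" plus "rekey address ipv4 <acl>" would use
  ! a multicast group instead.
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-ACL
   replay time window-size 5
  address ipv4 10.0.0.1
!
! ---- Group member ----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key GETVPN-PSK address 10.0.0.1
!
! No transform set, no crypto ACL, no peer list: all of that is pushed by the KS.
crypto gdoi group GETVPN
 identity number 1234
 server address ipv4 10.0.0.1
!
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN
!
interface GigabitEthernet0/0
 ip address 10.1.0.2 255.255.255.0
 crypto map GETVPN-MAP
```

Generate the signing key pair on the key server first (`crypto key generate rsa general-keys label GETVPN-REKEY modulus 2048`), otherwise members cannot authenticate rekeys. `show crypto gdoi ks rekey` on the key server and `show crypto gdoi` on a member show the remaining KEK and TEK lifetimes and the rekey counters, which is where a mis-set lifetime or a member that missed a rekey shows up.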

 

 

QUESTION 362

Which three statements about GET VPN are true? (Choose three.)

 

A.

It encrypts WAN traffic to increase data security and provide transport authentication.

B.

It provides direct communication between sites, which reduces latency and jitter.

C.

It can secure IP multicast, unicast, and broadcast group traffic.

D.

It uses a centralized key server for membership control.

E.

It enables the router to configure tunnels.

F.

It maintains full-mesh connectivity for IP networks.

 

Correct Answer: ABD

Explanation:

Cisco GET VPN Features and Benefits

Feature: Key Services

Description and Benefit: Key Servers are responsible for ensuring that keys are granted to authenticated and authorized devices only. They maintain the freshness of the key material, pushing rekey messages as well as security policies on a regular basis. The chief characteristics include:

Key Servers can be located centrally, granting easy control over membership.

Key Servers are not in the "line of fire": encrypted application traffic flows directly between VPN end points without a bottleneck or an additional point of failure.

Supports both local and global policies, applicable to all members in a group, such as "permit any any", a policy to encrypt all traffic.

Supports IP Multicast to distribute and manage keys, for improved efficiency; Unicast is also supported where IP Multicast is not possible.

Feature: Scalability and Throughput

Description and Benefit: The full mesh nature of the solution allows devices to communicate directly with each other, without requiring transport through a central hub; this minimizes extra encrypts and decrypts at the hub router; it also helps minimize latency and jitter.

Efficient handling of IP Multicast traffic by using the core network for replication can boost effective throughput further.

Feature: Security

Description and Benefit: Provides data security and transport authentication, helping to meet security compliance and internal regulation by encrypting all WAN traffic.

 

Reference: http://www.cisco.com/c/en/us/products/collateral/security/group-encrypted-transport-vpn/product_data_sheet0900aecd80582067.html

 

 

QUESTION 363

Refer to the exhibit. If the traffic flowing from network 192.168.254.0 to 172.16.250.0 is unencrypted, which two actions must you take to enable encryption? (Choose two.)

 

[Exhibit image not reproduced: clip_image002]

 

A.

Configure the transform-set on R2 to match the configuration on R1.

B.

Configure the crypto map on R2 to include the correct subnet.

C.

Configure the ISAKMP policy names to match on R1 and R2.

D.

Configure the crypto map names to match on R1 and R2.

E.

Configure the Diffie-Hellman keys used in the ISAKMP policies to be different on R1 and R2.

 

Correct Answer: AB

Explanation:

A transform set combines an encryption method and an authentication method. During the IPsec security association negotiation with ISAKMP, the peers agree to use a particular transform set to protect a particular data flow, so the transform set must be the same on both peers. In addition, the crypto map on R2 references the access list named VPN, which matches 172.16.0.0/16 as the source; a crypto ACL must list the router's own local subnet (here 192.168.0.0/16) as the source and the remote subnet as the destination, and the peer's crypto ACL must be the exact mirror image. Because traffic from 192.168.254.0 never matches R2's crypto ACL, it leaves the router in clear text. Crypto map names and ISAKMP policy names are locally significant and do not need to match (C and D are wrong), and both peers must use the same Diffie-Hellman group, not different ones (E is wrong).
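As an added illustration (not the exhibit's configuration, which is not reproduced here), the following is a working pair of crypto-map configurations for the two sites, with the crypto ACL on each side written as the mirror image of the other. Interface names, public addresses, the /24 masks and the pre-shared key are assumptions.

```cisco
! ---- R2: local LAN 192.168.254.0/24, peer R1 at 203.0.113.1 ----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 ! the DH group must be the same on both peers
 group 14
crypto isakmp key VPN-PSK address 203.0.113.1
!
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACL: source = OWN local subnet, destination = REMOTE subnet.
! The fault described above is a 172.16.0.0/16 source here, which this
! router's own traffic from 192.168.254.0 can never match.
ip access-list extended VPN
 permit ip 192.168.254.0 0.0.0.255 172.16.250.0 0.0.0.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set VPN-TS
 match address VPN
!
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 crypto map VPN-MAP
!
! ---- R1: local LAN 172.16.250.0/24, peer R2 at 203.0.113.2 ----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key VPN-PSK address 203.0.113.2
!
! Same algorithms as R2's transform set; the NAME is locally significant
! and deliberately differs here to show that it need not match.
crypto ipsec transform-set R1-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Mirror image of R2's crypto ACL
ip access-list extended TO-R2
 permit ip 172.16.250.0 0.0.0.255 192.168.254.0 0.0.0.255
!
! Crypto map name need not match R2's either
crypto map R1-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set R1-TS
 match address TO-R2
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map R1-MAP
```

After sending interesting traffic, `show crypto ipsec sa` on either router should list the local and remote identities as the two /24s with `#pkts encaps` and `#pkts decaps` incrementing; a zero encaps counter with an established ISAKMP SA is the classic symptom of a crypto ACL that does not match the traffic.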

 

 

QUESTION 364

DRAG DROP

[Exhibit image not reproduced: clip_image004]

 

Correct Answer:

[Answer image not reproduced: clip_image006]

 

 

QUESTION 365

Refer to the exhibit. Which statement is true about a valid IPv6 address that can be configured on interface tunnel0?

 

[Exhibit image not reproduced: clip_image008]

 

A.

There is not enough information to calculate the IPv6 address.

B.

6to4 tunneling allows you to use any IPv6 address.

C.

2001:7DCB:5901::/128 is a valid IPv6 address.

D.

2002:7DCB:5901::/128 is a valid IPv6 address.

 

Correct Answer: D

Explanation:

Most IPv6 networks use autoconfiguration, which requires the last 64 bits for the host. The first 64 bits are the IPv6 prefix. The first 16 bits of the prefix are always 2002:, the next 32 bits are the IPv4 address, and the last 16 bits of the prefix are available for addressing multiple IPv6 subnets behind the same 6to4 router. Since the IPv6 hosts using autoconfiguration already have determined the unique 64 bit host portion of their address, they must simply wait for a Router Advertisement indicating the first 64 bits of prefix to have a complete IPv6 address. A 6to4 router will know to send an encapsulated packet directly over IPv4 if the first 16 bits are 2002, using the next 32 as the destination, or otherwise send the packet to a well-known relay server, which has access to native IPv6.

Reference: http://en.wikipedia.org/wiki/6to4
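As an added example (not from the original question or the Wikipedia article it cites), this is the IOS 6to4 tunnel configuration that corresponds to answer D. The exhibit is not reproduced, so the tunnel source address 125.203.89.1 is derived from the answer itself (0x7D.0xCB.0x59.0x01); interface names are assumed.

```cisco
ipv6 unicast-routing
!
! IPv4 side: the address embedded in the 6to4 prefix
interface GigabitEthernet0/0
 ip address 125.203.89.1 255.255.255.0
!
interface Tunnel0
 no ip address
 ! 2002::/16 followed by the 32-bit IPv4 source in hex (7DCB:5901) gives the
 ! site's 6to4 /48. The remaining 16 prefix bits and the 64-bit interface ID
 ! are free to choose; the answer's form, with both left at zero, is used here.
 ipv6 address 2002:7DCB:5901::/128
 tunnel source GigabitEthernet0/0
 tunnel mode ipv6ip 6to4
!
! Every 2002::/16 destination is reachable through the tunnel: the router
! extracts the IPv4 address from bits 16-47 of the IPv6 destination and uses
! it as the outer IPv4 destination, so no per-peer tunnel is configured.
ipv6 route 2002::/16 Tunnel0
!
! Everything else goes to a 6to4 relay. 192.88.99.1 is the RFC 3068 anycast
! relay address, i.e. 2002:C058:6301:: in 6to4 form.
ipv6 route ::/0 Tunnel0 2002:C058:6301::
```

Two caveats a practitioner should know: RFC 7526 deprecated the anycast relay prefix in 2015, so the default route above only works where a relay still answers, and 6to4 encapsulation carries no authentication at all, so any host on the IPv4 Internet can inject packets that appear to come from inside 2002:7DCB:5901::/48 unless the tunnel endpoint filters them.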

 

 

QUESTION 366

Which technology is not necessary to set up a basic MPLS domain?

 

A.

IP addressing

B.

an IGP

C.

LDP or TDP

D.

CEF

E.

a VRF

 

Correct Answer: E

Explanation:

A basic MPLS domain needs only IP addressing, an IGP (so that every label switch router can reach the others' loopbacks and learns the prefixes to which labels are bound), CEF (the forwarding path on which labels are imposed and swapped) and a label distribution protocol, LDP or the older Cisco-proprietary TDP. A VRF is not required: VRFs belong to MPLS Layer 3 VPNs, which run on top of the label-switched domain. The simplest form of VRF implementation is VRF Lite. In this implementation, each router within the network participates in the virtual routing environment in a peer-based fashion. While simple to deploy and appropriate for small to medium enterprises and shared data centres, VRF Lite does not scale to the size required by global enterprises or large carriers, as there is the need to implement each VRF instance on every router, including intermediate routers. VRFs were initially introduced in combination with MPLS, but VRF proved to be so useful that it eventually evolved to live independently of MPLS. This is the historical explanation of the term VRF Lite: the usage of VRFs without MPLS.

Reference: http://en.wikipedia.org/wiki/Virtual_routing_and_forwarding
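As an added example (not part of the original question), this is the complete configuration of one label switch router in a basic MPLS domain, showing that exactly the four ingredients from the question are needed and no VRF appears anywhere. Addresses, interface names and the OSPF process number are assumed; each other router in the domain gets the same configuration with its own addresses.

```cisco
! 1. IP addressing and an IGP. LDP binds labels to the prefixes the IGP
!    carries, and LDP sessions are formed between the loopbacks it advertises.
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
router ospf 1
 router-id 10.255.0.1
 network 10.0.0.0 0.255.255.255 area 0
!
! 2. CEF. Label imposition and swapping are done on the CEF forwarding path;
!    "mpls ip" does not forward labeled packets without it.
ip cef
!
! 3. A label distribution protocol. LDP is the standard; TDP is the legacy
!    Cisco-proprietary predecessor.
mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
! Enable label switching on every core-facing link
interface GigabitEthernet0/0
 ip address 10.0.12.1 255.255.255.0
 mpls ip
!
interface GigabitEthernet0/1
 ip address 10.0.13.1 255.255.255.0
 mpls ip
```

`show mpls ldp neighbor` confirms the LDP sessions came up between loopbacks, and `show mpls forwarding-table` shows a label for every IGP prefix. `ping mpls ipv4 10.255.0.2/32` (the LSP ping of RFC 4379 discussed in question 369 below) then tests the actual label-switched path to a neighbour's loopback rather than the IP path.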

 

 

QUESTION 367

What is the main component of Unified MPLS?

 

A.

Multiple IGPs in the network are used, where the loopback IP addresses of the PE routers are aggregated on the area border routers.

B.

Confederations are used to provide scalability.

C.

The loopback prefixes from one IGP area are redistributed into BGP without changing the next hop.

D.

The ABR is a BGP route reflector and sets next-hop to self for all reflected routes.

 

Correct Answer: D

Explanation:

Since the core and aggregation parts of the network are integrated and end-to-end LSPs are provided, the Unified MPLS solution is also referred to as "Seamless MPLS." New technologies or protocols are not used here, only MPLS, Label Distribution Protocol (LDP), IGP, and BGP. Since you do not want to distribute the loopback prefixes of the PE routers from one part of the network into another part, you need to carry the prefixes in BGP. The Internal Border Gateway Protocol (iBGP) is used in one network, so the next hop address of the prefixes is the loopback prefix of the PE router, which is not known by the IGP in the other parts of the network. This means that the next hop address cannot be used to recurse to an IGP prefix. The trick is to make the ABR routers Route Reflectors (RR) and set the next hop to self, even for the reflected iBGP prefixes. In order for this to work, a new knob is needed, because by default a route reflector leaves the next hop of reflected routes unchanged: the "next-hop-self all" form of the neighbor command applies next-hop-self to reflected iBGP routes as well.

Reference: http://www.cisco.com/c/en/us/support/docs/multiprotocol-label-switching-mpls/mpls/116127-configure-technology-00.html
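As an added example (not from the original question or the Cisco document it cites), this is the BGP configuration of an ABR sitting between the core IGP and one aggregation IGP in a Unified MPLS design, plus the aggregation PE behind it. The AS number, loopbacks and peer addresses are assumed; the ABR's own loopback is taken to be 10.1.255.10.

```cisco
! ---- ABR: route reflector for its aggregation area, labeled-unicast peer
!      towards the core. PE loopbacks travel in BGP, never between IGPs. ----
router bgp 65000
 bgp log-neighbor-changes
 ! core-facing peer (core RR or remote ABR)
 neighbor 10.255.0.10 remote-as 65000
 neighbor 10.255.0.10 update-source Loopback0
 ! aggregation-facing PE
 neighbor 10.1.255.1 remote-as 65000
 neighbor 10.1.255.1 update-source Loopback0
 !
 address-family ipv4
  neighbor 10.255.0.10 activate
  ! carry an MPLS label with each IPv4 prefix (RFC 3107 labeled unicast),
  ! which is what stitches the LSP across the IGP boundary
  neighbor 10.255.0.10 send-label
  neighbor 10.255.0.10 next-hop-self all
  neighbor 10.1.255.1 activate
  neighbor 10.1.255.1 route-reflector-client
  neighbor 10.1.255.1 send-label
  ! The knob from the explanation: rewrite the next hop to self on REFLECTED
  ! routes too. Plain "next-hop-self" leaves reflected iBGP routes untouched,
  ! so the aggregation PE would receive a remote PE loopback as next hop that
  ! its own IGP cannot resolve, and the route would stay inaccessible.
  neighbor 10.1.255.1 next-hop-self all
 exit-address-family
!
! ---- Aggregation PE ----
interface Loopback0
 ip address 10.1.255.1 255.255.255.255
!
router bgp 65000
 neighbor 10.1.255.10 remote-as 65000
 neighbor 10.1.255.10 update-source Loopback0
 address-family ipv4
  ! advertise only the loopback into BGP; the other areas' IGPs never learn it
  network 10.1.255.1 mask 255.255.255.255
  neighbor 10.1.255.10 activate
  neighbor 10.1.255.10 send-label
 exit-address-family
```

On the aggregation PE, `show bgp ipv4 unicast labels` should show a remote PE loopback with the ABR as next hop and both an in and out label; if the next hop is still the remote loopback, the `all` keyword is missing on the ABR. Note that the ABR becomes a label-swapping point in the data path and, as the single next hop for everything beyond it, a place where a bad label allocation or a compromised device affects every LSP through that area.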

 

 

QUESTION 368

For which feature is the address family “rtfilter” used?

 

A.

Enhanced Route Refresh

B.

MPLS VPN filtering

C.

Route Target Constraint

D.

Unified MPLS

 

Correct Answer: C

Explanation:

With Multiprotocol Label Switching (MPLS) VPN, the internal Border Gateway Protocol (iBGP) peer or Route Reflector (RR) sends all VPNv4 and/or VPNv6 prefixes to the PE routers. The PE router drops the VPNv4/VPNv6 prefixes for which there is no importing VPN routing and forwarding (VRF) instance. In other words, the RR sends the PE prefixes it does not need, which wastes processing power on both the RR and the PE, and wastes bandwidth. With Route Target Constraint (RTC), the RR sends only wanted VPNv4/VPNv6 prefixes to the PE. "Wanted" means that the PE has a VRF importing the specific prefixes. RFC 4684 specifies Route Target Constraint (RTC). The support is through a new address family, rtfilter, which applies to both VPNv4 and VPNv6.

Reference: http://www.cisco.com/c/en/us/support/docs/multiprotocol-label-switching-mpls/mpls/116062-technologies-technote-restraint-00.html
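As an added example (not from the original question or the Cisco document it cites), this is the configuration that turns Route Target Constraint on between a route reflector and one PE. AS number, route targets and loopback addresses are assumed.

```cisco
! ---- Route reflector (assumed loopback 10.255.0.10) ----
router bgp 65000
 neighbor 10.255.0.1 remote-as 65000
 neighbor 10.255.0.1 update-source Loopback0
 !
 address-family vpnv4
  neighbor 10.255.0.1 activate
  ! extended communities carry the route targets; without them RTC has
  ! nothing to filter on
  neighbor 10.255.0.1 send-community extended
  neighbor 10.255.0.1 route-reflector-client
 exit-address-family
 !
 ! RT membership NLRI (RFC 4684): the PE advertises the route targets its
 ! VRFs import, and the RR thereafter sends only VPNv4/VPNv6 routes that
 ! carry one of those RTs, instead of the full table.
 address-family rtfilter unicast
  neighbor 10.255.0.1 activate
  neighbor 10.255.0.1 route-reflector-client
 exit-address-family
!
! ---- PE (assumed loopback 10.255.0.1) ----
vrf definition CUST-A
 rd 65000:100
 address-family ipv4
  ! this import RT is what the PE announces in the rtfilter address family
  route-target import 65000:100
  route-target export 65000:100
 exit-address-family
!
router bgp 65000
 neighbor 10.255.0.10 remote-as 65000
 neighbor 10.255.0.10 update-source Loopback0
 address-family vpnv4
  neighbor 10.255.0.10 activate
  neighbor 10.255.0.10 send-community extended
 exit-address-family
 address-family rtfilter unicast
  neighbor 10.255.0.10 activate
 exit-address-family
```

`show bgp rtfilter unicast` on either side lists the RT membership entries being exchanged; if the PE's VPNv4 table is still receiving routes for RTs it does not import, the rtfilter address family did not come up (check that both peers activated it and that the session was reset after the change).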

 

 

QUESTION 369

Refer to the exhibit. What does the return code 3 represent in this output?

 

[Exhibit image not reproduced: clip_image010]

 

A.

The mapping of the replying router for the FEC is different.

B.

The packet is label-switched at stack depth.

C.

The return code is reserved.

D.

The upstream index is unknown.

E.

The replying router was the proper egress for the FEC.

 

Correct Answer: E

Explanation:

Return Codes

The Return Code is set to zero by the sender. The receiver can set it to one of the values listed below. The notation <RSC> refers to the Return Subcode. This field is filled in with the stack-depth for those codes that specify that. For all other codes, the Return Subcode MUST be set to zero.

Value  Meaning
-----  -------
    0  No return code
    1  Malformed echo request received
    2  One or more of the TLVs was not understood
    3  Replying router is an egress for the FEC at stack-depth <RSC>
    4  Replying router has no mapping for the FEC at stack-depth <RSC>

Reference: https://www.ietf.org/rfc/rfc4379.txt

 

 

QUESTION 370

Which two values comprise the VPN ID for an MPLS VPN? (Choose two.)

 

A.

an OUI

B.

a VPN index

C.

a route distinguisher

D.

a 16-bit AS number

E.

a 32-bit IP address

 

Correct Answer: AB

Explanation:

Each MPLS VPN ID defined by RFC 2685 consists of the following elements: an Organizationally Unique Identifier (OUI), a 3-octet hexadecimal number assigned by the IEEE, and a VPN index, a 4-octet hexadecimal number that identifies the VPN within the organization. The VPN ID is separate from the route distinguisher (C): the RD only makes VPNv4 prefixes unique inside BGP, whereas the VPN ID identifies the VPN itself to other systems.

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_l3_vpns/configuration/15-mt/mp-l3-vpns-15-mt-book/mp-assgn-id-vpn.html

 
