CCNA Security - Chapter 8 Exam Answers Page 1 of 16

Home Exams Cisco Smartphone Tablet Contacts

CCNA CCNA Security - Chapter 8 CHERCHER

CCNA Exploration
Exam Answers DANS LE SITE

v4 search...
CCNA Security
Cisco CCNA Security, chapter 8 SEARCH
Exam.
Questions and answers 100% correct. CCIE Security Bootcamp UK
WEBMESTRE
Khawar Butt, famous quadruple
Joomla! 1. What are two benefits of an SSL VPN? (Choose two.) CCIE Produced 300 CCIEs. Pass
Guaranteed
It supports all client/server applications. [Link]
[Link]
It supports the same level of cryptographic security
Extensions
as an IPsec VPN. Instant UK VPN £3.99pm
Une vidéo de Low cost, fast VPN. Access UK
It has the option of only requiring an SSL-enabled media anywhere. Bypass web
Joomla! web browser. filters.
[Link]
Navigateurs The thin client mode functions without requiring any
Wordpress downloads or software.
It is compatible with DMVPNs, Cisco IOS Firewall,
IPsec, IPS, Cisco Easy VPN, and NAT.
LOGIN
FORMATION DU
CEGEP 2. When verifying IPsec configurations, which show
command displays the encryption algorithm, hash Username
Cisco CCNA
algorithm, authentication method, and Diffie-Hellman
Java group configured, as well as default settings? Password
Microsoft SQL show crypto map

Novell Netware show crypto ipsec sa Remember Me

Recherche show crypto isakmp policy

d'emplois show crypto ipsec transform-set LOGIN

Linux Ubuntu
3. When configuring a site-to-site IPsec VPN using the Forgot your
[Link]
CLI, the authentication pre-share command is password?
configured in the ISAKMP policy. Which additional peer Forgot your
authentication configuration is required?
WEB username?
Configure the message encryption algorithm with
Create an
Hébergement the encryptiontype ISAKMP policy configuration
account
[Link] command.
Configure the DH group identifier with the
Hébergement 1&1
groupnumber ISAKMP policy configuration
command.

[Link] 01/02/2011
CCNA Security - Chapter 8 Exam Answers Page 2 of 16

Configure a hostname with the crypto isakmp

SONDAGE
identity hostname global configuration
command. Quel type de
Configure a PSK with the crypto isakmp key téléphone intelligent
global configuration command. possédez-vous?

Android
4. Which action do IPsec peers take during the IKE Phase
BlackBerry
2 exchange?
iPhone
exchange of DH keys
negotiation of IPsec policy Palm

verification of peer identity Nokia/Symbian

negotiation of IKE policy sets
Windows
Mobile
5. A network administrator is planning to implement
Je n'ai pas
centralized management of Cisco VPN devices to
téléphone
simplify VPN deployment for remote offices and
intelligent.
teleworkers. Which Cisco IOS feature would provide
this solution? VOTE RESULTS

Cisco Easy VPN

Cisco VPN Client
Cisco IOS SSL VPN
Dynamic Multipoint VPN

6. Which two statements accurately describe

characteristics of IPsec? (Choose two.)
IPsec works at the application layer and protects all
application data.
IPsec works at the transport layer and protects data
at the network layer.
IPsec works at the network layer and operates over
all Layer 2 protocols.
IPsec is a framework of proprietary standards that
depend on Cisco specific algorithms.
IPsec is a framework of standards developed by
Cisco that relies on OSI algorithms.
IPsec is a framework of open standards that relies
on existing algorithms.

[Link] 01/02/2011
CCNA Security - Chapter 8 Exam Answers Page 3 of 16

7.

Refer to the exhibit. Which two IPsec framework

components are valid options when configuring an
IPsec VPN on a Cisco ISR router? (Choose two.)
Integrity options include MD5 and RSA.
IPsec protocol options include GRE and
AH.
Confidentiality options include DES, 3DES,
and AES.
Authentication options include pre-shared
key and SHA.
Diffie-Hellman options include DH1, DH2,
and DH5.

8. With the Cisco Easy VPN feature, which process

ensures that a static route is created on the Cisco Easy
VPN Server for the internal IP address of each VPN
client?
Cisco Express Forwarding
Network Access Control
On-Demand Routing
Reverse Path Forwarding
Reverse Route Injection

[Link] 01/02/2011
CCNA Security - Chapter 8 Exam Answers Page 4 of 16

9.

Refer to the exhibit. A site-to-site VPN is required from R1 to R3. The administrator is using the SDM
Site VPN Wizard on R1. Which IP address should the administrator enter in the highlighted
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]

10. What is required for a host to use an SSL VPN?

VPN client software must be installed.
A site-to-site VPN must be preconfigured.
The host must be in a stationary location.
A web browser must be installed on the host.

11. What are two authentication methods that can be

configured using the SDM Site-to-Site VPN Wizard?
(Choose two.)
MD5
SHA
pre-shared keys
encrypted nonces
digital certificates

[Link] 01/02/2011
CCNA Security - Chapter 8 Exam Answers Page 5 of 16

12. Which UDP port must be permitted on any IP interface

used to exchange IKE information between security
gateways?
400
500
600
700

13. Which requirement necessitates using the Step-by-

Step option of the SDM Site-to-Site VPN wizard
instead of the Quick Setup option?
AES encryption is required.
3DES encryption is required.
Pre-shared keys are to be used.
The remote peer is a Cisco router.
The remote peer IP address is unknown.

14. Which IPsec protocol should be selected when

confidentiality is required?
tunnel mode
transport mode
authentication header
encapsulating security payload
generic routing encapsulation

15. Which statement describes an important characteristic

of a site-to-site VPN?
It must be statically set up.
It is ideally suited for use by mobile workers.
It requires using a VPN client on the host PC.
It is commonly implemented over dialup and cable
modem networks.
After the initial connection is established, it can
dynamically change connection information.

[Link] 01/02/2011
CCNA Security - Chapter 8 Exam Answers Page 6 of 16

16.

Refer to the exhibit. Based on the SDM screen, which Easy VPN Server component is
group policy
transform set
IKE proposal
user authentication

17. A user launches Cisco VPN Client software to connect

remotely to a VPN service. What does the user select
before entering the username and password?
the SSL connection type
the IKE negotiation process
the desired preconfigured VPN server site
the Cisco Encryption Technology to be
applied

18. What is the default IKE policy value for authentication?

MD5
SHA
RSA signatures
pre-shared keys
RSA encrypted sconces

19. When using ESP tunnel mode, which portion of the

packet is not authenticated?
ESP header
ESP trailer
new IP header
original IP header

[Link] 01/02/2011
CCNA Security - Chapter 8 Exam Answers Page 7 of 16

20.

Refer to the exhibit. Under the ACL Editor, which option is used to specify the traffic to be encrypte
connection?
Access Rules
IPsec Rules
Firewall Rules
SDM Default Rules

[Link] 01/02/2011
CCNA Security - Chapter 8 Exam Answers Page 8 of 16

21.

Refer to the exhibit. A network administrator is troubleshooting a GRE VPN tunnel between R1 and
the R2 GRE configuration is correct and based on the running configuration of R1, what must the a
fix the problem?
change the tunnel source interface to Fa0/0
change the tunnel destination to [Link]
change the tunnel IP address to [Link]
change the tunnel destination to [Link]
change the tunnel IP address to [Link]

22. How many bytes of overhead are added to each IP

packet while it is transported through a GRE tunnel?
8
16
24
32

Cisco CCNA Security, chapter 8

Exam.
Questions and answers 100% correct.

1. What are two benefits of an SSL VPN? (Choose two.)

It supports all client/server applications.
It supports the same level of cryptographic security
as an IPsec VPN.
It has the option of only requiring an SSL-enabled
web browser.

[Link] 01/02/2011
CCNA Security - Chapter 8 Exam Answers Page 9 of 16

The thin client mode functions without requiring any

downloads or software.
It is compatible with DMVPNs, Cisco IOS Firewall,
IPsec, IPS, Cisco Easy VPN, and NAT.

2. When verifying IPsec configurations, which show

command displays the encryption algorithm, hash
algorithm, authentication method, and Diffie-Hellman
group configured, as well as default settings?
show crypto map
show crypto ipsec sa
show crypto isakmp policy
show crypto ipsec transform-set

3. When configuring a site-to-site IPsec VPN using the

CLI, the authentication pre-share command is
configured in the ISAKMP policy. Which additional peer
authentication configuration is required?
Configure the message encryption algorithm with
the encryptiontype ISAKMP policy configuration
command.
Configure the DH group identifier with the
groupnumber ISAKMP policy configuration
command.
Configure a hostname with the crypto isakmp
identity hostname global configuration command.
Configure a PSK with the crypto isakmp key
global configuration command.

4. Which action do IPsec peers take during the IKE Phase

2 exchange?
exchange of DH keys
negotiation of IPsec policy
verification of peer identity
negotiation of IKE policy sets

5. A network administrator is planning to implement

centralized management of Cisco VPN devices to
simplify VPN deployment for remote offices and
teleworkers. Which Cisco IOS feature would provide
this solution?
Cisco Easy VPN
Cisco VPN Client
Cisco IOS SSL VPN
Dynamic Multipoint VPN

[Link] 01/02/2011
CCNA Security - Chapter 8 Exam Answers Page 10 of 16

6. Which two statements accurately describe

characteristics of IPsec? (Choose two.)
IPsec works at the application layer and protects all
application data.
IPsec works at the transport layer and protects data
at the network layer.
IPsec works at the network layer and operates over
all Layer 2 protocols.
IPsec is a framework of proprietary standards that
depend on Cisco specific algorithms.
IPsec is a framework of standards developed by
Cisco that relies on OSI algorithms.
IPsec is a framework of open standards that relies
on existing algorithms.

7.

Refer to the exhibit. Which two IPsec framework

components are valid options when configuring an
IPsec VPN on a Cisco ISR router? (Choose two.)
Integrity options include MD5 and RSA.
IPsec protocol options include GRE and
AH.
Confidentiality options include DES, 3DES,
and AES.
Authentication options include pre-shared
key and SHA.

[Link] 01/02/2011
CCNA Security - Chapter 8 Exam Answers Page 11 of 16

Diffie-Hellman options include DH1, DH2,

and DH5.

8. With the Cisco Easy VPN feature, which process

ensures that a static route is created on the Cisco Easy
VPN Server for the internal IP address of each VPN
client?
Cisco Express Forwarding
Network Access Control
On-Demand Routing
Reverse Path Forwarding
Reverse Route Injection

9.

Refer to the exhibit. A site-to-site VPN is required from R1 to R3. The administrator is using the SDM
Site VPN Wizard on R1. Which IP address should the administrator enter in the highlighted
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]

10. What is required for a host to use an SSL VPN?

VPN client software must be installed.
A site-to-site VPN must be preconfigured.
The host must be in a stationary location.

[Link] 01/02/2011
CCNA Security - Chapter 8 Exam Answers Page 12 of 16

A web browser must be installed on the host.

11. What are two authentication methods that can be

configured using the SDM Site-to-Site VPN Wizard?
(Choose two.)
MD5
SHA
pre-shared keys
encrypted nonces
digital certificates

12. Which UDP port must be permitted on any IP interface

used to exchange IKE information between security
gateways?
400
500
600
700

13. Which requirement necessitates using the Step-by-

Step option of the SDM Site-to-Site VPN wizard
instead of the Quick Setup option?
AES encryption is required.
3DES encryption is required.
Pre-shared keys are to be used.
The remote peer is a Cisco router.
The remote peer IP address is unknown.

14. Which IPsec protocol should be selected when

confidentiality is required?
tunnel mode
transport mode
authentication header
encapsulating security payload
generic routing encapsulation

15. Which statement describes an important characteristic

of a site-to-site VPN?
It must be statically set up.
It is ideally suited for use by mobile workers.
It requires using a VPN client on the host PC.
It is commonly implemented over dialup and cable
modem networks.
After the initial connection is established, it can
dynamically change connection information.

[Link] 01/02/2011
CCNA Security - Chapter 8 Exam Answers Page 13 of 16

16.

Refer to the exhibit. Based on the SDM screen, which Easy VPN Server component is
group policy
transform set
IKE proposal
user authentication

17. A user launches Cisco VPN Client software to connect

remotely to a VPN service. What does the user select
before entering the username and password?
the SSL connection type
the IKE negotiation process
the desired preconfigured VPN server site
the Cisco Encryption Technology to be
applied

18. What is the default IKE policy value for authentication?

MD5
SHA
RSA signatures
pre-shared keys
RSA encrypted sconces

19. When using ESP tunnel mode, which portion of the

packet is not authenticated?
ESP header
ESP trailer
new IP header
original IP header

[Link] 01/02/2011
CCNA Security - Chapter 8 Exam Answers Page 14 of 16

20.

Refer to the exhibit. Under the ACL Editor, which option is used to specify the traffic to be encrypte
connection?
Access Rules
IPsec Rules
Firewall Rules
SDM Default Rules

[Link] 01/02/2011
CCNA Security - Chapter 8 Exam Answers Page 15 of 16

21.

Refer to the exhibit. A network administrator is troubleshooting a GRE VPN tunnel between R1 and
the R2 GRE configuration is correct and based on the running configuration of R1, what must the a
fix the problem?
change the tunnel source interface to Fa0/0
change the tunnel destination to [Link]
change the tunnel IP address to [Link]
change the tunnel destination to [Link]
change the tunnel IP address to [Link]

22. How many bytes of overhead are added to each IP

packet while it is transported through a GRE tunnel?
8
16
24
32

[Link] Ads by Google

[Link] 01/02/2011
CCNA Security - Chapter 8 Exam Answers Page 16 of 16

[Link] 01/02/2011