Questions MPLS and IPSec

QUESTION 1
The different Enterprise locations are connected via an MPLS network. Which device is responsible for attaching a VPN label to a packet traversing an MPLS network?

A. The customer (C) router
B. The provider (P) router
C. The customer edge (CE) router
D. The provider edge (PE) router
E. None of the above

Answer: D


QUESTION 2
Leading the way in IT testing and certification tools, www.Enterprise.com
If an Enterprise Label Switch Router (LSR) is properly configured, which three combinations are possible? (Select three)
A. An IP destination exists in the IP forwarding table. A received labeled packet is dropped because the label is not found in the LFIB table.
B. A received labeled packet is forwarded based on the label. After the label is swapped, the newly labeled packet is sent.
C. There is an MPLS label-switched path toward the destination. A received IP packet is dropped because the destination is not found in the IP forwarding table.
D. A received IP packet is forwarded based on the IP destination address and the packet is sent as an IP packet.
E. A received labeled IP packet is forwarded based on both the label and the IP address.
F. A received IP packet is forwarded based on the IP destination address and the packet is sent as a labeled packet.
G. None of the above are possible
Answer: BDF


QUESTION 3
Enterprise uses frame-mode MPLS in a portion of its WAN. Which statement is true about the default operation of frame-mode MPLS?
A. LSRs must wait to get the next-hop label from their downstream neighbors before propagating information.
B. LSRs will only propagate label mappings to their neighbors by request.
C. Labels are sequentially generated for neighbors.
D. Interfaces can share the same labels.
E. None of the above
Answer: D

QUESTION 4
Enterprise uses a frame-mode MPLS WAN. Which three statements about frame-mode MPLS are true? (Select three)
A. The MPLS data plane takes care of forwarding based on either destination addresses or labels.
B. MPLS has three distinct components consisting of the data plane, the forwarding plane, and the control plane.
C. Whenever a router receives a packet that should be CEF-switched, but the destination is not in the FIB, the packet is dropped.
D. The CEF FIB table contains information about outgoing interfaces and their corresponding Layer 2 header.
E. The control plane is a simple label-based forwarding engine that is independent of the type of routing protocol or label exchange protocol.
F. To exchange labels, the control plane requires protocols such as Tag Distribution Protocol (TDP) or MPLS Label Distribution Protocol (LDP).
G. None of the above
Answer: ACF

QUESTION 5
You are responsible for managing and maintaining the Enterprise MPLS network.
What is the function of the MPLS data plane?
A. The data plane exchanges Layer 3 routing information using OSPF, EIGRP, IS-IS, and BGP protocols.
B. The data plane exchanges labels using the label exchange protocols TDP, LDP, BGP, and RSVP.
C. The data plane uses the Forwarding Information Base (FIB) to forward packets based on the routing information.
D. The data plane uses the Label Forwarding Information Base (LFIB) to forward packets based on the labels.
Answer: D

QUESTION 6
While troubleshooting a problem the Enterprise network administrator used a protocol analyzer to capture the contents of an MPLS label. What are the four fields in an MPLS label? (Select four)
A. TTL
B. Version
C. Label
D. Bottom-of-stack indicator
E. Experimental
F. Protocol
Answer: ACDE

QUESTION 7
Enterprise is an MPLS network provider connecting multiple customer networks. In an MPLS VPN implementation, how are overlapping customer prefixes propagated?
A. A route target is attached to each customer prefix.
B. Because customers have their own interfaces, distributed CEFs keep the forwarding tables separate.
C. Separate BGP sessions are established between each customer edge LSR.
D. A separate instance of the core IGP is used for each customer.
E. Because customers have their own unique LSPs, address space is kept separate.
F. None of the above.
Answer: A

QUESTION 8
The Enterprise network administrator is trying to optimize the convergence time in their MPLS network. Which statement is true about convergence in an MPLS network?
A. MPLS convergence will take place at the same time as the routing protocol convergence.
B. MPLS convergence will take place after the routing protocol convergence.
C. MPLS must be reconfigured after the routing protocol convergence.
D. MPLS convergence will take place before the routing protocol convergence.
E. None of the above.
Answer: B

QUESTION 9
Enterprise is an MPLS provider connecting multiple customer VPNs. Which three statements below are correct concerning MPLS-based VPNs? (Select three)
A. A VPN client is required for client-initiated deployments.
B. An MPLS-based VPN is highly scalable because no site-to-site peering is required.
C. Scalability becomes challenging for a very large, fully meshed deployment.
D. Route Targets (RTs) are attributes attached to a VPNv4 BGP route to indicate its VPN membership.
E. A VPN client is not required for users to interact with the network.
F. Authentication is done using a digital certificate or pre-shared key.
Answer: BDE

QUESTION 10
All Enterprise remote locations are connected via a fully meshed MPLS WAN. Which three statements regarding MPLS are true? (Select three)
A. Frame-mode MPLS inserts a 32-bit label between the Layer 3 and Layer 4 headers.
B. The control plane is responsible for forwarding packets.
C. The two major components of MPLS include the control plane and the data plane.
D. Cisco Express Forwarding (CEF) must be enabled as a prerequisite to running MPLS on a Cisco router.
E. MPLS is designed for use with frame-based Layer 2 encapsulation protocols such as Frame Relay but is not supported by ATM because of ATM fixed-length cells.
F. OSPF, EIGRP, IS-IS, RIP, and BGP can be used in the control plane.
Answer: CDF
QUESTION 11
Many Enterprise remote offices use DSL for their connectivity. Which four features are usually required for an 827 ADSL router to support a home ADSL broadband Internet connection with multiple end-user PCs? (Choose four)
A. IPSec
B. Bridging (IRB or RBE)
C. PPPoE client
D. PAT
E. DHCP server
F. Static default route
Answer: CDEF

QUESTION 12
You need to set up the Cisco VPN client software on a new Enterprise laptop. When configuring the Cisco VPN Client with transparent tunneling, what is true about the IPSec over TCP option?
A. The port number is negotiated automatically.
B. Clients will have access to the secured tunnel and local resources.
C. Packets are encapsulated using Protocol 50 (Encapsulating Security Payload, or ESP).
D. The port number must match the configuration on the secure gateway.
Answer: D

QUESTION 13
Two Enterprise routers are configured as IPSec VPN peers. Which IPsec VPN term describes a policy contract that specifies how two peers will use IPsec security services to protect network traffic?
A. Encapsulation security payload
B. Security Association
C. Transform set
D. Authentication Header
E. None of the above
Answer: B
QUESTION 14
Enterprise uses GRE tunnels over an IPSec VPN. Which three statements are correct about a GRE over IPsec VPN tunnel configuration on Cisco IOS routers? (Select three)
A. Crypto maps must specify the use of IPsec transport mode.
B. A crypto ACL will dictate the GRE traffic to be encrypted between the two IPsec peers.
C. A crypto ACL will dictate the ISAKMP and IPsec traffic to be encrypted between the two IPsec peers.
D. A dynamic routing protocol can be configured to run over the tunnel interface.
E. The crypto map must be applied to the tunnel interface.
F. The crypto map must be applied to the physical interface.
Answer: BDF

QUESTION 15
You have been tasked with configuring a new router to be added to the Enterprise IPSec VPN. What are the four main steps in configuring an IPsec site-to-site VPN tunnel on Cisco routers? (Choose four)
A. Create a crypto access list to define which traffic should be sent through the tunnel.
B. Create a crypto map and apply it to the outgoing interface of the VPN device.
C. Define the ISAKMP policy.
D. Define the pre-shared key used in the DH (Diffie-Hellman) exchange.
E. Define the IPsec transform set.
F. Configure dynamic routing over the IPsec tunnel interface.
Answer: ABCE

QUESTION 16
Enterprise uses IPSec technology throughout their network. Which three benefits do IPsec VPNs provide? (Select three)
A. Data integrity
B. QoS
C. Confidentiality
D. Adaptive threat defense
E. Origin authentication
F. A fully-meshed topology with low overhead
Answer: ACE

QUESTION 17
The branch Enterprise locations are connected via an IPSec VPN. Which three IPsec VPN statements are true? (Select three)
A. The main mode is the method used for the IKE phase two security association negotiations.
B. To establish IKE SA, the main mode utilizes six packets while aggressive mode utilizes only three packets.
C. IKE keepalives are unidirectional and sent every ten seconds.
D. Quick mode is the method used for the IKE phase one security association negotiations.
E. IKE uses the Diffie-Hellman algorithm to generate symmetrical keys to be used by IPsec peers.
F. IPsec uses the Encapsulating Security Protocol (ESP) or the Authentication Header (AH) protocol for exchanging keys.
Answer: BCE
QUESTION 18
Enterprise uses GRE tunnels over their IPSec VPN. Which three features are benefits of using GRE tunnels in conjunction with IPsec for building site-to-site VPNs? (Select three)
A. It supports multi-protocol (non-IP) traffic over the tunnel
B. It uses Virtual Tunnel Interface (VTI) to simplify the IPsec VPN configuration
C. It allows dynamic routing over the tunnel
D. It reduces IPsec headers overhead since tunnel mode is used
E. It simplifies the ACL used in the crypto map
Answer: ACE

QUESTION 19
Enterprise uses GRE tunnels to pass routing protocol traffic across its IPSec VPN. Which IPsec mode will encrypt a GRE tunnel to provide multiprotocol support and reduced overhead?
A. Transport
B. Tunnel
C. Multipoint GRE
D. 3DES
E. None of the above
Answer: A

QUESTION 20
Two Enterprise IPsec routers use DH to establish a VPN connection. Which feature is an accurate description of the Diffie-Hellman (DH) exchange between two IPsec peers?
A. It allows the two peers to communicate its digital certificate to each other during IKE phase 1
B. It allows the two peers to jointly establish a shared secret key over an insecure communications channel
C. It allows the two peers to negotiate its IPsec transforms during IKE phase 2
D. It allows the two peers to communicate the pre-shared secret key to each other during IKE phase 1
E. It allows the two peers to authenticate each other over an insecure communications channel
F. None of the above
Answer: B
QUESTION 21
Enterprise uses GRE tunnels over their IPSec VPN to pass routing information. Which statement is true about an IPsec/GRE tunnel?
A. Crypto map ACL is not needed to match which traffic will be protected.
B. GRE encapsulation occurs before the IPsec encryption process.
C. The GRE tunnel source and destination addresses are specified within the IPsec transform set.
D. An IPsec/GRE tunnel must use IPsec tunnel mode.
E. None of the above.
Answer: B

QUESTION 22
An IPSec secure tunnel is being built between routers TK1 and TK2. In IPSec, what are the common services provided by Authentication Header (AH) and Encapsulation Security Payload (ESP)?
A. Data origin authentication, confidentiality, and anti-replay service
B. Confidentiality, data integrity, and anti-replay service
C. Data integrity, data origin authentication, and anti-replay service
D. Confidentiality, data integrity, and data origin authentication
E. Confidentiality, data integrity and authorization.
Answer: C

QUESTION 23
IPSec is being used for the Enterprise VPN. In the IPSec protocol, what are the responsibilities of the Internet Key Exchange (IKE)? (Choose all that apply)
A. Negotiating protocol parameters
B. Integrity checking user hashes
C. Authenticating both sides of a connection
D. Implementing tunnel mode
E. Exchanging public keys
F. Packet encryption
Answer: ACE

QUESTION 24
IPSec is being used for the Enterprise VPN. Which of the IPSEC protocols is capable of negotiating security associations?
A. AH
B. ESP
C. IKE
D. SSH
E. MD5
F. None of the above
Answer: C
QUESTION 25
IPSec is being used for the Enterprise VPN. Which of the phrases below are true about IPSec IKE Phase 2? (Choose all that apply)
A. It determines the key distribution method
B. It identifies IPSec peer details
C. It selects manual or IKE-initiated SAs
D. It determines the authentication method
E. It negotiates ISAKMP policies for peers
F. It selects the IPSec algorithms and parameters for optimal security and performance
Answer: CEF

QUESTION 26
IPSec is being used for the Enterprise VPN. What is true about the security protocol ESP (Encapsulating Security Payload) in IPSec? (Choose three)
A. IP packet is expanded by transport mode: 37 bytes (3DES) or 63 bytes (AES); tunnel mode: 57 bytes (3DES) or 83 bytes (AES).
B. IP packet is expanded by: transport mode 56 bytes: tunnel mode 128 bytes.
C. Authentication is mandatory and the whole packet as well as the header is authenticated.
D. Authentication is optional and the outer header is not authenticated.
E. The ESP security protocol provides data confidentiality.
F. The ESP security protocol provides no data confidentiality.
Answer: ACE

QUESTION 27
What is true about the security protocol AH (Authentication Header) used in a secure IPSec tunnel? (Choose three)
A. Authentication is mandatory.
B. Authentication is optional.
C. The IP packet is expanded by transport mode 37 bytes (3DES) or 63 bytes (AES); tunnel mode 57 bytes (3DES) or 83 bytes (AES).
D. The IP packet is expanded by transport mode 56 bytes; tunnel mode 128 bytes.
E. The IPSec AH security protocol does provide data confidentiality.
F. The IPSec AH security protocol does not provide data confidentiality.
Answer: ACF

QUESTION 28
Which of the following statements is true about IPSec security associations (SAs)?
A. SAs contain unidirectional specifications only.
B. SAs describe the mechanics of implementing a key exchange protocol.
C. A single SA can be used for both AH and ESP encapsulation protocols.
D. A single SA is negotiated by peers requesting secure communication.
E. Active SAs are stored in a local database called the IPSec database.
Answer: A

QUESTION 29
You need to configure a GRE tunnel on an Enterprise IPSec router. When you are using the SDM to configure a GRE tunnel over IPsec, which two parameters are required when defining the tunnel interface information? (Select two)
A. The crypto ACL number
B. The IPSEC mode (tunnel or transport)
C. The GRE tunnel interface IP address
D. The GRE tunnel source interface or IP address, and tunnel destination IP address
E. The MTU size of the GRE tunnel interface
Answer: CD

QUESTION 30
You want to use dynamic routing protocols over the Enterprise IPSec WAN using GRE tunnels. Which three routing protocols can be configured when configuring a site-to-site GRE over IPsec tunnel using SDM? (Select three)
A. IGRP
B. EIGRP
C. BGP
D. OSPF
E. RIP
F. IS-IS
Answer: BDE

QUESTION 31
A new Enterprise router must be added to the IPSec VPN. When configuring a site-to-site IPsec VPN tunnel on this router, which configuration must be the exact reverse of the other IPsec peer?
A. The crypto map
B. The crypto ACL
C. The IPsec transform
D. The pre-shared key
E. The ISAKMP policy
F. None of the above
Answer: B

QUESTION 32
Two Enterprise locations are trying to connect to each other over a VPN, but the connection is failing. Which common problem causes an IPSEC VPN to fail?
A. ACLs configured in the IPSEC traffic path blocking ISAKMP, ESP, and AH traffic.
B. Multiple transform sets configured but only one transform set is specified in the crypto map entry.
C. Crypto ACL configuration errors where permit is used to specify that matching packets must be encrypted.
D. Multiple interfaces sharing the same crypto map set.
E. None of the above
Answer: A
QUESTION 33
An IPSec tunnel has just been created on the Enterprise network, and you wish to verify it. Which command will display the configured IKE policies?
A. show crypto isakmp policy
B. show crypto ipsec
C. show crypto isakmp
D. show crypto map
E. None of the above
Answer: A

QUESTION 34
EIGRP is being used in the Enterprise IPSec VPN. When configuring an IPsec VPN to back up a WAN connection, what can be configured to influence the EIGRP routing process to select the primary WAN link over the backup IPsec tunnel?
A. Configure the EIGRP variance to 2.
B. Configure a longer delay value on the tunnel interface.
C. Configure the EIGRP variance to 1.
D. Configure a longer EIGRP hello interval on the tunnel interface.
E. Configure a lower clock rate value on the tunnel interface.
F. Configure a higher bandwidth value on the tunnel interface.
G. None of the above
Answer: B

QUESTION 35
In order to increase the uptime of the network, you have been tasked with designing and configuring a fault tolerant IPSec WAN.
What can be configured to provide resiliency when using SDM to configure a site-to-site GRE over IPsec VPN tunnel?
A. A backup GRE over IPsec tunnel
B. Redundant dynamic crypto maps
C. HSRP
D. Load balancing using two GRE over IPsec tunnels
E. Stateful IPsec failover
Answer: A

QUESTION 36
You need to increase the network availability of the Enterprise IPSec WAN. Which high availability option uses the concept of a virtual IP address to ensure that the default IP gateway for an IPsec site-to-site tunnel is always reachable?
A. Reverse Route Injection (RRI)
B. Dynamic Crypto Map
C. Backup IPsec peer
D. HSRP
E. GRE over IPsec
F. None of the above
Answer: D
QUESTION 37
You have been assigned the task of setting up an Easy VPN connection in the Enterprise network. During the Easy VPN Remote connection process, which phase involves pushing the IP address, Domain Name System (DNS), and split tunnel attributes to the client?
A. The VPN client establishment of an ISAKMP SA
B. Mode configuration
C. VPN client initiation of the IKE phase 1 process
D. IPsec quick mode completion of the connection
E. None of the above
Answer: B

QUESTION 38
You need to configure Easy VPN on a new Enterprise router using the SDM. Which two statements are true about the use of SDM to configure the Cisco Easy VPN feature on a router? (Select two)
A. The Easy VPN server address must be configured when configuring the SDM Easy VPN Server wizard.
B. An Easy VPN connection is a connection that is configured between two Easy VPN clients.
C. The SDM Easy VPN Server wizard displays a summary of the configuration before applying the VPN configuration.
D. The SDM Easy VPN Server wizard recommends using the Quick setup feature when configuring a dynamic multipoint VPN.
E. The SDM Easy VPN Server wizard can be used to configure user XAuth authentication locally on the router or externally with a RADIUS server.
F. The SDM Easy VPN Server wizard can be used to configure a GRE over IPSec site-to-site VPN or a dynamic multipoint VPN (DMVPN).
Answer: CE

QUESTION 39
The Enterprise security administrator is concerned about reconnaissance attacks. Which two protocols can be used to prevent a reconnaissance attack? (Select two)
A. IPsec
B. NTP
C. SNMP
D. SSH
E. Telnet
F. FTP
Answer: AD

QUESTION 40
The Enterprise security administrator wants to increase the security of all the routers within the network. Which three techniques should be used to secure management protocols in Cisco routers? (Select three)
A. Synchronize the NTP master clock with an Internet atomic clock.
B. Configure SNMP with only read-only community strings.
C. Implement RFC 2827 filtering at the perimeter router when allowing syslog access from devices on the outside of a firewall.
D. Encrypt TFTP and Syslog traffic in an IPSec tunnel.
E. Use SNMP version 2.
F. Use TFTP version 3 or above because these versions support a cryptographic authentication mechanism between peers.
Answer: BCD

QUESTION 41
Based on the information provided above, which peer authentication method and which IPSEC mode is used to connect to the branch locations? (Select two)
A. Digital Certificate
B. GRE/IPSEC Transport Mode
C. Transport Mode
D. GRE/IPSEC Tunnel Mode
E. Tunnel Mode
F. Pre-Shared Key
Answer: EF

QUESTION 42
Based on the information provided above, which IPSec rule is used for the enterprise branch and what does it define? (Select two)
A. IP traffic sourced from 10.10.10.0/24 destined to 10.8.28.0/24 will use the VPN.
B. 127
C. IP traffic sourced from 10.10.10.0/24 destined to 10.5.15.0/24 will use the VPN.
D. IP traffic sourced from 10.10.10.0/24 destined to 10.5.33.0/24 will use the VPN.
E. 102
F. 116
Answer: AF