DUMPS BASE
EXAM DUMPS
CISCO 300-209
28% OFF Automatically For You Implementing Cisco Secure Mobility Solutions
1.Which encryption algorithm does Cisco recommend that you avoid? A. HMAC-SHA1 B. AES-CBC C. DES D. HMAC-MD5 Answer: C
2.What are two benefits of using DTLS when implementing a Cisco AnyConnect SSI VPN on a Cisco ASA or router? (Choose two.) A. provides latency avoidance B. has enhanced dead peer detection C. uses TLS Only for the tunnel D. provides greater security and integrity of the tunnel E. establishes two simultaneous tunnels Answer: A,B
3.An engineer is troubleshooting an IPsec site-to-site tunnel and verifies that the tunnel status is MM_WAIT_MSG6. What can be determined from this message? A. The PSK has not been confirmed by the responder. B. The encryption policy has not been confirmed by the initiator. C. The encryption policy has not been confirmed by the responder. D. The PSk has not been confirmed by the initiator Answer: B
4.Which cryptographic algorithm is used for data integrity? A. SHA-256 B. ECDH-384 C. ECDSA-256 D. RSA-3072 Answer: A
5.An engineer is configuring a site-t-site VPM tunnel. Which two IKV1 parameter must match on both peers? (Choose two. A. encryption algorithm B. access lists C. encryption domains D. QoS E. hashing method
Answer: A,E
6.A network engineer is troubleshooting a VPN configured on an ASA and has found Phase 1 is not completing. Which configured parameter must match for the IKE Phase 1 tunnel to get successfully negotiated/ A. SA lifetime B. idle timeout C. transform-set D. DH group Answer: D
7.An engineer must set up a site-to-site VPN implementation with an any-to-any topology that provides secures routing across the router backbone. Which VPN technology allows a shared IPsec SA to be used? A. FilexVPN B. IPsec VPN C. GET VPN D. DMVPN Answer: C
8.An engineer must configure HET VPN transverse over the network between corporate offices. Which two options are key advantages to choosing GET VPN EssaVPN? (Choose two.) A. GET VPN has unique session keys for improved security. B. GET VPN supports multicast. C. GET VPN supports a hub and-spoke topology. D. GET VPN QoS support. E. GET VPN is highly scalable any to an mesh topology Answer: B,D
9.What does DAK l stand for? A. Device and Report Tool B. Diagnostic AnyConnect Reporting Tool C. Diagnostics and Reporting Tool D. Delivery and Reporting Tool Answer: C
10.When you confrere an access list on the external interface of a FlexVPN hub. which step is optional? A. allowing IP protocol 50 B. allowing ICMP protocol C. allowing UDP port 500 D. allowing UDP port 4500 Answer: B
11.Within a PKI system, which option is a trusted entity? A. registration authority B. root certificate C. certificate authority D. RSA authentication server Answer: C
12.What are two features of Cisco GET VPN? (Choose two.) A. allows for optimal routing B. uses public Internet C. provides encryption for MP_S D. provides point-to-point IPsec SA E. uses MGRE Answer: A,C
13.A company's remote locations connect to data centers via MPLS. A new request requires that unicast traffic that exist the remote location be encrypted. Which no tunneled technology can be used to satisfy this requirement? A. SSL B. GET VPN C. DMVPN D. EzVPN Answer: B
14.Why must a network engineer avoid usage of the default X509 certificate when implementing clientless SSLVPN on an ASA? A. The certificate is too weak to provide adequate security. B. The certificate is regenerated at each reboot. C. The certificate must be managed by the local CA. D. The default X.509 certificate is not supported for SSLVPN.
Answer: C
15.A customer requires site-to-site VPNs to connect third-party business partners and has purchased two ASAs. The customer requests an active/active configuration. Which model is needed to support an active/active solution? A. NAT context B. single context C. multiple context D. PAT context. Answer: C
16.From the CLI of a Cisco ASA 5520, which command shows specific information about current clientless and Cisco Anyconnect SSL VPN users only? A. show crypto ikve1 sa detail B. show vpn-sessiondb remote C. show vpn-sessiondb D. show von-sessiondb detail Answer: D
17.Which option is one of the difference between FlexVPN and DMVPN? A. flexvpn uses ikev2 and dmvpn can use ikev1 or ikev2 B. dmvpn can use ikev1 and ikev2 where flexvpn only uses ikev1 C. flexvpn can use ikev1 and ikev2 where dmvpn uses only ikev2 D. dmvp uses ikev1 and flexvpn use ikev3 Answer: A
18.Which two attributes can be matched from the identity of the remote peer when using IKEv2 Name Manager? (Choose two.) A. fqdn B. hostname C. IP address D. kerberos Answer: A,B
19.Which command will allow a referenced ASA interface to become accessible across a site-to-site VPN? A. access-list 101 extended permit ICMP any any B. crypto map vpn 10 match address 101
C. crypto map vpn interface inside D. management-access <interface name> Answer: B
20.An engineer is configuring SSL VPN to provide access to a corporate network for remote users. Traffic destined to the enterprise IP range should go over the tunnel and all other traffic should go directly to the internet. Which feature should be configured? A. dual-horning B. hairpinning C. split-tunnel D. U-turning Answer: C
21.Which option is the main difference between GET VPN and DMVPN? A. AES encryption support B. dynamic spoke-to-spoke tunnel communications C. Next Hop Resolution Protocol D. Group Domain of Interpretation protocol Answer: B
22.An engineer is configuring IPsec VPN and wants to choose an authentication protocol that is reliable supports ACK and sequence. Which protocol accomplishes this goal? A. ESP B. AES-192 C. IKEv1 D. AES-256 Answer: A
23.While attempting to establish a site-to-site VPN, the engineer notices that phase 1 of the VPN tunnel fails. The engineer wants to run a capture to confirm that the outside interface is receiving phase 1information from the thirdparty peer address. Which command must be run on the ASA to verify this information? A. capture capin interface outride match ipsec any any B. capture capin interface outride match gre any any C. capture capin interface outside match ah any any D. capture capin interface outside match udp any eq 500 any eq 500
E. capture capin interface outside match Udp any eq 123 any eq 121 Answer: D
24.An engineer notices that while an employee is connected remotely, all traffic is being routed to the corporate network. Which split-tunnel policy allows remote client to use their local provider for Internet access when working from home? A. No policy allows that type of configuration B. tunnelspecified C. excludespecified D. tunnelall Answer: B
25.Mobile work force client are using Cisco Encryption for AnyConnect for remote access to the corporate network. In a attempt to save bandwidth on the internet circuit, those working remotely are permitted use to their local connectivity for internet use white still connect to the corporate network. Which feature allows distinct destination to be encryption on the remote client? A. DART B. Split Tuning C. NAT Exempt D. Kerberos Answer: B
26.What is the name of the transform set being used on the ISR? A. Default B. ESP-AESESP-SHA-HMAC C. SP-AES-256-MD5-TRANS D. TSET Answer: B
27.Which two components are required a Cisco IOS-based PKI solution? A. preshared key B. NTP C. RADIUS server D. certificate authority E. FT/HTTP server Answer: A,D
28.An engineer is configuring high availability for crypto-map-based site-to-site VPNs on Cisco devices. Which protocol must be used? A. VRRP B. BFD C. ESP D. HSRP Answer: D
29.A customer has two ASAs configured in high availability and is experiencing connection drops that require re-establishment each time failover occurs. Which type of failover has been implemented? A. Stateless B. routed C. transparent D. stateful Answer: D
30.In a new DMVPN deployment, phase 1 completes successfully. However, phase2 experiences issues. Which troubleshooting step is valid in this situation? A. Temporarily remove encryption to check if the GRE tunnel is working. B. Verify IP routing between the external IPs of the two peers is correct. C. Remove NHRP configuration and reset the tunnels. D. Ensure that the nodes use the same authentication method. Answer: A
31.An engineer is configuring clientless SSL VPN. The finance department has a database server that only they should access, but the sales department can currently access it. The finance and the sales departments are configured as separate grouppolicies. Which option must be added to the configuration to make sure the users in the sales department cannot access the finance department server? A. Web type ACL B. Port forwarding C. Tunnel group lock D. VPN filter ACL Answer: A
32.Refer to the Exhibit:
Which result of this command is true? A. It displays the RSA public keys of the rooter B. Makes the router generate a certificate signing request C. It Specifies self-signed enrollment for a trust point D. Generates an RSA key called TRIAL FOUR Answer: C
33.Refer to the Exhibit:
Users at each end of this VPN tunnel cannot communicate with each other. Which cause of this behavior is true? A. The Diffie-Hellman groups configured are different. B. The pre shared key does not match. C. Phase 1 is not completed and troubleshooting is required. D. The issue occurs in phase 2 of the tunnel. Answer: C
34.An engineer is defining ECC variables and has set the input_mode set to B. Which statement is true? A. DTMF voice is accepted B. Get Digits are written to the CED C. Mixed mode input is not accepted
D. An ASR is not being used Answer: C
35.Refer to the Exhibit:
An engineer must implement DMVPN phase 2 and two conclusions can be made from the configuration? (Choose two.) A. Spoke-to-spoke communication is allowed. B. Next-hop-self is required. C. EIGRP neighbor adjacency will fail. D. EIGRP route redistribution is not allowed E. EIGRP used as the dynamic routing protocol. Answer: A,E
36.An engineer wants to ensure that Diffie-Helman keys are re-generated upon a pahse-2 rekey. What option can be configured to allow this? A. Aggressive mode B. Dead-peer detection C. Main mode D. Perfect-forward secrecy Answer: D
37.Which two options are features of Cisco GET VPN? (Choose two.) A. Allows for optimal routing B. provides point to point IPsec SA C. Provides encryption for MPLS D. uses public Internet E. uses MORE Answer: A,C
38.Refer to the exhibit:
Which statement about this output is true? A. Identity between endpoints is verified using a certificate authority B. The tunnel is not functional because NAT-T is not configured. C. This router has sent the first packet to establish the Flex VPN tunnel D. The remote device encrypts IKEv2 packets using key â&#x20AC;&#x153;282FE"0B3B5C99A2Bâ&#x20AC;?. Answer: C
39.Refer to the Exhibit:
A network security engineer is troubleshooting intermittent connectivity issues across a tunnel. Based on the output from the show crypto ipsec sa command, which cause is most likely? A. ISAKMP and/or IP sec may be bouncing up and down. B. The security association lifetimes are set to default values. C. Return traffic is not coming back from the other end of the tunnel. D. Traffic may flow in only one direction across this tunnel. Answer: B
40.Refer to the exhibit.
Which statement is accurate based on this configuration?
A. Spoke 1 fails the authentication because the authentication methods are incorrect. B. Spoke 2 passes the authentication to the hub and successfully proceeds to phase 2. C. Spoke 1 passes the authentication to the hub and successfully proceeds to phase 2. D. Spoke 2 fails the authentication because the remote authentication method is incorrect. Answer: C
41.A customer requests a VPN solution to support multicast traffic and connectivity with non-Cisco devices. What VPN solution would meet the customer requirements? A. GET VPN B. EZ VPN C. Flex VPN D. L2L VPN Answer: C
42.Refer to the exhibit:
Which description of the status of this VPN tunnel is true? A. The pre shared key in phase 1 is mismatched between tunnel endpoints B. The phase 1 is complete, phase 2 status is unknown C. The integrity algorithm does not match between the two endpoints. D. The tunnel is up and waiting for traffic to flow across it Answer: A
43.Which two option, are benefits of AES compared to 3DES? (Choose two.) A. switches encryption keys every 32 GB of data transfer B. faster encryption C. shorter encryption keys D. longer encryption block length
E. repeating encryption keys Answer: B,D
44.A client has asked an engineer to assist in installing and upgrading to the latest version of Cisco Any Connect Secure and upgrading to the latest version of Cisco Any Connect Secure Mobility Client. Which type of deployment method requires the updated version of the client to be loaded only on the headend device such as an ASA or ISE device? A. Web-deploy B. Cloud-deploy C. Cloud-update D. Web-update Answer: A
45.A customer requires site-to-site VPNs to connect to third party business partners and has purchased two ASAs. The customer requests an active/active configuration. Winch mode is needed to support and active/active solution? A. single context B. NAT context C. PAT context D. multiple context Answer: D
46.An engineer is troubleshooting VPN connectivity issues between a PC and ASA using Cisco AnyConnect IPsec IKEv2. Which requirement must be satisfied for proper functioning? A. PC certificate must contain the server-auth EKU. B. The connection must use EAP-AnyConnect. C. The SAN must be used as the CN for the ASA-side certificates. D. profile and binary updates must be downloading over IPSec Answer: B
47.An engineer is configuring an IP VPN with IKEv2. Which two components are part of the IKEv2 proposal for this implementation? (Choose two.) A. Key ring B. Encryption C. Tunnel mode D. Peer name
E. integrity Answer: B,E
48.An engineer is using DMVPN to provide secure connectivity between a data center and remote sites. Which two routing protocols are recommended for use between the routers? (Choose two.) A. EIGRP B. IS-IS C. RIPv2 D. BGP E. OSPF Answer: A,D
49.DRAG DROP Drag and drop the debug messages on the left onto the associated function during trouble shooting on the right.
Answer:
50.In a FlexVPN deployment, the spokes are successfully connecting to the hub. However, spoke-tospoke tunnels do not form. Which trouble shooting step is valid for this issue? A. Verify the spoke configuration to check if the NHRP redirect is enabled. B. Verify the hub configuration to check if the NHRP shortcut is enabled. C. Verify the tunnel interface is contained within a VRF. D. Verify the spoke receives redirect messages and send resolution requests Answer: B
51.An engineer is troubleshooting network issues and wants to check the Layer 2 connectivity between routers. Which command must be run? A. show ip eigrp neighbors B. show cdp neighbor C. show crypto isakmp sa. D. show crypto issec sa. Answer: B
52.Witch option is an advantage of using elliptic curve cryptography? A. Efficiency of operation B. Ease of implementation C. symmetrical key exchange
D. resistance to quantum attacks. Answer: A
53.A company has acquired a competitor whose network infrastructure uses only IPv6. An engineer must configure VPN access sourced from the new company. Which remote access VPN solution must be used? A. GET VPN B. Any Connect C. EzVPN D. DMVPN Answer: C
54.Which way to send OSPF routing updates over a site-to-site IPsec tunnel is true? A. Set the network type for the inside interface to nonbroadcast mode, and add the remote end as an OSPF neighbor. B. Set the network type for the outside interface to broadcast mode, and add the headend device as an OSPF neighbor. C. Set the network type for the DMZ interface to nonbroadcast mode, add the headend as an OSPF neighbor. D. Set the network type for the outside interface to nonbroadcast mode, and add the remote end as an OSPF neighbor. Answer: D
55.Which access lists are used in a typical IPsec VPN configuration? A. ACL to NAT traffic across the VPN tunnel B. ACL to define policy based routing C. ACL to define what traffic to exempt from NAT D. ACL for routing neighbors across the tunnel Answer: C
56.Which two parameters are specified in the isakmp (IKEv1) policy? (Choose two.) A. the peer B. the hashing algorithm C. the session key D. the authentication method E. the transform-set Answer: A,D
57.An engineer is assisting in the continued implementation of a VPN solution and discovers an NHRP server configuration. Which type of VPN solution has been implemented? A. DM VPN B. IPsec VPN C. SSL VPN D. GET VPN Answer: A
58.Which two options are purposes of the key server in Cisco IOS GETVPN? (Choose two.) A. to distributed static routing information B. to authenticate group members C. to define and distribute security policies D. to distribute dynamic routing information E. to encrypt transit data traffic. Answer: B,E
59.Refer to the Exhibit:
Why is the tunnel not establishing? A. Lifetimes are misconfigured. B. SAKMP packets are blocked.
C. NAT statements are missing. D. GRE is not working correctly. Answer: B
60.An engineer is configuring SSL VPN for remote access. A real-time application that is sensitive to packet delays will be used. Which feature should the engineer confirm is enabled to avoid latency and bandwidth problems associated with SSL connections? A. DTLS B. DPD C. SVC D. IKEv2 Answer: A
61.Which two operational advantages does Get VPN offer over site-to-site IPsec tunnel in a private MPLS-based core network? (Choose two.) A. Packets carry original source and destination IP addresses, which allows (or optimal routing of encrypted traffic. B. Group Domain of Interpretation protocol allows for homomorphic encryption, which allows group members to operate on messages without decrypting them. C. NETVPN is tunnel-less, which allows any group member to perform decryption and routing around network failures. D. Key servers perform encryption and decryption of all the data in the network, which allows for tight security policies E. Traffic uses one VRF to encrypt data and a different one to decrypt data, which allows for multicast traffic isolation Answer: A,C
62.Which must be configured for a Cisco Anyconnect client to determine the trustworthiness of a wireless network? A. Trusted network detection B. allow local proxy connections C. start before login D. allow VPN disconnect Answer: A
63.An engineer is troubleshooting DMVPN and wants to check if traffic flows in only one direction. Which command accomplishes this task?
A. show crypto ipsec sa B. show crypto lkev2 sa C. show crypto isakmp as D. show crypto angina accelerator statistics Answer: A
64.A network administrator has deployed Cisco, AnyConnect Secure Mobility Client to each member of the sales force. Which option is the verification method for tins deployment? A. RADIUS server B. AAA authentication C. NT domain D. RSA SDI Answer: A
65.Refer to the Exhibit:
All internal clients behind the ASA are port address translated to the public outside interface, which has an IP address of 3.3.3.3. Client 1 and Client 2 have established successful SSL VPN connections to the ASA. However, when either client performs a browser search on their IP address, it shows up as 3.3.3.3. Why is the happening when both clients have a direct connection to the local internet service provider? A. Same-security-traffic permit inter-interface has not been configured. B. Tunnel All Networks is configured under Group Policy. C. Exclude Network List Below is configured under Group Policy. D. Tunnel Network List Below is configured under Group Policy. Answer: B
66.Which command does a network engineer type on both spoke routers to check for unidirectional traffic within the VPN tunnel? A. Show eigrp neighbors B. Show crypto ipsec summary C. Show crypto isakmp sa detail D. Show crypto ipsec sa peer <ip-address> Answer: C
67.An engineer is configuring an IKEv1 VPN tunnel. Which two Diffie-Hellman group values are valid for this implementation? (Choose two.) A. 2 B. 5 C. 10 D. 14 E. 19 Answer: A,B
68.Which two statements about Internet Key Exchange version 1 are true? (Choose two.) A. Aggressive mode negotiates faster than main mode. B. When using aggressive mode, perfect forward secrecy is required. C. When using aggressive mode, the initiator and responder identities are passed in clear text. D. Main mode negotiates faster than aggressive mode. E. When using main mode, the initiator and responder identities are passed in clear text. Answer: A,C
69.Which option must be enabled to allow an SSL VPN which is configured for DTLS to fall back to TLS? A. Svc rekey method ssl B. Svc dpd-interval C. Svc dtls enable D. Svc profiles value Answer: B
70.Which two are characteristics of GETVPN? (Choose two.) A. The IP header of the encrypted packet is preserved B. A key server is elected among all configured Group Members C. Unique encryption keys are computed for each Group Member D. The same key encryption and traffic encryption keys are distributed to all Group Members Answer: A,D
71.A company has decided to migrate an existing IKEv1 VPN tunnel to IKEv2. Which two are valid configuration constructs on a Cisco IOS router? (Choose two.) A. crypto ikev2 keyring keyring-name peer peer1 address 209.165.201.1 255.255.255.255 pre-shared-key local key1 pre-shared-key remote key2 B. crypto ikev2 transform-set transform-set-name esp-3des esp-md5-hmac esp-aes esp-shahmac C. crypto ikev2 map crypto-map-name set crypto ikev2 tunnel-group tunnel-groupname set crypto ikev2 transform-set transform-set-name D. crypto ikev2 tunnel-group tunnel-group-name match identity remote address 209.165.201.1 authentication local pre-share authentication remote pre-share E. crypto ikev2 profile profile-name match identity remote address 209.165.201.1 authentication local pre-share authentication remote pre-share Answer: A,E
72.Which four activities does the Key Server perform in a GETVPN deployment? (Choose four.) A. authenticates group members B. manages security policy C. creates group keys D. distributes policy/keys E. encrypts endpoint traffic F. receives policy/keys G. defines group members Answer: A,B,C,D
73.Where is split-tunneling defined for remote access clients on an ASA? A. Group-policy B. Tunnel-group C. Crypto-map D. Web-VPN Portal E. ISAKMP client Answer: A
74.Which of the following could be used to configure remote access VPN Host-scan and pre-login policies? A. ASDM B. Connection-profile CLI command C. Host-scan CLI command under the VPN group policy D. Pre-login-check CLI command Answer: A
75.In FlexVPN, what command can an administrator use to create a virtual template interface that can be configured and applied dynamically to create virtual access interfaces? A. interface virtual-template number type template B. interface virtual-template number type tunnel C. interface template number type virtual D. interface tunnel-template number Answer: B Explanation: Here is a reference an explanation that can be included with this test. http://www.cisc o.com/en/US/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/15-2mt/sec-flexspoke.html#GUID-4A10927D-4C6A-4202-B01C-DA7E462F5D8A Configuring the Virtual Tunnel Interface on FlexVPN Spoke SUMMARY STEPS 76. enable 77. configure terminal 78. interface virtual-template number type tunnel 79. ip unnumbered tunnel number 80. ip nhrp network-id number 81. ip nhrp shortcut virtual-template-number 82. ip nhrp redirect [timeout seconds] 83. exit
84.In FlexVPN, what is the role of a NHRP resolution request? A. It allows these entities to directly communicate without requiring traffic to use an intermediate hop B. It dynamically assigns VPN users to a group C. It blocks these entities from to directly communicating with each other D. It makes sure that each VPN spoke directly communicates with the hub Answer: A
85.What are three benefits of deploying a GET VPN? (Choose three.) A. It provides highly scalable point-to-point topologies. B. It allows replication of packets after encryption. C. It is suited for enterprises running over a DMVPN network. D. It preserves original source and destination IP address information. E. It simplifies encryption management through use of group keying. F. It supports non-IP protocols. Answer: B,D,E
86.What is the default topology type for a GET VPN? A. point-to-point B. hub-and-spoke C. full mesh D. on-demand spoke-to-spoke Answer: C
87.Which two GDOI encryption keys are used within a GET VPN network? (Choose two.) A. key encryption key B. group encryption key C. user encryption key D. traffic encryption key Answer: A,D
88.What are the three primary components of a GET VPN network? (Choose three.) A. Group Domain of Interpretation protocol B. Simple Network Management Protocol C. server load balancer D. accounting server E. group member F. key server
Answer: A,E,F
89.Which two IKEv1 policy options must match on each peer when you configure an IPsec site-to-site VPN? (Choose two.) A. priority number B. hash algorithm C. encryption algorithm D. session lifetime E. PRF algorithm Answer: B,C
90.Which two parameters are configured within an IKEv2 proposal on an IOS router? (Choose two.) A. authentication B. encryption C. integrity D. lifetime Answer: B,C
91.In a spoke-to-spoke DMVPN topology, which type of interface does a branch router require? A. Virtual tunnel interface B. Multipoint GRE interface C. Point-to-point GRE interface D. Loopback interface Answer: B
92.Refer to the exhibit.
After the configuration is performed, which combination of devices can connect? A. a device with an identity type of IPv4 address of 209.165.200.225 or 209.165.202.155 or a certificate with subject name of "cisco.com" B. a device with an identity type of IPv4 address of both 209.165.200.225 and 209.165.202.155 or a certificate with subject name containing "cisco.com" C. a device with an identity type of IPv4 address of both 209.165.200.225 and 209.165.202.155 and a certificate with subject name containing "cisco.com" D. a device with an identity type of IPv4 address of 209.165.200.225 or 209.165.202.155 or a certificate with subject name containing "cisco.com" Answer: D
93.Which three settings are required for crypto map configuration? (Choose three.) A. match address B. set peer C. set transform-set D. set security-association lifetime E. set security-association level per-host F. set pfs Answer: A,B,C
94.A network is configured to allow clientless access to resources inside the network. Which feature must be enabled and configured to allow SSH applications to respond on the specified port 8889? A. auto applet download B. port forwarding C. web-type ACL D. HTTP proxy Answer: B
95.Consider this scenario. When users attempt to connect via a Cisco AnyConnect VPN session, the certificate has changed and the connection fails. What is a possible cause of the connection failure? A. An invalid modulus was used to generate the initial key. B. The VPN is using an expired certificate. C. The Cisco ASA appliance was reloaded. D. The Trusted Root Store is configured incorrectly. Answer: C
GET FULL VERSION OF 300-209 DUMPS
Powered by TCPDF (www.tcpdf.org)