CCNA Security v2.0 Chapter 8 Exam Answers 2017 (100%)

CCNA Security Chapter 8 Exam Answers

1. Which three statements describe the IPsec protocol framework? (Choose three.)

   • AH provides integrity and authentication.*
   • ESP provides encryption, authentication, and integrity.*
   • AH uses IP protocol 51.*
   • AH provides encryption and integrity.
   • ESP uses UDP protocol 50.
   • ESP requires both authentication and encryption.

2. Which statement accurately describes a characteristic of IPsec?

   • IPsec works at the application layer and protects all application data.
   • IPsec is a framework of standards developed by Cisco that relies on OSI algorithms.
   • IPsec is a framework of proprietary standards that depend on Cisco specific algorithms.
   • IPsec works at the transport layer and protects data at the network layer.
   • IPsec is a framework of open standards that relies on existing algorithms.*

3. Consider the following configuration on a Cisco ASA:
   crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
   What is the purpose of this command?

   • to define the ISAKMP parameters that are used to establish the tunnel
   • to define the encryption and integrity algorithms that are used to build the IPsec tunnel*
   • to define what traffic is allowed through and protected by the tunnel
   • to define only the allowed encryption algorithms

4. Which transform set provides the best protection?

   • crypto ipsec transform-set ESP-DES-SHA esp-aes-256 esp-sha-hmac*
   • crypto ipsec transform-set ESP-DES-SHA esp-3des esp-sha-hmac
   • crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
   • crypto ipsec transform-set ESP-DES-SHA esp-aes esp-des esp-sha-hmac

5. Which three ports must be open to verify that an IPsec VPN tunnel is operating properly? (Choose three.)

   • 168
   • 50*
   • 169
   • 501
   • 500*
   • 51*

6. Refer to the exhibit. How will traffic that does not match that defined by access list 101 be treated by the router?

   

   CCNA Security Chapter 8 Exam Answer v2 001

   • It will be sent unencrypted.*
   • It will be sent encrypted.
   • It will be blocked.
   • It will be discarded.

7. Which statement describes the effect of key length in deterring an attacker from hacking through an encryption key?

   • The length of a key does not affect the degree of security.
   • The shorter the key, the harder it is to break.
   • The length of a key will not vary between encryption algorithms.
   • The longer the key, the more key possibilities exist.*

8. What is the purpose of configuring multiple crypto ACLs when building a VPN connection between remote sites?

   • By applying the ACL on a public interface, multiple crypto ACLs can be built to prevent public users from connecting to the VPN-enabled router.
   • Multiple crypto ACLs can define multiple remote peers for connecting with a VPN-enabled router across the Internet or network.
   • Multiple crypto ACLs can be configured to deny specific network traffic from crossing a VPN.
   • When multiple combinations of IPsec protection are being chosen, multiple crypto ACLs can define different traffic types.*

9. What three protocols must be permitted through the company firewall for establishment of IPsec site-to-site VPNs? (Choose three.)

   • HTTPS
   • SSH
   • AH*
   • ISAKMP*
   • NTP
   • ESP*

10. When is a security association (SA) created if an IPsec VPN tunnel is used to connect between two sites?

    • after the tunnel is created, but before traffic is sent
    • only during Phase 2
    • only during Phase 1
    • during both Phase 1 and 2*

11. In which situation would the Cisco Discovery Protocol be disabled?

    • when a Cisco VoIP phone attaches to a Cisco switch
    • when a Cisco switch connects to another Cisco switch
    • when a Cisco switch connects to a Cisco router
    • when a PC with Cisco IP Communicator installed connects to a Cisco switch*

12. Which two statements accurately describe characteristics of IPsec? (Choose two.)

    • IPsec works at the transport layer and protects data at the network layer.
    • IPsec is a framework of proprietary standards that depend on Cisco specific algorithms.
    • IPsec is a framework of standards developed by Cisco that relies on OSI algorithms.
    • IPsec is a framework of open standards that relies on existing algorithms.*
    • IPsec works at the network layer and operates over all Layer 2 protocols.*
    • IPsec works at the application layer and protects all application data.

13. Which action do IPsec peers take during the IKE Phase 2 exchange?

    • exchange of DH keys
    • negotiation of IPsec policy*
    • negotiation of IKE policy sets
    • verification of peer identity

14. Which two IPsec protocols are used to provide data integrity?

    • SHA*
    • AES
    • DH
    • MD5*
    • RSA

15. What is the function of the Diffie-Hellman algorithm within the IPsec framework?

    • provides authentication
    • allows peers to exchange shared keys*
    • guarantees message integrity
    • provides strong data encryption

16. Refer to the exhibit. What HMAC algorithm is being used to provide data integrity?

    

    CCNA Security Chapter 8 Exam Answer v2 002

    • MD5
    • AES
    • SHA*
    • DH

17. What is needed to define interesting traffic in the creation of an IPsec tunnel?

    • security associations
    • hashing algorithm
    • access list*
    • transform set

18. Refer to the exhibit. What algorithm will be used for providing confidentiality?

    

    CCNA Security Chapter 8 Exam Answer v2 003

    • RSA
    • Diffie-Hellman
    • DES
    • AES*

19. Which technique is necessary to ensure a private transfer of data using a VPN?

    • encryption*
    • authorization
    • virtualization
    • scalability

20. Which statement describes a VPN?

    • VPNs use open source virtualization software to create the tunnel through the Internet.
    • VPNs use virtual connections to create a private network through a public network.*
    • VPNs use dedicated physical connections to transfer data between remote users.
    • VPNs use logical connections to create public networks through the Internet.

21. Which protocol provides authentication, integrity, and confidentiality services and is a type of VPN?

    • ESP
    • IPsec*
    • MD5
    • AES

22. What is the purpose of NAT-T?

    • enables NAT for PC-based VPN clients
    • permits VPN to work when NAT is being used on one or both ends of the VPN*
    • upgrades NAT for IPv4
    • allows NAT to be used for IPv6 addresses

23. Which term describes a situation where VPN traffic that is is received by an interface is routed back out that same interface?

    • GRE
    • split tunneling
    • MPLS
    • hairpinning*

24. What is an important characteristic of remote-access VPNs?

    • The VPN configuration is identical between the remote devices.
    • Internal hosts have no knowledge of the VPN.
    • Information required to establish the VPN must remain static.
    • The VPN connection is initiated by the remote user.*

25. Which type of site-to-site VPN uses trusted group members to eliminate point-to-point IPsec tunnels between the members of a group?

    • DMVPN
    • GRE
    • GETVPN*
    • MPLS

26. Refer to the exhibit. Which pair of crypto isakmp key commands would correctly configure PSK on the two routers?

    

    CCNA Security Chapter 8 Exam Answer v2 004

    • R1(config)# crypto isakmp key cisco123 address 209.165.200.227
      R2(config)# crypto isakmp key cisco123 address 209.165.200.226*
    • R1(config)# crypto isakmp key cisco123 address 209.165.200.226
      R2(config)# crypto isakmp key cisco123 address 209.165.200.227
    • R1(config)# crypto isakmp key cisco123 hostname R1
      R2(config)# crypto isakmp key cisco123 hostname R2
    • R1(config)# crypto isakmp key cisco123 address 209.165.200.226
      R2(config)# crypto isakmp key secure address 209.165.200.227