300-410 Practice Questions
30 questions from this objective
A network engineer runs the following command on Router R1:
R1# show crypto isakmp sa
dst src state conn-id slot status
10.1.1.2 10.1.1.1 MM_NO_STATE 1 0 ACTIVE
Based on this output, what is the problem?
A network engineer runs the following command on Router R1:
R1# show crypto ipsec sa
interface: Tunnel0
    Crypto map tag: VPN-MAP, local addr 10.1.1.1
   protected vrf: (none)
   local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 10.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
Based on this output, what is the problem?
A network engineer runs the following command on Router R1:
R1# show crypto isakmp sa
dst src state conn-id slot status
10.1.1.2 10.1.1.1 QM_IDLE 1 0 ACTIVE
Based on this output, which statement is correct?
A network engineer runs the following command on Router R1:
R1# show crypto ipsec sa peer 10.1.1.2
interface: Tunnel0
    Crypto map tag: VPN-MAP, local addr 10.1.1.1
   protected vrf: (none)
   local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 10.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 100, #pkts encrypt: 100, #pkts digest: 100
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
Based on this output, what is the problem?
A network engineer runs the following command on Router R1:
R1# show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard 2 (SHA256)
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #14 (2048 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 20
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard 2 (SHA256)
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #14 (2048 bit)
        lifetime:               86400 seconds, no volume limit
Based on this output, which statement is correct?
A network engineer runs the following command on Router R1:
R1# show crypto ipsec transform-set
Transform set ESP-AES256-SHA: { esp-256-aes esp-sha256-hmac }
   will negotiate = { Tunnel, },
Transform set ESP-AES128-SHA: { esp-aes esp-sha256-hmac }
   will negotiate = { Tunnel, },
Based on this output, which statement is correct?
A network engineer runs the following command on Router R1:
R1# show crypto map
Crypto Map "VPN-MAP" 10 ipsec-isakmp
        Peer = 10.1.1.2
        Extended IP access list 100
            access-list 100 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
        Current peer: 10.1.1.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ESP-AES256-SHA,}
        Interfaces using crypto map VPN-MAP:
                Tunnel0
Based on this output, which statement is correct?
A network engineer runs the following command on Router R1:
R1# show crypto ipsec sa | include pkts
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
Based on this output, what is the problem?
A network engineer runs the following command on Router R1:
R1# show crypto isakmp sa detail
Codes: C - IKEv1, I - IKEv2
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap
1 10.1.1.1 10.1.1.2 ACTIVE aes sha psk 14 23:59:59
Based on this output, which statement is correct?
Given the following partial configuration on router R1:
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
 lifetime 86400
!
crypto isakmp key cisco123 address 192.168.1.2
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set TSET
 match address 101
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 crypto map CMAP
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
What is the effect of this configuration?
Consider the following configuration on router R2:
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
 lifetime 3600
!
crypto isakmp key secretkey address 192.168.1.1
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set TSET
 match address 101
!
interface GigabitEthernet0/1
 ip address 192.168.1.2 255.255.255.0
 crypto map CMAP
!
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
Which statement is true?
Given the partial configuration:
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
!
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set TSET
 match address 101
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 crypto map CMAP
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
What is the effect of the 'crypto isakmp key' command with address 0.0.0.0 0.0.0.0?
Examine this configuration on router R1:
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
 lifetime 86400
!
crypto isakmp key cisco123 address 192.168.1.2
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set TSET
 match address 101
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 crypto map CMAP
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
What is missing from this configuration to ensure the tunnel works correctly?
Given this configuration on router R1:
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
 lifetime 86400
!
crypto isakmp key cisco123 address 192.168.1.2
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set TSET
 match address 101
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
What will happen when traffic from 10.1.1.0/24 to 10.2.2.0/24 is generated?
Consider the following configuration on router R1:
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
 lifetime 86400
!
crypto isakmp key cisco123 address 192.168.1.2
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set TSET
 match address 101
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 crypto map CMAP
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
If the remote peer has an ISAKMP policy with encryption 3des, what will happen?