350-401 VPN Technologies • Complete Question Bank
A network engineer runs the following command on Router R1:
R1# show crypto isakmp sa
dst src state conn-id slot
10.1.1.2 10.1.1.1 MM_NO_STATE 1 0
Based on this output, what can be concluded?
A network engineer runs the following command on Router R2:
R2# show crypto ipsec sa peer 10.2.2.2
interface: Tunnel0
    Crypto map tag: CMAP, local addr 10.1.1.2
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 10.2.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500
    #pkts decaps: 1200, #pkts decrypt: 1200, #pkts verify: 1200
    #pkts compressed: 0, #pkts decompress: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
Based on this output, what can be concluded?
A network engineer runs the following command on Router R3:
R3# show dmvpn
Legend: Attrb -> S: Static, D: Dynamic, I: Incomplete
        N: NATed, L: Local, X: No Socket
        # Ent -> Number of NHRP entries with same NBMA peer
        NHS Status: E => Expecting Replies, R => Responding, W => Waiting
        UpDn Time -> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,
 # Ent  Peer NBMA Addr  Peer Tunnel Add State  UpDn Tm Attrb
 -----  --------------- --------------- ----- -------- -----
     1  192.168.1.1     10.0.0.1           UP 00:12:34     D
     1  192.168.1.2     10.0.0.2           UP 00:10:20     D
Based on this output, what can be concluded?
A network engineer runs the following command on Router R4:
R4# show mpls ldp neighbor
    Peer LDP Ident: 10.0.0.2:0; Local LDP Ident 10.0.0.1:0
        TCP connection: 10.0.0.2.646 - 10.0.0.1.54567
        State: Oper; Msgs sent/rcvd: 100/95; Downstream
        Up time: 00:15:30
        LDP discovery sources:
          GigabitEthernet0/0, Src IP addr: 10.0.0.2
        Addresses bound to peer LDP Ident:
          10.0.0.2        192.168.1.1
Based on this output, what can be concluded?
A network engineer runs the following command on Router R5:
R5# show ip route vrf CUSTOMER-A
Routing Table: CUSTOMER-A
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.1.1 to network 0.0.0.0

     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.1.1.0/24 is directly connected, GigabitEthernet0/0
B       10.2.2.0/24 [20/0] via 10.1.1.1, 00:10:20
Based on this output, what can be concluded?
A network engineer runs the following command on Router R6:
R6# show ip bgp vpnv4 all summary
BGP router identifier 10.0.0.6, local AS number 65000
BGP table version is 10, main routing table version 10
10 network entries using 1440 bytes of memory
10 path entries using 800 bytes of memory
4/3 BGP path/bestpath attribute entries using 576 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 1 (at peak 2) using 32 bytes of memory
BGP using 2896 total bytes of memory
BGP activity 20/10 prefixes, 20/10 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.0.0.7        4 65001    1000    1000       10    0    0 00:20:00        5
10.0.0.8        4 65002     500     500       10    0    0 00:10:00        3
Based on this output, what can be concluded?
A network engineer runs the following command on Router R7:
R7# show crypto ikev2 sa detail
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, Child count:1
Tunnel-id Local                 Remote                Status       Role
1         10.1.1.1/4500         10.2.2.2/4500         READY        INITIATOR
      Encr: AES-CBC 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/3600 sec
Child SA: Local selector  10.1.1.0/0 - 10.1.1.255/65535
          Remote selector 10.2.2.0/0 - 10.2.2.255/65535
          ESP spi in/out: 0x12345678/0x87654321
Based on this output, what can be concluded?
A network engineer runs the following command on Router R8:
R8# show ip nhrp
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 00:10:00, expire 01:50:00
   Type: dynamic, Flags: unique registered
   NBMA address: 192.168.1.1
10.0.0.2/32 via 10.0.0.2
   Tunnel0 created 00:05:00, expire 01:55:00
   Type: dynamic, Flags: unique registered
   NBMA address: 192.168.1.2
Based on this output, what can be concluded?
A network engineer runs the following command on Router R9:
R9# show ip interface tunnel 0
Tunnel0 is up, line protocol is up
  Internet address is 10.0.0.9/24
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1400 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is not set
  Proxy ARP is disabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP Null turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled
  BGP Policy Mapping is disabled
Based on this output, what can be concluded?
Given the following configuration on a Cisco IOS-XE router:
interface Tunnel100
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 192.168.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MYPROFILE
What is the effect of this configuration?
Examine the following IPsec configuration snippet:
crypto ikev2 proposal IKEV2_PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy IKEV2_POL
 proposal IKEV2_PROP
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC_PROF
 set transform-set TSET
 set ikev2-profile IKEV2_POL
Which statement about this configuration is true?
Consider the following DMVPN configuration on a hub router:
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
What is the effect of the command 'ip nhrp map multicast dynamic'?
Given this configuration on a Cisco IOS-XE router:
crypto ikev2 keyring KEYRING
 peer SPOKE1
  address 192.168.2.1
  pre-shared-key cisco123
!
crypto ikev2 profile IKEV2_PROF
 match identity remote address 192.168.2.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring KEYRING
!
What is missing from this configuration for a successful IKEv2 tunnel to the peer at 192.168.2.1?
Examine this configuration for a site-to-site VPN on a Cisco router:
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set TSET
 match address 101
!
interface GigabitEthernet0/0/0
 ip address 10.0.0.1 255.255.255.0
 crypto map CMAP
!
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
Which statement about this configuration is true?
Consider the following configuration for a FlexVPN spoke router:
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre ip
 tunnel protection ipsec profile FLEXPROF
 ip nhrp network-id 100
 ip nhrp nhs 10.0.0.1
 ip nhrp map 10.0.0.1 192.168.1.1
What is the purpose of the 'ip nhrp map 10.0.0.1 192.168.1.1' command?