Cisco CCNP Certification Practice Exam For ISCW Study:
Virtual Private Network Questions (And Answers!)
By Chris Bryant, CCIE #12933
VPNs are an integral part of today's Cisco networks, and a big part of your ISCW exam preparation as well!
To help you prepare for the ISCW exam and for success in working with virtual private networks in production networks, here are 10 Cisco practice exam questions on VPNs and configuring them with Security Device Manager (SDM).
Answers are at the bottom of the page. Enjoy!
 
1. Which of the following is generally considered to be the strongest encryption algorithm?
A. AES
B. DES
C. TDES
D. 4xAES
2. What's the basic operational difference between stream algorithms and block algorithms?
3. You're configuring a VPN with SDM, and you're configuring the Connection Information section. What authentication options will you be presented with?
A. PSK
B. TACACS+
C. AAA
D. Digital Certificates
E. RADIUS
4. Which IPSec modes encrypt both the data and the IP header?
A. Tunnel
B. Transport
C. Both A and B.
D. Neither A nor B.
5. When configuring the IPSec rules in SDM, you define the traffic that will be protected by that VPN. What happens to the other traffic?
A. It's never sent.
B. It's sent, but it's unprotected.
C. It's sent, but protected via DES, which is easily compromised.
D. It's sent, but protected via AES, which is easily compromised.
6. What's the purpose of the Generate Mirror option in SDM when configuring VPNs?
7. What command resulted in the following output?
HQ# ?
interface: FastEthernet0/1
Crypto map tag: SDM_CMAP_1, local addr 10.2.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (172.31.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
current_peer 10.2.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29
#pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
8. Running GRE Over IPSec helps to compensate for weaknesses found in both GRE and IPSec when used as standalone protocols. What are those weaknesses?
9. You're configuring a Cisco router as an Easy VPN Server. What commonly disabled feature must be turned on at the very beginning of the process?
10. When configuring Easy VPN in SDM, you'll be prompted to choose the method by which VPN clients will authenticate to the VPN server. Which of the following are available?
A. PSK
B. Digital certificates
C. Both A and B
D. Neither A nor B
 
Here are the answers!
1. (A). The Advanced Encryption Standard (AES) is stronger than DES and TDES. There is no "4xAES".
2. Variations of symmetric encryption include stream algorithms, where one bit or byte is encrypted/decrypted at a time, and block algorithms, where blocks of data are encrypted/decrypted as a whole.
3. (A, D). These options are shown in this SDM screen shot:
4. (A). Tunnel mode encrypts the data and the IP header; transport mode encrypts only the data.
5. (B). In the following illustration, SDM reminds us that the "other data" will be sent in an unprotected form.
6. The Generate Mirror option creates a mirror copy (an "exact reverse") of the VPN configuration that has been created for the local router.
7. That output is the result of the show crypto ipsec command.
8. By combining GRE and IPSec, each protocol helps to compensate for the other's limitation - GRE has the ability to carry routing protocol traffic, which IPSec does not have, and IPSec has data confidentiality and integrity capabilities that GRE does not.
When you configure GRE over IPSec in Security Device Manager, you're reminded of these limitations:
9. You'll be prompted to enable AAA, as shown here:
10. (C). You can use PSK, Digital Certificates, or a combination of the two.
Look for more CCNP practice exams and tutorials right here at The Bryant Advantage!
 
To your success,
Chris Bryant
CCIE #12933
chris@thebryantadvantage.com