Cisco 642-825 Practice Test, Helpful Cisco 642-825 Study Guide Book Covers All Key Points

Welcome to download the newest Examwind JN0-360 dumps: http://www.examwind.com/jn0-360.html

Examwind Cisco 642-825 exam sample questions offered complete in all respects and contains only Cisco 642-825 test with clear and easy to remember answers. Cisco 642-825 exam is a challenging CompTIA certification. Thus it is advisable for you to master all Cisco 642-825 practice questions before Appearing in the actual exam and make your targeted score. Cisco 642-825 exam sample questions provide you with the experience of taking the best materials. Examwind provides the most comprehensive Cisco 642-825 test for our customers; we guarantee your success in the first attempt.

QUESTION 70
IPSec is being used for the Certkiller VPN. What is true about the security protocol ESP (Encapsualtion Security Payload) in IPSec? (Choose three)
A. IP packet is expanded by transport mode: 37 bytes (3DES) or 63 bytes (AES); tunnel mode: 57bytes (3DES) or 83 bytes (AES).
B. IP packet is expanded by: transport mode 56 bytes: tunnel mode 128 bytes.
C. Authentication is mandatory and the whole packet as well as the header is authenticated.
D. Authentication is optional and the outer header is not authenticated.
E. The ESP security protocol provides data confidentiality.
F. The ESP security protocol provides no data confidentiality.

Correct Answer: ACE Section: (none) Explanation
Explanation/Reference:
Explanation: ESP is the Encapsulating Security Payload: A security protocol which provides data privacy services and optional data authentication, and anti-replay services. ESP encapsulates the data to be protected. Both the older RFC 1829 ESP and the updated ESP protocol are implemented. The updated ESP protocol is per the latest version of the “IP Encapsulating Security Payload” Internet Draft (draft-ietf-ipsec-esp-v2-xx.txt). RFC 1829 specifies DES-CBC as the encryption algorithm; it does not provide data authentication or anti-replay services. The updated ESP protocol allows for the use of various cipher algorithms and (optionally) various authentication algorithms. Cisco IOS implements the mandatory 56-bit DES-CBC with Explicit IV as the encryption algorithm, and MD5 or SHA (HMAC variants) as the authentication algorithms. The updated ESP protocol provides anti-replay services. Reference: IPSec Network Security http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113t/113t_3/ipsec.htm
QUESTION 71
What is true about the security protocol AH (Authentication Header) used in a secure IPSec tunnel? (Choose three)
A. Authentication is mandatory.
B. Authentication is optional.
C. The IP packet is expanded by transport mode 37 bytes(3DES( or 63 bytes(AES); tunnel mode 57 bytes (3DES) or 83 bytes(AES).
D. The IP packet is expanded by transport mode 56 bytes; tunnel mode 128 bytes.
E. The IPSec AH security protocol does provide data confidentiality.
F. The IPSec AH security protocol does not provide data confidentiality.

Correct Answer: ACF Section: (none) Explanation
Explanation/Reference:
Explanation: Authentication Header: A security protocol which provides data authentication and optional anti-replay services. AH is embedded in the data to be protected (a full IP datagram). Both the older RFC 1828 AH and the updated AH protocol are implemented. The updated AH protocol is per the latest version of the “IP Authentication Header” Internet Draft (draft-ietf-ipsec-auth-header-xx.txt). RFC 1828 specifies the Keyed MD5 authentication algorithm; it does not provide anti-replay services. The updated AH protocol allows for the use of various authentication algorithms; CiscoIOS has implemented the mandatory MD5 and SHA (HMAC variants) authentication algorithms. The updated AH protocol provides anti-replay services. Reference: IPSec Network Security http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113t/113t_3/ipsec.htm
QUESTION 72
Which of the following statements is true about IPSec security associations (SAs)?
A. SAs contain unidirectional specifications only.
B. SAs describe the mechanics if implementing a key exchange protocol.
C. A single SA ca be used for both AH and ESP encapsulation protocols.
D. A single SA is negotiated by peers requesting secure communication.
E. Active SAs are stored in a local database called the IPSec database.

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
An SA is a set of security parameters used by a tunnel for authentication and encryption. Key management
tunnels use one SA for both directions of traffic; data management tunnels use at least one SA for each
direction of traffic. Each endpoint assigns a unique identifier, called a security parameter index (SPI), to
each SA. A set of SAs is needed for a protected data pipe, one per direction per protocol. For example, if
you have a pipe that supports Encapsulating Security Protocol (ESP) between peers, one ESP SA is
required for each direction. SAs are uniquely identified by destination (IPSec endpoint) address, security
protocol (AH or ESP), and SPI.
Note the following regarding SAs:
IP Security (IPSec) SAs are unidirectional and are unique in each security protocol. An Internet Key
Exchange (IKE) SA is used by IKE only, and unlike the IPSec SA, it is bidirectional.
IKE negotiates and establishes SAs on behalf of IPSec.
A user can also establish IPSec SAs manually.
Reference:
http://www.cisco.com/en/US/products/sw/cscowork/ps4565/
products_user_guide_chapter09186a008043bd31.h t

QUESTION 73
The network administrator logged into a Certkiller device using SDM as shown below: A site-to-site VPN connection has been configured using the SDM shown above. What option can aid in the configuration of the VPN on the peer router?

A. The VPN Components option on the VPN tab
B. The Generate Mirror option on the VPN Edit tab
C. The Monitor Mode option on the VPN Status tab
D. The IPSec Policies from the VPN Components tab

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
Step1
From the left frame, select VPN.
Step2
Select Site-to-Site VPN. in the VPN tree, and then click the Edit tab.
Step3
Select the VPN connection that you want to use as a template, and click Generate Mirror.
SDM displays the Generate Mirror screen.
Step4
From the Peer Device field, select the IP address of the peer device for which you want to generate a
suggested configuration.
The suggested configuration for the peer device appears on the Generate Mirror screen.

Step5
Click Save to display the Windows Save File dialog box, and save the file.

QUESTION 74
The following exhibit shows the Cisco VPN Wizard:

You need to use the VPN wizard to create an IPSec VPN between two Certkiller devices. When you are using the Quick Setup option of the Site-to-Site VPN wizard on the SDM to configure an IPsec VPN, which three settings can you configure? (Select three)
A. The encapsulation security payload
B. The crypto map
C. The transform set priority
D. The peer identity
E. The source interface and destination IP address
F. The pre-shared key

Correct Answer: DEF Section: (none) Explanation
Explanation/Reference:
Explanation: Abut Cisco SDM -SDM is anembeddedweb-based management tool.
-Providesintelligent wizards to enable quicker and easier deployments,and does not require knowledge of Cisco IOS CLI or security expertise.
-Contains toolsfor more advanced users: ACL editor-VPN crypto map editor-Cisco IOS CLI preview

When you select the quick Setup you need to configure i. The peer identity ii. The source interface and destination IP address iii. The pre-shared key
QUESTION 75
You need to configure a GRE tunnel on a Certkiller IPSec router. When you are using the SDM to configure a GRE tunnel over IPsec, which two parameters are required when defining the tunnel interface information? (Select two)
A. The crypto ACL number
B. The IPSEC mode (tunnel or transport)
C. The GRE tunnel interface IP address
D. The GRE tunnel source interface or IP address, and tunnel destination IP address
E. The MTU size of the GRE tunnel interface

Correct Answer: CD Section: (none) Explanation
Explanation/Reference:
Explanation: The main function of GRE is to provide powerful yet simple tunneling. It supports any OSI Layer 3 protocol as payload, for which it provides virtual point-to-point connectivity. It also allows the usage of routing protocols across the tunnel. The main limitation of GRE is that it lacks strong security functionality. It only provides basic plaintext authentication using the tunnel key, which is not secure, and tunnel source and destination addresses. A reasonably secure VPN requires these characteristics that are not provided by GRE: Cryptographically strong confidentiality (that is, encryption) Data source authentication that is not vulnerable to man-in-the-middle attacks Data integrity assurance that is not vulnerable to man-in-the-middle attacks and spoofing

While configuring the GRE tunnel on SDM you need to specify i. The GRE tunnel interface IP address ii. The GRE tunnel source interface or IP address, and tunnel destination IP address
QUESTION 76
You want to use dynamic routing protocols over the Certkiller IPSec WAN using GRE tunnels. Which three routing protocols can be configured when configuring a site-to-site GRE over IPsec tunnel using SDM? (Select three)
A. IGRP
B. EIGRP
C. BGP
D. OSPF
E. RIP
F. IS-IS

Correct Answer: BDE Section: (none) Explanation
Explanation/Reference:
Explanation:
According to Cisco, while configuring the site-to-site GRE over IPSec tunnel using SDM, it can supports
only RIP, EIGRP, and OSPF. For more details refer to:
http://www.cisco.com/en/US/products/ps6660/products_white_paper0900aecd804f1693.shtml

QUESTION 77
Two Certkiller routers are connected together as shown below: Configuration exhibit #1:

Configuration exhibit #2:

A GRE tunnel has been configured between the Certkiller 1 headquarters router and the Certkiller 2 branch site router. Based on the information shown above, why are users at the branch site unable to access the corporate intranet?
A. The source IP address of the GRE tunnel must be different from the IP address of interface S0/0 on router Certkiller 1.
B. The interface S0/0 on router Certkiller 1 must be enabled with the no shutdown command.
C. The destination IP address of the GRE tunnel must be different from the IP address of the interface S0/1 on router Certkiller 2.
D. The IP address of the interface tunnel1 must be the same as the IP address of the interface S0/0 on router Certkiller 1.
E. The GRE tunnel must be configured with the encapsulation ppp command.
F. None of the above

Correct Answer: B Section: (none) Explanation Explanation/Reference:
Explanation: The Physical status of Serial 0/0 of Certkiller 1 Router is administratively Down. To bring up you need to enter no shutdown command in interface configuration mode.
QUESTION 78
A new Certkiller router must be added to the IPSec VPN. When configuring a site-to-site IPsec VPN tunnel on this router, which configuration must be the exact reverse of the other IPsec peer?
A. The crypto map
B. The crypto ACL
C. The IPsec transform
D. The pre-shared key
E. The ISAKMP policy
F. None of the above

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: The crypto ACLs identify the traffic flows that will be protected. Extended IP ACLs select IP traffic to encrypt by protocol, IP address, network, subnet, and port. Although the ACL syntax is unchanged from extended IP ACLs, the meanings are slightly different for crypto ACLs. When using crypto ACLs, permit specifies that matching packets must be encrypted and deny specifies that matching packets do not need to be encrypted. Crypto ACLs behave similar to an extended IP ACL applied to the outbound traffic on an interface.
QUESTION 79
When establishing a VPN connection from the Cisco software VPN client of a Certkiller device to the Certkiller Easy VPN server router using pre-shared key authentication, what is entered in the configuration GUI of the Cisco software VPN client to identify the group profile that is associated with this VPN client?
A. The group name
B. The client name
C. The organizational unit
D. The distinguished name
E. None of the above

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
The Cisco virtual private network (VPN) Client for Windows (or VPN Client) is software that runs on a
Microsoft Windows-based PC. The VPN Client on a remote PC, communicating with a Cisco Easy VPN
Server on an enterprise network or with a service provider, creates a secure connection over the Internet.
This lesson describes the process of setting up a Cisco VPN Client on a laptop to create a secure
connection, called a tunnel, between your computer and a private network.

*
To use VPN Client, you must create at least one connection entry that includes this information:

*
The VPN device (the remote server) to access.

1.
Preshared keys-the IPsec group to which the system administrator assigned you. Your group determines how you access and use the remote network. For example, it specifies access hours, number of simultaneous logins, user authentication method, and the IPsec algorithms that your VPN Client uses.

2.
Certificates-the name of the certificate that you are using for authentication.

3.
Optional parameters that govern VPN Client operation and connection to the remote network.

QUESTION 80
The following output was displayed on a Certkiller router:

Based on what is shown above, which statement is true about the output of the show crypto engine connections active command?
A. The state of “set” indicates that the connection is configured but not connected to a peer.
B. All three interfaces are active and are encrypting and decrypting traffic.
C. No subinterfaces are involved in VPN connections.
D. The device that is shown has not established a VPN connection with a peer.
E. None of the above.

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: To view the current active encrypted session connections for all crypto engines, use the show crypto engine connections active privileged EXEC command. The following is sample output from the show crypto engine connections active command: Router1# show crypto engine connections active Connection Interface IP-Address State Algorithm Encrypt Decrypt 2 Ethernet0 172.21.114.9 set DES_56_CFB64 41 32 3 Ethernet1 172.29.13.2 set DES_56_CFB64 110 65 4 Serial0 172.17.42.1 set DES_56_CFB64 36 27
Field Description Connection Identifies the connection by its number. Each active encrypted session connection is identified by a positive number from 1 to 299. These connection numbers correspond to the table entry numbers.
Interface Identifies the interface involved in the encrypted session connection. This will display only the actual interface, not a subinterface (even if a subinterface is defined and used for the connection). IP-Address Identifies the IP address of the interface. Note that if a subinterface is used for the connection, this field will display “unassigned.”
State The state “set” indicates an active connection.
Algorithm Identifies the Data Encryption Standard (DES) algorithm used to encrypt/decrypt packets at the interface.
Encrypt Shows the total number of encrypted
outbound IP packets.
Decrypt
Shows the total number of decrypted
inbound IP packets.

QUESTION 81
Two Certkiller routers are connected together as shown below:

Certkiller 1 is condigured as shown below:

Certkiller 2 is condigured as shown below:

Based on the information provided above, what is missing in the configuration of both IPSec peers concerning the IPSec/GRE configuration?
A. DH group configuration under the crypto ipsec transform-set trans2
B. access-list 110 on both peers to encrypt GRE traffic between 172.16.175.75 and 172.17.63.18
C. mode transport under the crypto ipsec transform-set trans2
D. crypto map vpnmap2 on the Ethernet1 interface
E. mode tunnel under the crypto ipsec transform-set trans2
F. access-list 110 on both peers to permit ISAKMP and IPSec traffic between 172.16.175.75 and
172.17.63.18
G. None of the above

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: Ensure existing access lists (ACLs) on perimeter routers, firewalls, or other routers do not block IPSec traffic. Perimeter routers typically implement a restrictive security policy with ACLs, where only specific traffic is permitted and all other traffic is denied. Such a restrictive policy blocks IPSec traffic. Add specific permit statements to the ACL to allow IPSec traffic. Ensure that the ACLs are configured so that ISAKMP, Encapsulating Security Payload (ESP), and Authentication Header (AH) traffic are not blocked at interfaces used by IPSec. ISAKMP uses UDP port 500, ESP is assigned IP protocol number 50, and AH is assigned IP protocol number 51. In some cases, a statement must be added to router ACLs to explicitly permit this traffic
QUESTION 82
Part of the configuration of an existing Certkiller router is shown below: Based on the information shown above, which three statements describe the steps that are required to configure an IPsec site-to-site VPN using a GRE tunnel? (Select three)

A. The command “access-list 110 permit ip” must be configured to specify which hosts can use the tunnel.
B. The “tunnel source Ethernet1” command must be configured on the Tunnel0 interface.
C. The “tunnel source Tunnel0” command must be configured on the Tunnel0 interface.
D. The command “access-list 110 permit gre” must be configured to specify which traffic will be encrypted.
E. The “tunnel destination 172.17.63.18” command must be configured on the Tunnel0 interface.
F. The “tunnel mode gre” command must be configured on the Tunnel0 interface.

Correct Answer: BEF Section: (none) Explanation
Explanation/Reference:
Explanation: Tunnels provide logical, point-to-point connections across a connectionless IP network. This enables the use of advanced security features. Tunnels for VPN solutions employ encryption to protect data from being viewed by unauthorized entities and to perform multiprotocol encapsulation, if necessary. Encryption is applied to the tunneled connection to make data legible only to authorized senders and receivers

QUESTION 83
The following output was displayed on a Certkiller router:

Based on the output shown above, what command was issued?
A. debug crypto ipsec
B. show crypto map
C. show crypto ipsec sa
D. show crypto ipsec transform-set
E. None of the above

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
show crypto ipsec sa : To display the settings used by current SAs. Non-zero encryption and decryption
statistics can indicate a working set of IPSec SAs.

QUESTION 84
Part of the configuration file of a Certkiller router is shown below:

Given the partial configuration that is shown above, which tunneling encapsulation is used?
A. DVMRP
B. cayman
C. GRE multipoint
D. GRE
E. None of the above

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: Tunnels provide logical, point-to-point connections across a connectionless IP network. This enables the use of advanced security features. Tunnels for VPN solutions employ encryption to protect data from being viewed by unauthorized entities and to perform multiprotocol encapsulation, if necessary. Encryption is applied to the tunneled connection to make data legible only to authorized senders and receivers

QUESTION 85
Study the exhibit regarding RouterA in the Certkiller network below:

Based on the information shown above, how many IKE policies were administratively defined above?
A. 0
B. 1
C. 2
D. 3
E. 4

Correct Answer: D Section: (none) Explanation Explanation/Reference:
Explanation:
There are three policies in the exhibit (using priority 15, 20 and 110, respectively) which were manually
configured on this router. The default policy is not explicitly defined, and is included as the default IKE
parameters on Cisco IP Sec routers.

QUESTION 86
Two Certkiller locations are trying to connect to each other over a VPN, but the connection is failing. Which common problem causes an IPSEC VPN to fail?
A. ACLs configured in the IPSEC traffic path blocking ISAKMP, ESP, and AH traffic.
B. Multiple transform sets configured but only one transform set is specified in the crypto map entry.
C. Crypto ACL configuration errors where permit is used to specify that matching packets must be encrypted.
D. Multiple interfaces sharing the same crypto map set.
E. None of the above

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation: By default, IPSec and all packets that traverse the PIX Firewall are subjected to blocking as specified by inbound conduit, outbound list or interface access-list. To enable IPSec packets to traverse the PIX Firewall, ensure that you have statements in conduits, outbound lists or interface access-lists that permit the packets. The same holds true for IPSec routers that have access lists configured. IKE uses UDP port 500. The IPSec ESP and AH protocols use protocol numbers 50 and 51. Ensure your access lists are configured so that protocol 50, 51 and UDP port 500 traffic is not blocked at interfaces used by IPSec. In some cases you may be required to add a statement to your access lists to explicitly permit this traffic.
QUESTION 87
An IPSec tunnel has just been created on the Certkiller network, and you wish to verify it. Which command will display the configured IKE policies?
A. show crypto isakmp policy
B. show crypto ipsec
C. show crypto isakmp
D. show crypto map
E. None of the above

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation: To display the parameters for each Internet Key Exchange (IKE) policy, use the show crypto isakmp policy command in EXEC mode. The following is sample output from the show crypto isakmp policy command after two IKE policies have been configured (with priorities 15 and 20, respectively): CK1 # show crypto isakmp policy Protection suite priority 15 encryption algorithm: DES – Data Encryption Standard (56 bit keys) hash algorithm: Message Digest 5 authentication method: Rivest-Shamir-Adleman Signature Diffie-Hellman Group: #2 (1024 bit) lifetime: 5000 seconds, no volume limit Protection suite priority 20 encryption algorithm: DES – Data Encryption Standard (56 bit keys) hash algorithm: Secure Hash Standard authentication method: preshared Key Diffie-Hellman Group: #1 (768 bit) lifetime: 10000 seconds, no volume limit Default protection suite encryption algorithm: DES – Data Encryption Standard (56 bit keys) hash algorithm: Secure Hash Standard authentication method: Rivest-Shamir-Adleman Signature Diffie-Hellman Group: #1 (768 bit) lifetime: 86400 seconds, no volume limit
QUESTION 88
While troubleshooting an IPSec VPN, the following was seen on router R1:

Refer to the graphic. Which configuration statements match the debug output shown above?
A. crypto isakmp policy 100 encr aes authentication rsa-encr group 5
B. crypto isakmp policy 100 encr 3des authentication pre-share group 2
C. crypto isakmp policy 100 hash md5 authentication rsa-sig
D. crypto isakmp policu 100 encr des lifetime 7200
E. crypto isakmp policy 100 hash md5 group 1 lifetime 7200

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
The answer lies near the bottom of the output, where it states “found peer pre-shared key matching
10.1.1.1” and “local preshared key found.” Choice B is the only choice that is configured for using pre-shared key authentication.

QUESTION 89
The Certkiller network is shown in the following exhibit:

Refer to the exhibit above. A network administrator is verifying a site-to-site IPSec VPN configuration. Based on the output shown, what must be true about CK1 and CK2 ?
A. CK1 and CK2 have not completed IKE Phase 1.
B. CK1 and CK2 have not completed IKE Phase 2.
C. CK1 and CK2 are authenticated IKE peers.
D. CK1 and CK2 maintain unidirectional IPSec SAs with each other.
E. CK1 and CK2 have timed out their IPSec SAs.

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: The QM idle is the normal operating state of the secrurity association (SA). The following is sample output from the show crypto isakmp sa command after IKE negotiations have been successfully completed between two peers: Router# show crypto isakmp saf_vrf/i_vrf dst src state conn-id slot /vpn2 172.21.114.123 10.1.1.1 QM_IDLE 13 0Table29 through Table32 show the various states that may be displayed in the output of the show crypto isakmp sa command. When an Internet Security Association and Key Management Protocol (ISAKMP) SA exists, it will most likely be in its quiescent state (QM_IDLE). For long exchanges, some of the MM_xxx states may be observed.

Reference: http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/ products_command_reference_chapter09186a00801
QUESTION 90
EIGRP is being used in the Certkiller IPSev VPN. When configuring an IPsec VPN to backup a WAN connection, what can be configured to influence the EIGRP routing process to select the primary WAN link over the backup IPsec tunnel?
A. Configure the EIGRP variance to 2.
B. Configure a longer delay value on the tunnel interface.
C. Configure the EIGRP variance to 1.
D. Configure a longer EIGRP hello interval on the tunnel interface.
E. Configure a lower clock rate value on the tunnel interface.
F. Configure a higher bandwidth value on the tunnel interface.
G. None of the above

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
By default, EIGRP uses bandwidth and delay to determine the metrics for choosing the best path. Setting a
longer delay value for the tunnel interface will influence EIGRP so that it will only choose the link as a
backup.
Incorrect Answeres:
A, C: By changing the variance you will most likely cause the links to be load balanced, not set up as
primary/secondary.
D, E: EIGRP does not use the hello interval or clock rates to determine the best path.

F: This will cause the tunnel interface to be preferred over the primary path.
QUESTION 91
In order to increase the uptime of the network, you have been tasked with designing and configuring a fault tolerant IPSec WAN. What can be configured to provide resiliency when using SDM to configure a site-to-site GRE over IPsec VPN tunnel?
A. A backup GRE over IPsec tunnel
B. Redundant dynamic crypto maps
C. HSRP
D. Load balancing using two GRE over IPsec tunnels
E. Stateful IPsec failover

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
Optionally, you can create a second GRE tunnel that will be used in case the primary tunnel fails:
Step 1 Check Create a backup secure GRE tunnel for resilience.
Step 2 Define the IP address of the backup VPN peer.
Step 3 Define the inner IP address and the subnet mask for the logical tunnel interface. Step 4 Click the
Next button to proceed to the next task.

QUESTION 92
You need to increase the network availability of the Certkiller IPSec WAN. Which high availability option uses the concept of a virtual IP address to ensure that the default IP gateway for an IPsec site-to-site tunnel is always reachable?
A. Reverse Route Injection (RRI)
B. Dynamic Crypto Map
C. Backup IPsec peer
D. HSRP
E. GRE over IPsec
F. None of the above

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: IPsec VPNs can experience any one of a number of different typesof failures: -Access link failure -Remote peer failure -Device failure IPsec should be designed and implemented with redundancy and high-availability mechanisms to mitigate these failures. IPsec-based VPNs provide connectivity between distant sites using an untrusted transport network. Network connectivity consists of links, devices, or sometimes just paths across networks whose topology is not known. Any of these components can fail, making the VPN inoperable. IPsec VPNs requiring high availability should be designed and implemented with redundancy in order to survive failures. HSRP can be used at: -Head end: Two head-end IPsec devices appear as one to remote peers
-Remote site: Two IPsec gateways appear as one to local devices Active HSRP device uses a virtual IP and MAC address. Standby HSRP device takes over virtual IP and MAC address when active HSRP device goes down. HSRP Operation A large class of legacy hosts that do not support dynamic router discovery are typically configured with a default gateway (router). Running a dynamic router discovery mechanism on every host may not be feasible for a number of reasons, including administrative overhead, processing overhead, security issues, or lack of a protocol implementation for some platforms. HSRP provides failover services to these hosts. Using HSRP, a set of routers works in concert to present the illusion of a single virtual router to the hosts on the LAN. This set of routers is known as an HSRP group or a standby group. A single router elected from the group is responsible for forwarding the packets that hosts send to the virtual router. This router is known as the active router. Another router is elected as the standby router. In the event that the active router fails, the standby router assumes the packet-forwarding duties of the active router. Although an arbitrary number of routers may run HSRP, only the active router forwards the packets sent to the virtual router. To minimize network traffic, only the active and standby routers send periodic HSRP messages after the protocol has completed the election process. If the active router fails, the standby router takes over as the active router. If the standby router fails or becomes the active router, another router is elected as the standby router. On a particular LAN, multiple hot standby groups may coexist and overlap. Each standby group emulates a single virtual router. The individual routers may participate in multiple groups. In this case, the router maintains separate state and timers for each group. Each standby group has a single, well-known MAC address as well as an IP address.
QUESTION 93
You have been assigned the task of setting up Easy VPN connection in the Certkiller network. During the Easy VPN Remote connection process, which phase involves pushing the IP address, Domain Name System (DNS), and split tunnel attributes to the client?
A. The VPN client establishment of an ISAKMP SA
B. Mode configuration
C. VPN client initiation of the IKE phase 1 process
D. IPsec quick mode completion of the connection
E. None of the above

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
1.

If the Easy VPN Server indicates successful authentication, the VPN client requests the remaining
configuration parameters from the Easy VPN Server:

2.
Mode configuration starts.

3.
The remaining system parameters (IP address, DNS, split tunneling information, and so on) are
downloaded to the VPN client.

4.
Remember that the IP address is the only required parameter in agroup profile; all other parameters are
optional.
The remaining system parameters (IP address, Domain Name System [DNS], split tunnel attributes, and
so on) are pushed to the VPN client at this time using mode configuration. The IP address is the only
required parameter in a group profile; all other parameters are optional.

QUESTION 94
You need to configure a new Certkiller remote location to connect to corporate using Easy VPN. Which two statements about Cisco Easy VPN are true? (Select two)
A. Easy VPN is only appropriate for smaller deployments.
B. Easy VPN tunnel endpoint addresses can be the virtual IP address of an HSRP configuration.
C. Easy VPN does not support split tunnels.
D. An IOS router, a PIX firewall or a VPN client can operate as an Easy VPN terminal point.
E. A VPN client can also be configured to operate as an Easy VPN server.

Correct Answer: BD Section: (none) Explanation
Explanation/Reference:
Explanation: Cisco Easy VPN has two main functions: -Simplify client configuration -Centralize client configuration and dynamically push the configuration to clients How are these two goals achieved ? -IKE Mode Config functionality is used to download some configuration parameters to clients. -Clients are preconfigured with a set of IKE policies and IPsec transform sets. Cable modems, xDSL routers, and other forms of broadband access provide high-performance connections to the Internet, but many applications also require the security of VPN connections that perform a high level of authentication and that encrypt the data between two particular endpoints. However, establishing a VPN connection between two routers can be complicated and typically requires tedious coordination between network administrators to configure the VPN parameters of the two routers. The Cisco Easy VPN Remote feature eliminates much of this tedious work by implementing the Cisco Unity Client protocol, which allows most VPN parameters to be defined at a Cisco IOS Easy VPN Server. This server can be a dedicated VPN device, such as a Cisco VPN 3000 Concentrator, a Cisco PIX Firewall, or a Cisco IOS router that supports the Cisco Unity Client protocol. After the Cisco Easy VPN Server has been configured, a VPN connection can be created with minimal configuration on an Easy VPN Remote client, such as a Cisco 800 Series router or a Cisco 1700 Series router. When the Easy VPN Remote initiates the VPN tunnel connection, the Cisco Easy VPN Server pushes the IPsec policies to the Easy VPN Remote client and creates the corresponding VPN tunnel connection.
QUESTION 95
The Certkiller network administrator is setting up Easy VPN as shown below:

Based on the exhibit above, which two statements are true about the Easy VPN Server configuration that is shown? (Select two)
A. Split tunneling is disabled because no protected subnets have been defined.
B. To connect, the remote VPN client will use a groupname of “test.”
C. Digital Certificate is used to authenticate the remote VPN client.
D. The remote VPN client will be assigned an internal IP address from the SDM_POOL_1 IP address pool.
E. Split tunneling is enabled where traffic that matches ACL 100 will not be encrypted.

Correct Answer: BD Section: (none)
Explanation
Explanation/Reference:
Explanation:
Use the General tab to configure the minimum required parameters for a functional group policy:
Step 1 Define a name of the group.
Step 2 Enter the preshared secret for the group.
Step 3 Specify an IP address pool from which addresses will be taken and assigned to clients. You have
these two options:
A) Create a new pool
B) Select from an existing pool

1.2. Select the DNS/WINS tab to configure the DNS and WINS servers:
Step 1 You should specify any internal DNS servers that may be required by clients in order to be able to
resolve hostnames that are only reachable inside the VPN.
Step 2 The same applies to WINS servers.

You should keep split tunneling disabled (default) to prevent any compromised client PC from becoming a
proxy between the Internet and the VPN. If, however, split tunneling is required, you should complete one
of the following two configuration options on the Split Tunneling tab:
Step 1 Check the Enable Split Tunneling check box.
Step 2 Click the Enter the protected subnets radio button.
Step 3 Click Add to add a network.
Step 4 In the Add a Network window, define protected networks (all other destinations will be reachable by
bypassing the tunnel).
Step 5 Click OK.
Alternatively, click the Select the Split tunneling ACL radio button to use an existing ACL or create a new
ACL to configure split tunneling.

QUESTION 96
The Certkiller network administrator used SDM to configure a new router as shown below:

Which statement is true about the configuration of split tunnels using SDM?
A. Any protected subnets that are entered represent subnets at the VPN server site that will be accessed without going through the encrypted tunnel.
B. Any protected subnets that are entered represent subnets at the VPN server site that will be accessed through the encrypted tunnel.
C. Any protected subnets that are entered represent subnets at the end user’s site that will be accessed through the encrypted tunnel.
D. Any protected subnets that are entered represent subnets at the end user’s site that will be accessed without going through the encrypted tunnel.

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
You should keep split tunneling disabled (default) to prevent any compromised client PC from becoming a
proxy between the Internet and the VPN. If, however, split tunneling is required, you should complete one
of the following two configuration options on the Split Tunneling tab:
Step 1 Check the Enable Split Tunneling check box.
Step 2 Click the Enter the protected subnets radio button.
Step 3 Click Add to add a network.
Step 4 In the Add a Network window, define protected networks (all other destinations will be reachable by
bypassing the tunnel).
Step 5 Click OK.
Alternatively, click the Select the Split tunneling ACL radio button to use an existing ACL or create a new
ACL to configure split tunneling.

QUESTION 97
DRAG DROP
You need to explain the Easy VPN connection process steps to a junior Certkiller network administrator.
Drag each Cisco Easy VPN connection process on the left to its step on the right.

B.
C.
D.

Correct Answer: Section: (none) Explanation
Explanation/Reference:

Cisco 642-825 exam only advanced and equipped with much more features,it is also not internet dependent,once installed.It enables you to see Interconnecting Cisco Networking Devices in a simulated Cisco 642-825 exam environment.Working with Cisco 642-825 exam Interactive Testing Engine is like passing an actual Cisco 642-825 exam.

Welcome to download the newest Examwind JN0-360 dumps: http://www.examwind.com/jn0-360.html

Cisco 642-825 Practice Test, Helpful Cisco 642-825 Study Guide Book Covers All Key Points

In642-825, Cisco 642-825

How to Pass MB-910 Microsoft Dynamics 365 Fundamentals Exam 2024

New DP-420 Dumps with New Exam Questions Answers

[July 2023 update] Latest CyberOps Associate 200-201 dumps exam questions

How To Prep and Pass | Use The Latest Cissp Dumps

Really Useful SAA-C03 Dumps Questions For Free

Simple Tips And Tricks For Candidates To Thrive On The PL-300 Exam

AZ-900 Dumps Updated | Find New Skills And A Better Life

200-201 Dumps Learning Material Update – Effective Question

XK0-004 Dumps [Updated] Pass Your CompTIA XK0-004 Exam Easy 2022