PrepAway - Latest Free Exam Questions & Answers

Which three statements about these three show outputs are true?

Refer to the exhibit.

Which three statements about these three show outputs are true? (Choose three.)

A.
Traffic matched by ACL 110 is encrypted.

B.
The IPsec transform set uses SHA for data confidentiality.

C.
The crypto map shown is for an IPsec site-to-site VPN tunnel.

D.
The default ISAKMP policy uses a digital certificate to authenticate the IPsec peer.

E.
The IPsec transform set specifies the use of GRE over IPsec tunnel mode.

F.
The default ISAKMP policy has higher priority than the other two ISAKMP policies with a priority of 1 and 2.

Explanation:

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_s3.html
show crypto map field descriptions:

Peer: Possible peers that are configured for this crypto map entry.

Extended IP access list: Access list that is used to define the data packets that need to be encrypted. Packets that are denied by this access list are forwarded but not encrypted. The "reverse" of this access list is used to check the inbound return packets, which are also encrypted. Packets that are denied by the "reverse" access list are dropped because they should have been encrypted but were not.

Extended IP access check: Access lists that are used to more finely control which data packets are allowed into or out of the IPsec tunnel. Packets that are allowed by the "Extended IP access list" ACL but denied by the "Extended IP access list check" ACL are dropped.

Current peer: Current peer that is being used for this crypto map entry.

Security association lifetime: Number of bytes that are allowed to be encrypted or decrypted, or the age of the security association, before new encryption keys must be negotiated.

PFS (Perfect Forward Secrecy): If the field is marked as 'Yes', the Internet Security Association and Key Management Protocol (ISAKMP) SKEYID-d key is renegotiated each time security association (SA) encryption keys are renegotiated (requires another Diffie-Hellman calculation). If the field is marked as 'No', the same ISAKMP SKEYID-d key is used when renegotiating SA encryption keys. ISAKMP keys are renegotiated on a separate schedule, with a default time of 24 hours.

Transform sets: List of transform sets (encryption, authentication, and compression algorithms) that can be used with this crypto map.

Interfaces using crypto map test: Interfaces to which this crypto map is applied. Packets that are leaving from this interface are subject to the rules of this crypto map for encryption. Encrypted packets may enter the router on any interface, and they are decrypted. Nonencrypted packets that are entering the router through this interface are subject to the "reverse" crypto access list check.
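The field descriptions above are easier to apply to a real device once the output is pulled apart field by field. The script below is an added example, not part of the original page or of Cisco's documentation: it parses a constructed sample in the layout of Cisco IOS "show crypto map" output (the exhibit itself is not on this page, so the map name, peer, ACL 110 entry, transform set and interface in the sample are made up) and classifies each transform name by the IPsec service it provides, which is the distinction the transform-set statements in the question turn on: ESP ciphers such as esp-aes provide confidentiality, while esp-sha-hmac and the ah-* transforms provide data authentication only.

```python
import re

# Constructed sample in the layout of Cisco IOS "show crypto map" output.
# The exhibit referenced by the question is not on the page, so every value
# below (map name, peer, ACL number, transform set, interface) is made up.
SAMPLE_SHOW_CRYPTO_MAP = """\
Crypto Map "test" 10 ipsec-isakmp
        Peer = 192.0.2.1
        Extended IP access list 110
            access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
        Current peer: 192.0.2.1
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                myset:  { esp-aes esp-sha-hmac  } ,
        }
        Interfaces using crypto map test:
                Serial0/0
"""


def classify_transform(name):
    """Return the IPsec service a Cisco IOS transform name provides.

    ESP ciphers give confidentiality; the *-hmac and ah-* transforms give
    data authentication/integrity only; esp-null is ESP without encryption.
    """
    if name.isdigit():
        return "key-size"  # the "256" in "esp-aes 256"
    if name.startswith(("esp-des", "esp-3des", "esp-aes", "esp-seal")):
        return "confidentiality"
    if name.endswith("-hmac") or name.startswith("ah-"):
        return "authentication"
    if name == "esp-null":
        return "no-encryption"
    if name == "comp-lzs":
        return "compression"
    return "unknown"


def parse_show_crypto_map(text):
    """Parse one crypto map entry from "show crypto map" text into a dict."""
    entry = {}
    head = re.search(r'^Crypto Map "([^"]+)" (\d+) (ipsec-isakmp|ipsec-manual)', text, re.M)
    if head is None:
        raise ValueError("no 'Crypto Map' header found")
    entry["name"], entry["seq"], entry["type"] = head.group(1), int(head.group(2)), head.group(3)

    def one(pattern):
        m = re.search(pattern, text, re.M)
        return m.group(1) if m else None

    entry["peer"] = one(r"^\s*Peer = (\S+)")
    entry["current_peer"] = one(r"^\s*Current peer: (\S+)")
    # The crypto ACL: permit entries select traffic to encrypt; denied
    # packets are forwarded in the clear (see the field description above).
    entry["acl"] = one(r"^\s*Extended IP access list (\S+)")
    entry["acl_entries"] = re.findall(r"^\s*(access-list \S+ (?:permit|deny) .+?)\s*$", text, re.M)
    life = re.search(r"^\s*Security association lifetime: (\d+) kilobytes/(\d+) seconds", text, re.M)
    entry["lifetime_kb"], entry["lifetime_sec"] = (
        (int(life.group(1)), int(life.group(2))) if life else (None, None)
    )
    entry["pfs"] = one(r"^\s*PFS \(Y/N\): ([YN])") == "Y"
    # Each transform set line looks like:  myset:  { esp-aes esp-sha-hmac  } ,
    entry["transform_sets"] = {
        name: {t: classify_transform(t) for t in body.split()}
        for name, body in re.findall(r"^\s*(\S+):\s*\{([^}]*)\}", text, re.M)
    }
    # Interfaces listed under "Interfaces using crypto map <name>:", one per line.
    ifaces = re.search(r"^\s*Interfaces using crypto map \S+:\s*\n((?:[ \t]+\S+\n?)+)", text, re.M)
    entry["interfaces"] = ifaces.group(1).split() if ifaces else []
    return entry


if __name__ == "__main__":
    parsed = parse_show_crypto_map(SAMPLE_SHOW_CRYPTO_MAP)
    for key, value in parsed.items():
        print(f"{key}: {value}")
```

The regexes are anchored per line, so extra fields an IOS release adds are ignored rather than mis-parsed; the layout is an approximation of the real command output, so adjust the patterns if a device prints a field differently.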