Exam Prep Questions

Question 1

When using concentrator redundancy, which of the following are true? (Choose all that apply.)

  • A. LAN-to-LAN tunnels are automatically reconnected when the master concentrator fails.

  • B. Remote access client sessions are automatically reconnected when the master concentrator fails.

  • C. It uses VRRP to determine whether the master is down.

  • D. It uses VCA to determine a master concentrator failure.

A1:

A and C are correct. Using VRRP, the concentrator can determine whether the master concentrator fails. When a failure occurs, LAN-to-LAN sessions are automatically saved. Remote access clients need to reconnect. Answer B is incorrect because only LAN-to-LAN tunnels are reconnected. Answer D is incorrect because VCA is used for concentrator load balancing, not for concentrator redundancy.

Question 2

The CEO of the company is complaining that too many users are using too much bandwidth on the VPN Internet link. What can you do to remedy this? (Choose two.)

  • A. Change the bandwidth on the concentrator to reflect the Ethernet link speed.

  • B. Create a bandwidth policy that assigns the CEO's group a reserved amount of bandwidth.

  • C. Create a bandwidth policy that polices the rest of the users on the interface.

  • D. Have the CEO connect to the external interface instead of the public interface.

A2:

Answers B and C are correct. If you define bandwidth policies to reserve traffic and limit others, the CEO receives a dedicated amount of bandwidth. Answer A is incorrect because the link speed should reflect the Internet link speed rather than the Ethernet's bandwidth. Answer D is incorrect because the CEO would be connecting through the public interface, which is attached to the Internet.

Question 3

What routing options are available for the VPN Concentrator? (Choose three.)

  • A. RIP

  • B. OSPF

  • C. EIGRP

  • D. ISIS

  • E. BGP

  • F. Static routes

A3:

Answers A, B, and F are correct. The VPN Concentrator supports RIPv1 and RIPv2, OSPF, and static routes. Answers C, D, and E are incorrect because the VPN 3000 Concentrator does not support those particular routing protocols.

Question 4

What NAT transparency feature is a ratified implementation of encapsulating IPSec in UDP?

  • A. RRI

  • B. TCP NAT Transparency

  • C. NAT-T

  • D. NAT-UDP

A4:

Answer C is correct. NAT Traversal is a ratified implementation of encapsulating IPSec in UDP using port 4500. Answer A is incorrect because RRI is not a form of NAT transparency. Answers B and D are incorrect because they are not actual NAT transparency features.

Question 5

What is a requirement for LAN-to-LAN Autodiscovery to work?

  • A. OSPF on both interfaces

  • B. Static routes

  • C. Concentrator version 2.5

  • D. RIP on both private interfaces

A5:

Answer D is correct. For LAN-to-LAN Network Autodiscovery to work correctly, RIP must be enabled on both private interfaces of the VPN Concentrators. Answers A and B are incorrect because Network Autodiscovery relies on RIP, not OSPF or static routes. Answer C is incorrect because Network Autodiscovery was not available in VPN 3000 Concentrator release 2.5.

Question 6

Which are true regarding filters? (Choose two.)

  • A. They can be applied to authentication servers.

  • B. Filters are added to rules.

  • C. Rules are added to filters.

  • D. Filters can be applied to LAN-to-LAN tunnels.

A6:

Answers C and D are correct. Rules are created or modified and then applied to filters. These filters can be assigned to LAN-to-LAN tunnels, internal groups, and interfaces. Answer A is incorrect because filters cannot be applied to authentication servers. Answer B is incorrect because the reverse is true: rules are applied to filters.

Question 7

Which of the following are true regarding NAT Transparency? (Choose all that apply.)

  • A. NAT-T encapsulates IPSec and IKE in UDP using port 4500.

  • B. When a client connects to the concentrator, the connection will use IPSec over TCP before using NAT-T.

  • C. NAT-T is applied system-wide in the concentrator's configuration.

  • D. IPSec over UDP is applied on a group-by-group basis.

A7:

Answers A, B, C, and D are correct. NAT Transparency can take the form of one of the following: IPSec over TCP, IPSec over UDP, or the ratified implementation of IPSec over UDP known as NAT-T. NAT-T uses UDP port 4500 and is applied system-wide, along with IPSec over TCP. IPSec over UDP uses port 10,000 by default and is configured on a group-by-group basis on the Client Config tab in the User Management configuration pages. When a client attempts to connect to the concentrator by using a form of NAT Transparency, the concentrator prefers IPSec over TCP first, followed by NAT-T, and lastly IPSec over UDP.

Question 8

When presented with an overlapping network across a LAN-to-LAN session, where must LAN-to-LAN NAT occur?

  • A. On both concentrators on each side of the LAN-to-LAN tunnel.

  • B. Only on the central concentrator.

  • C. Only on the remote concentrator.

  • D. LAN-to-LAN NAT will not solve this problem and one of the private networks needs to be renumbered.

A8:

Answer A is correct. LAN-to-LAN NAT is required on both endpoints on each side of the LAN-to-LAN tunnel. For example, if both networks contain the 10.2.2.0/24 private network, when traffic originates from one of the 10.2.2.0 networks, the recipient of that traffic assumes that the sending device is located on its own private network and does not return the traffic to the concentrator to be encrypted. Answers B and C are incorrect because the recipient of the data cannot distinguish between the sender's and the receiver's network when translation occurs on only one of the endpoints. Answer D is incorrect because LAN-to-LAN NAT solves this problem without mandating any renumbering of the actual workstations.

Question 9

If your current network design is already using concentrator load balancing, how can you achieve LAN-to-LAN session redundancy?

  • A. Because concentrator load balancing is enabled, you cannot achieve any redundancy for any sessions.

  • B. You can define backup LAN-to-LAN peers in the LAN-to-LAN configuration.

  • C. Enabling VRRP allows automatic redundancy for LAN-to-LAN tunnels.

  • D. You can define backup LAN-to-LAN peers in the group configuration.

A9:

Answer B is correct. LAN-to-LAN redundancy is available in software release 4.0 and up: on the LAN-to-LAN configuration page, you configure backup LAN-to-LAN peers and set the Connection Type to Answer-Only on a redundant concentrator or to Originate-Only on a remote concentrator that initiates the LAN-to-LAN tunnels. Answer A is incorrect because you can achieve LAN-to-LAN redundancy with backup LAN-to-LAN tunnels. Answer C is incorrect because VRRP cannot be running while VPN Concentrator load balancing is enabled. Answer D is incorrect because the configuration for backup LAN-to-LAN tunnels occurs in the LAN-to-LAN configuration page, not the group configuration pages.

Question 10

Which three parameters are added after you create a LAN-to-LAN session? (Choose three.)

  • A. IPSec SA

  • B. IKE proposal

  • C. Internal group

  • D. L2L rules

  • E. L2L filter

A10:

Answers A, C, and D are correct. After creating a LAN-to-LAN session, the VPN Concentrator automatically creates an internal group named after the IP address of the LAN-to-LAN peer. Additionally, an L2L IPSec SA is created to encompass the configuration for LAN-to-LAN connectivity. Finally, a set of L2L rules is added to the public interface filter to apply IPSec to the source and destination networks designated in the configuration of the LAN-to-LAN tunnel. Answer B is incorrect because an IKE proposal is not created. Answer E is incorrect because L2L rules are created and applied to the public interface filter; an actual L2L filter is not created.




CSVPN Exam Cram 2 (Exam 642-511)
CCSP CSVPN Exam Cram 2 (Exam Cram 642-511)
ISBN: 078973026X
Year: 2002
Pages: 185
