
Cisco: Implementing Secure Converged Wide Area Networks

By Certification Magazine


The following are questions from the MeasureUp Practice Test for the Cisco 642-825: Implementing Secure Converged Wide Area Networks (ISCW) exam. This exam is one of the requirements for the Cisco Certified Network Professional (CCNP) Certification.

The audience for this exam includes individuals who are responsible for extending and securing an enterprise network to support remote sites and workers who telecommute. Experience working with remote access servers and virtual private networks (VPNs) will help you prepare for this exam.
 

Objective: Implement basic teleworker services.
Sub-objective: Describe xDSL technologies.

Multiple answer, multiple-choice

You are designing an ADSL solution for U.S.-based branch offices.

The Chicago branch office uses 26-gauge wiring and is approximately 7,000 feet from the service provider digital subscriber line access multiplexer (DSLAM).

The Los Angeles branch office uses 26-gauge wiring and is approximately 11,000 feet from the service provider DSLAM.

The New York branch office uses 24-gauge wiring and is approximately 11,000 feet from the service provider DSLAM.

What bandwidth should you expect to receive at each branch office? (Choose three.)

A. 6.1 Mbps downstream bandwidth at the Chicago branch office.
B. 1.5 Mbps downstream bandwidth at the Los Angeles branch office.
C. 1.5 Mbps downstream bandwidth at the Chicago branch office.
D. 6.1 Mbps downstream bandwidth at the Los Angeles branch office.
E. 1.5 Mbps downstream bandwidth at the New York branch office.
F. 6.1 Mbps downstream bandwidth at the New York branch office.

Answer:
A, B, F

Tutorial:
You can expect to receive 6.1 Mbps downstream bandwidth at the Chicago branch office, 1.5 Mbps at the Los Angeles branch office and 6.1 Mbps at the New York branch office.

Several factors affect downstream bandwidth, including distance to the DSLAM, wire gauge, bridged taps and coupled interference.

The published standards of ADSL specify that 24-gauge wire from 0 to 12,000 feet will receive 6.1 Mbps and at 12,001 to 18,000 feet will receive 1.5 Mbps. 26-gauge wire from 0 to 9,000 feet will receive 6.1 Mbps and at 9,001 to 15,000 feet will receive 1.5 Mbps. Any distance beyond these lengths will require a fiber-based digital loop carrier (DLC).

These are estimates, and the service provider will test your line to determine the bandwidth you can expect to receive.

Reference:
Internetworking Technology Handbook – Digital Subscriber Line
Cisco.com
http://www.cisco.com/en/US/docs/internetworking/technology/handbook/DSL_Dig_Subscr_Ln.html


Objective: Implement a site-to-site IPSec VPN.
Sub-objective: Verify IPSec/GRE Tunnel configurations (i.e., IOS CLI configurations).

Single answer, multiple-choice

You are creating a generic routing encapsulation (GRE) over IP Security (IPSec) VPN between your company headquarters and a branch office. You need to determine which encryption and hash algorithm, authentication method, Diffie-Hellman group and lifetime are defined for Internet Key Exchange (IKE) on your headquarters router. Which command should you execute?

A.    show crypto isakmp peer
B.    show crypto isakmp sa
C.    show crypto isakmp policy
D.    show crypto ipsec sa

Answer:
C

Tutorial:
You should execute the show crypto isakmp policy command. This command will list all IKE policies configured on the router. The output will display the encryption and hash algorithm, authentication method, Diffie-Hellman group and lifetime for each IKE policy.

The show crypto isakmp peer command displays the IP address of all Internet Security Association and Key Management Protocol (ISAKMP) peers the router is configured for, but it does not display ISAKMP policy information.

The show crypto isakmp sa command displays the destination, source, state and status of the phase one ISAKMP Security Association (SA), but it does not display ISAKMP policy information.

The show crypto ipsec sa command displays the current state of the IPSec SA. The output displays the crypto map in use, the local and remote identity, the current peer and port used and the number of encrypted and decrypted packets and other packet counters. It does not display ISAKMP policy information.
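The following is an added example, not part of the original practice test: a short Python parser that turns show crypto isakmp policy output into one record per IKE policy and flags parameters a reviewer would question. The sample output is constructed, and the choice to flag DES, MD5 and Diffie-Hellman group 1 is this example's own review policy.

```python
import re

# Constructed sample in the layout IOS prints for `show crypto isakmp policy`.
SAMPLE = """\
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               3600 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
"""

# Output labels mapped to the record keys used below.
FIELDS = {"encryption algorithm": "encryption", "hash algorithm": "hash",
          "authentication method": "auth", "Diffie-Hellman group": "dh_group",
          "lifetime": "lifetime"}

def parse_policies(text):
    """Return one dict per protection suite, in the order the router lists them."""
    policies = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Protection suite of priority (\d+)", line)
        if m or line.startswith("Default protection suite"):
            policies.append({"priority": int(m.group(1)) if m else "default"})
        elif ":" in line and policies:
            key, value = (s.strip() for s in line.split(":", 1))
            if key in FIELDS:
                policies[-1][FIELDS[key]] = value
    return policies

def weak_settings(policy):
    """Flag DES, MD5 and DH group 1 (this example's assumed review policy)."""
    findings = []
    if policy.get("encryption", "").startswith("DES "):
        findings.append("DES encryption")
    if "Message Digest 5" in policy.get("hash", ""):
        findings.append("MD5 hash")
    if policy.get("dh_group", "").startswith("#1 "):
        findings.append("DH group 1")
    return findings

for p in parse_policies(SAMPLE):
    print(p["priority"], weak_settings(p) or "no findings")
```

Running the same parser on the output from both the headquarters and branch routers makes it easy to confirm that the two peers share at least one policy with identical parameters.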

Reference:
Cisco IOS Security Command Reference, Release 12.3 T – Security Commands: show crypto isakmp key through subject-name
Cisco.com
http://www.cisco.com/en/US/docs/ios/12_3t/secur/command/reference/sec_s2gt.html


Objective: Describe network security strategies.
Sub-objective: Describe and mitigate application-layer attacks (e.g., management protocols).

Multiple answer, multiple-choice

You are creating a security policy for your enterprise. You need to understand application-layer attacks and their mitigation methods. Which statements about Simple Network Management Protocol (SNMP) are true? (Choose four.)

A.    Only SNMP version 2 uses a password known as a community string for authentication.
B.    An access list should be applied only for read-write (RW) access.
C.    SNMP version 2 and 3 send encrypted community strings.
D.    SNMP version 1 uses a password known as a community string for authentication.
E.    SNMP version 2 uses a password known as a community string for authentication.
F.    An access list should be applied for read-only (RO) and read-write (RW) access.
G.    SNMP version 3 uses a username for authentication.

Answer:
D, E, F, G

Tutorial:
SNMP is a network management protocol used to retrieve information from a device. SNMP versions 1 and 2 use a password known as a community string. The community string is configured on the managed device. The network management system (NMS) uses this community string to identify itself as a trusted system. If the NMS uses a different community string, it will not be able to collect data from or write data to the managed device.

There are two levels of access using SNMP: read-only (RO), which allows the reading of information, and read-write (RW), which allows configuration of the device. If both access methods are required, they should both have an access list applied that allows access from a trusted NMS. If you are not going to write to the network device, RW access should be disabled.

SNMP versions 1 and 2 send community strings in clear text that can easily be read using a packet sniffer. SNMP version 3 uses a username for authentication. SNMP version 3 is not fully supported on all devices or all NMSs, but it should be enabled where supported.
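The checks described in this tutorial can be run against a device configuration. The following Python audit is an added example, not part of the original practice test; the configuration excerpt, community strings, group name and ACL number in it are constructed.

```python
import re

# Constructed running-config excerpt: community strings, the group name, the
# ACL number and the NMS address (192.0.2.50) are made up for this example.
CONFIG = """\
access-list 10 permit host 192.0.2.50
snmp-server community example-ro RO 10
snmp-server community example-rw RW
snmp-server community example-open RO
snmp-server group NMS-GROUP v3 priv
"""

# snmp-server community <string> [view <name>] [ro|rw] [<acl number or name>]
# (the "ipv6 <acl>" form is not handled here).
COMMUNITY = re.compile(
    r"^snmp-server community \S+(?: view \S+)?"
    r"(?: (?P<mode>ro|rw))?(?: (?P<acl>\S+))?$", re.IGNORECASE)
V3_GROUP = re.compile(r"^snmp-server group \S+ v3\b", re.IGNORECASE)

def audit_snmp(config):
    """Return (line_number, finding) pairs; the community string is never echoed."""
    findings, has_v3 = [], False
    for number, line in enumerate(config.splitlines(), start=1):
        line = line.strip()
        if V3_GROUP.match(line):
            has_v3 = True
        m = COMMUNITY.match(line)
        if not m:
            continue
        # IOS treats a community with no keyword as read-only.
        if (m.group("mode") or "ro").lower() == "rw":
            findings.append((number, "rw-enabled"))
        if not m.group("acl"):
            findings.append((number, "no-access-list"))
    if not has_v3:
        # Line 0 marks a finding about the configuration as a whole.
        findings.append((0, "no-snmpv3-group"))
    return findings

for number, finding in audit_snmp(CONFIG):
    print(f"line {number}: {finding}")
```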

References:
Cisco Applied Mitigation Bulletin: Identifying and Mitigating Exploitation of the SNMP Version 3 Authentication Vulnerabilities
Cisco.com
http://www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a00809adfc8.html
