Cisco CCNP Security 300-730 Questions & Answers

• Question 181:

  Which two parameters help to map a VPN session to a tunnel group without using the tunnel-group list? (Choose two.)

  A. group-alias

  B. certificate map

  C. optimal gateway selection

  D. group-url

  E. AnyConnect client version

  Correct Answer: BD

• Question 182:

  Which two changes must be made in order to migrate from DMVPN Phase 2 to Phase 3 when EIGRP is configured? (Choose two.)

  A. Add NHRP shortcuts on the hub.

  B. Add NHRP redirects on the spoke.

  C. Disable EIGRP next-hop-self on the hub.

  D. Enable EIGRP next-hop-self on the hub.

  E. Add NHRP redirects on the hub.

  Correct Answer: DE

  DMVPN disables the EIRGP next-hop-self with "no ip next-hop-self eigrp xxx" in DMVPN phase 2, and to go from Phase 2 to 3 you need use the NHRP protocol, and again enable EIRGP next-hop-self with "ip next-hop-self eigrp 134" under the tunnel interface https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/15-mt/sec-conn-dmvpn-15-mt-book/sec-conn-dmvpn-dmvpn.html#GUID-BF561439-BCC0-4AAF-80D9-1F7876CB7B81

• Question 183:

  Which statement about GETVPN is true?

  A. The configuration that defines which traffic to encrypt originates from the key server.

  B. TEK rekeys can be load-balanced between two key servers operating in COOP.

  C. The pseudotime that is used for replay checking is synchronized via NTP.

  D. Group members must acknowledge all KEK and TEK rekeys, regardless of configuration.

  Correct Answer: A

• Question 184:

  Refer to the exhibit.

  

  Which two tunnel types produce the show crypto ipsec sa output seen in the exhibit? (Choose two.)

  A. crypto map

  B. DMVPN

  C. GRE

  D. FlexVPN

  E. VTI

  Correct Answer: BE

  for whoever tested it in the lab, For flexvpn the output of show crypto ipsec sa, starts with the following: CSR1#show crypto ipsec sa interface: Virtual-Access // not interface: Tunnel0

• Question 185:

  Refer to the exhibit.

  

  The DMVPN tunnel is dropping randomly and no tunnel protection is configured. Which spoke configuration mitigates tunnel drops?

  

  A. Option A

  B. Option B

  C. Option C

  D. Option D

  Correct Answer: C

• Question 186:

  On a FlexVPN hub-and-spoke topology where spoke-to-spoke tunnels are not allowed, which command is needed for the hub to be able to terminate FlexVPN tunnels?

  A. interface virtual-access

  B. ip nhrp redirect

  C. interface tunnel

  D. interface virtual-template

  Correct Answer: D

  A: has no sense

  B: spoke to spoke is not allowed and this command is used for spoke to spoke

  c: makes no sense

  D: most right answer as this command is needed on the hub for hub and spoke communication.

• Question 187:

  A second set of traffic selectors is negotiated between two peers using IKEv2. Which IKEv2 packet will contain details of the exchange?

  A. IKEv2 IKE_SA_INIT

  B. IKEv2 INFORMATIONAL

  C. IKEv2 CREATE_CHILD_SA

  D. IKEv2 IKE_AUTH

  Correct Answer: C

  The IKEv2 CREATE_CHILD_SA packet is used to establish a new security association (SA) between two peers. This packet contains the details of the exchange, including the traffic selectors, the cryptographic algorithms and keys to be used, and any other relevant information.

• Question 188:

  DRAG DROP

  Drag and drop the correct commands from the night onto the blanks within the code on the left to implement a design that allow for dynamic spoke-to-spoke communication. Not all comments are used.

  Select and Place:

  

  Correct Answer:

  

  Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/xe-16/sec-conn-dmvpn-xe-16-book/sec-conn-dmvpn-summ-maps.html

• Question 189:

  An engineer must investigate a connectivity issue and decides to use the packet capture feature on Cisco FTD. The goal is to see the real packet going through the Cisco FTD device and see Snort detection actions as a part of the output. After the capture-traffic command is issued, only the packets are displayed. Which action resolves this issue?

  A. Specify the trace using the -T option after the capture-traffic command

  B. Perform the trace within the Cisco FMC GUI instead of the Cisco FMC CLI

  C. Use the verbose option as a part of the capture-traffic command

  D. Use the capture command and specify the trace option to get the required information

  Correct Answer: A

  The correct answer is A. Specify the trace using the -T option after the capture-traffic command. According to the document Use Firepower Threat Defense Captures and Packet Tracer, the capture-traffic command allows you to capture packets on the Snort engine domain of the FTD device. However, by default, it only shows the packet headers and does not include the Snort detection actions. To see the Snort detection actions, you need to use the -T option, which enables tracing. For example: capture-traffic -T This will show the packet headers along with the Snort verdicts, such as allow, block, or replace. You can also use other options to filter or save the capture output1.

  B. Performing the trace within the Cisco FMC GUI instead of the Cisco FMC CLI is not a valid option, because the FMC GUI does not support packet capture or tracing on the FTD device. You can only use the FMC GUI to view and export captures that are taken on the FTD CLI1.

  C. Using the verbose option as a part of the capture-traffic command is not a valid option, because there is no verbose option for this command. The verbose option is only available for the capture command, which is used to capture packets on the LINA engine domain of the FTD device1.

  D. Using the capture command and specifying the trace option to get the required information is not a valid option, because the capture command does not have a trace option. The capture command allows you to capture packets on the LINA engine domain of the FTD device, but it does not show the Snort detection actions. The trace option is only available for the packet-tracer command, which is used to simulate a packet going through the FTD device and show its processing steps1.

• Question 190:

  A network administrator is deploying a Cisco IPS appliance and needs it to operate initially without affecting traffic flows. It must also collect data to provide a baseline of unwanted traffic before being reconfigured to drop it. Which Cisco IPS mode meets these requirements?

  A. failsafe

  B. inline tap

  C. promiscuous

  D. bypass

  Correct Answer: C

  The correct answer is C. promiscuous mode. In promiscuous mode, the Cisco IPS appliance operates as a passive device that monitors a copy of the network traffic and analyzes it for malicious activity. The appliance does not affect the traffic flow, but it can generate alerts, logs, and reports based on the configured security policy. Promiscuous mode is useful for initial deployment and baseline analysis, as well as for monitoring lowrisk segments of the network12.

  A. failsafe mode is a feature that determines how the appliance behaves when a hardware or software failure occurs. It does not affect the normal traffic flow or analysis3. B. inline tap mode is a variation of inline mode that allows the

  appliance to pass traffic without inspection in case of a power failure or a software crash. It does not allow the appliance to collect data without affecting traffic4. D. bypass mode is a feature that enables the appliance to bypass traffic without

  inspection when it is overloaded or under maintenance.

  It does not allow the appliance to analyze traffic and generate alerts.

  1: How the Sensor Functions

  2: Cisco ASA IPS Module Quick Start Guide

  3: Failsafe Mode

  4: Inline Tap Mode : Bypass Mode