Cisco CCNP Security 300-730 Questions & Answers

• Question 71:

  An engineer is implementing the FlexVPN solution on a Cisco IOS router. The router must only terminate VPN requests and must not initiate them. Additionally, the interface must support VPNs from other routers and Cisco AnyConnect connections. Which interface type must be configured to meet these requirements?

  A. point-to-point GRE tunnel interface

  B. multipoint GRE tunnel interface

  C. static virtual tunnel interface

  D. virtual template interface

  Correct Answer: D

• Question 72:

  An engineer is requesting an SSL certificate for a VPN load-balancing cluster in which two Cisco ASAs provide clientless SSLVPN access. The FQDN that users will enter to access the clientless VPN is asa.example.com, and users will be redirected to either asa1.example.com or asa2.example.com. The cluster FQDN and individual Cisco ASAs FQDNs resolve to IP addresses 192.168.0.1, 192.168.0.2, and 192.168.0.3 respectively. The issued certificate must be able to be used to validate the identity of either ASA in the cluster without returning any certificate validation errors. Which fields must be included in the certificate to meet these requirements?

  A. CN=*.example.com, SAN=asa.example.com

  B. CN=192.168.0.1, SAN=asa1.example.com, asa2.example.com

  C. CN=asa.example.com, SAN=asa.example.com, asa1.example.com, asa2.example.com

  D. CN=192.168.0.1, SAN=192.168.0.1, 192.168.0.2, 192.168.0.3

  Correct Answer: C

• Question 73:

  A network administrator deployed IKEv2 Cisco AnyConnect on a Cisco ASA. The current configuration tunnels all traffic through the VPN. Users report poor performance with cloud-based applications, but no issues have been reported about connections to on-premises servers. Packet analysis on Cisco Webex traffic shows very few duplicate ACKs, high RTT, and no IP fragments. Which action improves Webex performance for VPN users?

  A. Configure QoS on the outside interface of the ASA.

  B. Configure Cisco AnyConnect to use DTLS.

  C. Configure a dynamic split tunnel exclusion.

  D. Reduce the Cisco AnyConnect tunnel MTU.

  Correct Answer: C

• Question 74:

  A network administrator is troubleshooting a FlexVPN tunnel. The hub router is unable to ping the spoke router's tunnel interface IP address of 192.168.1.2, even though the tunnel is showing up. The output of the debug ip packet CLI command on the hub router shows the following entry.

  IP: tableid=0123456789 s=192.168.1.1 (local), d=192.168.1.2 (loopback2), routed via FIB.

  What must be configured to fix this issue?

  A. A matching IKEv2 pre-shared key on the hub and spoke routers in the crypto keyring configuration.

  B. An outbound ACL on the dynamic VTI of the hub router that allows ICMP traffic to 192.168.1.2.

  C. An IKEv2 authorization policy must be configured on the spoke router to advertise the interface route.

  D. A route map must be configured on hub router to set the next hop for 192.168.1.2 to the dynamic VTI.

  Correct Answer: C

• Question 75:

  Refer to the exhibit.

  

  Based on the output of the show run command, which remote access VPN technology is configured?

  A. PPTP

  B. SSLVPN Full Tunnel

  C. FlexVPN

  D. clientless SSLVPN

  Correct Answer: C

• Question 76:

  Refer to the exhibit.

  

  Which component must be configured on routers for a GETVPN deployment work properly?

  A. PE3: Key Server ?Customer 2 CEs: Group Members

  B. Customer 1 CE1: Key Server ?R1 and Customer 1 CE2: Group Members

  C. R1: Key Server ?Customer 1 CEs: Group Members

  D. PE3: Key Server ?all CEs: Group Members

  Correct Answer: A

• Question 77:

  Which VPN technology minimizes the impact on VPN performance when encrypting multicast traffic on a Private WAN?

  A. DMVPN

  B. IPsec VPN

  C. FlexVPN

  D. GETVPN

  Correct Answer: D

• Question 78:

  What are two differences between ECC and RSA? (Choose two.)

  A. Key generation in ECC is slower and more CPU intensive than RSA.

  B. ECC can have the same security as RSA but with a shorter key size.

  C. ECC cannot have the same security as RSA, even with an increased key size.

  D. Key generation in ECC is faster and less CPU intensive than RSA.

  E. ECC lags in performance when compared with RSA.

  Correct Answer: BD

• Question 79:

  A network engineer is implementing a FlexVPN tunnel between two Cisco IOS routers. The FlexVPN tunnels will terminate on encrypted traffic on an interface configured with an IP MTU of 1500, and the company has a security policy to drop fragmented traffic coming into or leaving the network. The tunnel will be used to transfer TFTP data between users and internal servers. When the TFTP traffic is not traversing a VPN, it can have a maximum IP packet size of 1500. Assuming the encrypted payload will add 90 bytes, which configuration allows TFTP traffic to traverse the FlexVPN tunnel without being dropped?

  A. Set the tunnel IP MTU to 1500.

  B. Set the tunnel tcp adjust-mss to 1460.

  C. Set the tunnel IP MTU to 1400.

  D. Set the tunnel tcp adjust-mss to 1360.

  Correct Answer: C

  tcp adjust-mss is for tcp traffic only. TFTP is UDP. The only answer can be C.

• Question 80:

  A router is being configured for IKEv2 AnyConnect using AnyConnect-EAP. How would the administrator separate profiles for administrators and employees so that authorization differs when they connect?

  A. Define group aliases on the headend and have the user pick the appropriate alias when they connect

  B. Define group-urls on the headend and create two XML profiles to match the administrator and user group urls

  C. Create a certificate map and match on the appropriate certificate fields

  D. Define key-ids on the headend and create two XML profiles to match the administrator and user key-ids.

  Correct Answer: D