1. C. Mesh-to-spoke doesn’t make sense and isn’t an official architecture. Full mesh, hub-and-spoke, and spoke-to-spoke networks are all deployment models for a site-to-site VPN architecture.
2. C. A Cisco Integrated Services Router device can offer both site-to-site VPN capabilities and remote access VPN capabilities, depending on the model, licenses, and how it is configured.
3. A. VAM is not a VPN protocol. In the Cisco VPN world, VAM is short for the VPN Acceleration Module.
4. B. IKEv2 is the key exchange protocol that negotiates IPsec security associations; it is a building block of an IPsec VPN, not a VPN deployment option in itself.
5. A and D. EasyVPN and IPsec VPN are tunnel-based VPN options.
6. A. Cisco SecureX is a centralized place for investigating event data, performing case management, and launching orchestration. Cisco SecureX does not provide VPN configuration management.
7. A. DART is a wizard that bundles all client logs and configuration and diagnostic information for analyzing and troubleshooting the AnyConnect client connection.
8. B and D. DMVPN, GETVPN, and static IPsec are site-to-site technologies that run between routers, so there is no software client for them.
9. B. L2TP is a tunneling protocol that doesn’t have any encryption. It is typically paired with IPsec for security.
10. C and D. With a client-based VPN, many host-based security capabilities are needed. Clients allow for additional features such as posture. Answer B is incorrect because the level of security is irrelevant; what matters is the type of encryption used. SSL VPNs run over the standard HTTPS port and use a web browser.
1. B, C. Authentication Header (AH) provides authentication, and ESP provides data encryption and authentication.
2. A. The correct configuration command is crypto ikev1 policy 1.
3. B. The IPsec SA exchange (quick mode) occurs during phase 2 of an IKEv1 key exchange; phase 1 establishes the IKE SA that protects it.
4. C. IKEv2 supports NAT traversal natively. Answer A is not correct because that is a characteristic of IKEv2. IKEv2 authenticates with pre-shared keys, digital signatures, or EAP. Answer B is not correct because IKEv2 allows the two peers to use different authentication methods. Multi-hosting is supported by using multiple IDs on a single IP address and port pair.
5. A, B, C. A public/private key pair is key material, not an authentication method in itself; it is consumed by authentication methods such as RSA signatures (digital certificates) and is also used for key exchange and encryption.
6. A, C, D. There isn’t an initiation protocol.
7. B. False. With IKEv1, both peers use the same authentication. IKEv2 can have both peers use the same authentication option or different authentication options.
8. A, B. Answer C is incorrect because digital certificates are for authentication, not for authorization. Answer D is somewhat correct, but a digital certificate can be used for more than just authenticating systems.
9. B. Option B is the least important question. "Best of breed" is a subjective statement and doesn't consider your organization's specific requirements.
10. A. A hot standby is essentially another system that is live in a standby mode, making it an active/standby option.
1. A and C. GETVPN provides instant IP communication with IPsec encryption between routers, and any group member can communicate with any other member without additional configuration.
2. A and D. GETVPN preserves the original IP header (the tunnel header copies the original source and destination addresses), so it requires a private WAN with any-to-any reachability, such as MPLS, and cannot be used across NAT or over the public Internet.
3. D. Internet Security Association and Key Management Protocol (ISAKMP) provides protection for control plane communication in GETVPN.
4. A, C, and D. The three key components of GETVPN are the GDOI protocol, the key server, and the group member.
5. C. The key server is responsible for registering group members and sending out the keys to them so they are all synchronized.
6. D. The key encryption key (KEK) protects the rekey messages that distribute new keys from the key server, whereas the traffic encryption key (TEK) encrypts the data payload between group members.
7. C. The key server is the most critical component, and if it fails, the SA rekey process could also fail.
8. B. Only the key server would require the generation of an RSA private key.
9. B. The key server pushes the transform set parameters to the group members. The transform set dictates the SA encryption policy.
10. D. On the group member, the GDOI group (which carries the group identity number) is bound to the interface through a crypto map entry of type gdoi, so the group identity is applied via the crypto map statement.
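The GETVPN answers above describe the key server, the group member, the KEK/TEK split, and the RSA key that only the key server needs. The following configuration is an added example, not code from the book; all names, addresses, the group identity number and the pre-shared key are placeholders.

```cisco
! Added example (not from the book): GETVPN key server (KS) and one group member (GM).
! Names, addresses, the identity number and the pre-shared key are placeholders.
!
! ===== Key server =====
! Only the KS needs an RSA key pair; it signs the rekey messages (exec mode):
!   crypto key generate rsa label GETVPN-REKEY modulus 2048
!
! ISAKMP protects the GM registration (control plane)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key CHANGE-ME address 0.0.0.0
!
! Traffic the TEK will encrypt between group members
ip access-list extended GETVPN-TRAFFIC
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
! Transform set pushed to every GM (the SA encryption policy)
crypto ipsec transform-set GET-TS esp-aes 256 esp-sha256-hmac
crypto ipsec profile GET-PROF
 set transform-set GET-TS
!
crypto gdoi group GETVPN
 ! group identity: must match on every GM
 identity number 1234
 server local
  ! KEK: protects the rekey messages that carry new keys
  rekey algorithm aes 256
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  ! TEK policy distributed to the GMs
  sa ipsec 1
   profile GET-PROF
   match address ipv4 GETVPN-TRAFFIC
   replay time window-size 5
  ! address the GMs register to
  address ipv4 10.1.1.1
!
! ===== Group member =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key CHANGE-ME address 10.1.1.1
!
crypto gdoi group GETVPN
 identity number 1234
 server address ipv4 10.1.1.1
!
! GDOI crypto map binds the group to the interface; keys and policy come from the KS
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN
!
interface GigabitEthernet0/0
 ip address 10.2.2.2 255.255.255.0
 crypto map GETVPN-MAP
!
! ===== Verification =====
! KS: show crypto gdoi ks members   - which GMs have registered
! GM: show crypto gdoi              - received KEK/TEK, rekey counters, registration status
```

Because the original IP header is preserved, the 10.0.0.0/8 addresses in the ACL must be routable end to end across the WAN; there is no tunnel endpoint address to hide them behind.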
1. A, C, and D. DMVPN technology enables support for multicast traffic, dynamic routing protocols, and QoS for bandwidth optimization.
2. B. Remote sites can have DHCP addresses and participate in a DMVPN solution; legacy site-to-site VPN solutions cannot.
3. A and C. DMVPN can scale better than a crypto map–based VPN, and the configuration overhead on the hub site is much lower.
4. A, C, E, and F. Four components of a DMVPN solution are IPsec, mGRE, NHRP, and routing protocols.
5. B. Next Hop Resolution Protocol (NHRP) maps the tunnel (inside) IP addresses of hub and spoke routers to their NBMA (outside, physical) IP addresses, so spokes can resolve each other's real addresses.
6. D. Generic Routing Encapsulation in an IPsec tunnel enables the use of dynamic routing protocols.
7. B and D. EIGRP and RIP are distance-vector routing protocols that face a split-horizon issue on the hub's multipoint tunnel interface that needs to be addressed.
8. A. An mGRE tunnel is not a traditional broadcast link, and, as a link-state routing protocol, OSPF must be configured for that non-broadcast topology (the OSPF network type on the tunnel interface) for adjacencies to form correctly.
9. B and D. You need to consider the number of remote sites as well as the need for QoS in applications.
10. D. Phase 3 has smaller routing tables because it can summarize routes.
11. B. The dynamic keyword in the NHRP command ip nhrp map multicast dynamic lets the hub replicate multicast traffic (such as routing protocol hellos) to every spoke that registers dynamically, so spokes can attach without a static mapping on the hub.
12. D. The command no ip next-hop-self prevents the hub router from rewriting the next hop IP address on the route advertisement.
13. C. The command to see whether a spoke was registered with the NHS is show ip nhrp nhs detail.
1. B. FlexVPN includes predefined defaults for multiple components of the FlexVPN configuration, such as IKEv2 proposal and IKEv2 policy.
2. A, B. FlexVPN supports multiple types of VPNs: site-to-site, hub-and-spoke, and remote access. In addition, it offers backward compatibility.
3. B, D. FlexVPN supports the IKEv2 enhancements NSA Suite B and EAP support.
4. B, C. FlexVPN provides a default IPsec profile and IKEv2 policy.
5. A, B, C. FlexVPN provides support for configuration push, per-peer configuration, and full AAA management.
6. C. The IKEv2 authorization block provides the AAA, IP pool, and ACL information download.
7. D. The transform set is one of the smart defaults included to speed up configuration.
8. D. The aaa authorization command ties the IKEv2 authorization policy to the local AAA configuration, so the IKEv2 profile can pull that policy from the local database.
9. B. Spoke-to-spoke communication requires NHRP as well as a virtual template interface to copy the tunnel interface configuration to the virtual template. This makes it possible to establish a shortcut switching tunnel with another spoke.
10. A, D. On the spoke routers, a keyring entry matching the other spokes is required so that spokes can authenticate each other directly, and NHRP is needed for mapping the tunnel addresses to the remote public addresses.
11. C. The show crypto ikev2 sa command shows whether the IKEv2 process has completed.
12. A. The command show ip route nhrp shows what routes were installed in the table as a result of the NHRP resolution process.
13. D. FlexVPN does not support IKEv1. A design consideration would be making sure IKEv2 is supported.
1. C. A network access server is needed to provide the VPN, and client-side software is needed to connect to the NAS.
2. A. ASDM is a centralized configuration management tool. By itself, it does not provide VPN services.
3. E. SHA256 is a hash function, not a VPN protocol.
4. B. Although you can download AnyConnect, if you do, it won’t have any profile information regarding your specific VPN setup.
5. A. Both clientless mode and thin client mode provide secure access. However, clientless mode does not enable remote access TCP-based applications. You need thin client mode for that. Neither mode provides a full tunnel.
6. C. If an outage occurs, users do not disconnect because the ASAs are standalone and running. With a cluster, one ASA would be in standby mode and would not be active until the failure. This would force users to have to reconnect.
7. D. There isn’t a specific step for selecting the encryption type.
8. A. BGP is a routing protocol that doesn’t require a SEC-K9 bundle.
9. D. With the SEC-K9 bundle installed, nothing else is needed to enable SSLVPN.
10. B. Some Cisco routers do not support FlexVPN.
11. D. Meraki uses the L2TP tunneling protocol.
12. A. Cisco Firepower Threat Defense can support multiple AAA servers beyond three.
13. A. Answer A shows the correct way to create a tunnel group.
1. B. A clientless SSLVPN uses TLS. SSL has been deprecated. Both IKEv2 and IPsec are used with AnyConnect VPNs.
2. B. AnyConnect Plus does not support clientless SSLVPNs. AnyConnect Base is not an AnyConnect license type. Both AnyConnect Apex and AnyConnect VPN Only support clientless SSLVPNs.
3. C. The industry standard set by the Certification Authority/Browser (CA/B) Forum requires that certificates that expire after December 31, 2013, must have a key length of at least 2048 bits. Key lengths shorter than 2048 are considered insecure.
4. D. By default, DfltGrpPolicy allows clientless SSLVPN, IPsec/IKEv2, and L2TP/IPsec connections. DfltGrpPolicy does not allow SSLVPN client connections by default.
5. B. When configuring a connection profile, a domain name must be configured for the configuration to be accepted. Tunnel group is another name for connection profile. DNS server and aliases can optionally be configured in a connection profile but are not required.
6. A. Attributes applied via a dynamic access policy (DAP) always override attributes from any other source, including user attributes, group policy attributes, and connection profile default group policy attributes.
7. B. Only port forwarding requires Java to function. Clientless SSLVPN, smart tunnel, and AnyConnect SSLVPN can all function in the absence of Java.
8. B. When configuring bookmarks, CIFS and HTTP bookmarks are supported by Cisco ASA by default. You can enable RDP bookmarks by installing the appropriate client/server plug-in. DNS is not a supported type of bookmark.
9. D. When configuring a smart tunnel, the application ID, operating system, and process name are all required. Only the hash is an optional configuration parameter.
10. C. Client/server plug-ins are available for RDP, VNC, and SSH. CIFS is supported without a client/server plug-in.
1. B. DTLS typically provides better performance than TLS. IKEv2 is incorrect as it uses IPsec for transport. L2TP and PPTP are also incorrect as AnyConnect does not support these protocols.
2. A. Installing AnyConnect initially requires administrative privileges. To upgrade AnyConnect or install additional modules using web deploy (from ASA/ISE/Umbrella cloud with Downloader), you do not need administrative privileges. Connecting and disconnecting do not require administrative privileges.
3. A. Before configuring AnyConnect VPN access, an AnyConnect image must be loaded onto the ASA using the command anyconnect image.
4. C. Only Group URL maps an AnyConnect connection to a connection profile based on the URL. Connection Alias allows a user to select the connection profile during login, and Certificate Mapping allows for the automatic selection of the connection profile, based on the certificate. Group URL Alias does not exist.
5. B. DTLS uses UDP 443 by default. TLS uses TCP 443, IKEv2 uses UDP 500, and IKEv2 with NAT-T uses UDP 4500 by default.
6. C. The ASA supports the RADIUS, TACACS+, SDI (RSA), NT, Kerberos, and LDAP protocols when configuring a AAA server group.
7. D. AnyConnect clients may not be assigned IP addresses manually. IP addresses must be assigned via a local address pool, RADIUS server, or DHCP server.
8. A. The option Tunnel Network List Below in ASDM splits tunnel traffic by IP address and only tunnels the traffic specified by the ACL. In contrast, the option Exclude Network Below tunnels all traffic except the traffic specified by the ACL, and the option Dynamic Split Tunneling is used to split tunnel traffic by domain. The option Manual Split Tunneling does not exist.
9. B. When configuring a server list in the AnyConnect profile editor, only IKE Identity is optional. FQDN or IP address, User Group, and Primary Protocol are all required.
10. A. The default identity sent by AnyConnect is *$AnyConnectClient$*.
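The AnyConnect answers above (image loading, Group URL versus Connection Alias, address pools, split tunneling, and the DfltGrpPolicy default) describe individual settings in isolation. The following ASA configuration is an added example, not code from the book, that wires them into one working connection profile and lists the commands used to verify it; the interface name, pool, ACL, URL, hostnames and the image filename are placeholders.

```cisco
! Added example (not from the book): ASA AnyConnect SSL VPN connection profile.
! Interface name, pool, ACL, URL, hostnames and the image filename are placeholders.
!
! Pool the ASA hands out to clients (AnyConnect addresses cannot be assigned manually)
ip local pool ANYCONNECT-POOL 192.168.100.10-192.168.100.250 mask 255.255.255.0
!
! Split-tunnel ACL: only these destinations go through the tunnel
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.0.0.0
!
webvpn
 enable outside
 ! the image must be loaded before AnyConnect can be enabled (filename is a placeholder)
 anyconnect image disk0:/anyconnect-win-webdeploy-k9.pkg 1
 anyconnect enable
 ! show the connection profile drop-down (aliases) on the login page
 tunnel-group-list enable
!
! DfltGrpPolicy does not allow ssl-client by default, so use a dedicated group policy
group-policy ANYCONNECT-GP internal
group-policy ANYCONNECT-GP attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 10.1.1.53
 default-domain value example.com
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 ! even with split tunneling, force every DNS query through the tunnel
 split-tunnel-all-dns enable
!
! Connection profile (tunnel group)
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy ANYCONNECT-GP
tunnel-group ANYCONNECT-TG webvpn-attributes
 ! group-url maps the client to this profile automatically from the URL it connects to
 group-url https://vpn.example.com/employees enable
 ! group-alias lets the user pick this profile from the drop-down instead
 group-alias employees enable
!
! ===== Verification / troubleshooting =====
! show vpn-sessiondb detail anyconnect   - per-session detail (TLS vs DTLS, bytes, group policy)
! show ip local pool ANYCONNECT-POOL      - free vs in-use addresses (an exhausted pool blocks new users)
! show webvpn anyconnect                  - installed image(s) and whether AnyConnect is enabled
```

The split-tunnel ACL is a security decision as much as a routing one: anything not listed leaves the client unencrypted and outside the ASA's inspection, so keep the list as narrow as the use case allows and pair it with split-tunnel-all-dns when internal names must not leak to a local resolver.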
11. C. On IOS, local user authentication with EAP is not supported with self-signed certificates. EAP requires a proper certificate chain consisting of a server certificate signed by a separate CA certificate. If that is not in place, the EAP exchange fails.
1. B. If the local address pool is exhausted, no more IP addresses will be available, and hence no more VPN users can be added. You can verify whether this is the issue by using the command show ip local pool [pool-name].
2. A. Java or ActiveX must be supported by the browser for smart tunnel functionality to work.
3. B. If a bookmark is grayed out, the ASA can no longer reach it, which likely points to a DNS resolution problem.
4. A. When using an XML profile, the connection profile must match the user group.
5. D. Using split-tunnel-all-dns enable sends all DNS traffic through the SSLVPN tunnel.
6. D. The show crypto ikev2 sa detail command contains all this information.
7. B. The show ipsec crypto sa command does not show details about the status of the WebVPN service.
8. D. DfltGrpPolicy does not allow SSLVPN client connections by default.
9. C. The command show webvpn anyconnect is not available on a Cisco router.
10. A. The show vpn-sessiondb detail anyconnect command provides the most detail about the VPN session.