210-260.exam Number : 210-260 Passing Score : 800 Time Limit : 120 min File Version : 1.0 http://www.gratisexam.com/ Cisco 210-260 Implementing Cisco Network Security Version 1.0 http://www.gratisexam.com/ Exam A QUESTION 1 The Serial 0/0 interfaces on Router1 and Router2 are directly connected on the 192.168.51.48/30 network. You issue the following commands on Router1: interface serial 0/0 ip ospf messagedigestkey 1 md5 b0s0n router ospf 1routerid 1.1.1.1 network 10.10.10.0 0.0.0.255 area 1 network 192.168.51.48 0.0.0.3 area 0 area 0 authentication You issue the following commands on Router2: interface serial 0/0 ip ospf authenticationkey b0s0n router ospf 2routerid 2.2.2.2 network 10.10.20.0 0.0.0.255 area 2 network 192.168.51.48 0.0.0.3 area 0 area 0 authentication Router1 and Router2 do not form an OSPF adjacency. Which of the following is most likely the problem? (Select the best answer.) A. an OSPF area mismatch B. an OSPF authentication mismatch C. an OSPF process ID mismatch D. an OSPF router ID mismatch Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: Of the available choices, a mismatched authentication type is most likely to be the cause of the problem in this scenario. A mismatched authentication key or a mismatched authentication type could cause two Open Shortest Path First (OSPF) routers to not form an adjacency. In this scenario, the Serial 0/0 interface on Router1 is configured to use a Message Digest 5 (MD5) authentication key of b0s0n. The Serial 0/0 interface on Router2, on the other hand, is configured to use a plaintext authentication key of b0s0n. If the correct authentication type were configured between the Serial 0/0 interfaces on the routers, OSPF authentication would succeed and an adjacency would be formed. A mismatched process ID will not prevent an OSPF router from establishing an adjacency with a neighbor. An OSPF process ID is used to identify the OSPF http://www.gratisexam.com/ process only to the local router. In this scenario, the router ospf 1 command has been issued on Router1, which configures Router1 with an OSPF process ID of 1. The router ospf 2 command has been issued on Router2, which configures Router2 with an OSPF process ID of 2. An OSPF area mismatch is not the reason that Router1 and Router2 do not form an adjacency in this scenario. In order to establish an adjacency, OSPF routers must be configured with the same area ID, Hello timer value, Dead timer value, and authentication password. In this scenario, the Serial 0/0 interface on Router1 has been configured to operate in area 0, which is also known as the backbone area. Similarly, the Serial 0/0 interface on Router2 has been configured to operate in area 0. OSPF router IDs should never match between routers. A router ID is a unique 32bit identifier that resembles an IP address. A router ID conflict could cause routers to not form an adjacency. If you do not manually configure a router ID on an OSPF router, then the router ID is the highest IP address configured among loopback interfaces on the router, even if a physical interface is configured with a higher IP address. Cisco recommends using a loopback interface instead of a physical interface for the router ID? a loopback interface is never in the down state, thus OSPF is considered to be more stable when the router ID is configured from the IP address of a loopback interface. In this scenario, the router IDs on Router1 and Router2 have been manually configured by using the routerid ipaddresscommand. Reference: Cisco: Sample Configuration for Authentication in OSPF: Configurations for Plain Text Authentication QUESTION 2 In which of the following authentication protocols is support for TLS 1.2 specifically required? (Select the best answer.) http://www.gratisexam.com/ A. EAPFASTv1 B. EAPFASTv2 C. EAPMD5 D. EAPTLS E. EAPPEAP Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: Of the available choices, only Extensible Authentication ProtocolFlexible Authentication via Secure Tunneling Version 2 (EAPFASTv2) is specifically required to support Transport Layer Security (TLS) 1.2. EAPFAST is an authentication protocol that can be used for pointtopoint connections and for both wired and wireless links. EAPFAST Version 1 (EAPFASTv1) supported TLS 1.0 and higher. However, EAPFASTv2 made support of TLS 1.2 a requirement, thereby providing EAPFASTv2 with a stronger encryption algorithm than EAPFASTv1. EAPTransport Layer Security (EAPTLS) does not specifically require support for TLS 1.2, although EAPTLS is designed to support TLS 1.0 and higher. EAPTLS is an Internet Engineering Task Force (IETF) standard that is defined in Request for Comments (RFC) 5216. Protected EAP (PEAP) does not specifically require support for TLS 1.2. PEAP is an open standard developed by Cisco, Microsoft, and RSA. PEAP and other later http://www.gratisexam.com/ variants of EAP, such as EAPTLS, and EAPTunneled TLS (EAPTTLS), are replacing Lightweight EAP (LEAP). PEAP supports TLS 1.0 and higher. EAP Message Digest 5 (EAPMD5) does not specifically require support for TLS 1.2. EAPMD5 uses an MD5 hash function to provide security and is therefore considered weak when compared to later methods. EAP is an IETF standard that was originally defined in RFC 2284. It does not support TLS at all. Reference: IETF: Flexible Authentication via Secure Tunnel Extension Authentication Protocol (EAPFAST) Version 2: 1.2. Major Differences from Version 1 QUESTION 3 Router2 is configured to obtain time from three different NTP servers. You want to determine from which of the three servers Router2 is currently synchronizing time. Which of the following commands would not achieve your goal? (Select the best answer.) A. show clock detail B. show ntp associations C. show ntp associations detail D. show ntp status Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: Of the available choices, only the show clock detail command would not enable you to determine from which of the three Network Time Protocol (NTP) servers Router2 is synchronizing time. The show clock detail command displays the date and time as it is configured on the device and general information about the source of the configuration. However, this command does not reveal the IP address or NTP peer status of an NTP source. The following is sample output from the show clock detail command: Router2#show clock detail 09:12:20.299 UTC Sat Jul 4 2015 Time source is NTP The show ntp associations command and the show ntp associations detail command would both enable you to determine from which of the three NTP servers Router2 is synchronizing time. The show ntp associations command displays both the address of the NTP server from which the client obtains its time and the address of the reference clock to which the NTP server is synchronized. When issued with the detail keyword, you can additionally determine the IP address of the NTP peer from which time was synchronized, the NTP source authentication status, the NTP hierarchical status of the server from which time was obtained, whether the NTP peer passes basic sanity checks, whether NTP believes the time is valid, and the stratum of the NTP peer. The following is sample output from both the show ntp associations command and the show ntp associations detail command: http://www.gratisexam.com/ The presence of our_master in the output of the show ntp associations detail command indicates the status of the device at the NTP peer IP address of 203.0.113.1. Similarly, the asterisk (*) in the output of the show ntp associations command indicates that Router2’s NTP master is the device with the IP address of 203.0.113.1. The show ntp status command would enable you to determine from which of the three NTP servers Router2 is synchronizing time. The show ntp status command displays no information when NTP is not running on a device. When NTP is running, the show ntp status command provides information about whether the local clock is synchronized, the local clock’s stratum level, and the IP address of the NTP peer that the local device is using as a reference clock. The following is sample output from the show ntp status command: Reference: Cisco: Cisco IOS Basic System Management Command Reference: show clock QUESTION 4 Which of the following indicates that aggressive mode ISAKMP peers have created SAs? (Select the best answer.) http://www.gratisexam.com/ A. AG_NO_STATE B. MM_NO_STATEC. AG_AUTH C. MM_KEY_AUTH D. QM_IDLE Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: Of the available choices, the AG_NO_STATE state is most likely to indicate that aggressive mode Internet Security Association and Key Management Protocol (ISAKMP) peers have created security associations (SAs). The show crypto isakmp sa command displays the status of current IKE SAs on the router. The following states are used during aggressive mode: - AG_NO_STATE - The peers have created the SA. - AG_INIT_EXCH - The peers have negotiated SA parameters and exchanged keys. - AG_AUTH - The peers have authenticated the SA. The MM_NO_STATE state is the first transaction to occur when setting up Internet Key Exchange (IKE) SAs in main mode MM_NO_STATE indicates that the ISAKMP peers have created their SAs. However, an exchange that does not move past this stage indicates that main mode has failed. The following states are used during main mode: - MM_NO_STATE - The peers have created the SA. - MM_SA_SETUP - The peers have negotiated SA parameters. - MM_KEY_EXCH - The peers have exchanged DiffieHellman (DH) keys and have generated a shared secret.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages139 Page
-
File Size-