Ask Question
Cisco 300-730 Practice Test - Questions Answers
Question list
List of questions
Related questions
Question 1
A second set of traffic selectors is negotiated between two peers using IKEv2. Which IKEv2 packet will contain details of the exchange?
IKEv2 IKE_SA_INIT
IKEv2 INFORMATIONAL
IKEv2 CREATE_CHILD_SA
IKEv2 IKE_AUTH
Explanation:
The IKEv2 CREATE_CHILD_SA packet is used to establish a new security association (SA) between two peers. This packet contains the details of the exchange, including the traffic selectors, the cryptographic algorithms and keys to be used, and any other relevant information
Question 2
Refer to the exhibit.
The DMVPN tunnel is dropping randomly and no tunnel protection is configured. Which spoke configuration mitigates tunnel drops?
Option A
Option B
Option C
Option D
Question 3
On a FlexVPN hub-and-spoke topology where spoke-to-spoke tunnels are not allowed, which command is needed for the hub to be able to terminate FlexVPN tunnels?
interface virtual-access
ip nhrp redirect
interface tunnel
interface virtual-template
Explanation:
On a FlexVPN hub-and-spoke topology where spoke-to-spoke tunnels are not allowed, the command that is needed for the hub to be able to terminate FlexVPN tunnels is interface virtual-template. The interface virtual-template command is used to configure a virtual template interface which provides a secure tunnel for FlexVPN connections. The other commands listed - interface virtual-access, ip nhrp redirect, and interface tunnel - are not related to FlexVPN and are not used to terminate FlexVPN tunnels.
Question 4
Which statement about GETVPN is true?
The configuration that defines which traffic to encrypt originates from the key server.
TEK rekeys can be load-balanced between two key servers operating in COOP.
The pseudotime that is used for replay checking is synchronized via NTP.
Group members must acknowledge all KEK and TEK rekeys, regardless of configuration.
Explanation:
KS (key server) is 'caretaker' of the GM group. Group registrations and authentication of GMs is takencare of by KS server. Any GM who wants to join the group is required to be successfully authenticated inthe group and sends encryption keys and policy to be used within the group
Question 5
Refer to the exhibit.
Which two tunnel types produce the show crypto ipsec sa output seen in the exhibit? (Choose two.)
crypto map
DMVPN
GRE
FlexVPN
VTI
Question 6
Which two changes must be made in order to migrate from DMVPN Phase 2 to Phase 3 when EIGRP is configured? (Choose two.)
Add NHRP shortcuts on the hub.
Add NHRP redirects on the spoke.
Disable EIGRP next-hop-self on the hub.
Enable EIGRP next-hop-self on the hub.
Add NHRP redirects on the hub.
Explanation:
DMVPN disables the EIRGP next-hop-self with "no ip next-hop-self eigrp xxx" in DMVPN phase 2, and to go from Phase 2 to 3 you need use the NHRP protocol, and again enable EIRGP next-hop-self with "ip next-hop-self eigrp 134" under the tunnel interface https://www.cisco.com/c/en/us/td/docs/iosxml/ ios/sec_conn_dmvpn/configuration/15-mt/sec-conn-dmvpn-15-mt-book/sec-conn-dmvpndmvpn. html#GUID-BF561439-BCC0-4AAF-80D9-1F7876CB7B81
Question 7
Refer to the exhibit.
A customer cannot establish an IKEv2 site-to-site VPN tunnel between two Cisco ASA devices. Based on the syslog message, which action brings up the VPN tunnel?
Reduce the maximum SA limit on the local Cisco ASA.
Increase the maximum in-negotiation SA limit on the local Cisco ASA.
Remove the maximum SA limit on the remote Cisco ASA.
Correct the crypto access list on both Cisco ASA devices.
Question 8
Which two parameters help to map a VPN session to a tunnel group without using the tunnel-group list? (Choose two.)
group-alias
certificate map
optimal gateway selection
group-url
AnyConnect client version
Explanation:
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generationfirewalls/98580-enable-group-dropdown.html
Question 9
Which method dynamically installs the network routes for remote tunnel endpoints?
policy-based routing
CEF
reverse route injection
route filtering
Explanation:
Reverse route injection (RRI) is a method that dynamically installs the network routes for remote tunnel endpoints. The RRI feature allows the router to automatically learn the routes for the remote networks and automatically install these routes into the routing table. This eliminates the need for the administrator to manually configure and maintain the routes for the remote networks. This feature is commonly used in VPN environments, where the router at the VPN endpoint needs to learn the routes for the remote networks behind the other VPN endpoint. The other options such as policy-based routing, CEF, and route filtering are not used to dynamically install the network routes for remote tunnel endpoints
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnav/configuration/12-4t/sec-vpn- availability-12-4t-book/sec-rev-rte-inject.html
Topic 2, Remote access VPNs
Question 10
Which command identifies a Cisco AnyConnect profile that was uploaded to the flash of an IOS router?
svc import profile SSL_profile flash:simos-profile.xml
anyconnect profile SSL_profile flash:simos-profile.xml
crypto vpn anyconnect profile SSL_profile flash:simos-profile.xml
webvpn import profile SSL_profile flash:simos-profile.xml
Explanation:
Reference: https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobilityclient/200533- AnyConnect-Configure-Basic-SSLVPN-for-I.html
Question