May 2017 updated: Actualtests Cisco 300-209 test question 31-40

It is impossible to pass Cisco 300-209 exam without any help in the short term. Come to Testking soon and find the most advanced, correct and guaranteed Cisco 300-209 practice questions. You will get a surprising result by our Renovate Implementing Cisco Secure Mobility Solutions (SIMOS) practice guides.


The article at Testaimer.com going over http://www.testaimer.com/300-209-test is very comprehensive.

Q31. Which option describes the purpose of the command show derived-config interface virtual-access 1? 

A. It verifies that the virtual access interface is cloned correctly with per-user attributes. 

B. It verifies that the virtual template created the tunnel interface. 

C. It verifies that the virtual access interface is of type Ethernet. 

D. It verifies that the virtual access interface is used to create the tunnel interface. 

Answer:


Q32. Refer to the exhibit. 

An administrator is adding IPv6 addressing to an already functioning tunnel. The administrator is unable to ping 2001:DB8:100::2 but can ping 209.165.200.226. Which configuration needs to be added or changed? 

A. No configuration change is necessary. Everything is working correctly. 

B. OSPFv3 needs to be configured on the interface. 

C. NHRP needs to be configured to provide NBMA mapping. 

D. Tunnel mode needs to be changed to GRE IPv4. 

E. Tunnel mode needs to be changed to GRE IPv6. 

Answer:


Q33. Which statement regarding GET VPN is true? 

A. TEK rekeys can be load-balanced between two key servers operating in COOP. 

B. When you implement GET VPN with VRFs, all VRFs must be defined in the GDOI group configuration on the key server. 

C. Group members must acknowledge all KEK and TEK rekeys, regardless of configuration. 

D. The configuration that defines which traffic to encrypt is present only on the key server. 

E. The pseudotime that is used for replay checking is synchronized via NTP. 

Answer:


Q34. Which option is a required element of Secure Device Provisioning communications? 

A. the introducer 

B. the certificate authority 

C. the requestor 

D. the registration authority 

Answer:


Q35. Which hash algorithm is required to protect classified information? 

A. MD5 

B. SHA-1 

C. SHA-256 

D. SHA-384 

Answer:


Q36. Scenario: 

You are the senior network security administrator for your organization. Recently and junior engineer configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote branch office. 

You are now tasked with verifying the IKEvl IPsec installation to ensure it was properly configured according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR, verify the IPsec configuration is properly configured between the two sites. 

NOTE: the show running-config command cannot be used for this exercise. 

Topology: 

In what state is the IKE security association in on the Cisco ASA? 

A. There are no security associations in place 

B. MM_ACTIVE 

C. ACTIVE(ACTIVE) 

D. QM_IDLE 

Answer:

Explanation: 

This can be seen from the "show crypto isa sa" command: 


Q37. Which command simplifies the task of converting an SSL VPN to an IKEv2 VPN on a Cisco ASA appliance that has an invalid IKEv2 configuration? 

A. migrate remote-access ssl overwrite 

B. migrate remote-access ikev2 

C. migrate l2l 

D. migrate remote-access ssl 

Answer:

Explanation: 

Below is a reference for this question: 

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113597-ptn-113597.html 

If your IKEv1, or even SSL, configuration already exists, the ASA makes the migration process simple. On the command line, enter the migrate command: 

migrate {l2l | remote-access {ikev2 | ssl} | overwrite} 

Things of note: 

Keyword definitions: 

l2l - This converts current IKEv1 l2l tunnels to IKEv2. 

remote access - This converts the remote access configuration. You can convert either the IKEv1 or the SSL tunnel groups to IKEv2. 

overwrite - If you have a IKEv2 configuration that you wish to overwrite, then this keyword converts the current IKEv1 configuration and removes the superfluous IKEv2 configuration. 


Q38. Refer to the exhibit. 

Which exchange does this debug output represent? 

A. IKE Phase 1 

B. IKE Phase 2 

C. symmetric key exchange 

D. certificate exchange 

Answer:


Q39. Which.DAP endpoint attribute checks for the matching MAC address of a client machine? 

A. device 

B. process 

C. antispyware 

D. BIA 

Answer:


Q40. You are troubleshooting a site-to-site VPN issue where the tunnel is not establishing. After issuing the debug crypto isakmp command on the headend router, you see the following output. What does this output suggest? 

1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0 

1d00h: ISAKMP (0:1); no offers accepted! 

1d00h: ISAKMP (0:1): SA not acceptable! 

1d00h: %CRYPTO-6-IKMP_MODE_FAILURE. Processing of Main Mode failed with peer at 10.10.10.10 

A. Phase 1 policy does not match on both sides. 

B. The transform set does not match on both sides. 

C. ISAKMP is not enabled on the remote peer. 

D. There is a mismatch in the ACL that identifies interesting traffic. 

Answer: