Which three statements about these three show outputs are true?

Refer to the exhibit. Which three statements about these three show outputs are true? (Choose three.)

640-554-implementing-cisco-ios-network-security-iins_img_046
A. Traffic matched by ACL 110 is encrypted.
B. The IPsec transform set uses SHA for data confidentiality.
C. The crypto map shown is for an IPsec site-to-site VPN tunnel.
D. The default ISAKMP policy uses a digital certificate to authenticate the IPsec peer.
E. The IPsec transform set specifies the use of GRE over IPsec tunnel mode.
F. The default ISAKMP policy has higher priority than the other two ISAKMP policies with a priority of 1 and 2

SHOW ANSWERS

Correct Answer: ACD
Explanation/Reference:
Explanation:
Get Latest & Actual 640-554 Exam’s Question and Answers from Passleader.

640-554-implementing-cisco-ios-network-security-iins_img_004
http://www.passleader.com

640-554-implementing-cisco-ios-network-security-iins_img_001
Show crypto map Field Descriptions
Peer
Possible peers that are configured for this crypto map entry. Extended IP access list Access list that is used to define the data packets that need to be encrypted. Packets that are denied by this access list are forwarded but not encrypted. The “reverse” of this access list is used to check the inbound return packets, which are also encrypted. Packets that are denied by the “reverse” access list are dropped because they should have been encrypted but were not.
Extended IP access check
Access lists that are used to more finely control which data packets are allowed into or out of the IPsec tunnel.
Packets that are allowed by the “Extended IP access list” ACL but denied by the “Extended IP access list check” ACL are dropped.
Current peer Current peer that is being used for this crypto map entry.
Security association lifetime
Number of bytes that are allowed to be encrypted or decrypted or the age of the security association before new encryption keys must be negotiated.
PFS
(Perfect Forward Secrecy) If the field is marked as `Yes’, the Internet Security Association and Key Management Protocol (ISAKMP) SKEYID-d key is renegotiated each time security association (SA) encryption keys are renegotiated (requires another Diffie-Hillman calculation). If the field is marked as `No’, the same ISAKMP SKEYID-d key is used when renegotiating SA encryption keys. ISAKMP keys are renegotiated on a separate schedule, with a default time of 24 hours.
Transform sets
List of transform sets (encryption, authentication, and compression algorithms) that can be used with this crypto map.
Interfaces using crypto map test Interfaces to which this crypto map is applied. Packets that are leaving from this interface are subject to the rules of this crypto map for encryption. Encrypted packets may enter the router on any interface, and they are decrypted. Nonencrypted packets that are entering the router through this interface are subject to the “reverse” crypto access list check.

Leave a Reply Cancel reply