2017 November Cisco Official New Released 300-209 Dumps in Lead2pass.com!
100% Free Download! 100% Pass Guaranteed!
How to 100% pass 300-209 exam? Lead2pass 300-209 dump is unparalleled in quality and is 100% guaranteed to make you pass 300-209 exam. All the 300-209 exam questions are the latest. Here are some free share of Cisco 300-209 dumps.
Following questions and answers are all new published by Cisco Official Exam Center: https://www.lead2pass.com/300-209.html
QUESTION 201
Which three configurations are required for both IPsec VTI and crypto map-based VPNs? (Choose three.)
A. transform set
B. ISAKMP policy
C. ACL that defines traffic to encrypt
D. dynamic routing protocol
E. tunnel interface
F. IPsec profile
G. PSK or PKI trustpoint with certificate
Answer: ABG
QUESTION 202
Which statement regarding hashing is correct?
A. MD5 produces a 64-bit message digest.
B. SHA-1 produces a 160-bit message digest.
C. MD5 takes more CPU cycles to compute than SHA-1.
D. Changing 1 bit of the input to SHA-1 can change up to 5 bits in the output.
Answer: B
QUESTION 203
Refer to the exhibit. Which type of mismatch is causing the problem with the IPsec VPN tunnel?
A. PSK
B. Phase 1 policy
C. transform set
D. crypto access list
Answer: A
QUESTION 204
Which three changes must be made to migrate from DMVPN Phase 2 to Phase 3 when EIGRP is configured? (Choose three.)
A. Enable EIGRP next-hop-self on the hub.
B. Disable EIGRP next-hop-self on the hub.
C. Enable EIGRP split-horizon on the hub.
D. Add NHRP redirects on the hub.
E. Add NHRP shortcuts on the spoke.
F. Add NHRP shortcuts on the hub.
Answer: BDE
QUESTION 205
Which algorithm provides both encryption and authentication for data plane communication?
A. SHA-96
B. SHA-384
C. 3DES
D. AES-256
E. AES-GCM
F. RC4
Answer: E
QUESTION 206
Which three configurations are prerequisites for stateful failover for IPsec? (Choose three.)
A. Only the IKE configuration that is set up on the active device must be duplicated on the standby device; the IPsec configuration is copied automatically.
B. Only crypto map configuration that is set up on the active device must be duplicated on the standby device.
C. The IPsec configuration that is set up on the active device must be duplicated on the standby device.
D. The active and standby devices can run different versions of the Cisco IOS software but need to be the same type of device.
E. The active and standby devices must run the same version of the Cisco IOS software and should be the same type of device.
F. Only the IPsec configuration that is set up on the active device must be duplicated on the standby device; the IKE configuration is copied automatically.
G. The IKE configuration that is set up on the active device must be duplicated on the standby device.
Answer: CEG
QUESTION 207
Which two statements comparing ECC and RSA are true? (Choose two.)
A. ECC can have the same security as RSA but with a shorter key size.
B. ECC lags in performance when compared with RSA.
C. Key generation in ECC is slower and less CPU intensive than RSA..
D. ECC cannot have the same security as RSA, even with an increased key size.
E. Key generation in ECC is faster and less CPU intensive.
Answer: AE
QUESTION 208
Which two are features of GETVPN but not DMVPN and FlexVPN? (Choose two.)
A. one IPsec SA for all encrypted traffic
B. no requirement for an overlay routing protocol
C. design for use over public or private WAN
D. sequence numbers that enable scalable replay checking
E. enabled use of ESP or AH
F. preservation of IP protocol in outer header
Answer: AB
QUESTION 209
A customer requires all traffic to go through a VPN. However, access to the local network is also required. Which two options can enable this configuration? (Choose two.)
A. split exclude
B. use of an XML profile
C. full tunnel by default
D. split tunnel
E. split include
Answer: AB
QUESTION 210
As network consultant, you are asked to suggest a VPN technology that can support a multivendor environment and secure traffic between sites. Which technology should you recommend?
A. DMVPN
B. FlexVPN
C. GET VPN
D. SSL VPN
Answer: B
QUESTION 211
Which protocol must be enabled on the inside interface to use cluster encryption in SSL VPN load balancing?
A. TLS
B. DTLS
C. IKEv2
D. ISAKMP
Answer: D
QUESTION 212
Refer to the exhibit. Which type of VPN implementation is displayed?
A. IKEv2 reconnect
B. IKEv1 cluster
C. IKEv2 load balancer
D. IKEv1 client
E. IPsec high availability
F. IKEv2 backup gateway
Answer: C
QUESTION 213
An engineer is troubleshooting a DMVPN spoken router and sees a CRPTO-4-IKMP_BAD_MESSAGE debug message that a spoke router “failed its sanity check or is malformed” Which issue does the error message indicate?
A. mismatched preshared key
B. unsupported transform propsal
C. invalid IP packet SPI
D. incompatible transform set
Answer: A
QUESTION 214
Which PKI enrollment method allows the user to separate authentication and enrollment actions and also provides an option to specify HTTP/TFTP commands to perform file retrieval from the server?
A. enrollment profile
B. enrollment terminal
C. enrollment url
D. enrollment selfsigned
Answer: A
QUESTION 215
Refer to the exhibit. A customer cannot establish an IKEv2 site-to-site VPN tunnel between two Cisco ASA devices. Based on the syslog message, which action can bring up the VPN tunnel?
A. Increase the maximum SA limit on the local Cisco ASA.
B. Correct the crypto access list on both Cisco ASA devices.
C. Remove the maximum SA limit on the remote Cisco ASA.
D. Reduce the maximum SA limit on the local Cisco ASA.
E. Correct the IP address in the local and remote crypto maps.
F. Increase the maximum SA limit on the remote Cisco ASA.
Answer: A
Explanation:
Since unknown request rejected by CAC. CAC is use to limit SA.
QUESTION 216
Refer to the exhibit. Which type of VPN is being configured, based on the partial configuration snippet?
A. DMVPN with dual hub
B. GET VPN with dual group member
C. FlexVPN backup gateway
D. GET VPN with COOP key server
E. FlexVPN load balancer
Answer: D
QUESTION 217
Which configuration is used to build a tunnel between a Cisco ASA and ISR?
A. crypto map
B. DMVPN
C. GET VPN
D. GRE with IPsec
E. GRE without IPsec
Answer: A
QUESTION 218
Refer to the exhibit. What is the problem with the IKEv2 site-to-site VPN tunnel?
A. incorrect PSK
B. crypto access list mismatch
C. incorrect tunnel group
D. crypto policy mismatch
E. incorrect certificate
Answer: B
QUESTION 219
Which two statements regarding IKEv2 are true per RFC 4306? (Choose two.)
A. It is compatible with IKEv1.
B. It has at minimum a nine-packet exchange.
C. It uses aggressive mode.
D. NAT traversal is included in the RFC.
E. It uses main mode.
F. DPD is defined in RFC 4309.
G. It allows for EAP authentication.
Answer: DG
QUESTION 220
Which DAP endpoint attribute checks for the matching MAC address of a client machine?
A. device
B. process
C. antispyware
D. BIA
Answer: A
Always up-to-date Lead2pass 300-209 VCE – everything you need for your Cisco 300-209 exam to pass. Our Cisco 300-209 software allows you to practise exam dumps in real 300-209 exam environment. Welcome to choose.
More 300-209 new questions (with images) on Google Drive: https://drive.google.com/open?id=0B3Syig5i8gpDYnF5Vk16OS1tc1E
2017 Cisco 300-209 exam dumps (All 319 Q&As) from Lead2pass:
https://www.lead2pass.com/300-209.html [100% Exam Pass Guaranteed]
Comments are closed.