
Question (give the correct answer)

Which of the following commands will display a router’s crypto map IPsec security association settings?()

  • A. show crypto map ipsec sa
  • B. show crypto map
  • C. show crypto engine connections active
  • D. show ipsec crypto map
  • E. show crypto map sa
  • F. show ipsec crypto map sa

Reference answer

More exam questions related to “Which of the following commands will display a router’s crypto map IPsec security association settings?()”
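Question: Read the following description, then answer the question.

[Description] IPSec (Internet Protocol Security) is an industry-standard network security protocol that provides transparent security services for IP network communication, protects TCP/IP traffic from eavesdropping and tampering, and effectively defends against network attacks while remaining easy to use. IPSec has two basic goals: protecting the security of IP packets, and providing defenses against network attacks. The following is part of an IPSec configuration listing.

    Cisco 3640 (config)# crypto isakmp policy 1 (1)
    Cisco 3640 (config-isakmp)# group 1 (2)
    Cisco 3640 (config-isakmp)# authentication pre-share (3)
    Cisco 3640 (config-isakmp)# lifetime 3600
    Cisco 3640 (config)# crypto isakmp key noIP4u address 202.10.36.1 (4)
    Cisco 3640 (config)# access-list 130 permit ip 192.168.1.0 0.0.0.255 172.19.20.0 0.0.0.255 (5)
    Cisco 3640 (config)# crypto ipsec transform-set vpn1 ah-md5-hmac esp-des esp-md5-hmac (6)
    Cisco 3640 (config)# crypto map shortsec 60 ipsec-isakmp
    Cisco 3640 (config-crypto-map)# set peer 202.10.36.1
    Cisco 3640 (config-crypto-map)# set transform-set vpn1 (7)
    Cisco 3640 (config-crypto-map)# match address 130
    Cisco 3640 (config)# interface s0
    Cisco 3640 (config-if)# crypto map shortsec (8)
    ......

Explain the meaning of the underlined (numbered) statements above.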

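Question: Read the following description and answer [Question 1] and [Question 2].

[Description] A VPN is a private network that connects terminals at different locations over the public Internet. At present, IPSec is most often used to provide authentication and encryption services between endpoints on an IP network (see Figure 3). The basic VPN configuration is as follows:

  • The company headquarters subnet is 192.168.1.0/24.
  • The router is 100.10.15.1.
  • The company branch server is 192.168.10.0/24.
  • The router is 200.20.25.1.

Perform the following steps: (1) determine a pre-shared key (secret password; assume it is csai); (2) configure IKE for the SA negotiation process; (3) configure IPSec:

    Router(config)# crypto isakmp policy 1
    // policy 1 denotes policy 1; to configure several VPNs, you can add policy 2, policy 3
    Router(config-isakmp)# group 1
    // use a key of group 1 length; the group command takes two parameter values: 1 and 2
    // parameter 1 means a 768-bit key, parameter 2 means a 1024-bit key
    Router(config-isakmp)# authentication pre-share (1)
    Router(config-isakmp)# lifetime 3600
    // adjusts the period for generating a new SA. The value is in seconds; the default is 86400, i.e. one day.
    // Note that the routers at both ends must set the same SA period; otherwise the VPN, after initializing
    // normally, will be interrupted within the shorter SA period
    Router(config)# crypto isakmp key csai address 200.20.25.1
    // returns to global configuration mode, sets the pre-shared key to use, and specifies the IP address of the
    // router at the other end of the VPN, i.e. the destination router. The configuration of the other router is
    // similar to the commands above, except that the IP address is changed to 100.10.15.1
    Router(config)# access-list 130 permit ip 192.168.1.0 0.0.0.255 172.16.10.0 0.0.0.255 (2)
    Router(config)# crypto ipsec transform-set vpn1 ah-md5-hmac esp-des esp-md5-hmac (3)
    Router(config)# crypto map shortsec 60 ipsec-isakmp
    // defines the period for generating new secret keys. If an attacker cracks the secret key, he can read all
    // traffic that uses the same key. For this reason we set a short key refresh period, for example generating
    // a new key every minute; this command must match on the routers at both ends of the VPN. The parameter
    // shortsec is the name we give this configuration; it can later be associated with the router's external interface
    Router(config-crypto-map)# set peer 200.20.25. (4)
    Router(config-crypto-map)# set transform-set vpn1 (5)
    Router(config-crypto-map)# match address 130
    Router(config)# interface s0
    Router(config-if)# crypto map shortsec
    // apply the crypto map just defined to the router's external interface

Briefly describe the IPSec protocol.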

Question: Read the following description and answer Questions 1 to 3, entering the answers in the corresponding answer fields.

A company consists of a headquarters and branch offices and uses IPSec for network security. The network topology is shown in Figure 4-1. The address allocation between the routers is shown in Table 4-1. Part of the headquarters router's configuration is given below; explain the meaning of the numbered statements.

    crypto isakmp policy 1 (1)
     authentication pre-share (2)
     group 2
    crypto isakmp key test123 address 202.96.1.2 (3)
    crypto ipsec transform-set VPNtag ah-md5-hmac esp-des (4)
    crypto map VPNdemo 10 ipsec-isakmp
     set peer 202.96.1.2 (5)
     set transform-set VPNtag
     match address 101
    !
    interface Tunnel0
     ip address 192.168.1.1 255.255.255.0 (6)
     no ip directed-broadcast
     tunnel source 202.96.1.1
     tunnel destination 202.96.1.2 (7)
     crypto map VPNdemo
    interface serial0/0
     ip address 202.96.1.1 255.255.255.252
     no ip directed-broadcast
     crypto map VPNdemo (8)
    !
    interface Ethernet0/1
     ip address 168.1.1.1 255.255.255.0
     no ip directed-broadcast
    interface Ethernet0/0
     ip address 172.22.1.100 255.255.255.0
     no ip directed-broadcast
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 202.96.1.2 (9)
    ip route 172.22.2.0 255.255.0.0 192.168.1.2 (10)
    access-list 101 permit gre host 202.96.1.1 host 202.96.1.2

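Question: Part of a router's configuration is shown below. Explain the meaning of the underlined (numbered) parts (text after “//” is a comment).

    * Configure router information
    version 12.0
    hostname SecRouter
    boot system flash c1700-osy56i-mz 120-3-T3.bin
    // authenticate using an IKE shared key
    crypto isakmp policy 100 (1)
     hash md5 (2)
     authentication pre-share (3)
    // the shared key with the peer whose remote IP is 172.16.2.1 is "mcns"
    crypto isakmp key mcns address 172.16.2.1 (4)
    crypto ipsec transform-set l2 esp-des esp-md5-hmac (5)
    // configure the crypto map
    // specify that IKE is used to establish the IPSec security associations that protect the traffic specified by this crypto map entry
    crypto map sharef 10 ipsec-isakmp (6)
     set peer 172.16.2.1 (7)
     set transform-set 12 (8)
     match address 151
    // configure the interface
    interface serial0
     ip address 172.16.1.1 255.255.255.252
     ip access-group 101 in
     crypto map sharef (9)
    interface FastEthernet0
    end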

Question: Based on the network topology and R1's configuration, explain and complete part of router R3's configuration.

    R3(config)# crypto isakmp key (7) address (8)
    R3(config)# crypto ipsec transform-set testvpn ah-md5-hmac esp-des esp-md5-hmac (9)
    R3(cfg-crypto-trans)# exit
    R3(config)# crypto map test 20 ipsec-isakmp
    R3(config-crypto-map)# set peer 192.168.1.1
    R3(config-crypto-map)# set transform-set (10)

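Question: Question 5 (15 points). Read the following description, answer Question 1 and Question 2, and enter the answers in the corresponding fields of the answer sheet.

[Description] A company's headquarters uses the RIP protocol internally; the network topology is shown in Figure 5-1. To meet business requirements, the headquarters segment 192.168.40.0/24 and the branch segment 192.168.100.0/24 are interconnected through a VPN. The addresses of the router interfaces in the topology are shown in Table 5-1.

[Question 1] (6 points, 1 point per blank) Based on the network topology and the requirements, complete the configuration of router R2:

    R2# config t
    R2(config)# interface serial 0/0
    R2(config-if)# ip address (1) (2)
    R2(config-if)# no shutdown
    R2(config-if)# exit
    R2(config)# ip routing
    R2(config)# router (3) ; (enter RIP configuration submode)
    R2(config-router)# network (4)
    R2(config-router)# network (5)
    R2(config-router)# network (6)
    R2(config-router)# version 2 ; (set RIP version 2)
    R2(config-router)# exit

[Question 2] (9 points, 1.5 points per blank) Based on the network topology and the requirements, complete (or explain) the configuration of router R1.

    R1(config)# interface serial 0/0
    R1(config-if)# ip address (7) (8)
    R1(config-if)# no shutdown
    R1(config)# ip route 192.168.100.0 0.0.0.255 202.100.2.3 ; (9)
    R1(config)# crypto isakmp policy 1
    R1(config-isakmp)# authentication pre-share ; (10)
    R1(config-isakmp)# encryption 3des ; encryption uses the 3DES algorithm
    R1(config-isakmp)# hash md5 ; defines the MD5 algorithm
    R1(config)# crypto isakmp key test123 address (11) ; set the key to test123 and the peer address
    R1(config)# crypto ipsec transform-set link ah-md5-h esp-3des ; specify the VPN's encryption and authentication algorithms
    R1(config)# access-list 300 permit ip 192.168.100.0 0.0.0.255 ; configure the ACL
    R1(config)# crypto map vpntest 1 ipsec-isakmp ; create a crypto map named vpntest
    R1(config-crypto-map)# set peer 202.100.2.3 ; specify the IP address of the peer end of the link
    R1(config-crypto-map)# set transform-set link ; specify the transmission mode link
    R1(config-crypto-map)# match address 300 ; specify the access control list to apply
    R1(config)# interface serial 0/0
    R1(config-if)# crypto map (12) ; apply to the interface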

Question: Router R1, a branch router, connects to the Internet using DSL. Some traffic flows through a GRE and IPsec tunnel, over the DSL connection, destined for an Enterprise network. Which of the following answers best describes the router's logic that tells the router, for a given packet, to apply GRE encapsulation to the packet?()
  • A. When the packet received on the LAN interface is permitted by the ACL listed on the tunnel greacl command under the incoming interface
  • B. When routing the packet, matching a route whose outgoing interface is the GRE tunnel interface
  • C. When routing the packet, matching a route whose outgoing interface is the IPsec tunnel interface
  • D. When permitted by an ACL that was referenced in the associated crypto map

Question: Refer to the exhibit. Which command would verify if PBR reacts to packets sourced from 172.16.0.0/16?()
  • A. show ip route
  • B. show policy-map
  • C. show access-lists
  • D. show route-map

Question: Refer to the exhibit. A new TAC engineer came to you for advice. A GRE over IPsec tunnel was configured, but the tunnel is not coming up. What did the TAC engineer configure incorrectly?()
  • A. The crypto isakmp configuration is not correct.
  • B. The crypto map configuration is not correct.
  • C. The interface tunnel configuration is not correct.
  • D. The network configuration is not correct; network 172.16.1.0 is missing.

Question: Router R1, a branch router, connects to the Internet using DSL. Some traffic flows through a GRE and IPsec tunnel, over the DSL connection, destined for an Enterprise network. Which of the following answers best describes the router's logic that tells the router, for a given packet, to apply GRE encapsulation to the packet?()
  • A. When the packet received on the LAN interface is permitted by the ACL listed on the tunnel greacl command under the incoming interface
  • B. When routing the packet, matching a route whose outgoing interface is the GRE tunnel interface
  • C. When routing the packet, matching a route whose outgoing interface is the IPsec tunnel interface
  • D. When permitted by an ACL that was referenced in the associated crypto map

Question: With a VPN Accelerator Module 2+ (VAM2+) installed in a Cisco 7200 series router, what will be the resulting action when entering the command no crypto engine accelerator slot number?()
  • A. disables OIR on the VAM2+ module
  • B. removes the VAM2+ crypto engine feature and disables the associated configuration commands from the router
  • C. disables dual VAM2+ hardware stateful failover capabilities
  • D. disables the crypto engine hardware acceleration, resulting in all crypto functions to be performed in software

Question: You need to configure a GRE tunnel on an IPSec router. When you are using the SDM to configure a GRE tunnel over IPsec, which two parameters are required when defining the tunnel interface information?()
  • A. The crypto ACL number
  • B. The IPSEC mode (tunnel or transport)
  • C. The GRE tunnel interface IP address
  • D. The GRE tunnel source interface or IP address, and tunnel destination IP address
  • E. The MTU size of the GRE tunnel interface

Question: Which of the following commands will display the name of the IOS image file being used in a Cisco router?()
  • A. Router# show IOS
  • B. Router# show version
  • C. Router# show image
  • D. Router# show protocols
  • E. Router# show flash

Question: What method in a Cisco IOS router can confirm that packets marked for a particular QoS marking are being matched?()
  • A. Issue a show policy-map interface command.
  • B. Assuming Netflow is enabled, issue a show ip cache verbose flow command.
  • C. Issue a show crypto ipsec session command.
  • D. Issue a debug qos set command and a terminal monitor command.

Question: What is the purpose of this command in a Cisco Application Control Engine?()

    switch/Admin# show np 1 me-stats "-F0 v"

  • A. It displays the status of the internal SSL proxy structure associated with a vserver.
  • B. It displays the crypto-related statistics for a single NP.
  • C. It is the same output of a "show stats crypto" client/server.
  • D. It shows details on HTTP session entries.

Question: Which three features are benefits of using GRE tunnels in conjunction with IPsec for building site-to-site VPNs?()
  • A. allows dynamic routing over the tunnel
  • B. supports multi-protocol (non-IP) traffic over the tunnel
  • C. reduces IPsec headers overhead since tunnel mode is used
  • D. simplifies the ACL used in the crypto map
  • E. uses Virtual Tunnel Interface (VTI) to simplify the IPsec VPN configuration

Question: Which operational mode command displays all active IPsec phase 2 security associations?()
  • A. show ike security-associations
  • B. show ipsec security-associations
  • C. show security ike security-associations
  • D. show security ipsec security-associations

Question: When is an IPSec SA built on the Teleworker Router?()
  • A. when the router is booted up
  • B. when the router administratively does a "no shutdown" on the IPSec SA
  • C. when traffic matches a line of the access-list tied into the crypto-map in the router configuration, and that particular IPSec SA is not already up
  • D. when the ISAKMP SA completes negotiation of all IPSec SAs (one per access-list line in the crypto ACL), it will be brought up immediately

Question: The number of packets (or flows) dropped because they do not conform to the ASA/PIX security policy can be viewed using what command?()
  • A. show asp drop
  • B. show counters drop
  • C. show security-policy
  • D. show policy-map

Question: Which of the following statements is correct regarding a hybrid crypto system?()
  • A. uses symmetric crypto for keys distribution
  • B. uses symmetric crypto for proof of origin
  • C. uses symmetric crypto for fast encryption/decryption
  • D. uses asymmetric crypto for message confidentiality
  • E. uses symmetric crypto to transmit the asymmetric keys that are then used to encrypt a session

Question: Which command will allow you to display the configured QoS group and the ingress buffer allocated to each QoS group?()
  • A. show interface priority-flow-control
  • B. show interface queuing
  • C. show queuing interface
  • D. show policy-map system type queuing
  • E. show policy-map interface ethernet type queuing

Question (single choice): What is the purpose of this command in a Cisco Application Control Engine?()

    switch/Admin# show np 1 me-stats "-F0 v"

  • A. It displays the status of the internal SSL proxy structure associated with a vserver.
  • B. It displays the crypto-related statistics for a single NP.
  • C. It is the same output of a show stats crypto client/server.
  • D. It shows details on HTTP session entries.

Question (single choice): Which of the following statements is correct regarding a hybrid crypto system?()
  • A. uses symmetric crypto for keys distribution
  • B. uses symmetric crypto for proof of origin
  • C. uses symmetric crypto for fast encryption/decryption
  • D. uses asymmetric crypto for message confidentiality
  • E. uses symmetric crypto to transmit the asymmetric keys that are then used to encrypt a session

Question (multiple choice): You need to configure a GRE tunnel on an IPSec router. When you are using the SDM to configure a GRE tunnel over IPsec, which two parameters are required when defining the tunnel interface information?()
  • A. The crypto ACL number
  • B. The IPSEC mode (tunnel or transport)
  • C. The GRE tunnel interface IP address
  • D. The GRE tunnel source interface or IP address, and tunnel destination IP address
  • E. The MTU size of the GRE tunnel interface

Question (single choice): Which of the following commands will display a router’s crypto map IPsec security association settings?()
  • A. show crypto map ipsec sa
  • B. show crypto map
  • C. show crypto engine connections active
  • D. show ipsec crypto map
  • E. show crypto map sa
  • F. show ipsec crypto map sa

Question (multiple choice): Which three features are benefits of using GRE tunnels in conjunction with IPsec for building site-to-site VPNs?()
  • A. allows dynamic routing over the tunnel
  • B. supports multi-protocol (non-IP) traffic over the tunnel
  • C. reduces IPsec headers overhead since tunnel mode is used
  • D. simplifies the ACL used in the crypto map
  • E. uses Virtual Tunnel Interface (VTI) to simplify the IPsec VPN configuration

Question (single choice): Which command will allow you to display the configured QoS group and the ingress buffer allocated to each QoS group?()
  • A. show interface priority-flow-control
  • B. show interface queuing
  • C. show queuing interface
  • D. show policy-map system type queuing
  • E. show policy-map interface ethernet type queuing