QUESTION 51 How many IPSec security associations should be active on the system under normal circumstances, after a single IPSec tunnel has been established?
A. One per protocol (ESP and AH)
B. Two per protocol (ESP and AH)
C. Three per protocol (ESP and AH)
D. Four per protocol (ESP and AH)
E. Five total (either ESP or AH)
Answer: B
Explanation: Once established, the set of security associations (outbound, to the remote peer) is then applied to the triggering packet as well as to subsequent applicable packets as those packets exit the PIX Firewall. "Applicable" packets are packets that match the same access list criteria that the original packet matched. For example, all applicable packets could be encrypted before being forwarded to the remote peer. The corresponding inbound security associations are used when processing the incoming traffic from that peer.
If IKE is used to establish the security associations, the security associations will have lifetimes so that they will periodically expire and require renegotiation. (This provides an additional level of security.) Multiple IPSec tunnels can exist between two peers to secure different data streams, with each tunnel using a separate set of security associations. For example, some data streams might be just authenticated while other data streams must be both encrypted and authenticated.
You can change the global lifetime values that are used when negotiating new IPSec security associations. (These global lifetime values can be overridden for a particular crypto map entry.) These lifetimes only apply to security associations established via IKE. Manually established security associations do not expire. There are two lifetimes: a "timed" lifetime and a "traffic-volume" lifetime. A security association expires after the respective lifetime is reached and negotiations will be initiated for a new one.
QUESTION 52 Which of the following does NOT qualify to be an example of a supported ISAKMP keying mechanism?
A. Pre-shared
B. Perfect Forward Secrecy
C. RSA
D. Certificate authority
Answer: B
Explanation: The three main mechanisms of device authentication are pre-shared keys, digital signatures and encrypted nonces (CCIE Professional Development: Network Security Principles and Practices by Saadat Malik, p. 306). The two entities must agree on a common authentication protocol through a negotiation process using either RSA signatures, RSA encrypted nonces, or pre-shared keys. To specify that IPSec should ask for perfect forward secrecy (PFS) when requesting new security associations for this crypto map entry, or that IPSec requires PFS when receiving requests for new security associations
QUESTION 53 Exhibit:
10.1.1.0/24 through OSPF
10.1.0.0/16 through EIGRP
10.1.0.0/16 static
Which one of the routes would a router use to forward a packet destined for 10.1.1.1 if it had the three routes listed?
A. 10.1.0.0/16 through EIGRP, because EIGRP routes are always preferred over OSPF or static routes.
B. 10.1.0.0/16 static, because static routes are always preferred over OSPF or EIGRP routes.
C. 10.1.1.0/24 through OSPF because the route with the longest prefix is always chosen.
D. Whichever route appears in the routing table first.
E. The router will load share between the 10.1.0.0/16 route through EIGRP and the 10.1.0.0/16 static route.
Answer: C
Explanation:
This is a tricky question. If you look at the AD, the 0/1 for static/default routes would be chosen first, then (90) EIGRP, then (110) OSPF, so pick your option. I think it is OSPF because all static and default routes would be the chosen route.
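A worked model of the selection the answer key describes, added here and not part of the exam material: administrative distance only decides between candidates for the same prefix, and the forwarding lookup then takes the longest matching prefix. The routing table below is constructed from the exhibit, with the default Cisco IOS administrative distances (static 1, EIGRP 90, OSPF 110) assumed.

```python
import ipaddress

# Constructed routing table: the three routes from the exhibit, with the
# default Cisco IOS administrative distances (static 1, EIGRP 90, OSPF 110).
ROUTES = [
    {"prefix": "10.1.1.0/24", "source": "OSPF", "ad": 110},
    {"prefix": "10.1.0.0/16", "source": "EIGRP", "ad": 90},
    {"prefix": "10.1.0.0/16", "source": "static", "ad": 1},
]


def install_rib(candidates):
    """Build the routing table: for each prefix keep only the lowest-AD source.

    AD is compared only between routes to the *same* prefix; it never ranks a
    /16 against a /24, so the OSPF /24 and the static /16 are both installed.
    """
    best = {}
    for r in candidates:
        net = ipaddress.ip_network(r["prefix"])
        cur = best.get(net)
        if cur is None or r["ad"] < cur["ad"]:
            best[net] = r
    return best


def lookup(rib, dst):
    """Longest-prefix match: the most specific installed route containing dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, r) for net, r in rib.items() if addr in net]
    if not matches:
        return None
    net, r = max(matches, key=lambda m: m[0].prefixlen)
    return r["source"], str(net)


rib = install_rib(ROUTES)
print(lookup(rib, "10.1.1.1"))  # ('OSPF', '10.1.1.0/24')
print(lookup(rib, "10.1.2.1"))  # ('static', '10.1.0.0/16')
```

The second lookup shows where AD does matter: 10.1.2.1 is covered only by the two /16 routes, and the static route (AD 1) wins over the EIGRP route (AD 90).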
QUESTION 54 Which of the following represents the correct description of the authentication sequence for the IOS Firewall Authentication Proxy?
A. The user authenticates by FTP, and route maps are downloaded from the proxy server.
B.