[Lead2pass New] Free Share 300-209 PDF Dumps With Lead2pass Updated Exam Questions (241-260)
2017 November Cisco Official New Released 300-209 Dumps in Lead2pass.com!
The following questions and answers are all newly published by Cisco Official Exam Center: https://www.lead2pass.com/300-209.html
QUESTION 241
A network engineer is troubleshooting a site VPN tunnel configured on a Cisco ASA and wants to validate that the tunnel is sending and receiving traffic. Which command accomplishes this task?
A. show crypto ikev1 sa peer
B. show crypto ikev2 sa peer
C. show crypto ipsec sa peer
D. show crypto isakmp sa peer
Answer: C
QUESTION 242
When troubleshooting clientless SSL VPN connections, which option can be verified on the client PC?
A. address assignment
B. DHCP configuration
C. tunnel group attributes
D. host file misconfiguration
Answer: D
Explanation:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/vpn/asa_91_vpn_config/webvpn-troubleshooting.html
QUESTION 243
Which two commands are included in the command show dmvpn detail? (Choose two.)
A. show ip nhrp
B. show ip nhrp nhs
C. show crypto ipsec sa detail
D. show crypto session detail
E. show crypto sockets
Answer: BD
Explanation:
“show dmvpn detail” returns the output of show ip nhrp nhs, show dmvpn, and show crypto session detail.
http://www.cisco.com/c/en/us/support/docs/security-vpn/dynamic-multi-point-vpn-dmvpn/116957-technote-dmvpn-00.html
QUESTION 244
An engineer has integrated a new DMVPN to link remote offices across the Internet using Cisco IOS routers. When connecting to remote sites, pings and voice data appear to flow properly and all tunnel stats seem to show that they are up. However, when trying to connect to a remote server using RDP, the connection fails. Which action resolves this issue?
A. Change DMVPN timeout values.
B. Adjust the MTU size within the routers.
C. Replace certificate on the RDP server.
D. Add RDP port to the extended ACL.
Answer: B
Explanation:
Answers A and C do not make sense.
Answer D is valid only for split tunneling… if we want to pass the RDP traffic off tunnel. The ACL configured to establish the DMVPN tunnel only needs UDP 500/4500 and ESP (50).
Answer B should be correct because voice traffic (UDP) and ping use a smaller MTU size and will not be fragmented… and thus will work. RDP uses TCP/3389 and isn’t fault tolerant.
QUESTION 245
Which feature is a benefit of Dynamic Multipoint VPN?
A. geographic filtering of spoke devices
B. translation PAT
C. rotating wildcard preshared keys
D. dynamic spoke-to-spoke tunnel establishment
Answer: D
QUESTION 246
An engineer has configured Cisco AnyConnect VPN using IKEv2 on a Cisco IOS router. The user cannot connect in the Cisco AnyConnect client, but receives an alert message “Use a browser to gain access.” Which action does the engineer take to eliminate this issue?
A. Reset user login credentials.
B. Disable the HTTP server.
C. Correct the URL address.
D. Connect using HTTPS.
Answer: B
Explanation:
http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115755-flexvpn-ike-eap-00.html
QUESTION 247
Refer to the exhibit. A network administrator is running DMVPN with EIGRP. When the administrator looks at the routing table on spoke 1, it displays a route to the hub only.
Which command is missing on the hub router that would include spoke 2 and spoke 3 in the spoke 1 routing table?
A. no inverse arp
B. neighbor (ip address)
C. no ip split-horizon eigrp 1
D. redistribute static
Answer: C
QUESTION 248
Which algorithm provides both encryption and authentication for plane communication?
A. RC4
B. SHA-384
C. AES-256
D. SHA-96
E. 3DES
F. AES-GCM
Answer: F
QUESTION 249
Refer to the exhibit. Client 1 cannot communicate with Client 2. Both clients are using Cisco AnyConnect and have established a successful SSL VPN connection to the hub ASA.
Which command on the ASA is missing?
A. same-security-traffic permit inter-interface
B. same-security-traffic permit intra-interface
C. dns-server value 10.1.1.3
D. split-tunnel-network list
Answer: B
QUESTION 250
Which statement regarding GET VPN is true?
A. When you implement GET VPN with VRFs, all VRFs must be defined in the GDOI group configuration on the key server.
B. The pseudotime that is used for replay checking is synchronized via NTP.
C. Group members must acknowledge all KEK and TEK rekeys, regardless of configuration.
D. TEK rekeys can be load-balanced between two key servers operating in COOP.
E. The configuration that defines which traffic to encrypt is present only on the key server.
Answer: E
QUESTION 251
Which two statements comparing ECC and RSA are true? (Choose two.)
A. Key generation in ECC is slower and more CPU intensive than RSA.
B. ECC can have the same security as RSA but with a shorter key size.
C. Key generation in ECC is faster and less CPU intensive than RSA.
D. ECC cannot have the same security as RSA, even with an increased key size.
E. ECC lags in performance when compared with RSA.
Answer: BC
QUESTION 252
Which two options are purposes of the key server in Cisco IOS GETVPN? (Choose two.)
A. to define group members.
B. to distribute static routing information.
C. to distribute dynamic routing information.
D. to encrypt transit traffic.
Answer: AD
QUESTION 253
Refer to the exhibit. An engineer is troubleshooting a new GRE over IPSEC tunnel.
The tunnel is established, but the engineer cannot ping from spoke 1 to spoke 2.
Which type of traffic is being blocked?
A. ESP packets from spoke1 to spoke2
B. ISAKMP packets from spoke2 to spoke1
C. ESP packets from spoke2 to spoke1
D. ISAKMP packets from spoke1 to spoke2
Answer: C
QUESTION 254
A user is experiencing issues connecting to a Cisco AnyConnect VPN and receives this error message:
The AnyConnect package on the secure gateway could not be located.
You may be experiencing network connectivity issues. Please try connecting again.
Which option is the likely cause of this issue?
A. This Cisco ASA firewall has experienced a failure.
B. The user is entering an incorrect password.
C. The user’s operating system is not supported with the ASA’s current configuration.
D. The user laptop clock is not synchronized with NTP.
Answer: C
QUESTION 255
Which two operational advantages does GetVPN offer over site-to-site IPsec tunnel in a private MPLS-based core network? (Choose two.)
A. Key servers perform encryption and decryption of all the data in the network, which allows for tight security policies.
B. Traffic uses one VRF to encrypt data and a different one to decrypt data, which allows for multicast traffic isolation.
C. GETVPN is tunnel-less, which allows any group member to perform decryption and routing around network failures.
D. Packets carry original source and destination IP addresses, which allows for optimal routing of encrypted traffic.
E. Group Domain of Interpretation protocol allows for homomorphic encryption, which allows group members to operate on messages without decrypting them
Answer: CD
Explanation:
http://www.cisco.com/c/en/us/products/collateral/security/group-encrypted-transport-vpn/deployment_guide_c07_554713.html
QUESTION 256
An administrator received a report that a user cannot connect to the headquarters site using Cisco AnyConnect and receives this error: “The installer was not able to start the Cisco VPN client, clientless access is not available.” Which option is a possible cause for this error?
A. The client version of Cisco AnyConnect is not compatible with the Cisco ASA software image.
B. The operating system of the client machine is not supported by Cisco AnyConnect.
C. The driver for Cisco AnyConnect is outdated.
D. The installed version of Java is not compatible with Cisco AnyConnect.
Answer: A
QUESTION 257
Scenario:
You are the senior network security administrator for your organization. Recently a junior engineer configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote branch office.
You are now tasked with verifying the IKEv1 IPsec installation to ensure it was properly configured according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR, verify the IPsec configuration is properly configured between the two sites.
NOTE: the show running-config command cannot be used for this exercise.
Topology:
What is being used as the authentication method on the branch ISR?
A. Certificates
B. Pre-shared keys
C. RSA public keys
D. Diffie-Hellman Group 2
Answer: D
QUESTION 258
Using the Next Generation Encryption technologies, which is the minimum acceptable encryption level to protect sensitive information?
A. AES 92 bits
B. AES 128 bits
C. AES 256 bits
D. AES 512 bits
Answer: B
QUESTION 259
An engineer is configuring an IPsec VPN with IKEv2.
Which three components are part of the IKEv2 proposal for this implementation? (Choose three.)
A. key ring
B. DH group
C. integrity
D. tunnel name
E. encryption
Answer: BCE
QUESTION 260
Which command can be used to troubleshoot an IPv6 FlexVPN spoke-to-hub connectivity failure?
A. show crypto ikev2 client flexvpn
B. show crypto identity
C. show crypto isakmp sa
D. show crypto gkm
Answer: A