[Free] 2018(Aug) Dumps4cert VMware VCAW510 Dumps with VCE and PDF Download 191-200


CCIE Security Exam (v4.1)

Question No: 191 – (Topic 2)

Which command sets the key-length for the IPv6 SeND protocol?

  A. ipv6 nd inspection

  B. ipv6 nd ra-interval

  C. ipv6 nd prefix

  D. ipv6 nd secured

  E. ipv6 nd ns-interval

Answer: D

Explanation:

ipv6 nd secured key-length [[minimum | maximum] value]

Example:

Router(config)# ipv6 nd secured key-length minimum 512

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/15-2mt/ipv6-15-2mt-book/ip6-first-hop-security.html

Question No: 192 – (Topic 2)

Which three parameters does the HTTP inspection engine use to inspect traffic on a Cisco IOS firewall? (Choose three.)

  A. source address

  B. application

  C. transfer encoding type

  D. minimum header length

  E. request method

  F. destination address

Answer: B,C,E

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/https/configuration/15-mt/https-15-mt-book/nm-https-inspection-engine.html

Question No: 193 – (Topic 2)

Which two statements about the IPv6 OSPFv3 Authentication Trailer are true? (Choose two.)

  A. The AT-bit resides in the OSPFv3 Header field.

  B. The IPv6 Payload length includes the length of the Authentication Trailer.

  C. It provides an alternative option to OSPFv3 IPsec authentication.

  D. The AT-bit must be set only in OSPFv3 Hello packets that include an Authentication Trailer.

  E. The AT-bit must be set only in OSPFv3 Database Description packets that include an Authentication Trailer.

  F. The OSPFv3 packet length includes the length of the Authentication Trailer.

Answer: D,E

Question No: 194 – (Topic 2)

An RSA key pair consists of a public key and a private key and is used to set up PKI. Which statement applies to RSA and PKI?

  A. The public key must be included in the certificate enrollment request.

  B. The RSA key pair is a form of symmetric cryptography.

  C. It is possible to determine the RSA key-pair private key from its corresponding public key.

  D. When a router that does not have an RSA key pair requests a certificate, the certificate request is sent, but a warning is shown to generate the RSA key pair before a CA signed certificate is received.

Answer: A

Explanation:

An RSA key pair consists of a public key and a private key. When setting up your PKI, you must include the public key in the certificate enrollment request. After the certificate has been granted, the public key will be included in the certificate so that peers can use it to encrypt data that is sent to the router. The private key is kept on the router and used both to decrypt the data sent by peers and to digitally sign transactions when negotiating with peers.

Reference: http://www.cisco.com/c/en/us/td/docs/ios-


Question No: 195 – (Topic 2)

Which two statements about IPv6 path MTU discovery are true? (Choose two.)

  A. If the destination host receives an ICMPv6 Packet Too Big message from a router, it reduces its path MTU.

  B. It can allow fragmentation when the minimum MTU is below a configured value.

  C. The discovery packets are dropped if there is congestion on the link.

  D. If the source host receives an ICMPv6 Packet Too Big message from a router, it reduces its path MTU.

  E. During the discovery process, the DF bit is set to 1.

  F. The initial path MTU is the same as the MTU of the original node’s link layer interface.

Answer: D,F

Explanation:

IPv6 routers do not support fragmentation or the Don't Fragment option. For IPv6, Path MTU Discovery works by initially assuming the path MTU is the same as the MTU on the link layer interface where the traffic originates. Then, similar to IPv4, any device along the path whose MTU is smaller than the packet will drop the packet and send back an ICMPv6 Packet Too Big (Type 2) message containing its MTU, allowing the source host to reduce its Path MTU appropriately. The process is repeated until the MTU is small enough to traverse the entire path without fragmentation.

Reference: https://en.wikipedia.org/wiki/Path_MTU_Discovery

Question No: 196 – (Topic 2)

Which two statements about the BGP backdoor feature are true? (Choose two.)

  A. It makes IGP learned routes preferred over eBGP learned routes.

  B. It makes iBGP learned routes preferred over IGP learned routes.

  C. It changes the eBGP administrative distance from 20 to 200.

  D. It makes eBGP learned routes preferred over IGP learned routes.

  E. It changes the eBGP administrative distance from 200 to 20.

  F. It changes the iBGP administrative distance from 200 to 20.

Answer: A,C

Explanation:

The “Backdoor Feature” is often used to increase the administrative distance of eBGP to 200, with the goal of making the IGP learned routes preferred.

Reference: https://supportforums.cisco.com/document/148471/what-bgp-backdoor-feature

Question No: 197 – (Topic 2)

What feature enables extended secure access from a non-secure physical location?

  A. 802.1x port-based authentication

  B. Storm control

  C. Port security

  D. CBAC

  E. NEAT

Answer: E

Question No: 198 – (Topic 2)

Which statement is true regarding Transparent mode configuration on a Cisco ASA firewall running version 9.x?

  A. Networks connected with the ASA data interfaces must be in different subnets for the traffic to flow.

  B. Bridge Groups are not supported in Transparent mode.

  C. Default route defined on the ASA is only for the management traffic return path.

  D. You need to make the management interface of the ASA the next hop for the connected devices to establish reachability across the ASA.

  E. Management interface does not update the MAC address table.

Answer: C

Explanation:

Transparent Firewall Guidelines

- In transparent firewall mode, the management interface updates the MAC address table in the same manner as a data interface; therefore you should not connect both a management and a data interface to the same switch unless you configure one of the switch ports as a routed port (by default Cisco Catalyst switches share a MAC address for all VLAN switch ports). Otherwise, if traffic arrives on the management interface from the physically-connected switch, then the ASA updates the MAC address table to use the management interface to access the switch, instead of the data interface. This action causes a temporary traffic interruption; the ASA will not re-update the MAC address table for packets from the switch to the data interface for at least 30 seconds for security reasons.

- Each directly-connected network must be on the same subnet.

- Do not specify the bridge group management IP address as the default gateway for connected devices; devices need to specify the router on the other side of the ASA as the default gateway.

- The default route for the transparent firewall, which is required to provide a return path for management traffic, is only applied to management traffic from one bridge group network. This is because the default route specifies an interface in the bridge group as well as the router IP address on the bridge group network, and you can only define one default route. If you have management traffic from more than one bridge group network, you need to specify a static route that identifies the network from which you expect management traffic.

Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/intro_fw.html

Question No: 199 – (Topic 2)

Refer to the exhibit.

Which option is the reason for the failure of the DMVPN session between R1 and R2?

  A. incorrect tunnel source interface on R1

  B. IPsec phase-1 policy mismatch

  C. tunnel mode mismatch

  D. IPsec phase-2 policy mismatch

  E. IPsec phase-1 configuration missing peer address on R2

Answer: B

Question No: 200 – (Topic 2)

Which statement describes the computed authentication data in the AH protocol?

  A. It is part of the original IP header.

  B. It is sent to the peer.

  C. It is part of a new IP header.

  D. It provides integrity only for the new IP header.

Answer: B
