1. Which network topology is in use when two sites interconnect using a secure VPN using point-to-point connectivity?
A. Hub-and-spoke network
B. Partially meshed network
C. Individual point-to-point VPN connection
D. Fully meshed network
E. Star topology network
Answer: C
2. Which network topology is in use when one central site is considered a hub and all other sites connect directly to the hub site? Most user traffic flows between their respective spoke networks and the hub, but when necessary, two spoke sites can communicate by the hub network acting as a relay between the spoke networks.
A. Partially meshed network
B. Star topology network
C. Hub-and-spoke network
D. Fully meshed network
E. Individual point-to-point VPN connection
Answer: C
3. Which network topology is in use when multiple sites interconnect with each other dependent upon their communication needs? Each site can have multiple connections to other sites, but there is no one site that is more important than another. If connectivity is needed between two sites that does not exist, another direct VPN connection is added to the network topology.
A. Hub-and-spoke network
B. Individual point-to-point VPN connection
C. Star topology network
D. Fully meshed network
E. Partially meshed network
Answer: E
4. Which network topology is in use when every network has a direct VPN connection to every other network? This topology provides any-to-any communication and provides the most optimal direct path for network traffic.
A. Fully meshed network
B. Star topology network
C. Partially meshed network
D. Individual point-to-point VPN connection
E. Hub-and-spoke network
Answer: A
5. Which of the following VPN technologies uses nontunneled IPsec as its encapsulation mode?
7. The Internet Key Exchange (IKE) protocol communicates over which port?
A. UDP 500
B. UDP 50
C. TCP 500
D. ESP 500
E. TCP 443
Answer: A
8. Which encapsulation mode, when deployed in tunnel mode, provides confidentiality, authenticity, integrity, and anti-replay by encapsulating and protecting the entire original IP packet?
A. Authentication Header (AH)
B. Internet Security Association and Key Management Protocol (ISAKMP)
C. Diffie-Hellman key exchange with Perfect Forward Secrecy (PFS)
11. The line protocol of a virtual tunnel interface depends on the state of which of the following?
A. Physical interface
B. Routing table
C. VPN tunnel
D. Peer's VPN tunnel
E. Crypto map
Answer: C
12. The encapsulation on a virtual tunnel interface must be which of the following?
A. Frame Relay
B. ATM
C. AH or ESP
D. ISAKMP
E. HDLC
Answer: C
13. The IKE policy on both peers must match on all parameters except for which of the following?
A. Authentication
B. Encryption algorithm
C. Diffie-Hellman group
D. Pre-shared key value
E. ISAKMP lifetime
Answer: E
14. Industry best practices recommend that you use which hash algorithm and DH key length combination for IKE phase 1 policies?
A. SHA-1 and DH group 5
B. MD5 and DH group 1
C. AES-128 and IPsec
D. DES and RSA
E. 3DES and ISAKMP
Answer: A
15. Why should static point-to-point virtual tunnel interfaces use IP unnumbered addresses?
A. It makes static routing easier.
B. VTIs cannot have their own IPs and must use IP unnumbered addresses.
C. For a peer to find them.
D. To conserve IP address space.
Answer: D
16. The line protocol on a virtual tunnel interface goes up and down based upon which of the following?
A. Seeing its own Ethernet loopback packet return
B. Successful Layer 2 connectivity
C. The state of the IPsec SA negotiation
D. The network administrator not shutting the interface
E. None of these answers are correct.
Answer: C
17. Where are dynamic point-to-point VTI tunnels deployed?
A. On the hub router
B. On each spoke router
C. On the hub router and on each spoke router
D. On the VPN concentrator
E. None of these answers are correct.
Answer: A
18. The IP address of a virtual tunnel interface must be configured using which interface command?
A. ip address
B. ip address dhcp
C. ip address pppoe
D. ip unnumbered
Answer: D
19. What is the one central trusted introducer called?
A. Identity certificate
B. RSA algorithm
C. Certificate authority
D. X.500 distinguished name
E. None of these answers are correct.
Answer: C
20. A list of all certificates that are no longer valid is called which of the following?
A. Old certificate list
B. Revoked Certificate List
C. Certificate Revocation List (CRL)
D. Invalid Certificate Authority List
E. Expired Certificate List
Answer: C
21. Which of the following is something that can cause issues in a PKI system?
A. Synchronized time
B. Variable time
C. Unsynchronized time
D. Manually configured time
E. None of these answers are correct.
Answer: C
22. The SCEP interface on a Cisco IOS Software Certificate Server is enabled with what command?
A. ip scep server
B. set scep server enable
C. ip http server
D. crypto server scep
E. None of these answers are correct.
Answer: C
23. To integrate PKI-based authentication with site-to-site VPNs, which protocol must be configured to use PKI-based authentication?
A. IKE
B. GRE
C. AAA
D. RSA
E. VPN
Answer: A
24. PKI clients can enroll to the Cisco IOS Software Certificate Server using which two types of enrollment?
A. SCEP
B. IKE
C. TACACS
D. Manual
Answer: A, D
25. Which storage method is considered the most secure for storing a Cisco IOS Software PKI client's private key?
A. USB Smart Token
B. NVRAM in clear text
C. Encrypted on an external USB storage
D. Encrypted on NVRAM
E. Private section in NVRAM
Answer: A
26. What information does the client send to the CA during the enrollment process?
A. IP address
B. Client's private key
C. Client's public key
D. Name of device
Answer: C, D
27. By default, what will the IKE process on Cisco IOS Software routers accept if signed by its locally defined trust point CA?
A. A client IP address
B. Client's private key
C. Any valid certificate
D. A new CRL
Answer: C
II. Fill in the Blanks
1. Use individual P2P VPN peering only when the number of VPN connections is ______.
Answer: small
2. When using any-to-any communications with direct communication paths with low latency and high throughput, a ______ topology is typically the only choice.
Answer: fully meshed
3. A VPN technology that starts with a hub-and-spoke topology but allows dynamically and automatically built VPNs between spoke sites is ______.
Answer: DMVPN
4. Cisco GET VPN is considered to be a ______ encapsulation mode and therefore cannot be used on transport networks that cannot route internal VPN addresses.
Answer: nontunneled
5. ______ provides a framework that provides policy negotiations and key management processes.
Answer: Internet Key Exchange (IKE)
6. ______ is a set of security protocols that work together to provide security to IP traffic while in transit.
Answer: IPsec
7. ______ provides a mixture of security services for IPv4 and IPv6, such as confidentiality, authenticity, and integrity of IP data.
Answer: Encapsulating Security Payload (ESP)
8. A VPN technology that supports ______ must be chosen if the transport network does not route internal VPN address spaces.
Answer: tunneling
9. One major benefit of using IPsec VTIs is that it is no longer required to apply a ______ to a physical interface.
Answer: crypto map
10. VTIs support native IPsec tunneling, including ______ with standards-based IPsec implementations of other vendors.
Answer: interoperability
11. IPsec VTIs support ______, such as voice and video.
Answer: multicast traffic
12. IPsec ______ define the encapsulation (ESP or AH), the packet authentication/integrity algorithm (SHA-1 or MD5), and the IPsec mode (transport or tunnel) that is used with a VPN policy.
Answer: transform sets
13. Many of the ______ interface options that can be applied to physical interfaces can be applied to the IPsec virtual tunnel interface.
Answer: common
14. Cisco IOS Software IPsec ______ is not supported on VTIs.
Answer: stateful failover
15. In a VTI-based IPsec VPN, IPsec requests SA establishment as soon as the virtual tunnel interfaces (VTI) are ______.
Answer: fully configured
16. ______ IP addressing is mandatory with DVTI tunnels.
Answer: Unnumbered
17. ______ is where existing point-to-point key exchanges can be tied together to soften the public key distribution problem.
Answer: Trusted introducing
18. When enrolling to a PKI, clients submit their ______ and ______ to the CA.
Answer: public key; name
19. When deploying PKI-enabled VPNs, one of the major choices is whether to use a ______ PKI or an ______ PKI.
Answer: VPN-only; enterprise
20. Digital signatures are commonly used by many authentication protocols for traffic running over ______ networks.
Answer: untrusted or public
21. To participate in the PKI system, all end users must ______ with the CA, which involves a process in which they submit their public key and their name to the CA.
Answer: enroll
22. An ______ is a piece of information that binds a PKI member's name to its public key and puts it into a standard format.
Answer: identity certificate
23. The Cisco IOS Software Certificate Server stores its database on the local ______ of the router.