CCIE Security Exam (v4.1)
Question No: 161 DRAG DROP – (Topic 2)
Drag and drop the SMTP components on the left onto their corresponding roles on the right.
MTA – The component responsible for moving email from the sending mail server to the recipient mail server.
MUA – The component that interacts with the end user.
POP/IMAP – The component responsible for fetching email from the mailbox on the recipient mail server to the recipient's MUA.
MDA – The component responsible for moving the email from the MTA to the user's mailbox on the recipient mail server.
The following terminology is important in understanding the operation of a mail server.
->Mail User Agent (MUA): The MUA is the component that interacts with end users directly. Examples of MUAs are Thunderbird, MS Outlook and Zimbra Desktop. Web mail interfaces such as Gmail and Yahoo! are also MUAs.
->Mail Transfer Agent (MTA): The MTA is responsible for transferring an email from the sending mail server all the way to the recipient mail server. Examples of MTAs are sendmail and postfix.
->Mail Delivery Agent (MDA): Within the destination mail server, the local MTA accepts an incoming email from the remote MTA. The email is then delivered to the user's mailbox by the MDA.
->POP/IMAP: The POP and IMAP protocols are used to fetch emails from the mailbox on the recipient server to the recipient's MUA.
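The MTA and MDA roles above are easiest to see in the SMTP dialog itself. The following is an added example (not part of the exam material): a toy receiving MTA that processes the client side of one SMTP session, refuses to relay for domains it is not responsible for, and hands accepted messages to an MDA function that writes them into a mailbox. The domain list, host name and the session transcript are constructed for illustration; no network I/O is performed.

```python
"""Toy receiving MTA: SMTP dialog handling plus hand-off to an MDA.
Added example; the host name, local domain and session are constructed."""

LOCAL_DOMAINS = {"example.net"}   # assumption: the only domain this MTA delivers for


def mda_deliver(mailboxes: dict, rcpt: str, data: str) -> None:
    """MDA role: place an accepted message into the recipient's mailbox."""
    mailboxes.setdefault(rcpt, []).append(data)


def smtp_session(client_lines: list, mailboxes: dict) -> list:
    """MTA role: run one SMTP session and return the server replies in order."""
    replies = ["220 mx.example.net ESMTP"]
    sender, rcpts, body, in_data = None, [], [], False
    for line in client_lines:
        if in_data:
            if line == ".":                       # end of message
                in_data = False
                for rcpt in rcpts:
                    mda_deliver(mailboxes, rcpt, "\n".join(body))
                replies.append("250 OK: queued")
                sender, rcpts, body = None, [], []
            else:                                 # RFC 5321 dot-unstuffing
                body.append(line[1:] if line.startswith("..") else line)
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            replies.append("250 mx.example.net")
        elif verb == "MAIL":
            sender = arg.split(":", 1)[1].strip("<> ")
            replies.append("250 OK")
        elif verb == "RCPT":
            if sender is None:
                replies.append("503 need MAIL first")
                continue
            addr = arg.split(":", 1)[1].strip("<> ")
            domain = addr.rpartition("@")[2].lower()
            if domain in LOCAL_DOMAINS:
                rcpts.append(addr)
                replies.append("250 OK")
            else:
                # Not our domain and the client is not authenticated: refusing
                # here is what keeps this MTA from being an open relay.
                replies.append("554 relay access denied")
        elif verb == "DATA":
            if not rcpts:
                replies.append("503 no valid recipients")
                continue
            in_data = True
            replies.append("354 end data with <CR><LF>.<CR><LF>")
        elif verb == "QUIT":
            replies.append("221 bye")
        else:
            replies.append("500 unrecognized command")
    return replies


SESSION = [  # constructed client side of one dialog; replies are computed above
    "EHLO mua.example.org",
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<bob@example.net>",
    "RCPT TO:<carol@elsewhere.test>",
    "DATA",
    "Subject: hello",
    "",
    "..a line that begins with a dot",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    boxes = {}
    for reply in smtp_session(SESSION, boxes):
        print("S:", reply)
    print(boxes)
```

The 554 reply for carol@elsewhere.test is the point worth remembering: an MTA that accepts RCPT TO for arbitrary domains from unauthenticated clients is an open relay, and that check belongs in the MTA, not in the MDA.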
Question No: 162 – (Topic 2)
Which encapsulation technique does VXLAN use?
MAC in TCP
MAC in MAC
MAC in UDP
MAC in GRE
Answer: C Explanation:
VXLAN is a MAC-in-IP/UDP (MAC-in-UDP) encapsulation technique: the original Ethernet frame is carried inside a UDP datagram behind an 8-byte VXLAN header that contains a 24-bit segment identifier, the VXLAN ID (VNI).
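To make "MAC in UDP" concrete, here is an added example (not from the exam page) that builds the UDP and VXLAN headers around a constructed Ethernet frame and then unwraps them again, checking the port, the length and the I flag the way a VTEP has to before it trusts the VNI. The outer IP header is left to the caller; the inner ARP frame and the source-port derivation are constructed for illustration.

```python
"""MAC-in-UDP: VXLAN encapsulation and decapsulation of an Ethernet frame.
Added example; the inner frame and VNI value are constructed."""
import struct
import zlib

VXLAN_UDP_PORT = 4789   # IANA-assigned VXLAN port (RFC 7348)
VXLAN_FLAG_I = 0x08     # I bit: the VNI field is valid
VXLAN_HDR_LEN = 8       # flags(1) reserved(3) VNI(3) reserved(1)


def flow_hash_port(inner_frame: bytes) -> int:
    """Ephemeral source port derived from the inner MAC pair so the underlay can ECMP."""
    return 49152 + zlib.crc32(inner_frame[:12]) % 16384


def vxlan_encap(inner_frame: bytes, vni: int, src_port: int) -> bytes:
    """Return UDP header + VXLAN header + the untouched inner Ethernet frame."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI is a 24-bit field")
    vxlan = bytes([VXLAN_FLAG_I, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    udp_len = 8 + VXLAN_HDR_LEN + len(inner_frame)
    # UDP checksum 0: RFC 7348 recommends sending it as zero over IPv4.
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)
    return udp + vxlan + inner_frame


def vxlan_decap(datagram: bytes) -> tuple:
    """Validate UDP/VXLAN headers and return (vni, inner Ethernet frame)."""
    if len(datagram) < 8 + VXLAN_HDR_LEN + 14:
        raise ValueError("too short for UDP + VXLAN + Ethernet header")
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", datagram[:8])
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError("not addressed to the VXLAN port")
    if udp_len != len(datagram):
        raise ValueError("UDP length does not match datagram")
    vxlan = datagram[8:8 + VXLAN_HDR_LEN]
    if not vxlan[0] & VXLAN_FLAG_I:
        raise ValueError("I flag clear: no valid VNI")   # RFC 7348 says drop
    vni = int.from_bytes(vxlan[4:7], "big")
    return vni, datagram[8 + VXLAN_HDR_LEN:]


def sample_frame() -> bytes:
    """Constructed inner frame: broadcast ARP request from 00:11:22:33:44:55."""
    sender_mac = bytes.fromhex("001122334455")
    eth = bytes.fromhex("ffffffffffff") + sender_mac + b"\x08\x06"
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      sender_mac, bytes([10, 0, 0, 1]), b"\x00" * 6, bytes([10, 0, 0, 2]))
    return eth + arp


if __name__ == "__main__":
    frame = sample_frame()
    dg = vxlan_encap(frame, 5001, flow_hash_port(frame))
    print("datagram:", dg.hex())
    print("decapsulated:", vxlan_decap(dg))
```

Note what the decapsulation does not check: nothing in the header authenticates the sender or the VNI. Any host that can deliver UDP/4789 to a VTEP can inject frames into whichever segment it names, so VXLAN deployments filter the VXLAN port to VTEP-to-VTEP traffic in the underlay or protect the tunnel with IPsec or MACsec.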
Question No: 163 – (Topic 2)
Which two statements about SSL VPN smart tunnels on a Cisco IOS device are true? (Choose two.)
They are incompatible with split tunneling.
They do not support FTP.
They are incompatible with MAPI proxy.
They support private socket libraries.
They can be started in more than one Web browser at the same time.
Answer: A,C Explanation:
Restrictions for Cisco IOS SSL VPN Smart Tunnels Support
->Smart tunnels do not support split tunneling, Cisco Secure Desktop, private socket libraries, and MAPI proxy.
->Smart tunnels must not be started in two different web browsers simultaneously.
->Only applications that use the Winsock DLL library, such as Remote Desktop, VNC viewer, Outlook Express, Outlook Web Access (OWA), Secure Shell (SSH) using PuTTY, Telnet, FTP and others, are supported.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_sslvpn/configuration/15-mt/sec-conn-sslvpn-15-mt-book/sec-conn-sslvpn-smart-tunnels-support.html
Question No: 164 – (Topic 2)
Which statement about the DH group is true?
It provides data confidentiality.
It does not provide data authentication.
It is negotiated in IPsec phase 2.
It establishes a shared key over a secured medium.
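The two properties the question turns on are that Diffie-Hellman lets two parties agree on a shared key over an insecure channel, and that the exchange by itself authenticates nobody. The following is an added example (not from the exam page) that runs the exchange honestly and then with an attacker substituting public values in transit: Alice and Bob each end up sharing a key with Mallory and nothing in the DH math tells them. The group is a small safe prime found deterministically at start-up, constructed for illustration only; IKE uses the RFC 3526 MODP groups (DH group 14 and so on), and the private values in the demo are drawn from `secrets`.

```python
"""Diffie-Hellman over an unauthenticated channel, with and without a man in the middle.
Added example; the group is a toy ~2^63 safe prime, not an IKE group."""
import secrets

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)   # deterministic for n < 3.3e24


def is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; exact for every n this example uses."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_above(start: int) -> int:
    """Smallest p = 2q + 1 with p and q both prime and q >= start."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


P = safe_prime_above(1 << 62)   # toy modulus (assumption: illustration only)
G = 2                           # in a safe-prime group every g in [2, p-2] has order q or 2q


def dh_public(priv: int) -> int:
    return pow(G, priv, P)


def dh_shared(peer_pub: int, priv: int) -> int:
    # Reject 0, 1 and p-1: a peer sending these forces a predictable secret.
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, P)


def new_private() -> int:
    return secrets.randbelow(P - 3) + 2   # uniform in [2, p-2]


def honest_exchange(a_priv: int, b_priv: int) -> tuple:
    """Alice and Bob swap public values directly and derive the same secret."""
    a_pub, b_pub = dh_public(a_priv), dh_public(b_priv)
    return dh_shared(b_pub, a_priv), dh_shared(a_pub, b_priv)


def mitm_exchange(a_priv: int, b_priv: int, m_priv: int) -> dict:
    """Mallory replaces each public value in transit with her own.

    DH provides key agreement, not authentication: Alice and Bob cannot
    tell m_pub from a genuine peer value. IKE closes this gap by signing
    or MACing the exchange with a PSK or certificate.
    """
    a_pub, b_pub, m_pub = dh_public(a_priv), dh_public(b_priv), dh_public(m_priv)
    return {
        "alice": dh_shared(m_pub, a_priv),           # Alice believes m_pub is Bob's
        "bob": dh_shared(m_pub, b_priv),             # Bob believes m_pub is Alice's
        "mallory_alice": dh_shared(a_pub, m_priv),   # Mallory's key toward Alice
        "mallory_bob": dh_shared(b_pub, m_priv),     # Mallory's key toward Bob
    }


if __name__ == "__main__":
    a, b = new_private(), new_private()
    ka, kb = honest_exchange(a, b)
    print("honest exchange agrees:", ka == kb)
    keys = mitm_exchange(a, b, new_private())
    print("alice and bob still agree:", keys["alice"] == keys["bob"])
    print("mallory holds both keys:",
          keys["alice"] == keys["mallory_alice"] and keys["bob"] == keys["mallory_bob"])
```

The exchange is deliberately unauthenticated to show why the question's "does not provide data authentication" property matters in practice: the DH group in IKE is negotiated in phase 1, and the shared secret only becomes trustworthy once that phase also authenticates the peers.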
Question No: 165 – (Topic 2)
What ASA feature can you use to restrict a user to a specific VPN group?
A Webtype ACL
A VPN filter
Question No: 166 – (Topic 2)
Which two values you must configure on the Cisco ASA firewall to support FQDN ACL? (Choose two.)
a DNS server
an FQDN object
a policy map
a class map
a service object
a service policy
Reference: https://supportforums.cisco.com/document/66011/using-hostnames-dns-access-lists-configuration-steps-caveats-and-troubleshooting
Question No: 167 – (Topic 2)
Which statement is valid regarding SGACL?
SGACL mapping and policies can only be manually configured.
Dynamically downloaded SGACL does not override manually configured conflicting policies.
SGACL is access-list bound with a range of SGTs and DGTs.
SGACL is not a role-based access list.
Answer: C Explanation:
A role-based access control list bound to a range of SGTs and DGTs forms an SGACL.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/sgacl_config.html
Question No: 168 – (Topic 2)
Which ICMP message type code indicates that fragment reassembly time has been exceeded?
Type 11, code 0
Type 11, Code 1
Type 12, Code 2
Type 4, Code 0
Answer: B Explanation:
ICMP type and code literals:
destination unreachable (type 3): code 0 = net unreachable; 1 = host unreachable; 2 = protocol unreachable; 3 = port unreachable; 4 = fragmentation needed and DF set; 5 = source route failed
redirect (type 5): code 0 = redirect datagrams for the network; 1 = redirect datagrams for the host; 2 = redirect datagrams for the type of service and network; 3 = redirect datagrams for the type of service and host
time-exceeded (type 11): code 0 = time to live exceeded in transit; 1 = fragment reassembly time exceeded
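The type/code table above is exactly what a firewall or IDS needs when it classifies an ICMP error, and the part the table leaves out is that error types (3, 5, 11) quote the IP header plus the first 8 bytes of the datagram they refer to, which is what lets a stateful device match the error to an existing flow. The following is an added example (not from the exam page) that builds and parses a type 11 code 1 message over a constructed original UDP datagram; the addresses and ports are made up for illustration.

```python
"""Classify an ICMP message and recover the quoted original datagram from errors.
Added example; the sample packet is constructed."""
import socket
import struct

ICMP_LITERALS = {
    3: ("destination unreachable", {
        0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
        3: "port unreachable", 4: "fragmentation needed and DF set",
        5: "source route failed"}),
    5: ("redirect", {
        0: "redirect datagrams for the network", 1: "redirect datagrams for the host",
        2: "redirect datagrams for the type of service and network",
        3: "redirect datagrams for the type of service and host"}),
    11: ("time exceeded", {
        0: "time to live exceeded in transit", 1: "fragment reassembly time exceeded"}),
}
ERROR_TYPES = {3, 5, 11}   # these carry the original IP header + 8 bytes (RFC 792)


def inet_checksum(data: bytes) -> int:
    """Standard Internet ones-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """type(1) code(1) checksum(2) rest-of-header(4) payload."""
    header = struct.pack("!BBH", icmp_type, code, 0) + rest
    csum = inet_checksum(header + payload)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + payload


def parse_icmp(msg: bytes) -> dict:
    """Return type/code literals and, for error messages, the quoted original flow."""
    if len(msg) < 8:
        raise ValueError("short ICMP message")
    if inet_checksum(msg) != 0:          # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code = msg[0], msg[1]
    name, codes = ICMP_LITERALS.get(icmp_type, ("unknown", {}))
    info = {"type": icmp_type, "code": code, "name": name,
            "literal": codes.get(code, "unknown")}
    if icmp_type in ERROR_TYPES:
        quoted = msg[8:]
        if len(quoted) < 20:
            raise ValueError("error message must quote the original IP header")
        ihl = (quoted[0] & 0x0F) * 4
        if len(quoted) < ihl + 8:
            raise ValueError("error message must quote IP header + 8 bytes")
        info["orig_src"] = socket.inet_ntoa(quoted[12:16])
        info["orig_dst"] = socket.inet_ntoa(quoted[16:20])
        info["orig_proto"] = quoted[9]
        if info["orig_proto"] in (6, 17):   # TCP/UDP: ports sit in the first 8 bytes
            info["orig_sport"], info["orig_dport"] = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return info


def sample_reassembly_timeout() -> bytes:
    """Constructed: a host reports that a fragmented UDP/53 datagram from
    192.0.2.10 to 198.51.100.5 never finished reassembly (type 11, code 1)."""
    orig_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x2000, 64, 17, 0,
                          socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.5"))
    orig_udp = struct.pack("!HHHH", 40000, 53, 1480, 0)
    return build_icmp(11, 1, payload=orig_ip + orig_udp)


if __name__ == "__main__":
    print(parse_icmp(sample_reassembly_timeout()))
```

A device that inspects ICMP errors should accept a type 11 code 1 only if the quoted src/dst/ports correspond to a flow it has actually seen; unsolicited errors with a fabricated quoted header are a standard way to reset or throttle someone else's connections.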
Question No: 169 – (Topic 2)
Refer to the exhibit.
Two routers are connected using GRE through a WAN link. Your syslog server is logging the given error message. What is a possible reason for the errors?
The loopback interface is configured as the source of the tunnel
The connection is experiencing WAN link flapping
The tunnel key is misconfigured
Secondary addresses are being used on the physical interface
The tunnel source and destination are advertised through the tunnel itself
Question No: 170 – (Topic 2)
Refer to the exhibit.
Which two statements about this debug output are true? (Choose two.)
The request is from NHC to NHS.
The request is from NHS to NNC.
192.168.10.2 is the remote NBMA address.
192.168.10.1 is the local VPN address.
18.104.22.168 is the local non-routable address.
This debug output represents a failed NHRP request.