Which three statements about these three show outputs are true?

Refer to the exhibit.

Which three statements about these three show outputs are true? (Choose three.)

A. Traffic matched by ACL 110 is encrypted.

B. The IPsec transform set uses SHA for data confidentiality.

C. The crypto map shown is for an IPsec site-to-site VPN tunnel.

D. The default ISAKMP policy uses a digital certificate to authenticate the IPsec peer.

E. The IPsec transform set specifies the use of GRE over IPsec tunnel mode.

F. The default ISAKMP policy has higher priority than the other two ISAKMP policies with a priority of 1 and 2.

Explanation:
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_s3.html

Show crypto map Field Descriptions

Peer: Possible peers that are configured for this crypto map entry.

Extended IP access list: Access list that is used to define the data packets that need to be encrypted. Packets that are denied by this access list are forwarded but not encrypted. The “reverse” of this access list is used to check the inbound return packets, which are also encrypted. Packets that are denied by the “reverse” access list are dropped because they should have been encrypted but were not.

Extended IP access check: Access lists that are used to more finely control which data packets are allowed into or out of the IPsec tunnel. Packets that are allowed by the “Extended IP access list” ACL but denied by the “Extended IP access list check” ACL are dropped.

Current peer: Current peer that is being used for this crypto map entry.

Security association lifetime: Number of bytes that are allowed to be encrypted or decrypted or the age of the security association before new encryption keys must be negotiated.

PFS: (Perfect Forward Secrecy) If the field is marked as “Yes”, the Internet Security Association and Key Management Protocol (ISAKMP) SKEYID-d key is renegotiated each time security association (SA) encryption keys are renegotiated (requires another Diffie-Hellman calculation). If the field is marked as “No”, the same ISAKMP SKEYID-d key is used when renegotiating SA encryption keys. ISAKMP keys are renegotiated on a separate schedule, with a default time of 24 hours.

Transform sets: List of transform sets (encryption, authentication, and compression algorithms) that can be used with this crypto map.

Interfaces using crypto map test: Interfaces to which this crypto map is applied. Packets that are leaving from this interface are subject to the rules of this crypto map for encryption. Encrypted packets may enter the router on any interface, and they are decrypted. Nonencrypted packets that are entering the router through this interface are subject to the “reverse” crypto access list check.


