Exam 300-410 topic 1 question 608 discussion

Actual exam question from Cisco's 300-410
Question #: 608
Topic #: 1

SIMULATION
-


Guidelines
-

This is a lab item in which tasks will be performed on virtual devices.

• Refer to the Tasks tab to view the tasks for this lab item.
• Refer to the Topology tab to access the device console(s) and perform the tasks.
• Console access is available for all required devices by clicking the device icon or using the tab(s) above the console window.
• All necessary preconfigurations have been applied.
• Do not change the enable password or hostname for any device.
• Save your configurations to NVRAM before moving to the next item.
• Click Next at the bottom of the screen to submit this lab and move to the next question.
• When Next is clicked, the lab closes and cannot be reopened.


Topology
-




Tasks
-

Configure IPSec security policy on tunnel interfaces to ensure data confidentiality and integrity where mGRE tunnels are up and running between HUB and SPOKE routers.

1. Configure the ISAKMP policy parameters with the following attributes:
• AES256
• SHA256
• Group2
• lifetime 86400

2. Ensure that GRE IP Header should be encrypted inside the IPSec packet. Verify IPSec security association and ISAKMP encrypted key. Use ISAKMP key "abc123".
3. Configure a flexible ISAKMP Policy on the HUB to add peers that have the dynamic IP addresses where SPOKES must add HUB IP static entry using an encrypted key. Use a single command to configure it. Use IPSec phase-2 transform-set name as T-SET and IPSec Profile name as ’IPSEC-PROFILE’.

Comments

[Removed]
Highly Voted 3 months, 3 weeks ago
I had this lab in the exam, the only differences were:
1. configure MD5 instead of SHA256.
2. the name of ipsec profile was different in the exam (be aware of the details of names in the exam, they are not always the same).

on all Routers:
(config)#crypto isakmp policy 10
(config-isakmp)#encryption aes 256
(config-isakmp)#hash md5
(config-isakmp)#authentication pre-share
(config-isakmp)#group 2
(config-isakmp)#lifetime 86400
(config)#crypto isakmp key abc123 address 0.0.0.0
(config)#crypto ipsec transform-set T-SET esp-aes 256 esp-md5-hmac
(config)#crypto ipsec profile IPSEC-PROFILE
(config-ipsec-profile)#set transform-set T-SET
(config)#int tunnel 0
(config-if)#tunnel source (physical interface or physical ip)
(config-if)#tunnel protection ipsec profile IPSEC-PROFILE

there's no need for this command "tunnel mode gre multipoint"
cop r st
upvoted 5 times
Spectreker
2 days, 16 hours ago
Shouldn't we configure NHRP as well? On the Hub we have to configure Tunnel Mode Gre multipoint
upvoted 1 times
leipeG
Most Recent 1 month, 2 weeks ago
I successfully labbed this, assuming all interfaces to the WAN (I used a hub for this), are configured as g0/0 in the 192.168.0.X/24 range. Note, these physical interfaces/ranges are probably different during the exam.

#R0
crypto isakmp policy 10
encryption aes 256
hash sha256
authentication pre-share
group 2
lifetime 86400
exit
crypto isakmp key abc123 address 0.0.0.0
crypto ipsec transform-set T-SET esp-aes 256 esp-sha256-hmac
crypto ipsec profile IPSEC-PROFILE
set transform-set T-SET
int tunnel 0
tunnel source g0/0
tunnel protection ipsec profile IPSEC-PROFILE
ip add 10.0.0.254 255.255.255.0
no shut
int g0/0
ip add 192.168.0.254 255.255.255.0
no shut
do show crypto isakmp sa
do show crypto ipsec sa
upvoted 1 times
leipeG
1 month, 2 weeks ago
#R1
crypto isakmp policy 10
encryption aes 256
hash sha256
authentication pre-share
group 2
lifetime 86400
exit
crypto isakmp key abc123 address 0.0.0.0
crypto ipsec transform-set T-SET esp-aes 256 esp-sha256-hmac
crypto ipsec profile IPSEC-PROFILE
set transform-set T-SET
int tunnel 0
tunnel source g0/0
tunnel destination 10.0.0.254
tunnel protection ipsec profile IPSEC-PROFILE
ip add 10.0.0.1 255.255.255.0
no shut
int g0/0
ip add 192.168.0.1 255.255.255.0
no shut
do show crypto isakmp sa
do show crypto ipsec sa
upvoted 1 times
test190502
1 week, 3 days ago
The tunnel interface protocol remains down, how did you succeed?

R1#sh ip int b tunnel 0
Interface   IP-Address   OK? Method Status   Protocol
Tunnel0     10.0.0.1     YES NVRAM  up       down
upvoted 1 times
Spectreker
2 days, 16 hours ago
I get Protocol down as well
upvoted 1 times
leipeG
1 month, 2 weeks ago
#R2
crypto isakmp policy 10
encryption aes 256
hash sha256
authentication pre-share
group 2
lifetime 86400
exit
crypto isakmp key abc123 address 0.0.0.0
crypto ipsec transform-set T-SET esp-aes 256 esp-sha256-hmac
crypto ipsec profile IPSEC-PROFILE
set transform-set T-SET
int tunnel 0
tunnel source g0/0
tunnel destination 10.0.0.254
tunnel protection ipsec profile IPSEC-PROFILE
ip add 10.0.0.2 255.255.255.0
no shut
int g0/0
ip add 192.168.0.2 255.255.255.0
no shut
do show crypto isakmp sa
do show crypto ipsec sa
upvoted 1 times
[Removed]
3 months, 3 weeks ago
I had this lab in the exam, the only differences were:
1. configure MD5 instead of SHA256.
2. the name of ipsec profile was different in the exam (be aware of the details of names in the exam, they are not always the same).

on all Routers:
(config)#crypto isakmp policy 10
(config-isakmp)#encryption aes 256
(config-isakmp)#hash md5
(config-isakmp)#authentication pre-share
(config-isakmp)#group 2
(config-isakmp)#lifetime 86400
(config)#crypto isakmp key abc123 address 0.0.0.0
(config)#crypto ipsec transform-set T-SET esp-aes 256 esp-md5-hmac
(config)#crypto ipsec profile IPSEC-PROFILE
(config-ipsec-profile)#set transform-set T-SET
(config)#int tunnel 0
(config-if)#tunnel source (physical interface or physical ip)
(config-if)#tunnel protection ipsec profile IPSEC-PROFILE

there's no need for this command "tunnel mode gre multipoint"
cop r st
upvoted 2 times
bf10690
3 months, 3 weeks ago
The answer is mostly correct. One thing that is missing is the "mode tunnel" configuration under the transform set. Without it, you won't be encrypting the GRE IP header which is one of the tasks.
upvoted 2 times
bk989
3 months, 1 week ago
also mode tunnel is default. And if I remember correctly we use mode tunnel for pre-fragmentation, if I remember correctly
upvoted 1 times
bk989
3 months, 2 weeks ago
I was thinking this too
upvoted 1 times
krobo
5 months, 2 weeks ago
Seems good
upvoted 2 times
5ef837d
5 months, 1 week ago
Doesn't seem good as tunnel mode gre multipoint and tunnel destination are mutually exclusive commands on R1 and R2.
upvoted 2 times
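
An added example, not part of any commenter's post or of the exam material: a Python check that compares a pasted command list against the values the task states (AES256, SHA256, group 2, lifetime 86400, key abc123 with the 0.0.0.0 wildcard, T-SET, IPSEC-PROFILE). The indented sample is constructed from the hub commands posted above, the function names are hypothetical, and treating an absent mode line as tunnel mode follows the reply above that calls it the default.

```python
# Constructed input: hub (R0) commands from the thread, indented by sub-mode.
SAMPLE = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key abc123 address 0.0.0.0
crypto ipsec transform-set T-SET esp-aes 256 esp-sha256-hmac
crypto ipsec profile IPSEC-PROFILE
 set transform-set T-SET
interface Tunnel0
 tunnel protection ipsec profile IPSEC-PROFILE
"""
POLICY = {"encryption aes 256", "hash sha256", "authentication pre-share",
          "group 2", "lifetime 86400"}

def parse(text):
    """Map each top-level line to the indented sub-mode lines beneath it."""
    tree, parent = {}, None
    for raw in text.splitlines():
        if raw.strip() in ("", "!"):
            continue
        if raw[0].isspace() and parent is not None:
            tree[parent].append(raw.strip())
        else:
            parent = raw.strip()
            tree.setdefault(parent, [])
    return tree

def unmet(text, tset="T-SET", profile="IPSEC-PROFILE", key="abc123"):
    """Return the lab requirements the given commands do not satisfy."""
    tree, out = parse(text), []
    def kids(prefix):  # sub-mode lines of the first block starting with prefix
        return next((k for t, k in tree.items() if t.startswith(prefix)), None)
    if not any(t.startswith("crypto isakmp policy ") and POLICY <= set(k)
               for t, k in tree.items()):
        out.append("isakmp policy")
    if f"crypto isakmp key {key} address 0.0.0.0" not in tree:
        out.append("wildcard key")
    ts = kids(f"crypto ipsec transform-set {tset} ")
    if ts is None:
        out.append("transform-set")
    elif any(c.startswith("mode transport") for c in ts):  # no mode line: tunnel
        out.append("tunnel mode")
    if f"set transform-set {tset}" not in (kids(f"crypto ipsec profile {profile}") or []):
        out.append("ipsec profile")
    if f"tunnel protection ipsec profile {profile}" not in (kids("interface Tunnel") or []):
        out.append("tunnel protection")
    return out
```

An empty list means every stated value is present; the check reads typed commands, not show running-config output, where default values may not be displayed.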