300-730 Cisco Practice Test Questions and Exam Dumps



Question 1:

A second set of traffic selectors is negotiated between two peers using IKEv2. Which IKEv2 packet will contain details of the exchange?

A. IKEv2 IKE_SA_INIT
B. IKEv2 INFORMATIONAL
C. IKEv2 CREATE_CHILD_SA
D. IKEv2 IKE_AUTH

Correct answer: C

Explanation:

In the IKEv2 (Internet Key Exchange version 2) protocol, traffic selectors define the set of IP traffic that is permitted to flow through a Security Association (SA). These are particularly useful in IPsec VPNs to establish which subnets or IP ranges are protected by the IPsec tunnel.

When a second set of traffic selectors is negotiated, this implies that an additional Child SA (a set of keys and parameters used for encrypting data) is being created after the initial IKE_SA (Security Association) is already established. This process is handled through the CREATE_CHILD_SA exchange in IKEv2.

The CREATE_CHILD_SA exchange is used to negotiate:

  • New Child SAs (including the TSi and TSr traffic selector payloads for those SAs)

  • Rekeying of existing Child SAs, with or without a fresh Diffie-Hellman exchange

  • Rekeying of the IKE SA itself

On the other hand:

  • IKE_SA_INIT is the first exchange and is used to establish the initial IKE SA, setting up parameters like Diffie-Hellman exchange, nonces, and cryptographic algorithms.

  • IKE_AUTH is used right after IKE_SA_INIT to authenticate the peers and establish the first Child SA. It does contain traffic selectors, but only for the initial SA.

  • INFORMATIONAL messages are used for deleting SAs, reporting errors, or sending notifications; they do not negotiate traffic selectors or create new SAs.

Therefore, whenever new traffic selectors (such as a second pair of protected IP ranges) need to be negotiated, the CREATE_CHILD_SA exchange carries the TSi/TSr payloads together with the SA proposal, nonces and optional key exchange for the new Child SA. One practical caveat: in CREATE_CHILD_SA these payloads travel inside the Encrypted (SK) payload, so a packet capture shows only the IKE header (exchange type 36) and an opaque encrypted body; to see the selectors themselves you need the session keys or the router's IKEv2 debug output.

This is important in scenarios such as:

  • Multi-subnet VPNs

  • Changing the traffic scope of a VPN without renegotiating the entire IKE session

  • Re-keying or updating SAs for security compliance

Thus, CREATE_CHILD_SA is the correct message where the details of the new traffic selectors will be present.
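The exchange sequence above, seen from the configuration side, as an added example that is not part of the original page: an IOS IKEv2 crypto map protecting two subnet pairs. Peer addresses, names and the pre-shared key are placeholders. A crypto map builds IPsec SAs on demand, one SA pair per access-list entry, so the first flow that matches the ACL establishes the IKE SA and negotiates its Child SA in IKE_AUTH, and the first flow that matches the other entry is negotiated later in CREATE_CHILD_SA.

```cisco
! Added example, not from the original page. Addresses, names and key are placeholders.
crypto ikev2 proposal PROP-AES
 encryption aes-gcm-256
 prf sha256
 group 19
!
crypto ikev2 policy POL-AES
 proposal PROP-AES
!
crypto ikev2 keyring KR-PEERS
 peer SITE-B
  address 203.0.113.2
  pre-shared-key local ReplaceWithStrongLocalKey
  pre-shared-key remote ReplaceWithStrongRemoteKey
!
crypto ikev2 profile PROF-SITE-B
 match identity remote address 203.0.113.2 255.255.255.255
 identity local address 203.0.113.1
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-PEERS
!
crypto ipsec transform-set TS-AESGCM esp-gcm 256
 mode tunnel
!
! Two ACEs. The first ACE to see traffic gets its Child SA in IKE_AUTH;
! the other ACE's Child SA (second traffic-selector set) is negotiated in CREATE_CHILD_SA.
ip access-list extended CRYPTO-SITE-B
 permit ip 10.1.1.0 0.0.0.255 10.2.1.0 0.0.0.255
 permit ip 10.1.2.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto map CM-OUTSIDE 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AESGCM
 set ikev2-profile PROF-SITE-B
 match address CRYPTO-SITE-B
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map CM-OUTSIDE
```

After traffic matches both entries, show crypto ipsec sa lists two SA pairs under the same peer, and show crypto ikev2 sa detail shows the single IKE SA they hang from. With debug crypto ikev2 enabled, the second negotiation is logged with the CREATE_CHILD_SA exchange name, while the first appears under IKE_SA_INIT and IKE_AUTH.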


Question 2:

In a FlexVPN hub-and-spoke topology where direct tunnels between spokes are not permitted, which command is necessary for the hub to successfully terminate FlexVPN tunnels?

A. interface virtual-access
B. ip nhrp redirect
C. interface tunnel
D. interface virtual-template

Correct Answer: D

Explanation:

In a FlexVPN configuration—an IPsec-based VPN technology that uses a unified approach for different VPN topologies—understanding the role of virtual interfaces is critical, especially in a hub-and-spoke design. When spoke-to-spoke communication is not permitted (i.e., spoke-to-spoke dynamic tunnels are disallowed), all VPN traffic is routed through the hub. This requires the hub to dynamically terminate multiple VPN connections from different spokes.

To achieve this, the hub uses virtual template and virtual access interfaces. These virtual interfaces are designed for creating on-demand tunnel connections, particularly in dynamic or scalable environments such as FlexVPN. Here's how they work:

  • Virtual template interfaces are used to define a reusable configuration for VPN tunnels. When a spoke connects, a virtual access interface is dynamically created based on the settings in the virtual template. This allows the hub to terminate many tunnels without needing to configure each one individually.

  • The virtual access interface itself is dynamically created and not directly configured by administrators. Instead, it inherits its configuration from the virtual template.

So, in this question, the command that enables the hub to terminate tunnels in such a dynamic and scalable way is interface virtual-template, making D the correct answer. This command allows you to define a virtual template interface, which the hub uses as a model to instantiate virtual access interfaces on-the-fly when spokes initiate a tunnel.

Let’s briefly review why the other options are incorrect:

  • A. interface virtual-access: This is not a command you directly configure. The virtual access interface is generated automatically at the hub when a tunnel is established, based on the virtual template. Therefore, while virtual access interfaces are important, the command interface virtual-access is not manually entered and does not enable tunnel termination directly.

  • B. ip nhrp redirect: This command is applied to a hub's tunnel or virtual-template interface in DMVPN Phase 3 and in FlexVPN to trigger dynamic spoke-to-spoke shortcut tunnels. The question explicitly states that spoke-to-spoke tunnels are not allowed, so it must not be configured here; it also has nothing to do with whether the hub can terminate spoke tunnels in the first place.

  • C. interface tunnel: While this command is used to create a static tunnel interface, it does not address the scalability or dynamic nature required by FlexVPN when many spokes connect to a central hub. Static tunnel interfaces are more commonly used in legacy VPN designs or for specific point-to-point tunnels, not in FlexVPN with dynamic tunnel creation.

Therefore, in the context of FlexVPN hub-and-spoke architecture where dynamic spoke tunnels are formed to a centralized hub and direct spoke-to-spoke tunnels are not allowed, the correct command needed on the hub to terminate these dynamic tunnels is interface virtual-template.

This approach provides flexibility and scalability, especially in large deployments with many spokes. It allows centralized control while minimizing manual configuration. As spokes initiate VPN tunnels, the hub uses the virtual template to spawn virtual access interfaces, thereby ensuring consistent policy and efficient tunnel management without the overhead of static configuration.
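The hub design described above, as an added example that is not part of the original page: a FlexVPN hub whose IKEv2 profile hands every authenticated spoke a virtual-access interface cloned from Virtual-Template1, with the matching static Tunnel interface on a spoke. It assumes a PKI trustpoint CA-TP is already enrolled on both routers and that an IPsec transform set exists; names, domains and addresses are placeholders. No NHRP commands are present, so spokes can only reach each other through the hub.

```cisco
! Added example, not from the original page. Assumes trustpoint CA-TP is enrolled.
! ---- Hub ----
aaa new-model
aaa authorization network FLEX-AUTHOR local
!
crypto ikev2 authorization policy FLEX-SPOKES
 route set interface
!
crypto ikev2 profile FLEX-HUB
 match identity remote fqdn domain example.com
 identity local fqdn hub.example.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint CA-TP
 aaa authorization group cert list FLEX-AUTHOR FLEX-SPOKES
 virtual-template 1
!
crypto ipsec profile FLEX-IPSEC
 set ikev2-profile FLEX-HUB
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
! The template is the only tunnel interface an administrator configures on the hub.
! Each spoke that authenticates gets a Virtual-AccessN cloned from it.
! No "ip nhrp redirect" here: spoke-to-spoke traffic stays on the hub.
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
!
! ---- Spoke ----
aaa new-model
aaa authorization network FLEX-AUTHOR local
!
crypto ikev2 authorization policy FLEX-HUBS
 route set interface
!
crypto ikev2 profile FLEX-SPOKE
 match identity remote fqdn hub.example.com
 identity local fqdn spoke1.example.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint CA-TP
 aaa authorization group cert list FLEX-AUTHOR FLEX-HUBS
!
crypto ipsec profile FLEX-IPSEC
 set ikev2-profile FLEX-SPOKE
!
interface Loopback0
 ip address 10.255.0.11 255.255.255.255
!
! The spoke has a single, static peer, so a normal Tunnel interface is enough.
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile FLEX-IPSEC
```

On the hub, show interfaces virtual-access and show crypto ikev2 sa confirm one virtual-access interface per connected spoke, and the route set interface line in the authorization policy is what installs each side's tunnel address in the peer's routing table without a routing protocol.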


Question 3:

Which statement about GETVPN is true?

A. The configuration that defines which traffic to encrypt originates from the key server.
B. TEK rekeys can be load-balanced between two key servers operating in COOP.
C. The pseudotime that is used for replay checking is synchronized via NTP.
D. Group members must acknowledge all KEK and TEK rekeys, regardless of configuration.

Correct answer: A

Explanation:

GETVPN (Group Encrypted Transport VPN) is a Cisco technology for securing IP traffic over a private WAN (such as MPLS) without point-to-point tunnels. A centralized Key Server (KS) manages the cryptographic keys and the security policy for a group of routers, the Group Members (GMs), using GDOI (UDP 848).

The true statement is A. In GETVPN the KS holds the group policy, including the access list that defines which traffic the group encrypts, and pushes it to every GM when the GM registers and again at each rekey. A GM may add local deny entries to exclude traffic it never wants encrypted, but the permit (encrypt) policy itself originates on the KS. This is what makes GETVPN scale: one policy change on the KS reaches every GM without touching the GMs.

Here is why the other options are incorrect:

  • B. Cooperative (COOP) key servers provide redundancy, not load sharing of rekeys. The COOP KSs elect a primary; only the primary generates and sends KEK and TEK rekeys, and the secondaries keep a synchronized copy of the policy and keys so that one of them can take over if the primary fails. TEK rekeys are never split between two key servers.

  • C. Time-based anti-replay uses a pseudotime that the KS maintains and distributes to the GMs during registration and in every rekey. GMs synchronize their pseudotime from the KS, not from NTP. (Counter-based anti-replay also exists, but it only works when a GM exchanges traffic with a single peer, so pseudotime is the normal choice.)

  • D. Acknowledgements depend on the rekey transport. With unicast rekeys the GM acknowledges each rekey, and the KS retransmits and eventually removes a GM that never answers. With multicast rekeys there are no acknowledgements at all. So "regardless of configuration" makes the statement false.

In summary, option A describes the defining property of GETVPN: the key server, not each group member, is the source of the encryption policy.


Question 4:

When migrating from DMVPN Phase 2 to Phase 3 in a network using EIGRP, which two configuration changes must be implemented to support the new phase? (Choose two.)

A. Add NHRP shortcuts on the hub.
B. Add NHRP redirects on the spoke.
C. Disable EIGRP next-hop-self on the hub.
D. Enable EIGRP next-hop-self on the hub.
E. Add NHRP redirects on the hub.

Correct Answers: D and E

Explanation:

In DMVPN Phase 2 the spoke-to-spoke tunnel is a by-product of routing: a spoke looks up the destination, finds the remote spoke's tunnel address as the next hop, and asks the hub through NHRP resolution for that spoke's NBMA (public) address. For this to work the hub must advertise every spoke prefix unchanged, with the originating spoke as the next hop. That is why a Phase 2 hub runs EIGRP with no ip next-hop-self eigrp and no ip split-horizon eigrp, and why it cannot summarize spoke routes.

Phase 3 takes the spoke-to-spoke decision out of the routing protocol. A spoke sends its first packet to the hub; the hub forwards it out the same mGRE interface it arrived on and, because ip nhrp redirect is configured, returns an NHRP traffic indication (redirect) to the sending spoke. The spoke, configured with ip nhrp shortcut, resolves the actual destination prefix and installs an NHRP shortcut route (shown as an H route) that overrides the hub as the next hop for that prefix.

Key Characteristics of DMVPN Phase 3:

  • ip nhrp redirect on the hub tunnel interface and ip nhrp shortcut on the spoke tunnel interfaces.

  • Because NHRP now supplies the direct path, the hub can advertise itself as the next hop again (the EIGRP default) and can summarize, so spokes carry far fewer routes.

Correct Option Analysis:

D. Enable EIGRP next-hop-self on the hub:
Correct. A Phase 2 hub already has next-hop-self disabled, so disabling it cannot be a migration step; restoring it (ip next-hop-self eigrp, the default) is. Once the spoke-to-spoke path comes from NHRP shortcuts, spokes no longer need to see the originating spoke as the next hop, and with next-hop-self on the hub can also summarize, which is the main scalability benefit of Phase 3.

E. Add NHRP redirects on the hub:
Correct. ip nhrp redirect on the hub's tunnel interface makes the hub send an NHRP redirect whenever it forwards a packet back out the interface it arrived on. Without it, spokes never learn that a direct path exists and traffic keeps hairpinning through the hub.

Incorrect Option Analysis:

A. Add NHRP shortcuts on the hub:
Incorrect. ip nhrp shortcut belongs on the spokes; it is what lets a spoke act on the hub's redirect, resolve the destination and install the shortcut route. The answer choices do not include the spoke-side shortcut, but it is still required for the migration to work.

B. Add NHRP redirects on the spoke:
Incorrect. Redirects are sent by the device that observes the hairpin, which is the hub. A spoke never forwards traffic between two other spokes, so the command has no effect there.

C. Disable EIGRP next-hop-self on the hub:
Incorrect. This is the Phase 2 requirement and is already in place before the migration. Leaving it disabled does not break Phase 3, but it is not a change that supports the new phase, and it keeps the hub from summarizing.

The migration therefore consists of:

  1. Adding ip nhrp redirect on the hub tunnel interface (and ip nhrp shortcut on each spoke tunnel interface).

  2. Restoring EIGRP next-hop-self on the hub, optionally adding an EIGRP summary address so spokes receive one summary route instead of every spoke prefix.

These two changes move spoke-to-spoke path selection from EIGRP to NHRP, which is what defines DMVPN Phase 3.


Question 5:

Which two parameters help to map a VPN session to a tunnel group without using the tunnel-group list? (Choose two.)

A. group-alias
B. certificate map
C. optimal gateway selection
D. group-url
E. AnyConnect client version

Correct answers: A, D

Explanation:

When a user connects to a Cisco ASA VPN gateway, the system needs to determine which tunnel group to associate the session with. Normally, this can be done using a tunnel-group list, where users are presented with options to choose from. However, if the tunnel-group list is not used or shown to the user, other mechanisms must be used to map the VPN session to the correct tunnel group.

Two such mechanisms are:

A. group-alias
A group-alias is an alternate name bound to a tunnel group under its webvpn-attributes. When the tunnel-group list is enabled, the aliases are what the user sees in the drop-down; when it is disabled, the client can still supply the alias itself, for example through the UserGroup value of a host entry in the AnyConnect client profile, and the ASA maps the session to the matching tunnel group without presenting any list.

D. group-url
The group-url is another way to map a session to a tunnel group, without relying on a user to select it from a list. It is a specially formatted URL (e.g., https://vpn.company.com/HR) where the portion after the slash directly corresponds to a tunnel group. If a user connects using a specific group-url, the ASA automatically maps them to the associated tunnel group. This method is especially useful for automatic connections and pre-configured VPN profiles, like in Cisco AnyConnect deployments.

Why the other options are incorrect:

B. certificate map
Certificate maps can select a tunnel group, but only for certificate-authenticated sessions and only when the ASA is told to use them for that purpose (certificate-group-map under webvpn). They are a certificate-matching feature rather than a tunnel-group parameter, which is why they are not one of the two answers here; in deployments that do use certificates they are a valid, user-transparent alternative.

C. optimal gateway selection
Optimal Gateway Selection (OGS) is a feature used by the AnyConnect client to select the best available gateway based on metrics like latency or location. It does not determine the tunnel group mapping; it decides which ASA to connect to, not which tunnel group within that ASA is selected.

E. AnyConnect client version
The client version is used to determine compatibility and sometimes policy enforcement, but it does not influence which tunnel group is selected. It may determine posture assessments or client updates, but it is unrelated to session-to-tunnel-group mapping.

In conclusion, the two most direct and commonly used methods to map a VPN session to a tunnel group without displaying the tunnel-group list are group-alias and group-url. These provide flexible and user-transparent ways to direct sessions appropriately in both interactive and automated VPN environments.
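The two mechanisms above on an ASA, as an added example that is not part of the original page: a remote-access tunnel group that is reachable by alias and by URL while the tunnel-group list stays disabled. Pool, names, the hostname and the AnyConnect package filename are placeholders.

```cisco
! Added example, not from the original page. Names, addresses and the package file are placeholders.
ip local pool POOL-HR 10.200.0.1-10.200.0.254 mask 255.255.255.0
!
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win.pkg 1
 anyconnect enable
 ! No drop-down of tunnel groups is shown to users.
 no tunnel-group-list enable
!
group-policy GP-HR internal
group-policy GP-HR attributes
 vpn-tunnel-protocol ssl-client ikev2
!
tunnel-group TG-HR type remote-access
tunnel-group TG-HR general-attributes
 address-pool POOL-HR
 default-group-policy GP-HR
tunnel-group TG-HR webvpn-attributes
 ! Sessions arrive at TG-HR either by alias (sent by the client) or by URL.
 group-alias HR enable
 group-url https://vpn.example.com/HR enable
```

A user who opens https://vpn.example.com/HR lands in TG-HR through the group-url; an AnyConnect profile whose host entry for vpn.example.com sets UserGroup to HR gets there through the group-alias. Either way the user never sees a list of groups, and show vpn-sessiondb anyconnect confirms the session's Tunnel Group as TG-HR.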


Question 6:

What method is used to dynamically install network routes for remote tunnel endpoints?

A. policy-based routing
B. CEF
C. reverse route injection
D. route filtering

Correct Answer: C

Explanation:

To understand which method dynamically installs network routes for remote tunnel endpoints, it's important to distinguish between static and dynamic routing techniques within Virtual Private Network (VPN) architectures—especially IPsec VPNs.

One critical mechanism for achieving dynamic route installation is Reverse Route Injection (RRI). This technique is widely used in VPN scenarios where routes to remote peer networks (those reachable through IPsec tunnels) need to be known to the routing infrastructure dynamically.

Let’s break down what RRI does and why C is the correct answer:

What is Reverse Route Injection (RRI)?

Reverse Route Injection is a feature supported on Cisco routers (especially in crypto map-based IPsec VPN configurations), which allows a device to automatically install static routes into the routing table for remote VPN peers. These routes correspond to the remote subnets protected by the IPsec tunnel. This is particularly useful in large-scale deployments where configuring static routes manually would be impractical.

RRI installs the static route when the IPsec SA comes up: the remote peer's proxy identity (the protected remote subnet) becomes the route's destination, the route points toward the peer through the crypto-map interface, and it is withdrawn when the SA is deleted. For static crypto maps, the reverse-route static option installs the route at configuration time instead, and reverse-route remote-peer lets you set an explicit next hop. Because the route is a normal static route, it can be redistributed into the IGP so that the rest of the network forwards traffic for the remote subnet to the VPN gateway.

RRI is commonly used in hub-and-spoke VPN topologies, where the central hub needs to learn about all the spoke routes dynamically without using a dynamic routing protocol.

Why the Other Options Are Incorrect:

A. policy-based routing
Policy-Based Routing (PBR) is used to override normal routing behavior based on policies such as source address, protocol, or application. It is not used to dynamically install routes. Instead, it statically dictates how traffic should be routed, regardless of what is in the routing table.

B. CEF (Cisco Express Forwarding)
CEF is a packet-switching mechanism, not a routing protocol or method for installing routes. It speeds up the forwarding of packets by using a precomputed FIB (Forwarding Information Base), but it does not install routes. It only uses the routes already present in the routing table.

D. route filtering
Route filtering is a method used to control which routes are advertised, received, or installed in the routing table. It does not dynamically create or install routes—it simply manages or restricts them. Filtering is useful for policy control but doesn’t serve the function described in the question.

When a router establishes an IPsec tunnel, and dynamic route awareness is required for the remote network at the other end of the tunnel, Reverse Route Injection (RRI) is the correct method. It helps maintain dynamic and accurate routing information on the device by creating static routes automatically when VPN tunnels are brought up.

Therefore, in the context of dynamically installing routes for remote tunnel endpoints, reverse route injection is the correct and most appropriate method.
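RRI on a hub, as an added example that is not part of the original page: a dynamic crypto map (for spokes whose addresses the hub does not know in advance) that injects a static route for each spoke's protected network when its SA is established, and redistributes those routes into EIGRP for the rest of the site. It assumes an IKEv2 profile PROF-SPOKES and a transform set TS-AESGCM are already configured; names, addresses and metrics are placeholders.

```cisco
! Added example, not from the original page. Assumes PROF-SPOKES and TS-AESGCM exist.
crypto dynamic-map DYN-SPOKES 10
 set transform-set TS-AESGCM
 set ikev2-profile PROF-SPOKES
 ! Install a static route for the spoke's protected subnet when its SA comes up,
 ! and remove it when the SA is torn down.
 reverse-route
!
! Highest sequence number so any static entries in CM-OUTSIDE are tried first.
crypto map CM-OUTSIDE 65535 ipsec-isakmp dynamic DYN-SPOKES
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map CM-OUTSIDE
!
! Let the rest of the site learn the RRI routes: metric is bandwidth delay reliability load mtu.
router eigrp 1
 network 10.0.0.0 0.255.255.255
 redistribute static metric 100000 100 255 1 1500
```

Once a spoke establishes its SA, show ip route static on the hub shows the spoke's subnet as an S route and the downstream routers see it as an external EIGRP route; when the SA expires or is cleared, both disappear, which is the dynamic behavior the question is asking about.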

Question 7:

Which two Cisco ASA features can help mitigate the risk of an internal user accessing unauthorized applications? (Choose 2.)

A. Context-aware access
B. Identity-based firewall rules
C. Transparent mode firewall
D. Web filtering
E. Application-layer filtering

Correct answers: A, E

Explanation:

Cisco ASA (Adaptive Security Appliance) provides multiple features to secure network environments by controlling both incoming and outgoing traffic. When it comes to preventing internal users from accessing unauthorized applications, Cisco ASA offers context-aware and application-layer capabilities that are especially effective.

A. Context-aware access
This feature enables the firewall to analyze the context of a user's session, such as device type, user identity, role, location, or application. Based on this context, administrators can create granular access policies. For example, users from the HR department may be allowed access to internal HR applications but restricted from using remote admin tools or file-sharing services like Dropbox. This layered contextual control enhances security and reduces the risk of unauthorized access.

E. Application-layer filtering
This is another powerful feature that operates at Layer 7 of the OSI model. It allows the firewall to inspect and filter traffic based on the application, not just IP addresses or ports. This is particularly important in modern networks where many applications use common ports (e.g., HTTP/HTTPS). By examining the actual content and protocol behavior, the ASA can detect and block applications like peer-to-peer (P2P) sharing, instant messaging, or cloud storage apps, even if they attempt to masquerade as regular web traffic. This is essential in preventing users from accessing unauthorized or shadow IT applications.

Now, let’s review why the other options are incorrect or less relevant:

B. Identity-based firewall rules
Although this feature helps tailor policies based on user identity (e.g., integrating with Active Directory to enforce access based on users or groups), by itself it does not filter or control applications. It's more about who is accessing the network rather than what they are accessing. While useful in broader policy design, it doesn't directly block unauthorized applications unless combined with other features.

C. Transparent mode firewall
Transparent mode allows the ASA to function as a Layer 2 bridge, making it easier to insert into existing networks without changing IP addressing. However, this mode doesn't provide enhanced controls over applications or user behavior. It is mainly a deployment mode and doesn't inherently provide application control or context-based filtering.

D. Web filtering
Web filtering can help restrict access to specific websites or categories (e.g., gambling, social media), but it does not address non-web-based applications, such as FTP tools, P2P applications, or remote desktop clients. While useful in securing HTTP/HTTPS traffic, it's narrower in scope compared to full application-layer filtering.

In summary, context-aware access and application-layer filtering are the most effective Cisco ASA features for mitigating the risk of users accessing unauthorized applications, as they allow granular, intelligent control based on both the user's role and the nature of the application traffic.


Question 8:

Which two advantages result from integrating Cisco Identity Services Engine (ISE) with Cisco AnyConnect? (Choose two.)

A. Granular control over endpoint posture assessment
B. Real-time monitoring of endpoint application usage
C. Secure VPN tunneling with user and device authentication
D. Automated patch management for connected endpoints
E. Enforced access control based on user roles and device type

Correct Answers: A and E

Explanation:

When Cisco Identity Services Engine (ISE) is integrated with Cisco AnyConnect, organizations gain powerful tools for enforcing identity-based security policies and assessing the state of connecting endpoints before they are granted access to the network. Cisco ISE acts as a centralized policy engine, while AnyConnect serves as the endpoint agent responsible for secure connections and posture data collection. Together, they enable a context-aware, adaptive security posture across the network.

Let’s explore the two correct options in detail:

A. Granular control over endpoint posture assessment:
This is correct. One of the most significant benefits of integrating Cisco ISE with Cisco AnyConnect is the ability to perform posture assessment. Posture refers to evaluating the security status of an endpoint before allowing it to connect. For example, administrators can check whether a device has up-to-date antivirus software, the latest OS patches, or enabled firewalls. The integration allows granular control, meaning administrators can define very specific policies—such as allowing only corporate-managed laptops with up-to-date antivirus and full-disk encryption to access sensitive resources. If a device fails a posture check, Cisco ISE can restrict access or redirect the user to a remediation portal.

E. Enforced access control based on user roles and device type:
This is also correct. Cisco ISE is designed to implement policy-based access control, and it does so using a combination of user identity, device identity, and contextual attributes such as location or device health. When a user connects using AnyConnect, ISE can determine who the user is, what type of device they’re using (corporate laptop, mobile phone, BYOD, etc.), and assign them to a corresponding policy group. For instance, IT staff may have broader access than interns, and personal mobile devices may only be allowed limited network access. This granular control is central to implementing Zero Trust Network Access (ZTNA) principles.

Now let’s address the incorrect options:

B. Real-time monitoring of endpoint application usage:
This is incorrect. While Cisco AnyConnect can collect some telemetry data, and Cisco ISE can enforce policies based on posture, neither is designed to monitor real-time application usage. That functionality is more aligned with tools like Cisco Secure Endpoint or third-party endpoint detection and response (EDR) solutions.

C. Secure VPN tunneling with user and device authentication:
While this statement is true in part, the secure VPN tunneling and basic user/device authentication are native features of AnyConnect itself, not the result of integration with ISE. AnyConnect can authenticate users using certificates or credentials even without ISE. However, when ISE is added, it enhances policy enforcement rather than directly enabling VPN tunneling.

D. Automated patch management for connected endpoints:
This is incorrect. Patch management involves detecting, downloading, and applying software updates, which is outside the scope of ISE and AnyConnect. That function is usually handled by endpoint management systems like Microsoft SCCM or mobile device management (MDM) platforms. ISE can detect whether a device is missing patches during posture checks, but it does not install patches.

Cisco ISE and Cisco AnyConnect integration primarily strengthens endpoint visibility, compliance enforcement, and role-based access control. It enables organizations to enforce highly tailored network access decisions based on real-time posture evaluation and identity data. The combination supports a secure, adaptive access framework in dynamic network environments—critical for enterprises embracing Zero Trust and hybrid work models.

The correct answers are A and E.

