Share your ARCH Experience
Please share with us your experience after taking the ARCH v2.1 642-874 exam, your materials, the way you learned, your recommendations…
Your posts are warmly welcome!
Please don’t ask for links to download copyright materials here…
Q is in 642-873 Anderson dump people getting 950+ with on 642-873
Exam C question 9
matches to answers C D on Q 267
5.8
QUESTION NO: 100
To securely transport EIGRP traffic, a network administrator will build VPNs between sites. What
is the best method to accomplish the transport of EIGRP traffic?
A. IPSec in tunnel mode
B. IPSec in transport mode
C. GRE with IPSec in transport mode
D. GRE with IPSec in tunnel mode
Answer: D
So, this is good or not? As I checked this seems to be true..
100
D is wrong; tunnel mode is crazy, then the packet has got 3 headers on it now:
original IP header / GRE header / IPsec tunnel mode header. Silly.
C. GRE with IPsec is always transport mode, because GRE tunneling gives the packet a new header.
@Victor …Can u make a consolidated Word document, post it on a file-share site and send the link? It will be much better rather than filling this page…
@victor
Hmm ok. Seems you are right. My brain is just blowing up after 3 weeks of searching and checking.. Tired..
@Q100
I agree with you Victor, but there is a set of recommendations in self-study v2 page 431 about DMVPN which says:
– Use tunnel protection mode to associate a GRE tunnel with the IPsec profile on
the same router. Tunnel protection specifies that IPsec encryption is performed
after the GRE headers are added to the tunnel packet. Both ends of the tunnel
need to be protected.
– Use IPsec in tunnel mode
any thoughts?
@ Question 100 I am with D
It is not down to headers, Victor!!
The way I think it is supposed to work is that
EIGRP updates can only be carried by GRE.
Once you do GRE over IPsec in tunnel mode or transport mode it doesn't make any difference.
The reason why I go with tunnel mode is that the IPsec default mode is tunnel, so when we do GRE over IPsec it is tunnel mode, not transport mode.
@Kash
it seems that ref also suggests D.
But about headers, the sentence from ref says another thing: “Tunnel protection specifies that IPsec encryption is performed after the GRE headers are added to the tunnel packet.”
Adding a header will affect EIGRP updates? I don't think it will???
EIGRP multicast -> encapsulated with GRE unicast -> encrypted by IPsec tunnel mode -> sent to the remote end -> decrypted -> de-encapsulated -> EIGRP multicast
That is my understanding of this.
It seems silly, doesn't it?
QUESTION NO: 19
In base e-Commerce module designs, where should firewall perimeters be placed?
A. core layer
B. Internet boundary
C. aggregation layer
D. aggregation and core layers
E. access and aggregation layers
Answer: A is correct,
The Cisco web site has ARCH exam questions that you can do, and one is exactly this question (word for word).
Cisco marks A as the correct answer.
Here is the link (multilayer game, ARCH):
https://learningnetwork.cisco.com/docs/DOC-1639
@victor
agree, “base e-Commerce” and “firewall perimeters” guarantee that! also self-study v2 page 317 figure 7-17
QUESTION NO: 40
When designing remote access to the Enterprise Campus network for teleworkers and mobile
workers, which of the following should the designer consider?
A. It is recommended to place the VPN termination device in line with the Enterprise Edge
firewall, with ingress traffic limited to SSL only
B. Maintaining access rules, based on the source IP of the client, on an internal firewall drawn
from a headend RADIUS server is the most secure deployment
C. VPN Headend routing using Reverse Route Injection (RRI) with distribution is recommended
when the remote user community is small and dedicated DHCP scopes are in place
D. Clientless SSL VPNs provide more granular access control than SSL VPN clients (thin or thick),
including at Layer 7
Answer: A
Explanation: A is wrong C is correct.
The book says almost the A answer – from the student guide:
“It is recommended to place the VPN termination device in line with the Enterprise Edge
firewall, with ingress traffic limited to SSL and IPSec only”
Thanks Victor and Pedram, you saved me one question.
Look at the point: this text is from the 2nd Edition:
“In the base design, the core layer supports the first stage of firewalls”
The point to be noted is that the first stage of firewalls is the core layer, then you add firewalls in aggregation and bla bla…
@victor
Q40 D is correct; Ref self-study v2, page 410
“Tunnel-based VPNs (IPsec and SSL VPN clients) provide Layer 3 control at the protocol,
port, and destination IP level.
Clientless SSL VPNs can provide more granular Layer 7 access control, including URL-based access or file server directory-level access control.”
Victor, Q40: I cannot understand why u go with C.
Yep, Q40 – D right. From the guide, as Pedram wrote.
So what about Q100, tunnel or transport? C or D?
@bd
Q100 I will go for D tunnel one
@kash you are correct, D is a better answer; RRI is not recommended when the remote user community is small.
I agree with everyone, D is better on Q40.
Yes, all Q100 answer is D.
However I am just stuck with Q40.
Do SSL access for teleworkers…??? Sorry, I cannot find this info in the self-study guide 2nd Edition.
Q100 i go C
http://www.atslog.dp.ua/ch03lev1sec3.html
Transport mode is always used when using IPSec to encrypt GRE packets. Figure 3-13 shows how.
Victor :) your link is not Cisco
i agree with victor but look at this
IPsec Tunnel versus Transport Mode
Integrating p2p GRE with either IPsec tunnel mode or transport mode has been debated. Tunnel mode adds an additional 20 bytes to the total packet size. Either tunnel or transport mode work in a p2p GRE over IPsec implementation; however, several restrictions with transport mode should be considered. If the crypto tunnel transits either a Network Address Translation (NAT) or Port Address Translation (PAT) device, tunnel mode is required. In addition, this design guide shows configuration examples for implementing p2p GRE over IPsec where the p2p GRE tunnel endpoints are different than the crypto tunnel endpoints. Tunnel mode is also required in these cases.
http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/P2P_GRE_IPSec/2_p2pGRE_Phase2.html
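The header stacks the thread keeps arguing about (Victor's "3 headers" in tunnel mode, the design guide's "additional 20 bytes", and the NAT/PAT restriction) can be modelled concretely. The following is an added example, not code from this thread or from Cisco. It assumes one common ESP suite (AES-CBC with a 16-byte IV and block, HMAC-SHA1-96 with a 12-byte ICV) and a base GRE header with no key/sequence options; the function names and the hypothetical link MTU are the example's own.

```python
"""Model of GRE over IPsec encapsulation in transport vs tunnel mode.

Added example (not from the forum thread or the Cisco design guide).
Header sizes are assumptions for one common cipher suite and are used
only to show where the extra 20 bytes of tunnel mode come from and what
that does to the largest inner packet that fits a given link MTU.
"""

IPV4_HDR = 20      # IPv4 header without options
GRE_HDR = 4        # base GRE header (no key, sequence or checksum fields)
ESP_HDR = 8        # SPI + sequence number
ESP_IV = 16        # AES-CBC IV (assumption)
ESP_TRAILER = 2    # pad length + next header
ESP_ICV = 12       # HMAC-SHA1-96 (assumption)
CIPHER_BLOCK = 16  # AES block size; ESP pads plaintext+trailer to a multiple of it


def header_stack(mode):
    """Return the on-wire header order, outermost first."""
    gre_packet = ["IP(GRE delivery)", "GRE", "IP(inner)", "payload"]
    if mode == "transport":
        # ESP sits between the GRE delivery IP header and the GRE header;
        # the GRE delivery header stays outermost, so only two IP headers exist.
        return [gre_packet[0], "ESP"] + gre_packet[1:] + ["ESP trailer", "ICV"]
    if mode == "tunnel":
        # A third IP header is added outside ESP: the one Victor objects to.
        return ["IP(IPsec outer)", "ESP"] + gre_packet + ["ESP trailer", "ICV"]
    raise ValueError("mode must be 'transport' or 'tunnel'")


def ip_header_count(mode):
    return sum(1 for h in header_stack(mode) if h.startswith("IP("))


def esp_padding(protected_len):
    """Bytes ESP must pad so that (protected data + 2-byte trailer) fills whole blocks."""
    return (-(protected_len + ESP_TRAILER)) % CIPHER_BLOCK


def fixed_overhead(mode):
    """Bytes added per inner packet, excluding ESP padding."""
    base = IPV4_HDR + GRE_HDR + ESP_HDR + ESP_IV + ESP_TRAILER + ESP_ICV
    # Tunnel mode adds the extra outer IPv4 header: the guide's "additional 20 bytes".
    return base + (IPV4_HDR if mode == "tunnel" else 0)


def on_wire_size(inner_len, mode):
    """Total bytes on the link for an inner IP packet of inner_len bytes."""
    # Transport mode encrypts GRE + inner packet; tunnel mode also encrypts the
    # GRE delivery IP header, so the padded region is 20 bytes longer.
    protected = GRE_HDR + inner_len + (IPV4_HDR if mode == "tunnel" else 0)
    return fixed_overhead(mode) + inner_len + esp_padding(protected)


def largest_inner_packet(link_mtu, mode):
    """Largest inner IP packet that crosses link_mtu without fragmentation."""
    n = link_mtu - fixed_overhead(mode)
    while on_wire_size(n, mode) > link_mtu:
        n -= 1
    return n


def required_mode(crosses_nat, endpoints_differ):
    """Apply the two restrictions quoted from the design guide.

    crosses_nat: the crypto path transits a NAT/PAT device.
    endpoints_differ: GRE tunnel endpoints are not the crypto endpoints.
    Returns 'tunnel' when tunnel mode is mandatory, else 'either'.
    """
    return "tunnel" if (crosses_nat or endpoints_differ) else "either"


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        print(mode, ip_header_count(mode), "IP headers,",
              fixed_overhead(mode), "bytes fixed overhead,",
              "max inner packet on a 1500-byte link:", largest_inner_packet(1500, mode))
    print("behind NAT:", required_mode(crosses_nat=True, endpoints_differ=False))
```

Running it shows two IP headers in transport mode against three in tunnel mode, a fixed overhead that differs by exactly the 20 bytes the guide mentions, and a correspondingly smaller largest inner packet for a 1500-byte link (1434 vs 1414 bytes under the assumed suite). The `required_mode` rule encodes only what the quoted guide states: both modes work for p2p GRE over IPsec, but NAT/PAT in the path or separate GRE and crypto endpoints force tunnel mode.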
Kash
All your info is true.
The GRE header will be the one that gets modified by NAT; the internal header would not be changed.
IPsec in transport/tunnel mode by itself (no GRE) needs NAT-T to get through NAT routers.
So maybe [GRE header [IPsec header [standard header [data]]]]
is how they get around using NAT-T.
Cool, D looks good.
So u happy with GRE IPsec tunnel mode?
Q13
correct?
@kash
ya
QUESTION NO: 13
Which two restrictions must the Enterprise Campus network designer consider when evaluating
WAN connectivity options? (Choose two)
A. OSPF over multicast EMS or VPLS network may not have consistent broadcast or multicast
performance
B. IP multicast is not supported over Layer 3 MPLS VPN; instead a Layer 2 MPLS VPN must be
utilized with service provider support
C. QoS requirements with MPLS-VPN must be implemented by the service provider
D. Hierarchical VPLS designs are the least scalable
E. IGMP snooping is not an option with VPLS or EMS; instead administrative scoping or allowing
sufficient bandwidth for unnecessary multicast traffic at the edge links is required
Answer: A,C
Explanation: A,E I think; both A and E are mentioned in the student guide.
C is partly true: Layer 3 QoS (DSCP) is ISP managed on MPLS L3 and customer managed on MPLS L2.
Victor, I think now I should start studying the new jigsaw puzzle and memorize it… because now when I look at a question I have 3 options in mind:
what I learnt the first time,
what I learnt the second time,
what we all decided. I have less than 24 hours left.
I have contacted P4S as well to check the update of questions; they put priority on my questions and they said I will see it in the form of an update on P4S. I am not very optimistic about it.
Feeling better about the exam now, thanks for all the help guys.
I just have to read up on FCIP and FCoE before the test.
Also still rusty on SLB, need to check those questions now I think.
I'm offline for a while now, good luck with your exam tomorrow Kash.
page 183 study guide
Is QoS needed?
• If QoS is available from the service provider, the customer needs to decide whether to buy an MPLS service with QoS. Using Layer 3 VPNs allows the customer to implement QoS internally
This shows the ISP has to set it up.
I have failed twice; P4S is no good and won't be by tomorrow, so
look at your old score reports and check the sections you did badly at,
and those are the parts of the P4S which are no good.
For me it was the IP and Security sections.
I am in the same spot as you; I have to keep going with this until I get it, even if I go 10x.
No choice for me.
So please update tomorrow with whatever you've got, and good luck.
for me it was IP and Security
IP 33 %
Security 50 %
I have confirmed I am happy with Q13 A and C.
Don't worry, I will give you honest feedback. If I don't pass, I only have 3 days to do any 642 exam to save my CCNP and CCSP. Do you suggest any easy 642 exam?
IP 33%, Security 50%, ditto.
So if both of those can get to 75% then that will be a pass and then some, I think.
So only 1/3 of the IP questions are correct in the P4S and 1/2 the Security questions have errors.
Have we fixed 2/3 of the IP questions and 1/2 the Security questions??
If so then we are better off than the 1st time.
Back in a fair while, but back before your test.
Cya
Hmm, but I just failed with one question; I scored 748 and passing was 790.
5.8
QUESTION NO: 117
You are the network consultant from Cisco.com. Please point out two statements that correctly
describe an IPS device.
A. It resembles a Layer 2 bridge.
B. Traffic flow through the IPS resembles traffic flow through a Layer 3 router.
C. Inline interfaces which have no IP addresses cannot be detected.
D. Malicious packets that have been detected are allowed to pass through, but all subsequent
traffic is blocked.
Answer: A,C
True? Seems that something is wrong.. I don't know, but B,D looks a little better, or A,D.
bd @ q117
Page 388
An IPS resembles a Layer 2 bridge or repeater
The inline interfaces have no MAC or IP address and cannot be detected directly
hope it clarifies
@Kash
Many thanks! I am just nervous, tomorrow I have an exam too.. My 2nd attempt. I feel much better now, but maybe this is not enough to pass..
bd, what time is ur exam, where r u geographically? I am in the UK, I have the exam at 16:00 hours.
@Kash
Russia. GMT+4. Exam early morning, 14 hours left from now.
My summary for EXAM
Q9 C,E
Q17 C
Q19 A
Q40 D
Q42 B
Q49 D,F
Q51 A, C
Q56 C
Q59 A
Q64 DRAG AND DROP
Q90 C
Q97 C
Q99 B
Q156 B
Q230 B
Q243 A, C
Q249 D, F
Q267 C, D
sorry Q24 C, D
AAAH Q249 C, D
bd, can you check 249? plz
@Kash
C. only eight interfaces can belong to an asymmetric routing group
“…You can create up to 32 ASR groups and assign a maximum of 8 interfaces to each group…”
D. operational in both failover and non-failover configurations
“…In failover configurations, return traffic for a connection that originated on one unit may return through the peer unit…” About non-failover nothing. But may be true, why not. We can allow returning traffic to be accepted on the peer or not accept, I guess this is like an option. May be.
Can somebody write here an answer to D&D Q123? In my PDF version and .vce this question is of very poor quality.