Brocade Certified Layer 4-7 Professional Practice Questions w/answers For Exam

Transcription

1 Brocade Certified Layer 4-7 Professional Practice Questions w/answers For Exam

2 Section 1 1) A user is able to perform all configuration functions through the Web GUI even though RADIUS command authorization is enabled and restricted for this user. Which statement describes what is happening? A) The Web server option is not configured in the aaa authentication command. B) No command authorization is performed for the Web GUI. C) The Web server option is not configured in the aaa authorization command. D) The Web GUI does not support RADIUS. RADIUS authentication is not supported for Web management (GUI) access on the ServerIron ADX. 2) user=bob { default service = permit member admin # Global password global = cleartext "cat" service = exec { privlvl = 15 brocade-privlvl = 4 }} Referring to the output, which statement is true regarding the TACACS+ server configuration? A) The user bob will be granted super-user access to the Brocade ADX. B) The user bob will be granted port-config level access to the Brocade ADX. C) The user bob will be granted read-only access to the Brocade ADX. D) The user bob will be denied access. The value in the brocade-privlvl A-V pair is an integer that indicates the privilege level of the user. Possible values are 0 for super-user level, 4 for port-config level, or 5 for read-only level. If a value other than 0, 4, or 5 is specified, the default privilege level of 5 (read-only) is used. 3) Which statistical data can be viewed graphically on the Brocade ADX GUI? (Choose three.) A) Traffic statistics for real server B) virtual server port C) SSL acceleration D) global traffic statistics E) certificate requests The ServerIron ADX GUI can display graphical information for global traffic statistics, or real server and virtual server port information.

3 4) The Brocade ADX GUI in the exhibit is used to accomplish which objective? A) Generate a request for a SSL key that will be sent to a CA to be digitally signed. B) Generate a self-signed SSL key. C) Generate a request for a certificate that will be sent to a CA to be digitally signed. D) Generate a request for a self-signed certificate that will be sent to a CA to be digitally signed. To generate a request for a certificate that will be sent to a CA to be digitally signed, perform the following tasks: 1. Click Security in the context bar and select SSL Traffic Management. 2. Click the Certificates tab. 3. Click the down arrow next to Certificate Signing Request (CSR) Generation. Section 2 5) A customer has a mixture of old and new Web servers associated with a single VIP. After performance testing in the lab it is determined that the new servers can handle twice as much traffic as the old servers. Currently the older servers are failing Layer 7 HTTP Health Checks and the users are seeing intermittent Web application speed issues. Which two methods can the customer use to keep the old servers from being overloaded with requests? (Choose two.) A) Set the interval and retries under the port 80 attributes to reflect suitable response latency. B) Limit the maximum number of connections allowed on each real server associated with the old servers. C) Limit the maximum number of connections allowed on the virtual server associated with the older servers. D) Increase the ping interval and retries under the port 80 attributes to keep the servers from failing Layer 7 Health Checks. Increasing the number of seconds between health checks (interval), and the number of times the ServerIron ADX re-attempts a Health Check (retries), will give the old servers more time to respond to Health Checks. By limiting the maximum number of connections allowed on the old servers you can avoid a condition where the capacity threshold of the real server is exceeded and it is not responding to Layer 7 Health Checks.

4 6) server real WEB port http port http keepalive port http url "GET /" port http content-match m1 http match-list m1 down simple "Unable to connect to the database" Referring to the configuration shown in the exhibit, the real server is failing its Health Check. What are two reasons for the failure? (Choose two.) A) The root page is a redirect. B) The information in the match list is not present in the returned page. C) Lower level Health Checks are failing before it gets to Layer 7. D) You have not enabled Layer 7 health checking. The match list m1 would cause the ServerIron ADX to mark the port failed if the text "Unable to connect to the database" is found at the beginning of the reply from the server. If the text is not found, the ServerIron ADX would mark the port UP, as the default is UP. 7) The Brocade ADX is using the default settings. You bind a real server to a virtual server and the application port is unknown. Which statement is true regarding the Layer 4 Health Check behavior? A) The Brocade ADX will periodic perform Health Checks. B) The Brocade ADX will perform an initial Health Check. C) The Brocade ADX will perform alternate Health Checks. D) The Brocade ADX will not perform any Health Checks. When you bind a real server to a virtual server, the ServerIron ADX performs either a Layer 4 TCP Health Check, a Layer 4 UDP Health Check, or a Layer 7 health check to bring up the application port. If the application port is not one of the applications that is known to the ServerIron ADX, it uses a Layer 4 Health Check. Otherwise, the ServerIron ADX uses a Layer 7 Health Check for the known application port. By default, the ServerIron ADX does not repeat the initial Layer 4 Health Check after bringing up the port when you bind the real server to the virtual server. 8) Which Health Check begins when you bind a real server to a virtual server and the application port is not known? A) Layer 2 B) Layer 3 C) Layer 4 D) Layer 7 When you bind a real server to a virtual server, the ServerIron ADX performs either a Layer 4 TCP Health Check, a Layer 4 UDP health check, or a Layer 7 Health Check to bring up the application port. If the application port is not one of the applications that is known to the ServerIron ADX, it uses a Layer 4 Health Check. Otherwise, the ServerIron ADX uses a Layer 7 Health Check for the known application port.

5 Section 3 9) Your customer would like to disable Layer 7 Health Checks on their real servers for the HTTP port. They have implemented the port profile shown below but still see Layer 7 Health Checks when they bind the real servers to the virtual servers. server port http tcp l4-check only Which command will resolve their issue? A) l7-check-only for the HTTP port profile. B) port http l4-check-only for each virtual server. C) tcp keepalive disable for each real server. D) port http l4-check-only for each real server. port http l4-check-only configures the ServerIron ADX to use Layer 4 keepalive Health Checks for the HTTP port, instead of Layer 7 Health Checks. 10) server real r port http port http url "test1.html" port 8080 port 8080 url "test2.html" server virtual VIP port http bind http r1 http server virtual VIP port http bind http r no port http translate Referring to the exhibit, which command will ensure that VIP2 goes down when r1 fails Layer 7 Health Check? A) port http-use-alias-port-state under virtual server VIP1 B) tcp keepalive use-master-state under the port 8080 profile C) no port http translate under real server r1 D) port http-use-alias-port-state under server port 8080 To configure an alias port s health to be based on its master port s health, edit the alias port s profile by entering commands such as thse: ServerIronADX(config)#server port 8080 ServerIronADX(config-port-8080)#tcp keepalive use-master-state

6 11) You are configuring IPv4 VRRP-E on a Brocade ADX running Layer 3 firmware. Which three are available for tracking? (Choose three.) A) individual ports B) multiport trunks C) barrel processors D) upstream router reachability E) real server reachability When configuring VRRP-E on a ServerIron ADX running Layer 3 software, you can track individual ports, trunk ports and barrel processors (BPs): Syntax: track-port ethernet <portnum> ve <num> Syntax: [no] track-trunk-port ethernet <portnum> Syntax: [no] track-bp bp-priority <priority-value> 12) Which statement is true about Route Health Injection (RHI) configuration for real servers? A) The Brocade ADX and the server must be in the same subnet. B) You must use the same switch port for OSPF and for the globally-distributed SLB. C) The management station must be on the same subnet. D) The host with the highest metric appears in the client's routing table. For RHI the ServerIron ADX must be in the same subnet as the router. 13) Which two commands will provide an IPv6 route? (Choose two.) A) ipv6 route 700::/64 400::212:f2ff:fea8:1400 B) ipv6 route 2000:7838::/32 400::212:f2ff:fea8:1400 C) ipv6 route 700::/64 400:::f2ff:fea8:1400 D) ipv6 route 2000:7838::/32 400::f2ff:fea8:1400/34 Syntax: ipv6 route <dest-ipv6-prefix>/<prefix-length> <next-hop-ipv6-address> [<metric>] [distance <number>] To make the address less cumbersome, you can do the following: Omit the leading zeros; for example, 2001:db8:0:0:200:2d:d0ff:fe48:4672. Compress the successive groups of zeros at the beginning, middle, or end of an IPv6 address with two colons (::). This can only be once per address; for example, 2001:db8::200:2d:d0ff:fe48: ) Which two features are supported for IPv6 for Brocade ADX SLB? (Choose two.) A) real server hardware DSR B) stateless SLB C) syn-proxy D) Transparent Cache Switching A ServerIron ADX supports IPv6 stateless SLB and Transparent Cache Switching (TCS) for IPv6 cache servers.

7 15) What are three ways that you can create an SLB policy-list? (Choose three.) A) Use the CLI. B) Use the Brocade ADX GUI. C) Use IronView Network Manager. D) Download the file from TFTP. E) Use a USB flash. A policy list can be created in three ways depending on the number of policies being defined: If the number of policies is small, you can create the policy list file using the CLI. If the number of policies is large, you can download the policy list file from a TFTP server or a USB flash. 16) ServerIronADX(config)# server real rsa ServerIronADX(config-rs-rsA)# weight 1 ServerIronADX(config-rs-rsA)# exit ServerIronADX(config)# server real rsb ServerIronADX(config-rs-rsB)# weight 2 ServerIronADX(config-rs-rsB)# exit ServerIronADX(config)# server real rsc ServerIronADX(config-rs-rsC)# weight 3 ServerIronADX(config-rs-rsC)# exit The weights for rsa, rsb, and rsc are configured as shown in the exhibit. The configured server predictor is weighted. Where are the first three server requests sent? A) The first request is sent to server rsa, the second request is sent to server rsb and the third request is sent to server rsc. B) The first request is sent to server rsc, the second request is sent to server rsb and the third request is sent to server rsa. C) All three requests will be sent to server rsa. D) All three requests will be sent to server rsc. Weighted and Enhanced Weighted load balancing predictors assign a performance weight to each server. Weighted and Enhanced load balancing are similar to least connections, except that servers with a higher weight value receive a larger percentage of connections at a time. Assign a weight to each real server, and that weight determines the percentage of the current connections that are given to each server. The <weight-value> parameter specifies the real server s weight relative to other real servers in terms of the number of connections on the server. More precisely, this weight is based on the number of session table entries the ServerIron ADX has for TCP or UDP sessions with the real server. You can specify a value from 0 through The default is 1.

8 17) Which two statements are true about symmetric server load balancing active-standby? (Choose two.) A) Dual Brocade ADXs cannot share active loads. B) They support more connections, more throughput. C) The same application cannot be mapped to 2 or more VIPs. D) Both are active and continue to be a backup for each other in case the other fails. Symmetric-active is also called as active-standby VIP. Both ServerIron ADXs can receive SLB traffic, but only the active VIP handles the L4-7 SLB, while the standby VIP functions as a standby. The VIP with the highest configured sym-priority handles the flow. Symmetric SLB is supported in both Switch (S) code and Router (R) code. An active-standby topology can handle more connections and throughput than a hotstandby configuration where only one ADX is active at a time. Section 4 18) Your customer wants all references to in response data replaced with " Which type of HTTP rewrite policy will accomplish this request? A) HTTP response-header rewrite B) HTTP response-body rewrite C) HTTP type response-rewrite D) HTTP default rewrite A response-body rewrite configuration replaces all references to with in all response data. In other words, the data "href=' becomes "href= 19) A customer plans to introduce content switching to their network. The HTTP version being used in the network is 1.0. The customer creates the rule shown below, and finds that it does not work: (config)# csw-rule r4 header host exists What could be the reason? A) The syntax of the rule is not correct. B) No header should ever be used in a rule in HTTP 1.0. C) The host header is not defined for HTTP 1.0. D) CSW does not work for HTTP 1.0. The csw-rule command creates a rule that matches if an incoming packet contains an HTTP host header field. HTTP 1.0 does not officially require a Host header but the ServerIron ADX is expecting to see a Host header.

9 Section 5 20) Given the commands shown below: gslb policy dns cache-proxy round-trip-time active-rtt use-active-rtts-only Which statement is true? A) Round trip time is measured between a client PC and a GSLB site Brocade ADX. B) Round trip time is measured between a local DNS server and a GSLB site Brocade ADX. C) Round trip time is measured between a client PC and the GSLB controller Brocade ADX. D) Round trip time is measured between a local DNS server and the GSLB controller Brocade ADX. dns cache-proxy enables the ServerIron ADX to act as a proxy for a DNS server, by responding directly to the client queries without forwarding them to the DNS server. round-trip-time active-rtt useactive-rtts-only RTT algorithm selection based only on active RTT values (Mode 2) Only RTT values that were gathered actively by Site ServerIron ADXs will be used in determining the optimal IP address. 21) You want to perform GSLB for the domain brocade.com and already have an authoritative DNS server. The DNS server IP should remain the same and you do not want to register a new DNS server IP to a domain name registrar. Which GSLB feature can satisfy the requirement? A) proxy B) cache-proxy C) override D) transparent-intercept To configure transparent DNS query intercept to directly respond to queries using IP addresses configured on the ServerIron ADX, do the following: Configure a virtual server with the IP address of the authoritative DNS server that you want to intercept Specify the domain name and host application for which you want to intercept queries Enable the DNS transparent intercept feature Configure an IP policy to examine incoming DNS packets Enable dns transparent-intercept in the GSLB policy

10 Section 6 22) A browser exchanges several ciphers using SSL v2.0 with a server. There is a hacker initiating a man-inthe-middle attack. Which two statements are true? (Choose two.) A) The server code will reject the SSL offer. B) The attacker could use a brute force attack. C) The attacker could mount a cipher downgrade attack. D) The attacker could use a truncation attack. The symmetric key algorithms used in SSL v2.0 are without the benefit of asymmetric key protection, they come before the _WITH_ and SSL v2.0 uses them to encrypt the data; unlike SSL v3.0 data, SSL v2.0 data is open to brute force attacks, without Public/Private key protection. SSL v2.0 has no handshake protection and attackers can force parties to negotiate a weaker cipher even if they both support stronger ciphers (a downgrade attack). 23) Which type of key is used for bulk encryption? A) asymmetric key B) secure key C) symmetric key D) primary key Symmetric key is changed every session. If someone is able to get the symmetric key by a brute force attack, they cannot use it for the next session because the key is changed every session. Symmetric, Secret key is the best and is used for bulk encryption. 24) You perform SLB across real servers and want to encrypt data all the way to real servers from clients. Clients use SSL to access a VIP on a Brocade ADX. You do not need any manipulation over data. Which feature will minimize the configuration on the ADX while meeting the requirement? A) SSL termination B) SSL proxy C) Layer 4 SLB for port SSL D) Layer 7 SLB for port SSL When used in conjunction with SSL termination, SSL proxy provides an end-to-end SSL solution by encrypting traffic from the ADX to a Server. In the end-to-end solution, the traffic can be divided into two segments: Client to ADX, and ADX to server.

11 25) You are required to configure an HTTP TRL policy with a client rate limit on a Brocade ADX. Referring to the graphic which three procedures should you perform? (Choose three.) A) Define an HTTP TRL policy. B) Configure an HTTP TRL default maximum connection. C) Configure an HTTP TRL client rate limit. D) Configure the action to take if a client exceeds the configured rate limit. E) Configure an HTTP TRL default rate limit. The transaction rate limit parameters are grouped into a set and each set is associated with a name. To create a set of transaction rate limit rules, follow these steps: 1. Configure name of the set and enter client transaction rate limit configuration mode. ServerIronADX(config)#client-trans-rate-limit tcp TRL1 Syntax: [no] client-trans-rate-limit tcp udp icmp <name> 2. Specify the trl keyword for client subnet and set connection rate. ServerIronADX(config-client-trl-trl1)#trl monitor-interval 3 conn-rate 10 holddown-time 1 Syntax: [no] trl { <client-ipv4> <client-mask> <client-ipv6> <prefix> } monitorinterval <mon-value> conn-rate <con-value> hold-down-time <hold-down-value>

12 Section 7 26) After configuring rule-based ACLs, the network administrator wants to implement tighter control on all packet fragments on port e1/1 by executing the commands shown below: ServerIron(config)# interface ethernet 1/1 ServerIron(config-if-1/1)# ip access-group frag inspect Which three statements are true? (Choose three.) A) CPU filtering of packet fragments on port e1/1 is enabled. B) e1/1 will send all the fragments of all packets to the CPU. C) e1/1 will send all the fragments of a fragmented packet to the CPU. D) e1/1 will send all fragments of a fragmented packet in hardware. E) The CPU acts on each fragment according to the rule-based ACL applied to e1/1. For tighter control, you can enable CPU filtering of all packet fragments on a port. When you enable CPU filtering, the port sends all the fragments of a fragmented packet to the CPU. The CPU then permits or denies each fragment according to the ACL applied to the port. You can enable CPU filtering of fragments on individual ports. 27) DNS resolutions are taking too much time. After inspecting the DNS server, it shows 100% CPU usage. You are suspicious about a hacker attacking it. Which feature can be configured in the Brocade ADX to protect the DNS server? A) Enable SYN-Defense under the physical interface. B) Enable SYN-Proxy under the physical interface. C) Enable Transaction Rate Limiting (TRL) under the real server mode. D) Enable Connection Rate Limiting (CRL) under the real server mode. CRL is designed to provide DoS attack protection from clients that completely establish TCP connections but have the same goal of crippling the servers. Using CRL, the number of connections a client can establish per second is limited to a user-configured threshold.

13 Section 8 28) You notice performance issues when accessing your real servers. You verify the status of your Brocade ServerIron ADX and see that the server is marked as "Active". Shortly after, the server is marked as "Failed" and then "Active" again. You execute the command server no-fast-bringup and the condition stops. There was a successful Layer 4 Health Check followed by an unsuccessful Layer 7 Health Check. Why did this happen? A) The Brocade ADX does not continue to run Layer 4 and 7 Health Checks. server no-fast-bringup command will delay the marking of the port as active until both initial Layer 4 and 7 Health Checks are completed. B) The Brocade ADX does not continue to run Layer 4 and 7 Health Checks. server no-fast-bringup command will mark the port as active until both initial Layer 4 and 7 Health Checks are completed. C) The Brocade ADX continues to run Layer 4 and 7 Health Checks. server no-fast-bringup command will mark the port as active until all the Health Checks are completed. D) The Brocade ADX continues to run Layer 4 and 7 Health Checks. server no-fast-bringup command will delay the marking of the port as active until all the Health Checks are completed. The no-fast-bringup command prevents the ServerIron ADX from marking a port ACTIVE until it passes both Layer 4 and Layer 7 Health Checks. 29) You have been told that traffic from a particular IP address is not reaching any of the servers. Which three need to be executed to view packets traversing the Brocade ServerIron ADX? (Choose three.) A) filter packet B) debug filter C) buffer-size 128 D) start E) monitor You have to do the following to use the ServerIron ADX packet capture utility (debug filter): 1. enter utility (debug filter) 2. configure capture buffer (buffer-size <number in Kilobytes>) 3. specify packet size to capture (packet-size <number in decimal or whole >) 4. specify filters (specify <filter-id>) 5. apply filters (apply <filter-id>) 6. start capturing process (start) 7. stop capturing process (stop) 8. view captured packets (view <mp/bp/lc/sf>)

14 30) ServerIron ADX# rconsole 1 1 ServerIron ADX1/1# show ssl authentication-stats SSL certificate verification counters: Success : Failure : 387 Unknown user : 0 Signature failed : 0 Certificate expired : 387 Certificate revoked : 0 Cert not yet valid : 0 Cert signature failed : 0 Issuer pubkey decode fail : 0 Self signed cert : Issuer cert not found : 0 Subject Issuer mismatch : 0 Certificate untrusted : 0 Cert chain too long : 0 Cert not sent by peer : 0 CRL counters: CRL load failed : 0 CRL signature failed : 0 CRL not found : 0 CRL not yet valid : 0 CRL expired : You have been performing SSL-Proxy on your Brocade ADX for nine months with no problems. Suddenly, it no longer works. Referring to the output, what is the cause of the outage? A) The certificate on the client browser has expired. B) The certificate on the Brocade ADX has expired. C) The certificates on the real servers have expired. D) The CA certificate on the client browser has expired. The output shows 387 failed connections and 387 Certificate expired errors. 31) The error shown below has been reported on your Brocade ADX syslog: 00d00h08m34s:W:Port 80 on server r20: : Avg response time 27 exceeded lower threshold What does the error mean? A) The response-time shutdown threshold has been met and the server will continue receiving traffic. B) The response-time warning threshold has been exceeded and the server will continue receiving traffic. C) The response-time shutdown threshold has been exceeded and the server will be excluded from SLB. D) The response-time shutdown threshold has been exceeded and the server will continue receiving traffic. The ServerIron ADX compares the calculated response time and compares that with the configured response threshold. If the calculated response time is greater than the configured response threshold, the port is marked down.