Chapter 6. IPS-Only Deployment in Inline Mode Flashcards
1.Which of the following statements is false?
A. A threat defense supports NAT in the inline mode.
B. An inline set is a logical group of one or more interface pairs.
C. A threat defense does not support blocking with reset or interactive blocking.
D. Both inline mode and transparent mode work like bump in the wire.
A. You can enable Network Address Translation (NAT) in the transparent mode; however, a threat defense does not support NAT in the inline mode.
2.Which of the following options offer better handling of traffic in an IPS-only deployment?
A. Enabling portfast on the switch ports that are connected to the inline interface pair.
B. Enabling the fail open features for the inline interface set.
C. Allowing the inline set to propagate its link state.
D. All of these answers are correct.
D. All of these answers are correct. Enabling portfast on the switch ports where inline interfaces are connected allows those switch ports to transition to the forwarding state immediately and reduces hardware bypass time. Also, enabling the fail open features for the inline interface set allows a threat defense to continue moving traffic through it without any interruption in case of an inspection failure. Finally, allowing the inline set to propagate its link state reduces the routing convergence time when one of the interfaces in an inline set goes down.
3.Which of the following statements is true?
A. The steps to configure inline mode and transparent mode are identical.
B. An inline pair uses loopback IP addresses to transfer traffic.
C. The Snort fail open feature is enabled on an inline set by default.
D. The Propagate Link State feature is not enabled by default on an inline set.
D. The Propagate Link State feature is not enabled by default on an inline set.
4.Which of the following statements is true?
A. You should include both interface pairs in the same inline set to ensure the recognition of asynchronous traffic.
B. The fail open feature allows a threat defense device to continue its traffic flow through the device by bypassing the detection.
C. Propagate Link State reduces the routing convergence time when one of the interfaces in an inline set goes down.
D. All of these answers are correct.
D. All of these answers are correct. Both interface pairs should be included in the same inline set to ensure the recognition of asynchronous traffic. Also, the fail open feature allows a threat defense to continue its traffic flow through the device by bypassing the detection. Finally, Propagate Link State reduces the routing convergence time when one of the interfaces in an inline set goes down.
5.Which command displays the advanced settings of an inline interface set?
A. show interface ip brief
B. show inline-set
C. show interface detail
D. show interface inline detail
B. The show inline-set command displays the advanced settings of an inline interface set.
