Chapter Review Answers

  1. Answer: A, C. VRs add a security benefit over other solutions since the interfaces and route tables are separated from the main table. Also, VRs avoid the complexity of rib-groups that plague other solutions.

  2. Answer: C. The direction that encapsulates the packet into the IPSec tunnel should be used. In an interface-style service set, this is normally set to output whereas a next hop service set usually uses input.

  3. Answer: False. You can apply multiple proposals to the IPSec tunnel; only one proposal has to match on each side for tunnel establishment.

  4. Answer: A. You must use a next hop-style service set to support routing protocols.

  5. Answer: C. Strangely enough, after a packet gets GRE encapsulation, the incoming interface is set to the next hop outgoing interface. This causes the GRE packet to be subject to input filters and services on the outgoing interface.

  6. Answer: D. If a PC wants to be hidden from the outside world, you should deploy source NAT. This changes the “private” source IP to one or more “public” IP addresses.

  7. Answer: C. One of the most common configuration errors when making service rules is not specifying the correct direction, especially when using next hop-style service sets. Match directions often seem backward when compared to interface-style service sets. Remember that traffic mapped to the inside interface is input traffic and traffic mapped to the outside interface is output traffic.

  8. Answer: True. At the time of this writing, IPSec ...
