15 - Private WANs with Internet VPN

Question 1

What device do Telcos use to split out Internet traffic from analog voice?

Answer 1

DSLAM

Question 2

What features or Goals can an Internet VPN provide?

Answer 2

• Confidentiality
• Authentication
• Data Integrity
• Anti-replay

Question 3

What is IPSEC?

Answer 3

An architecture or framework for Security Services for IP Networks. It defines how two Internet-connected devices can achieve the goals of a VPN.

Question 4

What does GRE stand for?

Answer 4

Generic Routing Encapsulation

Question 5

In GRE what is the delivery header?

Answer 5

Uses IP addresses from the Unsecured Network to allow routers to route the packet over the Internet

Question 6

What are the commands to build a GRE tunnel on router1?

Answer 6

• int s0/1
  
  • ip address 1.1.1.1 255.255.255.0
  • exit
• int tun0
  
  • ip address 10.1.3.1 255.255.255.0
  • tunnel mode gre ip
  • tunnel source s0/1
  • tunnel destination 2.2.2.2

Question 7

What are the commands to build a GRE tunnel on router2?

Answer 7

• int s1/1
  
  • ip address 2.2.2.2 255.255.255.0
  • exit
• int tun0
  
  • ip address 10.1.3.2 255.255.255.0
  • tunnel mode gre ip
  • tunnel source s1/1
  • tunnel destination 1.1.1.1

Question 8

Will a router filter an outbound VPN tunnel?

Answer 8

No, routers don’t filter packets that are created locally on the router. They will however filter an inbound packet.

Question 9

What are the commands necessary to build a GRE tunnel?

Answer 9

• public IP on the outside interface
• create tunnel interface
• private IP addresss
• tunnel mode gre ip
• tunnel source (public IP address on the outside interface)
• tunnel destination (remote public IP address)

Question 10

Will a VPN tunnel get built if the local router doesn’t have a route to the remote router public IP?

Answer 10

No.

Question 11

What would an ACL need to say to permit GRE?

Answer 11

permit gre any any

Question 12

What protocol and port does GRE use?

Answer 12

IP 47

Question 13

What is an NHRP server

Answer 13

server process on a DMVPN Hub router that provides tunnel IP and public IP address info of any other DMVPN router thus allowing router R2 to build a VPN tunnel to R3

Question 14

What is PPPoE?

Answer 14

PPP over Ethernet

Question 15

For PPPoE, what 6 commands are needed on the dialer interface?

Answer 15

• ip address negotiated
• mtu 1492
• encap ppp
• ppp chap hostname fred
• ppp chap password barney
• dialer pool 1

Question 16

For PPPoE, what 2 commands are needed on the physical interface?

Answer 16

* no ip address * ppp-client dial-pool-number 1

Question 17

For PPPoE, what command on the physical interface is auto-generated?

Answer 17

pppoe enable

Question 18

For PPPoE Verification what is the PPPoE Session:

Answer 18

IOS generated session that acts to implement PPP and PPPoE specifics such as session logic, status from IPCPs, sends and receives PPPoE messages to/from the ISP

Question 19

For PPPoE Verification what is the Virtual Access Interface?

Answer 19

If PPPoE reaches the desired ‘UP’ state, a Virtual Access Interface is created that Binds itself with the Dialer interface and Physical interface.

Question 20

What are 2 ‘show’ commands to verify the PPPoE configuration

Answer 20

* show interfaces dialer 2 * show interfaces virtual-access 2 config

Question 21

What is the ‘show’ command to check the PPPoE session status?

Answer 21

* show pppoe session interface gig0/1

Question 22

What ‘show’ command verifies L3 status?

Answer 22

* show ip route

Question 23

When troubleshooting PPPoE what is a good approach?

Answer 23

Layer 1 first, layer 2, then layer 3

Question 24

What should ‘show interfaces dialer2’ show?

Answer 24

up/up(spoofing)

Question 25

For PPPoE what commands enable layer 1?

Answer 25

* int dialer1 created * under dialer1 interface * dial pool 1 * under physical interface gig0/1 * pppoe-client dial-pool-number 1

Question 26

For PPPoE what commands enable layer 2?

Answer 26

* under dialer interface * encap ppp * ppp chap hostname fred *ppp chap password barney

Question 27

For PPPoE what commands enable layer 3?

Answer 27

* under dialer interface * ip address negotiated * mtu 1492 * under gig0/1 * no ip address

Question 28

For PPPoE what indicates layer 1 is not working?

Answer 28

show pppoe session’ gives no lines of output

Question 29

For PPPoE what indicates layer 1 is working but layer 2 is not?

Answer 29

* ‘show pppoe session’ shows no mac addresses, virtual access interface shows N/A, and state/type says PADISNT * show int dialer2 shows both line and protocol states as UP (Spoofing)

Question 30

For PPPoE what indicates layer 2 is working but layer 3 is not?

Answer 30

* show int dialer2 shows info for only dialer2 interface, nothing about the vi interface, no IP address for dialer2 * show pppoe session int gig0/1 shows MAC addresses, show Vi interface state as UP

Question 31

For PPPoE what indicates layer 3 is working

Answer 31

* show int dialer2 shows UP/UP (spoofing), show IP address and MTU 1492, shows encap PPP with LCP Closed, show info for Vi2 encap PPP, LCP Open, PPPoE vaccess, cloned from dialer2, interface is bound to Di2 (encap ppp) * show ip route shows the expected routes

Question 32

What are possible indications of bad username or password?

Answer 32

* layer 2 not working * show pppoe session lists physical interface and dialer interface but no Vi