Ch 16: Overlay Tunnels Flashcards

Question 1

Q

What is an overlay network?

Answer

A

An overlay network is a logical or virtual network built over a physical transport network referred to as an underlay network. Overlay networks are used to overcome shortcomings of traditional networks by enabling network virtualization, segmentation, and security to make traditional networks more manageable, flexible, secure (by means of encryption), and scalable

Question 2

Q

The following are examples of overlay tunneling technologies. What are these?

GRE
IPsec
LISP
VXLAN
MPLS

Answer

A

Examples of overlay tunneling technologies include the following:

Generic Routing Encapsulation (GRE)
IP Security (IPsec)
Locator ID/Separation Protocol (LISP)
Virtual Extensible LAN (VXLAN)
Multiprotocol Label Switching (MPLS)

Question 3

Q

T/F: An overlay tunnel can be built over another overlay tunnel.

Answer

A

True.

MPLS tunneling is not supported across the Internet unless it is tunneled within another tunneling protocol, such as GRE, which can then be encrypted with IPsec (MPLS over GRE over IPsec). A key takeaway from this is that an overlay tunnel can be built over another overlay tunnel.

Question 4

Q

Fact: Different combinations of overlay tunneling and encryption technologies opened the door to next-generation overlay fabric networks such as the following acronyms. What are these?

SD-WAN
SD-Access
ACI
VTS

Answer

A

Different combinations of overlay tunneling and encryption technologies opened the door to next-generation overlay fabric networks such as:

Software-Defined WAN (SD-WAN)
Software-Defined Access (SD-Access)
Application Centric Infrastructure (ACI)
Cisco Virtual Topology System (VTS)

Question 5

Q

Which of the following commands are optional for GRE configuration? (Choose two.)

tunnel source {ip-address | interface-id}
tunnel destination ip-address
tunnel mode gre {ip | ipv6}
keepalive

Answer

A

3 and 4.

When configuring a tunnel interface, the default mode is GRE, so there is no need to specify the tunnel mode with the command tunnel mode gre {ip | ipv6}. The command is useful when the tunnel mode is changed to another type (such as IPsec) and there is a need to change the tunnel mode back to GRE.

The keepalive command is also optional. It is used to make sure the other end of the tunnel is operational. This command does not need to be configured on both ends of the tunnel in order to work.

Question 6

Q

T/F: GRE was originally created to provide transport for non-routable legacy protocols.

Answer

A

True.

GRE was originally created to provide transport for non-routable legacy protocols such as Internetwork Packet Exchange (IPX) across an IP network, and it is now more commonly used as an overlay for IPv4 and IPv6.

Question 7

Q

Which of the following should not be dynamically advertised via an IGP into a GRE tunnel?

Loopback interfaces
The GRE tunnel source interface or source IP address
Connected interfaces
The GRE tunnel IP address

Answer

A

2.

The tunnel source interface or source IP address should not be advertised into a GRE tunnel because it would cause recursive routing issues. This is the outside, routable interface.

Question 8

Q

Which of the following are modes of packet transport supported by IPsec? (Choose two.)

Tunnel mode
Transparent mode
Transport mode
Crypto mode

Answer

A

1 and 3.

Traditional IPsec provides two modes of packet transport: tunnel mode and transport mode.

Question 9

Q

Which of the following are encryption protocols that should be avoided? (Choose two.)

a. DES
b. 3DES
c. AES
d. GCM
e. GMAC

Answer

A

1 and 2.

DES and 3DES are weak encryption protocols that are no longer recommended for use.

Question 10

Q

Which of the following is the message exchange mode used to establish an IKEv1 IPsec SA?

Main mode
Aggressive mode
Quick mode
CREATE_CHILD_SA

Answer

A

3.

The message exchange method used to establish an IPsec SA for IKEv1 is known as quick mode or QM. Main mode and aggressive mode are IKEv1 methods used to establish IKE SAs. For IKEv2, IKE_Auth creates an IPsec SA. If additional IPsec SAs are needed, a CREATE_CHILD_SA exchange is used to establish them.

Question 11

Q

LISP separates IP addresses into which of the following? (Choose two.)

RLOCs
LISP entities
Subnets and hosts
EIDs

Answer

A

1 and 4.

LISP separates IP addresses into endpoint identifiers (EIDs) and routing locators (RLOCs).

Question 12

Q

What is the destination UDP port used by the LISP data plane?

a. 4341
b. 4143
c. 4342
d. 4142

Answer

A

A.

The destination UDP port used by the LISP data plane is 4341. UDP port 4342 is used for LISP’s control plane messages.

Question 13

Q

T/F: ETRs are the only devices responsible for responding to map requests originated by ITRs.

Answer

A

False.

An ETR (Egress Tunnel Router) may also request that the MS(Mapping Server) answer map requests on its behalf by setting the proxy map reply flag (P-bit) in the map register message.

ITR (Ingress Tunnel Router): An ITR is responsible for finding EID-to-RLOC mappings for all traffic destined for LISP-capable sites.

Question 14

Q

Which of the following UDP ports is the UDP port officially assigned by the IANA for VXLAN?

a. 8947
b. 4789
c. 8472
d. 4987

Answer

A

B.

The IANA’s assigned VXLAN UDP destination port is 4789, while for Linux it is port 8472. The reason for this discrepancy is that when VXLAN was first implemented in Linux, the VXLAN UDP destination port had not yet been officially assigned, and Linux decided to use port 8472 because many vendors at the time were using that value.

Question 15

Q

T/F: The VXLAN specification defines a data plane and a control plane for VXLAN.

Answer

A

False.

The VXLAN specification defines VXLAN as a data plane protocol, but it does not define a VXLAN control plane, which was left open to be used with any control plane.

Question 16

Q

T/F: A GRE tunnel has many uses but they cannot be used to tunnel traffic through a firewall or an ACL.

Answer

A

False.

Yes they can be used to tunnel traffic through a firewall or an ACL or to connect discontiguous networks, and they can even be used as networking duct tape for bad routing designs. Their most important application is that they can be used to create VPNs.

Question 17

Q

T/F: In a GRE encapsulated packet, the new IP header information allows the packet to be routed between the two tunnel endpoints without inspection of the packet’s payload.

Answer

A

True.

When a router encapsulates a packet for a GRE tunnel, it adds new header information to the packet, which contains the remote endpoint IP address as the destination.

The new IP header information allows the packet to be routed between the two tunnel endpoints without inspection of the packet’s payload.

After the packet reaches the remote endpoint, the GRE headers are removed, and the original packet is forwarded out the remote router.

Figure 16-1 illustrates an IP packet before and after GRE encapsulation.

Question 18

Q

Here are the commands to configure a GRE tunnel. Put them in order.

ip mtu mtu (optional)
interface tunnel tunnel-number
keepalive [seconds [retries]] (optional)
ip address ip-address subnet-mask
tunnel source {ip-address | interface-id}
bandwidth [1-10000000] (optional)
tunnel destination ip-address

Answer

A

The proper order is: 2, 5, 7, 4, 6, 3, 1.

The 6 steps for configuring GRE tunnels are as follows:

Create the tunnel interface by using the global configuration command interface tunnel tunnel-number.
Identify the local source of the tunnel by using the interface parameter command tunnel source {ip-address | interface-id}. The tunnel source interface indicates the interface that will be used for encapsulation and de-encapsulation of the GRE tunnel. The tunnel source can be a physical interface or a loopback interface. A loopback interface can provide reachability if one of the transport interfaces fails.
Identify the remote destination IP address by using the interface parameter command tunnel destination ip-address. The tunnel destination is the remote router’s underlay IP address toward which the local router sends GRE packets.
Allocate an IP address to the tunnel interface to the interface by using the command ip address ip-address subnet-mask.
(Optional) Define the tunnel bandwidth. Virtual interfaces do not have the concept of latency and need to have a reference bandwidth configured so that routing protocols that use bandwidth for best path calculation can make an intelligent decision. Bandwidth is also used for quality of service (QoS) configuration on the interface. Bandwidth is defined with the interface parameter command bandwidth [1-10000000], which is measured in kilobits per second.
(Optional) Specify a GRE tunnel keepalive. Tunnel interfaces are GRE point-to-point (P2P) by default, and the line protocol enters an up state when the router detects that a route to the tunnel destination exists in the routing table. If the tunnel destination is not in the routing table, the tunnel interface (line protocol) enters a down state.
- Tunnel keepalives ensure that bidirectional communication exists between tunnel endpoints to keep the line protocol up. Otherwise, the router must rely on routing protocol timers to detect a dead remote endpoint.
- Keepalives are configured with the interface parameter command keepalive [seconds [retries]]. The default timer is 10 seconds, with three retries.
(Optional) Define the IP maximum transmission unit (MTU) for the tunnel interface. The GRE tunnel adds a minimum of 24 bytes to the packet size to accommodate the headers that are added to the packet. Specifying the IP MTU on the tunnel interface has the router perform the fragmentation in advance of the host having to detect and specify the packet MTU. IP MTU is configured with the interface parameter command ip mtu mtu.

Question 19

Q

T/F: Virtual interfaces have no concept of bandwidth.

Answer

A

True.

Virtual interfaces do not have the concept of latency and need to have a reference bandwidth configured so that routing protocols that use bandwidth for best-path calculation can make an intelligent decision. Bandwidth is also used for quality of service (QoS) configuration on the interface.

Question 20

Q

T/F: A GRE tunnel source must be a physical interface.

Answer

A

False.

The tunnel source interface indicates the interface that will be used for encapsulation and de-encapsulation of the GRE tunnel. The tunnel source can be a physical interface or a loopback interface. A loopback interface can provide reachability if one of the transport interfaces fails.

Question 21

Q

T/F: The tunnel destination is the remote router’s overlay IP address toward which the local router sends GRE packets.

Answer

A

False.

The tunnel destination is the remote router’s underlay IP address toward which the local router sends GRE packets. The underlay tunnel is the physical infrastructure.

Question 22

Q

Fact: GRE tunnels need to have a working route in the route table in order to be in an up state. Why is this?

Answer

A

Tunnel interfaces are GRE point-to- point (P2P) by default, and the line protocol enters an up state when the router detects that a route to the tunnel destination exists in the routing table.

If the tunnel destination is not in the routing table, the tunnel interface (line protocol) enters a down state.

Keepalives are a solution to this problem. Tunnel keepalives ensure that bidirectional communication exists between tunnel endpoints to keep the line protocol up. Otherwise, the router must rely on routing protocol timers to detect a dead remote endpoint.

Question 23

Q

What is the minimum number of bytes that a GRE encapsulation will add to a packet?

Answer

A

The GRE tunnel adds a minimum of 24 bytes to the packet size to accommodate the headers that are added to the packet.

Question 24

Q

How much overhead is introduced to a packet with GRE encapsulation and using AES + SHA1 for security?

Answer

A

See attached figure.

Question 25

Q

Write the config for R1 and R2 so that:

OSPF is enabled on the LAN (10.0.0.0/8)
R1 ID of 1.1.1.1 - Area 1
R2 ID of 2.2.2.2 - Area 2
OSPF is enabled on the GRE tunnel (192.168.100.0/24) (Area 0)
Default routes for R1 and R2 point to their respective ISPs
Use Tunnel 100, BW=4Kbps, IPs of tunnels = .1 and .2, MTU=1400, keepalives should be sent every 5 seconds with 3 retries, Tunnel source and destination should be G0/1 on both routers.

Answer

A

Example 16-2 provides a GRE tunnel configuration for R1 and R2, following the steps for GRE configuration listed earlier in this section. OSPF is enabled on the LAN (10.0.0.0/8) and GRE tunnel (192.168.100.0/24) networks. With this configuration, R1 and R2 become direct OSPF neighbors over the GRE tunnel and learn each other’s routes. The default static routes are pointing to their respective ISP routers.

Question 26

Q

What is the command to view the state of a GRE tunnel?

Answer

A

The state of a GRE tunnel can be verified with the command:

show interface tunnel number.

Example 16-3 shows output from this command. Notice that the output includes the tunnel source and destination addresses, keepalive values (if any), the tunnel line protocol state, and the fact that the tunnel is a GRE/IP tunnel.

Question 27

Q

What would you expect to see if you ran a traceroute from 10.1.1.1 to 10.2.2.2?

Answer

A

Notice that from R1’s perspective, the 10.2.2.2 network is only one hop away.

The traceroute does not display all the hops in the underlay. In the same fashion, the packet’s time-to-live (TTL) is encapsulated as part of the payload. The original TTL decreases by only one for the GRE tunnel, regardless of the number of hops in the transport network.

Question 28

Q

What is the default TTL on a GRE tunnel?

What is the command to change the default setting of TTL?

Answer

A

During GRE encapsulation, the default GRE TTL value is 255.

The interface parameter command tunnel ttl <1-255> is used to change the GRE TTL value.

Question 29

Q

Here are two common issues with GRE tunnels. What is a quick summary of these two pesky problems?

Recursive Routing
Outbound Interface Selection

Answer

A

Recursive Routing: This happens when a routing protocol is used carelessly on a network tunnel. Care must be taken not to include the externally facing interface IP in the advertisement across the tunnel! If a router tries to reach the remote router’s encapsulating interface (transport IP address) via the tunnel (overlay network), problems will occur. Recursive routing problems are remediated by preventing the tunnel endpoint address from being advertised across the tunnel network.
Outbound Interface Selection: This is simply the wrong interface sends traffic. A very common error.

Question 30

Q

What do the following syslog error messages indicate? What is the usual cause and solution?

01: 56:39.808: %TUN-5-RECURDOWN: Tunnel100 temporarily disabled due to recursive routing
01: 56:39.811: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel100, changed state to down
01: 57:44.840: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Tunnel100 from FULL to DOWN, Neighbor Down: Interface down or detached
01: 57:44.845: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel100, changed state to up
01: 57:44.849: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Tunnel100 from LOADING to FULL, Loading Done

Answer

A

The syslog messages indicates a recursive routing issue is occurring on the tunnel. This will repeat endlessly.

For the issue shown in Example 16-6, removing the tunnel endpoint interfaces (Internet-facing interfaces) from OSPF would stabilize the topology.

Question 31

Q

List the three most insecure methods IPSec offers for both data security and protections from Man in the Middle attacks.

Answer

A

Data Encryption Standard (DES)Data confidentiality
Triple DES (3DES) (Data confidentiality
MD5 (HMAC function, Data Integrity, MitM attack mitigation)

Question 32

Q

What is HMAC?

Answer

A

Hash Message Authentication Code (HMAC). HMAC functions:

Message Digest 5 (MD5) algorithm
Secure Hash Algorithm (SHA-1)

NOTE: The use of MD5 is not recommended.

These are used for:

Data integrity
Prevents man-in-the-middle (MitM) attacks by ensuring that data has not been tampered with during its transit across an unsecure network.

Question 33

Q

What does IPSec use for data confidentiality?

Answer

A

Data Encryption Standard (DES)
Triple DES (3DES)
Advanced Encryption Standard (AES)

Note: The use of DES and 3DES is not recommended.

These standards protect data from eavesdropping attacks through encryption algorithms. Changes plaintext into encrypted ciphertext.

Question 34

Q

What are the two methods IPSec uses for Peer authentication?

Answer

A

Pre-Shared Key (PSK)
Digital certificates

Verifies the identity of the VPN peer through authentication.

Question 35

Q

What is Replay detection? How does IPSec defeat this attack?

Answer

A

Prevents MitM attacks where an attacker captures VPN traffic and replays it back to a VPN peer with the intention of building an illegitimate VPN tunnel.

Every packet is marked with a unique sequence number. A VPN device keeps track of the sequence number and does not accept a packet with a sequence number it has already processed.

Question 36

Q

IPsec uses two different packet headers to deliver the security services, what are they?

Answer

A

Authentication header
Encapsulating Security Payload (ESP)

Question 37

Q

What is the authentication header and what does it provide? Why is it not used typically?

Answer

A

The IP authentication header provides data integrity, authentication, and protection from hackers replaying packets.
The authentication header ensures that the original data packet (before encapsulation) has not been modified during transport on the public network.
It creates a digital signature similar to a checksum to ensure that the packet has not been modified, using protocol number 51 located in the IP header.
The authentication header does not support encryption (data confidentiality) and NAT traversal (NAT-T), and for this reason, its use is not recommended, unless authentication is all that is desired.

Question 38

Q

What is ESP?

Answer

A

Encapsulating Security Payload (ESP) provides data confidentiality, authentication, and protection from hackers replaying packets. Typically, payload refers to the actual data minus any headers, but in the context of ESP, the payload is the portion of the original packet that is encapsulated within the IPsec headers.

ESP ensures that the original payload (before encapsulation) maintains data confidentiality by encrypting the payload and adding a new set of headers during transport across a public network. ESP uses the protocol number 50, located in the IP header. Unlike the authentication header, ESP does provide data confidentiality and supports NAT-T.

Question 39

Q

Traditional IPsec provides two modes of packet transport. What is the difference between these two?

Tunnel mode
Transport mode

Answer

A

Tunnel mode: Encrypts the entire original packet and adds a new set of IPsec headers. These new headers are used to route the packet and also provide overlay functions.

Transport mode: Encrypts and authenticates only the packet payload. This mode does not provide overlay functions and routes based on the original IP headers.

Question 40

Q

How many bits is the key used by DES? What is the difference between DES and Triple DES?

Answer

A

Data Encryption Standard (DES): A 56-bit symmetric data encryption algorithm that can encrypt the data sent over a VPN. This algorithm is very weak and should be avoided.

Triple DES (3DES): A data encryption algorithm that runs the DES algorithm three times with three different 56-bit keys. Using this algorithm is no longer recommended. The more advanced and more efficient AES should be used instead.

Question 41

Q

What is AES?

Answer

A

Advanced Encryption Standard (AES): A symmetric encryption algorithm used for data encryption that was developed to replace DES and 3DES. AES supports key lengths of 128 bits, 192 bits, or 256 bits and is based on the Rijndael algorithm.

Question 42

Q

What is MD5?

Answer

A

Message Digest 5 (MD5): A one-way, 128-bit hash algorithm used for data authentication. Cisco devices use MD5 HMAC, which provides an additional level of protection against MitM attacks. Using this algorithm is no longer recommended, and SHA should be used instead.

Question 43

Q

What is SHA?

Answer

A

Secure Hash Algorithm (SHA): A one-way, 160-bit hash algorithm used for data authentication. Cisco devices use the SHA-1 HMAC, which provides additional protection against MitM attacks.

Question 44

Q

What is DH in IPsec? What is the significance of the DH groups? What is the purpose of DH?

Answer

A

Diffie-Hellman (DH): An asymmetric key exchange protocol that enables two peers to establish a shared secret key used by encryption algorithms such as AES over an unsecure communications channel.

A DH group refers to the length of the key (modulus size) to use for a DH key exchange. For example, group 1 uses 768 bits, group 2 uses 1024, and group 5 uses 1536, where the larger the modulus, the more secure it is.

The purpose of DH is to generate shared secret symmetric keys that are used by the two VPN peers for symmetrical algorithms, such as AES. The DH exchange itself is asymmetrical and CPU intensive, and the resulting shared secret keys that are generated are symmetrical. Cisco recommends avoiding DH groups 1, 2, and 5 and instead use DH groups 14 and higher.

Question 45

Q

What is an RSA signature?

Answer

A

RSA signatures: A public-key (digital certificates) cryptographic system used to mutually authenticate the peers.

Question 46

Q

What is a PSK?

Answer

A

Pre-Shared Key: A security mechanism in which a locally configured key is used as a credential to mutually authenticate the peers.

Question 47

Q

What is a transform set?

Answer

A

A transform set is a combination of security protocols and algorithms.

During the IPsec SA negotiation, the peers agree to use a particular transform set for protecting a particular data flow. When such a transform set is found, it is selected and applied to the IPsec SAs on both peers.

Question 48

Q

What is the transform set: esp-aes 256 esp-sha-hmac

Answer

A

esp-aes 256: ESP with the 256-bit AES encryption algorithm

esp-sha-hmac: ESP with the SHA (HMAC-Hash Method Authentication Code variant) authentication algorithm

Question 49

Q

What is IKE?

Answer

A

Internet Key Exchange (IKE) is a protocol that performs authentication between two endpoints to establish security associations (SAs), also known as IKE tunnels.

These security associations, or tunnels, are used to carry control plane and data plane traffic for IPsec.

There are two versions of IKE: IKEv1 (specified in RFC 2409) and IKEv2 (specified in RFC 7296). IKEv2 was developed to overcome the limitations of IKEv1 and provides many improvements over IKEv1’s implementation. For example, IKEv2 supports EAP (certificate-based authentication), has anti-DoS capabilities, and needs fewer messages to establish an IPsec SA.

Understanding IKEv1 is still important because some legacy infrastructures have not yet migrated to IKEv2 or have devices or features that don’t support IKEv2.

Question 50

Q

What is ISAKMP?

Answer

A

Short answer = IKE, in Cisco-speak.

Internet Security Association Key Management Protocol (ISAKMP) is a framework for authentication and key exchange between two peers to establish, modify, and tear down SAs. It is designed to support many different kinds of key exchanges. ISAKMP uses UDP port 500 for communication between peers.

IKE is the implementation of ISAKMP using the Oakley and Skeme key exchange techniques. Oakley provides perfect forward secrecy (PFS) for keys, identity protection, and authentication; Skeme provides anonymity, repudiability, and quick key refreshment. For Cisco platforms, IKE is analogous to ISAKMP, and the two terms are used interchangeably.

Question 51

Q

IKEv1 defines two phases of key negotiation for IKE and IPsec SA establishment, Phase1 and Phase2. What happens in each phase?

Answer

A

IKEv1 defines two phases of key negotiation for IKE and IPsec SA establishment:

Phase 1: Establishes one bidirectional SA between two IKE peers, known as an ISAKMP SA. Because the SA is bidirectional, once it is established, either peer may initiate negotiations for phase 2.

Phase 2: Establishes two unidirectional IPsec SAs, leveraging the ISAKMP SA established in phase 1 for the negotiation.

Question 52

Q

Phase 1 negotiation can occur using main mode (MM) or aggressive mode (AM). The peer that initiates the SA negotiation process is known as the _________, and the other peer is known as the __________.

Answer

A

Phase 1 negotiation can occur using main mode (MM) or aggressive mode (AM). The peer that initiates the SA negotiation process is known as the initiator, and the other peer is known as the responder.

Question 53

Q

Main mode consists of six message exchanges (MM1-MM6) and tries to protect all information during the ISAKMP (IKE in Cisco-land) negotiation so that no information is exposed to eavesdropping. Put their definitions in order.

This is the first message that the initiator sends to a responder. One or multiple SA proposals are offered, and the responder needs to match one of the them for this phase to succeed. The SA proposals include different combinations of the following:
- Hash algorithm: MD5 or SHA
- Encryption algorithm: DES (bad), 3DES (less bad…), or AES (best)
- Authentication method: Pre-Shared Key or digital certificates
- Diffie-Hellman (DH) group: Group 1, 2, 5, and so on.
- Lifetime: How long until this IKE Phase 1 tunnel should be torn down (default is 24 hours). This is the only parameter that does not have to exactly match with the other peer to be accepted. If the lifetime is different, the peers agree to use the smallest lifetime between them.
This message is sent from the responder to the initiator with the SA proposal that it matched.
The responder sends its own key to the initiator. At this point, encryption keys have been shared, and encryption is established for the ISAKMP SA.
The initiator starts authentication by sending the peer router its IP address.
The responder sends back a similar packet and authenticates the session. At this point, the ISAKMP SA is established.
In this message, the initiator starts the DH key exchange. This is based on the DH group the responder matches in the proposal.

Answer

A

These are almost in the right order. Number 6 and number 2 were reversed.

MM1: This is the first message that the initiator sends to a responder. One or multiple SA proposals are offered, and the responder needs to match one of the them for this phase to succeed. The SA proposals include different combinations of the following:

Hash algorithm: MD5 or SHA
Encryption algorithm: DES (bad), 3DES (less bad…), or AES (best)
Authentication method: Pre-Shared Key or digital certificates
Diffie-Hellman (DH) group: Group 1, 2, 5, and so on
Lifetime: How long until this IKE Phase 1 tunnel should be torn down (default is 24 hours). This is the only parameter that does not have to exactly match with the other peer to be accepted. If the lifetime is different, the peers agree to use the smallest lifetime between them.

MM2: This message is sent from the responder to the initiator with the SA proposal that it matched.

MM3: In this message, the initiator starts the DH key exchange. This is based on the DH group the responder matches in the proposal.

MM4: The responder sends its own key to the initiator. At this point, encryption keys have been shared, and encryption is established for the ISAKMP SA.

MM5: The initiator starts authentication by sending the peer router its IP address.

MM6: The responder sends back a similar packet and authenticates the session. At this point, the ISAKMP SA is established.

Question 54

Q

T/F: Aggressive mode consists of a three-message exchange and takes less time to negotiate keys between peers; however, it doesn’t offer the same level of encryption security provided by main mode negotiation, and the identities of the two peers trying to establish a security association are exposed to eavesdropping.

Answer

A

True.

When main mode is used, the identities of the two IKE peers are hidden. Although this mode of operation is very secure, it takes longer than aggressive mode to complete the negotiation.

These are the three aggressive mode messages:

AM1: In this message, the initiator sends all the information contained in MM1 through MM3 and MM5.

AM2: This message sends all the same information contained in MM2, MM4, and MM6.

AM3: This message sends the authentication that is contained in MM5.

Question 55

Q

What happens in Phase2?

Answer

A

Phase 2 uses the existing bidirectional IKE SA to securely exchange messages to establish one or more IPsec SAs between the two peers.

Unlike the IKE SA, which is a single bidirectional SA, a single IPsec SA negotiation results in two unidirectional IPsec SAs, one on each peer.

The method used to establish the IPsec SA is known as quick mode.

Question 56

Q

Phase2, or Quick mode, uses a three-message exchange. What happens in each of these 3 states?

QM1
QM2
QM3

Answer

A

Quick mode uses a 3-message exchange, like a 3-way handshake:

QM1: The initiator (which could be either peer) can start multiple IPsec SAs in a single exchange message. This message includes agreed-upon algorithms for encryption and integrity decided as part of phase 1, as well as what traffic is to be encrypted or secured.

QM2: This message from the responder has matching IPsec parameters.

QM3: After this message, there should be two unidirectional IPsec SAs between the two peers.

Question 57

Q

What is PFS?

What phase does this occur in?

Is it required?

What is the purpose?

Answer

A

Perfect Forward Secrecy (PFS) is an additional function for phase 2 that is recommended but is optional because it requires additional DH exchanges that require additional CPU cycles.

The goal of this function is to create greater resistance to crypto attacks and maintain the privacy of the IPsec tunnels by deriving session keys independently of any previous key. This way, a compromised key does not compromise future keys.

Question 58

Q

What is the minimum number of messages for MM and for AM?

Answer

A

Based on the minimum number of messages that aggressive, main, and quick modes may produce for IPsec SAs to be established between two peers, the following can be derived:

Main mode uses six messages, and quick mode uses three, for a total of nine messages.

Aggressive mode uses three messages, and quick mode uses three, for a total of six messages.

Question 59

Q

T/F: IKEv2 is an evolution of IKEv1 that includes many changes and improvements that simplify it and make it more efficient.

Answer

A

True.

One of the major changes has to do with the way the SAs are established. In IKEv2, communications consist of request and response pairs called exchanges and sometimes just called request/response pairs.

Question 60

Q

What is IKE_SA_INIT?

Answer

A

In IKEv2, the first exchange, IKE_SA_INIT, negotiates cryptographic algorithms, exchanges nonces, and performs a Diffie-Hellman exchange.

This is the equivalent to IKEv1’s first two pairs of messages MM1 to MM4 but done as a single request/response pair.

nonce: A word or expression coined for one-time use.

Question 61

Q

What is IKE_AUTH?

Answer

A

In IKEv2, the second exchange, IKE_AUTH, authenticates the previous messages and exchanges identities and certificates.

Then it establishes an IKE SA and a child SA (the IPsec SA). This is equivalent to IKEv1’s MM5 to MM6 as well as QM1 and QM2 but done as a single request/ response pair.

Question 62

Q

With IKEv2, it takes a total of ______ messages to bring up the bidirectional IKE SA and the unidirectional IPsec SAs, as opposed to six with IKEv1 aggressive mode or nine with IKEv1 main mode.

Question 63

Q

T/F: IKEv2 exchanges are backward compatible with IKEv1.

Answer

A

False.

Since the IKEv2 SA exchanges are completely different from those of IKEv1, they are incompatible with each other.

Table 16-5 illustrates some of the major differences between IKEv1 and IKEv2.

Question 64

Q

What is EAP?

Answer

A

Extensible Authentication Protocol (EAP): The addition of EAP made IKEv2 the perfect solution for remote-access VPNs.

EAP is an authentication framework, not a specific authentication mechanism.

EAP is not a wire protocol; instead it only defines the information from the interface and the formats. Each protocol that uses EAP defines a way to encapsulate by the user EAP messages within that protocol’s messages.

EAP is in wide use. For example, in IEEE 802.11 (WiFi) the WPA and WPA2 standards have adopted IEEE 802.1X (with various EAP types) as the canonical authentication mechanism.

Answer 64

A

Asymmetric authentication: IKEv2 removes the requirement to negotiate the authetication method and introduces the ability to specify the authentication method in the IKE_AUTH exchange.

As a result, each peer is able to choose its method of authentication. This allows for asymmetric authentication to occur, so the peers can use different authentication methods.

Answer 65

A

Simplifies configuration for hub-and-spoke and spoke-to-spoke VPNs. It accomplishes this by combining multipoint GRE (mGRE) tunnels, IPsec, and Next Hop Resolution Protocol (NHRP).

Answer 66

A

Cisco Group Encrypted Transport VPN (GET VPN) was developed specifically for enterprises to build any-to-any tunnel-less VPNs (where the original IP header is used- i.e. transport mode) across service provider MPLS networks or private WANs.

It does this without affecting any of the existing MPLS private WAN network services (such as multicast and QoS). Moreover, encryption over private networks addresses regulatory-compliance guidelines such as those in the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act, the Payment Card Industry Data Security Standard (PCI DSS), and the Gramm-Leach-Bliley Act (GLBA).

Answer 67

A

FlexVPN is Cisco’s implementation of the IKEv2 standard, featuring a unified VPN solution that combines site-to-site, remote access, hub-and-spoke topologies and partial meshes (spoke-to-spoke direct). FlexVPN offers a simple but modular framework that extensively uses virtual access interfaces while remaining compatible with legacy VPN implementations using crypto maps.

Answer 68

A

Remote Access VPN access allows remote users to securely VPN into a corporate network. It is supported on IOS with FlexVPN (IKEv2 only) and on ASA 5500-X and FirePOWER firewalls.

Answer 69

A

True.

Figure 16-4 illustrates a comparison of GRE packet encapsulation and IPsec tunnel mode with a VTI.

Answer 70

A

Crypto maps should not be used for tunnel protection because they have many limitations that are resolved with IPsec profiles, including the following:

Crypto maps cannot natively support the use of MPLS.
Configuration can become overly complex.
Crypto ACLs are commonly misconfigured.
Crypto ACL entries can consume excessive amounts of TCAM space.

Answer 71

A

The steps to enable a VTI over IPsec are very similar to those for GRE over IPsec configuration using IPsec profiles. The only difference is the addition of the command:

tunnel mode ipsec {ipv4 | ipv6} under the GRE tunnel interface to enable VTI on it and to change the packet transport mode to tunnel mode.

To revert to GRE over IPsec, the command tunnel mode gre {ip | ipv6} is used.

Answer 72

A

crypto isakmp policy 10 authentication pre-share hash sha256
encryption aes

group 14
!
crypto isakmp key CISCO123 address 100.64.2.2
!
crypto ipsec transform-set AES_SHA esp-aes esp-sha-hmac mode transport

ip access-list extended GRE_IPSEC_VPN permit gre host 100.64.1.1 host 100.64.2.2

!
crypto map VPN 10 ipsec-isakmp
match address GRE_IPSEC_VPN
set transform AES_SHA
set peer 100.64.2.2
!
interface GigabitEthernet0/1

ip address 100.64.1.1 255.255.255.252

crypto map VPN
!
interface Tunnel100

bandwidth 4000
ip address 192.168.100.1 255.255.255.0

ip mtu 1400
tunnel source GigabitEthernet0/1

tunnel destination 100.64.2.2

router ospf 1
router-id 1.1.1.1
network 10.1.1.1 0.0.0.0 area 1

network 192.168.100.1 0.0.0.0 area 0

Answer 73

A

The rapid growth of the default-free zone (DFZ), also known as the Internet routing table, led to the development of the Cisco Location/ID Separation Protocol (LISP). LISP is a routing architecture and a data and control plane protocol that was created to address routing scalability problems on the Internet:

Aggregation issues: Many routes on the Internet routing table are provider-independent routes that are non-aggregable, and this is part of the reason the Internet routing table is so large and still growing.
Traffic engineering: A common practice for ingress traffic engineering into a site is to inject more specific routes into the Internet, which exacerbates the Internet routing table aggregation/scalability problems.
Multihoming: Proper multihoming to the Internet requires a full Internet routing table (785,000 IPv4 routes at the time of writing). If a small site requires multihoming, a powerful router is needed to be able to handle the full routing table (with large memory, powerful CPUs, more TCAM, more power, cooling, and so on), which can be cost-prohibitive for deployment across small sites.
Routing instability: Internet route instability (also known as route churn) causes intensive router CPU and memory consumption, which also requires powerful routers.

Answer 74

A

Following are the definitions for the LISP architecture components illustrated in Figure 16-5.

Endpoint identifier (EID): An EID is the IP address of an endpoint within a LISP site. EIDs are the same IP addresses in use today on endpoints (IPv4 or IPv6), and they operate in the same way.

LISP site: This is the name of a site where LISP routers and EIDs reside.

Ingress tunnel router (ITR): ITRs are LISP routers that LISP-encapsulate IP packets coming from EIDs that are destined outside the LISP site.

Egress tunnel router (ETR): ETRs are LISP routers that de-encapsulate LISP- encapsulated IP packets coming from sites outside the LISP site and destined to EIDs within the LISP site.

Tunnel router (xTR): xTR refers to routers that perform ITR and ETR functions (which is most routers).

Proxy ITR (PITR): PITRs are just like ITRs but for non-LISP sites that send traffic to EID destinations.

Proxy ETR (PETR): PETRs act just like ETRs but for EIDs that send traffic to destinations at non-LISP sites.

Proxy xTR (PxTR): PxTR refers to a router that performs PITR and PETR functions.

LISP router: A LISP router is a router that performs the functions of any or all of the following: ITR, ETR, PITR, and/or PETR.

Routing locator (RLOC): An RLOC is an IPv4 or IPv6 address of an ETR that is Internet facing or network core facing.

Map server (MS): This is a network device (typically a router) that learns EID-to-prefix mapping entries from an ETR and stores them in a local EID-to-RLOC mapping database.

Map resolver (MR): This is a network device (typically a router) that receives LISP-encapsulated map requests from an ITR and finds the appropriate ETR to answer those requests by consulting the map server.

Map server/map resolver (MS/MR): When MS and the MR functions are implemented on the same device, the device is referred to as an MS/MR.

Answer 75

A

Now that the basic terminology has been described, the following three LISP main components are explained:

LISP routing architecture
LISP control plane protocol
LISP data plane protocol

Answer 76

A

In traditional routing architectures, an endpoint IP address represents the endpoint’s identity and location. If the location of the endpoint changes, its IP address also changes.

LISP separates IP addresses into endpoint identifiers (EIDs) and routing locators (RLOCs). This way, endpoints can roam from site to site, and the only thing that changes is their RLOC; the EID remains the same.

Answer 77

A

The control plane operates in a very similar manner to the Domain Name System (DNS).

Just as DNS can resolve a domain name into an IP address, LISP can resolve an EID into an RLOC by sending map requests to the MR (Map Resolver), as illustrated in Figure 16-6.

This makes it a very efficient and scalable on-demand routing protocol because it is based on a pull model, where only the routing information that is necessary is requested (as opposed to the push model of traditional routing protocols, such as BGP and OSPF, that push all the routes to the routers— including unnecessary ones).

Answer 78

A

Locator/ID Separation Protocol (LISP) (RFC 6830) is a “map-and-encapsulate” protocol which is developed by the Internet Engineering Task Force LISP Working Group.

The basic idea behind the separation is that the Internet architecture combines two functions, routing locators (where a client is attached to the network) and identifiers (who the client is) in one number space: the IP address.

LISP supports the separation of the IPv4 and IPv6 address space following a network-based map-and-encapsulate scheme (RFC 1955). In LISP, both identifiers and locators can be IP addresses or arbitrary elements like a set of GPS coordinates or a MAC address.

Answer 79

A

True.

ITRs (Ingress Tunnel Routers) LISP(Locator/Identifier Separation Protocol)-encapsulate IP packets received from EIDs(Endpoint IDentifiers) in an outer IP UDP(User Datagram Protocol) header with source and destination addresses in the RLOC(Resource LOCator) space; in other words, they perform IP-in-IP/UDP encapsulation.

The original IP header and data are preserved; this is referred to as the inner header. Between the outer UDP header and the inner header, a LISP shim header is included to encode information necessary to enable forwarding plane functionality, such as network virtualization.

Figure 16-7 illustrates the LISP packet frame format.

Answer 80

A

This field is a 24-bit value that is used to provide device and path level network virtualization.

In other words, it enables VRF and VPNs for virtualization and segmentation much as VPN IDs do for MPLS networks. This is useful in preventing IP address duplication within a LISP site or just as a secure boundary between multiple organizations.

Answer 81

A

True.

Because EIDs and RLOCs can be either IPv4 or IPv6 addresses, the LISP data plane supports the following encapsulation combinations:

IPv4 RLOCs encapsulating IPv4 EIDs
IPv4 RLOCs encapsulating IPv6 EIDs

Answer 82

A

False.

When setting up LISP, the ETR(Egress Tunnel Router) routers need to be configured with the EID(EndPoint IDentifier) prefixes within the LISP site that will be registered with the MS (Map Server).

Answer 83

A

VXLAN, Virtually Extensible LAN, is an overlay data plane encapsulation scheme that was developed to address the various issues seen in traditional Layer 2 networks. It extends Layer 2 and Layer 3 overlay networks over a Layer 3 underlay network, using MAC-in-IP/UDP tunneling. Each overlay is termed a VXLAN segment.

Answer 84

A

The Internet Assigned Numbers Authority (IANA) assigned to VXLAN the UDP destina- tion port 4789; the default UDP destination port used by Linux is 8472.

The reason for this discrepancy is that when VXLAN was first implemented in Linux, the VXLAN UDP desti- nation port had not yet been officially assigned, and Linux decided to use port 8472 since many vendors at the time were using UDP destination port 8472. Later, IANA assigned port 4789 for VXLAN, and to avoid breaking existing deployments, Linux distributions decided to leave port 8472 as the default value. Figure 16-13 illustrates the VXLAN packet format.

Answer 85

A

Unlike the VLAN ID, which has only 12 bits and allows for 4000 VLANs, VXLAN has a 24-bit VXLAN network identifier (VNI), which allows for up to 16 million VXLAN segments (more commonly known as overlay networks) to coexist within the same infrastructure.

Answer 86

A

The 24-bit VNI(Virtual Network Identifier) field is located in the VXLAN shim header that encapsulates the original inner MAC frame originated by an endpoint.

The VNI is used to provide segmentation for Layer 2 and Layer 3 traffic.

Answer 87

A

VTEPs are entities that originate or terminate VXLAN tunnels. They map Layer 2 and Layer 3 packets to the VNI to be used in the overlay network.

Each VTEP has two interfaces:

Local LAN interfaces: These interfaces on the local LAN segment provide bridging between local hosts.
IP interface: This is a core-facing network interface for VXLAN. The IP interface’s IP address helps identify the VTEP in the network. It is also used for VXLAN traffic encapsulation and de-encapsulation.

Figure 16-14 illustrates the VXLAN VTEP with the IP interface and the local LAN interface.

Answer 88

A

True.

The VXLAN standard defines VXLAN as a data plane protocol, but it does not define a VXLAN control plane; it was left open to be used with any control plane. Currently four different VXLAN control and data planes are supported by Cisco devices:

VXLAN with Multicast underlay
VXLAN with static unicast VXLAN tunnels
VXLAN with MP-BGP EVPN control plane
VXLAN with LISP control plane

MP-BGP EVPN and Multicast are the most popular control planes used for data center and private cloud environments. For campus environments, VXLAN with a LISP control plane is the preferred choice.

Answer 89

A

Cisco Software Defined Access (SD-Access) is an example of an implementation of VXLAN with the LISP control plane.

As illustrated in Figure 16-15, LISP encapsulation is only capable of performing IP-in-IP/ UDP encapsulation, which allows it to support Layer 3 overlays only, while VXLAN encapsulation is capable of encapsulating the original Ethernet header to perform MAC-in-IP encapsulation, which allows it to support Layer 2 and Layer 3 overlays.

Answer 90

A

interface tunnel tunnel-number

Answer 91

A

keepalive [seconds [retries]]

Answer 92

A

crypto map map-name seq-num [ipsec-isakmp]

Answer 93

A

crypto map map-name

Answer 94

A

crypto ipsec profile ipsec-profile-name

Answer 95

A

tunnel protection ipsec profile profile-name

Answer 96

A

tunnel mode ipsec {ipv4 | ipv6}

Answer 97

A

tunnel mode gre {ip | ipv6}

Answer 98

A

show crypto isakmp sa

Answer 99

A

show crypto ipsec sa

Brainscape's Knowledge GenomeTM

Ch 16: Overlay Tunnels Flashcards

Brainscape's Knowledge Genome^TM