Ch 2 - Remote Site Connectivity Flashcards

1
Q

T/F: An L2 VPN allows routers at different sites to form L2 adjacencies as if they were on the same segment.

A

True. An L2 VPN behaves much like an L2 switch.

2
Q

What type of VPN allows a Provider Edge (PE) router to establish a peering connection with a Customer Edge (CE) router?

A

L3 VPN. Routes are learned by the PE and sent to the CE router on the end of the circuit. Typically MP-BGP.

3
Q

What is an ELSR?

A

Edge Label Switch Router. This is synonymous with a Provider Edge or PE router.

4
Q

T/F: GRE can encapsulate any L3 protocol.

A

True.

5
Q

T/F: IPsec can protect multicast packets.

A

False. IPsec only protects unicast IP packets.

6
Q

T/F: GRE can encapsulate multicast packets.

A

True. Routing protocols work over GRE tunnels.

7
Q

How do you establish a virtual tunnel interface?

A

R1(config)# interface tunnel 0

8
Q

Is it possible to use a virtual interface for a GRE tunnel source?

A

Yes. Loopbacks are valid tunnel source interfaces.

9
Q

Imagine a scenario of four routers connected in series, i.e. RT1 - RT2 - RT3 - RT4, and a GRE tunnel is established between RT1 and RT4 (skipping RT2 and RT3). How many hops show if you traceroute between the two tunnel endpoints?

A

1 hop. GRE endpoints seem to be separated by 1 hop regardless of how many routers are in between.

10
Q

T/F: A router can support multiple tunnels on a single interface.

A

True. mGRE (Multipoint GRE) makes this possible.

11
Q

What protocol is used by DMVPN to discover the IP address at the far end of a tunnel so that a tunnel can be dynamically formed?

A

NHRP. Next Hop Resolution Protocol.

12
Q

T/F: DMVPN uses mGRE instead of GRE.

A

False. DMVPN uses both. In a hub-and-spoke model, mGRE is used by the hubs to establish tunnels to all the spokes, and GRE is used by the spokes to establish a tunnel back to the hub.

13
Q

T/F: GRE tunnels support unicast and multicast but not broadcast.

A

False. GRE tunnels support unicast, multicast, and broadcast.

14
Q

T/F: NHRP uses a client-server model.

A

True. The hub router acts as the server and the spokes act as clients.

15
Q

T/F: In NHRP, spokes register with the hub and share their virtual tunnel interface IP.

A

False. Spokes register with the hubs and share their physical IP.

16
Q

T/F: In NHRP, spokes register with hubs and share a logical IP that is assigned to their virtual tunnel interface.

A

True.

17
Q

T/F: Hubs build a table of virtual-to-virtual IP mappings to connect both sides of the tunnels.

A

False. The mapping table is a physical-to-virtual IP address mapping table.

18
Q

T/F: Public, routable IP addresses can be assigned to a Loopback interface.

A

True.

19
Q

T/F: NHRP queries are sent by the hub to the spoke asking what physical IP to map to a virtual tunnel IP.

A

False. NHRP queries are sent TO the hub BY the spoke asking what physical IP to map to a virtual tunnel IP. The spoke is acting as the client in the client-server model. The hub responds with the mapping and a new dynamic tunnel is set up.

20
Q

In the output of the command ‘sh ip nhrp’, what does the authoritative flag indicate?

A

The authoritative flag indicates that the information shown was provided by a router.

21
Q

What information does the ‘sh ip nhrp’ command show?

A

It shows the IP-to-NBMA address cache, with the tunnel interface name and how long ago the tunnel was created.

23
Q

What suite of protocols provides security to DMVPN?

A

IPsec is a collection of protocols that provide the security functionality to GRE tunnels.

24
Q

T/F: IPsec provides Confidentiality, Integrity, Authentication and Anti-replay.

A

True. Confidentiality comes from encryption; Integrity ensures data is not modified in flight, using a hash or checksum; Authentication allows verification of the remote router's identity; and Anti-replay ensures packets are not duplicates, using sequence numbers.

25
Q

What does IKE stand for?

A

Internet Key Exchange protocol. IKE allows for manual configuration of keys and provides encryption between authenticated peers using these encryption keys.

26
Q

What does ISAKMP stand for?

A

Internet Security Association and Key Management Protocol.

27
Q

In which phase of an IPsec tunnel establishment process is the ISAKMP session established?

A

Phase 1.

28
Q

What are transform sets? What are they configuring?

A

They are part of the IKE Phase 1 ISAKMP tunnel negotiations. They define the encryption and authentication protocols to be used.

29
Q

In which phase of an IPsec tunnel establishment sequence is the hash method defined?

A

Phase 1. This is part of the ISAKMP negotiations.

30
Q

T/F: A security association (an SA) is the set of all parameters required for a tunnel.

A

True.

31
Q

T/F: ISAKMP security associations are bidirectional.

A

True. This is why the command ‘sh cry isakmp sa’ only shows one per tunnel. The same key exchange is used for data flowing across the tunnel in either direction.

32
Q

T/F: Phase 2 of the IPsec tunnel establishment sequence happens within the protection of the IKE Phase 1 tunnel.

A

True. Once the IKE Phase 1 tunnel is up, all subsequent negotiation data is protected by it.

33
Q

T/F: IKE Phase 2 establishes the IPsec tunnel.

A

True.

34
Q

T/F: IPsec SA negotiations are unidirectional, i.e. each data flow uses a separate key exchange.

A

True. This is why the command ‘sh cry ipsec sa’ shows two lines for each session.

35
Q

What do AH and ESP stand for?

A

Authentication Header protocol (IP protocol 50) and Encapsulating Security Payload protocol (IP protocol 51). IPsec relies on AH and ESP for integrity.

36
Q

What is the difference between AH and ESP?

A

ESP encrypts and AH does not. For this reason, ESP is widely used and AH is not.

37
Q

What are the two modes that AH and ESP operate in?

A

Transport mode and Tunnel mode.

38
Q

What is the difference between Transport mode and Tunnel mode?

A

Transport mode keeps the original IP header, so the packet size is not increased; it is used by client VPN software. Tunnel mode encapsulates the entire packet with a new IP header and IPsec header. The new header carries the source/destination addresses of the VPN endpoint devices. Site-to-site VPNs use Tunnel mode.

39
Q

With two endpoints using an IPsec tunnel, what is the difference between ‘interesting traffic’ and other traffic with respect to the tunnel?

A

Only interesting traffic is encrypted and sent through the tunnel. Other traffic can still flow between the hosts but traverses outside of the tunnel.

40
Q

T/F: The IPsec SA will be torn down if there is no interesting traffic.

A

True.

41
Q

Which of the following is a valid design consideration for a hybrid VPN?

a. You cannot encapsulate an encrypted packet.
b. You cannot encrypt an encapsulated packet.
c. You might need to decrease the MTU size for frames on an interface.
d. You might need to increase the MTU size for frames on an interface.

A

C. A hybrid VPN uses more than one VPN technology. While you can encrypt a packet that has already been encapsulated by a VPN technology, and while you can encapsulate a packet that has already been encrypted, you might need to decrease the MTU for a frame on an interface configured for tunneling. The reason for the MTU decrease is that additional header information is added for each VPN technology you use. As a result, the maximum amount of data contained in a frame is reduced.

42
Q

In a Layer 3 MPLS VPN, with what does a CE router form a neighborship?

a. A PE in the MPLS network.
b. A CE at a remote location.
c. No neighborship is formed, because the MPLS network acts as a logical switch.
d. No neighborship is formed, because IP multicast traffic cannot be sent across an MPLS network.

A

A. In a Layer 3 MPLS VPN, a customer edge (CE) router forms a neighborship with a provider edge (PE) router (or an edge label switch router [ELSR]) in an MPLS network. In a Layer 2 MPLS VPN, the MPLS network acts as a Layer 2 switch. IP multicast traffic can flow across an MPLS network with no issue.

43
Q

You want to interconnect two remote sites with a VPN tunnel. The tunnel needs to support IP unicast, multicast, and broadcast traffic. Additionally, you need to encrypt traffic being sent over the tunnel. Which of the following VPN solutions meets the design requirements?

a. Use a GRE tunnel.
b. Use an IPsec tunnel.
c. Use a GRE tunnel inside of an IPsec tunnel.
d. Use an IPsec tunnel inside of a GRE tunnel.

A

C. A GRE tunnel can encapsulate any Layer 3 protocol, including IP unicast, multicast, and broadcast traffic. However, a GRE tunnel does not offer encryption.
An IPsec tunnel does offer encryption, but it can only transmit unicast IP traffic. Therefore, to meet the design requirements in this question, you could encapsulate the IP unicast, multicast, and broadcast traffic inside of a GRE tunnel. Because a GRE packet is a unicast IP packet, you could encapsulate the GRE packets inside of an IPsec tunnel, thus providing the required encryption.

44
Q

Identify technologies required for a DMVPN network. (Choose three.)

a. NHRP
b. IPsec
c. MPLS
d. mGRE

A

A, B, and D. A DMVPN network uses mGRE to dynamically form GRE tunnels between two sites needing a direct tunnel. NHRP is used by mGRE to discover the IP address of the device at the remote side of the tunnel. IPsec is used to secure the GRE packets. However, MPLS is not a requirement.

45
Q

Which of the following are characteristics of multipoint GRE? (Choose two.)

a. mGRE supports a wide variety of protocols.
b. A single mGRE interface can service multiple tunnels.
c. An mGRE interface is created for each tunnel.
d. mGRE only transports unicast IP packets.

A

A and B. Like traditional GRE, mGRE can transport a wide variety of protocols (for example, IP unicast, multicast, and broadcast traffic). Also, a single mGRE interface can service multiple tunnels.

46
Q

Which of the following are true for NHRP? (Choose two.)

a. The hub router is configured with the IP addresses of the spoke routers.
b. The spoke routers are configured with the IP address of the hub router.
c. Spoke routers query the hub router asking what tunnel interface IP address corresponds to a known physical interface IP address.
d. Spoke routers query the hub router asking what physical interface IP address corresponds to a known tunnel interface IP address.

A

B and D. NHRP (Next Hop Resolution Protocol) spokes are configured with the IP address of an NHRP hub, but the hub is not configured with the IP addresses of the spokes. When the spokes come online, they inform the hub of both the physical IP address (assigned to a physical interface) and the logical IP address (assigned to a virtual tunnel interface) that are going to be used for their tunnels. With the hub’s database populated, a spoke can query the hub to find out the IP address of a physical interface that corresponds to a specific tunnel interface’s IP address.

47
Q

Which IPsec feature primarily performs encryption?

a. Integrity
b. Confidentiality
c. Antireplay
d. Authentication

A

B. Data confidentiality is provided by encrypting data. Data integrity ensures that data is not modified in transit. Data authentication allows parties involved in a conversation to verify that the other party is the party it claims to be. IPsec uses antireplay protection to ensure that packets being sent are not duplicate packets.