Ch 2 - Remote Site Connectivity

Question 1

T/F: L2 VPN allows routers at different sites to form L2 adjacencies as if they were L2 adjacent, i.e. on the same segment.

Answer 1

True. L2 VPNs behave much like a L2 switch.

Question 2

What type of VPN allows a Provider Edge (PE) router to establish a peering connection with Customer Edge router(CE).

Answer 2

L3 VPN. Routes are learned by the PE and sent to the CE router on the end of the circuit. Typically MP-BGP.

Question 3

What is an ELSR?

Answer 3

Edge Label Switch Router. This is synonymous with a Provider Edge or PE router.

Question 4

T/F: GRE can encapsulate any L3 protocol.

Answer 4

True.

Question 5

T/F IPsec can protect multicast packets.

Answer 5

False. IPsec only protects unicast IP packets.

Question 6

T/F: GRE can encapsulate multicast packets.

Answer 6

True. Routing protocols work over GRE tunnels.

Question 7

How do you establish a virtual tunnel interface?

Answer 7

R1(config)# interface tunnel 0

Question 8

Is it possible to use a virtual interface for a GRE tunnel source?

Answer 8

Yes. Loopbacks are valid tunnel source interfaces.

Question 9

Imagine a scenario of four routers connected in series, i.e. RT1 - RT2 - RT3 - RT4, and a GRE tunnel is established between RT1 and RT4 (skipping RT3 and RT4). How many hops show if you traceroute the two tunnel endpoints?

Answer 9

1 hop. GRE endpoints seem to be separated by 1 hop regardless of how many routers are in between.

Question 10

T/F: is it possible for a router to support multiple tunnels on a single interface?

Answer 10

True. mGRE, Multi-point GRE makes this possible.

Question 11

What protocol is used by DMVPN to discover the IP address at the far end of a tunnel so that a tunnel can be dynamically formed?

Answer 11

NHRP. Next Hop Resolution Protocol.

Question 12

T/F: DMVPN uses mGRE instead of GRE.

Answer 12

False. DMVPN uses both. In a hub and spoke model, mGRE is used by the hubs to establish tunnels to all the spokes and GRE is used by the spokes to establish a tunnel back to the Hub.

Question 13

T/F: GRE tunnels support unicast and multicast but not broadcast.

Answer 13

False. GRE tunnels support unicast, multicast and broadcast.

Question 14

T/F: NHRP uses a a client server model.

Answer 14

True. Hub router acts as a server the spokes act as clients.

Question 15

T/F: In NHRP, Spokes register with the hub and share their virtual tunnel interface IP.

Answer 15

False. Spokes register with the Hubs and share their physical IP.

Question 16

T/F: In NHRP, Spokes register with Hubs and share a logical IP that is assigned to their virtual tunnel interface.

Answer 16

True.

Question 17

T/F: Hubs build a table of virtual to virtual IP mappings to connect both sides of the tunnels.

Answer 17

False. The mapping table is a physical to virtual IP address mapping table.

Question 18

T/F: Public, routable IP addresses can be assigned to Loopback address.

Answer 18

True.

Question 19

T/F: NHRP queries are sent by the Hub to the spoke asking what physical IP to map to a virtual tunnel IP.

Answer 19

False. NHRP queries are sent TO the Hub BY the spoke asking what physical IP to map to a virtual tunnel IP. The spoke is acting a the client in the client-server model. The hub responds with the mapping and a new dynamic tunnel is setup.

Question 20

In the command, sh ip nhrp, what does the authoritative flag indicate?

Answer 20

The authoritative flag indicates that the information shown was provided by a router.

Question 21

What information does the ‘sh ip nhrp’ command show?

Answer 21

It shows the IP-NBMA address cache, with the tunnel interface name and how long since tunnel was created.

Question 22

What information does the ‘sh ip nhrp’ command show?

Answer 22

It shows the IP-NBMA address cache, with the tunnel interface name and how long since tunnel was created .

Question 23

What suite of protocols provides security to DMVPN?

Answer 23

IPsec is a collection of protocols that provide the security functionality to GRE tunnels.

Question 24

T/F: IPsec provides Confidentiality, Integrity, Authentication and Anti-replay.

Answer 24

True. Confidentiality from encryption, Integrity ensures data is not modified in flight by hashing or checksum, Authentication allows verification of remote router identity, and Anti-replay ensures packets are not duplicates by using sequence numbers.

Question 25

What does IKE stand for?

Answer 25

Internet Key Exchange protocol. IKE allows for manual configuration of keys and provides encryption between authenticated peers using these encryption keys.

Question 26

What does ISAKMP stand for?

Answer 26

Internet Security Association and Key Management Protocol.

Question 27

In which phase of an IPsec tunnel establishment process is the ISAKMP session established?

Answer 27

Phase 1.

Question 28

What are transform sets? What are they configuring?

Answer 28

They are part of IKE Phase 1 ISAKMP tunnel negotiations. They define the encryption and authentication protocols.

Question 29

In which phase of an IPsec tunnel establishment sequence is the hash method defined?

Answer 29

Phase 1. This is part of the ISAKMP negotiations.

Question 30

T/F: A security association (an SA) is the set of all parameters required for a tunnel.

Answer 30

True.

Question 31

T/F: ISAKMP security associations are bidirectional.

Answer 31

True. This is why the command ‘sh cry isakmp sa’ only shows one per tunnel. The same key exchange is used for data flowing across the tunnel in either direction.

Question 32

T/F: Phase 2 of the IPsec tunnel establishment sequence happens within the protection of the IKE Phase 1 tunnel.

Answer 32

True. Once the IKE Phase 1 tunnel is up all data is protected.

Question 33

T/F: IKE Phase 2 establishes the IPsec tunnel.

Answer 33

True.

Question 34

T/F: IPsec SA negotiations are unidirectional, I.e. each data flow uses a separate key exchange.

Answer 34

True. This is why the command ‘sh cry ipsec sa” shows two lines for each session.

Question 35

What do AH and ESP stand for?

Answer 35

Authentication Header protocol (IP protocol 50) and Encapsulating Security Payload protocol (IP protocol 51). IPsec relies on AH and ESP for integrity.

Question 36

What is the difference between AH and ESP?

Answer 36

ESP encrypts and AH does not. For this reason ESP is widely used and AH is not.

Question 37

What are the two modes that AH and ESP operate in?

Answer 37

Transport mode and Tunnel mode.

Question 38

What is the difference between Transport mode and Tunnel mode?

Answer 38

Transport mode uses the original IP header so the packet size is not increased and is used in client VPN software. Tunnel mode encapsulates the entire packet with an IPsec header. The new header has SA/DA of the VPN endpoint devices. Site to Site VPNs use Tunnel mode.

Question 39

With two endpoints using an IPsec tunnel, what is the difference between ‘interesting traffic’ and other traffic with respect to the tunnel?

Answer 39

Only interesting traffic is encrypted and sent through the tunnel. Other traffic can still flow between the hosts but will traverse outside of the tunnel.

Question 40

T/F: The IPsec SA will be torn down if there is no interesting traffic.

Answer 40

True.

Question 41

Which of the following is a valid design consideration for a hybrid VPN?

a. You cannot encapsulate an encrypted packet.
b. You cannot encrypt an encapsulated packet.
c. You might need to decrease the MTU size for frames on an interface.
d. You might need to increase the MTU size for frames on an interface.

Answer 41

C. A hybrid VPN uses more than one VPN technology. While you can encrypt a packet that has already been encapsulated by a VPN technology, and while you can encapsulate a packet that has already been encrypted, you might need to decrease the MTU for a frame on an interface configured for tunneling. The reason for the MTU decrease is that additional header information is added for each VPN technology you use. As a result, the maximum amount of data contained in a frame is reduced.

Question 42

In a Layer 3 MPLS VPN, with what does a CE router form a neighborship?

a. A PE in the MPLS network.
b. A CE at a remote location.
c. No neighborship is formed, because the MPLS network acts as a logical switch.
d. No neighborship is formed, because IP multicast traffic cannot be sent across an MPLS network.

Answer 42

A. In a Layer 3 MPLS VPN, a customer edge (CE) router forms a neighborship with a provider edge (PE) router (or an edge label switch router [ELSR]) in an MPLS network. In a Layer 2 MPLS VPN, the MPLS network acts as a Layer 2 switch. IP multicast traffic can flow across an MPLS network with no issue.

Question 43

You want to interconnect two remote sites with a VPN tunnel. The tunnel needs to support IP unicast, multicast, and broadcast traffic. Additionally, you need to encrypt traffic being sent over the tunnel. Which of the following VPN solutions meets the design requirements?

a. Use a GRE tunnel.
b. Use an IPsec tunnel.
c. Use a GRE tunnel inside of an IPsec tunnel.
d. Use an IPsec tunnel inside of a GRE tunnel.

Answer 43

C. A GRE tunnel can encapsulate any Layer 3 protocol, including IP unicast, multicast, and broadcast traffic. However, a GRE tunnel does not offer encryption.
An IPsec tunnel does offer encryption, but it can only transmit unicast IP traffic. Therefore, to meet the design requirements in this question, you could encapsulate the IP unicast, multicast, and broadcast traffic inside of a GRE tunnel. Because a GRE packet is a unicast IP packet, you could encapsulate the GRE packets inside of an IPsec tunnel, thus providing the required encryption.

Question 44

Identify technologies required for a DMVPN network. (Choose three.)

a. NHRP
b. IPsec
c. MPLS
d. mGRE

Answer 44

A, B, and D. A DMVPN network uses mGRE to dynamically form GRE tunnels between two sites needing a direct tunnel. NHRP is used by mGRE to discover the IP address of the device at the remote side of the tunnel. IPsec is used to secure the GRE packets. However, MPLS is not a requirement.

Question 45

Which of the following are characteristics of multipoint GRE? (Choose two.)

a. mGRE supports a wide variety of protocols.
b. A single mGRE interface can service multiple tunnels.
c. An mGRE interface is created for each tunnel.
d. mGRE only transports unicast IP packets.

Answer 45

A and B. Like traditional GRE, mGRE can transport a wide variety of protocols (for example, IP unicast, multicast, and broadcast traffic). Also, a single mGRE interface can service multiple tunnels.

Question 46

Which of the following are true for NHRP? (Choose two.)

a. The hub router is configured with the IP addresses of the spoke routers.
b. The spoke routers are configured with the IP address of the hub router.
c. Spoke routers query the hub router asking what tunnel interface IP address corresponds to a known physical interface IP address.
d. Spoke routers query the hub router asking what physical interface IP address corresponds to a known tunnel interface IP address.

Answer 46

B and D. NHRP (Next Hop Resolution Protocol) spokes are configured with the IP address of an NHRP hub, but the hub is not configured with the IP addresses of the spokes. When the spokes come online, they inform the hub of both the physical IP address (assigned to a physical interface) and the logical IP address (assigned to a virtual tunnel interface) that are going to be used for their tunnels. With the hub’s database populated, a spoke can query the hub to find out the IP address of a physical interface that corresponds to a specific tunnel interface’s IP address.

Question 47

Which IPsec feature primarily performs encryption?

a. Integrity
b. Confidentiality
c. Antireplay
d. Authentication

Answer 47

B. Data confidentiality is provided by encrypting data. Data integrity ensures that data is not modified in transit. Data authentication allows parties involved in a conversation to verify that the other party is the party it claims to be. IPsec uses antireplay protection to ensure that packets being sent are not duplicate packets.