Chapter 7

Question 1

Implementation Plan

Answer 1

1. Deploy broadband connectivity
2. Configure static routing
3. Document and verify other services
4. Implement and tune the IPsec VPN
5. Configure GRE tunnels

Question 2

DSL Variants

Answer 2

ADSL
(Asymmetric DSL) Asymmetric 8 Mbps / 1 Mbps

HDSL
(high bitrate DSL) Symmetric 2 Mbps / 2 Mbps

SDSL
(Symmetric DSL ) Symmetric 2 Mbps / 2 Mbps

SHDSL
(Single-pair high-speed DSL) Symmetric 2.3 Mbps / 2.3 Mbps

VDSL
(Very High bitrate DSL) Symmetric / Asymmetric 52 Mbps / 16 Mbps

Question 3

The PPP connection is established between the ____ and ___.
The CPE device is configured with a _____ and ____
The core router authenticates the users using either a ____ or an _____ server.

Answer 3

CPE and the core router
username and password.
local database, external RADIUS AAA

Question 4

Use the __________ command to debug the PPP session authentication.

Answer 4

debug ppp authentication

Question 5

Verify ATM connectivity using the ____________ command.

Answer 5

debug atm events

Question 6

Finally, check Layer 1 connectivity and discover the DSL

line status using the____________ command.

Answer 6

show dsl interface atm

Question 7

Link the source IP addresses to the pool for dynamic address translation.

Answer 7

Router(config)#

ip nat inside source list BRANCH-NAT-ACL pool BRANCH-NAT-POOL

Question 8

Link a source IP addresses to a pool for static translation.

Answer 8

Router(config)#

ip nat inside source static 192.168.1.254 209.165.200.254

Question 9

Displays active NAT translations
Displays NAT statistics.

Displays NAT translations as they occur.

Answer 9

show ip nat translations
show ip nat statistics

debug ip nat

Question 10

Clears all IP NAT translations.

Clears all NAT statistics.

Answer 10

clear ip nat translation *

clear ip nat statistics

Question 11

Which three protocols are involved in the establishment of an IPsec VPN tunnel?

Answer 11

Encapsulating Security Protocol (protocol 50)
Authentication Header (protocol 51)
Internet Security Association and Key Management Protocol (UDP port 500)

UDP port 4500 (NAT-T)

Question 12

Steps to Configuring an IPsec VPN

Answer 12

1. Configure the initial key (ISAKMP policy) details.
2. Configure the IPsec details.
3. Configure the crypto ACL.
4. Configure the VPN tunnel information.
5. Apply the crypto map.

Question 13

Contains authentication, encryption and the hashing method
commands that are first used to negotiate and exchange credentials
with a VPN peer.

Answer 13

ISAKMP Policy

Question 14

Identifies an acceptable combination of security protocols, algorithms, and other settings.

Answer 14

IPsec Details

Question 15

Is an extended IP ACL that identifies the traffic to be protected.
• A permit statement results in the traffic being encrypted, while a deny
statement sends traffic out in clear text.
• Both VPN peers must have reciprocating ACLs.

Answer 15

Crypto ACL

Question 16

• Binds all tunnel information together.
• Identifies the IPsec transform set to use, the peer router, the ACL, and
other tunnel information.

Answer 16

VPN Tunnel Information

Question 17

The named crypto map must be applied to the Internet-facing

interface to which the peering router will connect to.

Answer 17

 Apply the Crypto Map

Question 18

Displays display the specifics contained in a crypto map configuration.
Displays the status information of the active crypto sessions.
Displays the settings used by current SAs.
View real time IPsec events.

Answer 18

show crypto map
show crypto session
show crypto ipsec sa
debug crypto ipsec

Question 19

Once in interface configuration mode, configure the tunnel

parameters including:

Answer 19

• IP address
• Tunnel source
• Tunnel destination
• Tunnel mode (type of tunnel)

Question 20

Change the ACL and add the Internet link and GRE tunnel network to EIGRP on the Branch router.

Answer 20

access-list 110 permit gre host 209.165.200.242 host

209.165.200.226

Question 21

VPN Headend Router Implementation Plan

Answer 21

1. Allow IPsec traffic
2. Define an address pool for connecting clients.
3. Provide routing services for VPN subnets.
4. Tune NAT for VPN traffic flows.
5. Verify IPsec VPN configuration

Question 22

To verify if the VPN configuration is functioning properly,

use the following commands:

Answer 22

• show crypto map
• show crypto isakmp sa
• show crypto sa
• show crypto engine connections active

Question 23

What is a limitation of IPsec by design?

Answer 23

IPsec only forwards unicast traffic

Question 24

How is NAT tuned to handle traffic that is sent through a VPN tunnel between a mobile worker and internalcorporate resources?

Answer 24

Traffic should bypass translation with a deny access list statement or route-map.

Question 25

Which three statements would help an end user develop a better understanding of DSL technology?

Answer 25

ADSL typically has a higher download bandwidth than available upload bandwidth.
DSL speeds can exceed the speeds available with a typical T1 line.
Transfer rates vary by the length of the local loop.

Question 26

Which three items can be specified by ISAKMP policy parameters?

Answer 26

Hashing, encryption, authentication

Question 27

GRE Portocal

Answer 27

47