Overlay Technologies Flashcards

1
Q

What is an overlay network

A

A logical/virtual network built on top of a physical (underlay) network.

2
Q

What are the most popular overlay technologies

A

GRE
IPsec
LISP
VXLAN
MPLS

3
Q

What is one of the most common problems with overlay tunnels

A

Recursive routing - the tunnel destination was learnt through the tunnel itself via the IGP. This is solved by removing the internet-facing interface from the IGP routing protocol.

4
Q

What is a VPN

A

When 2 private networks are connected across an unsecure network. To send secure traffic across an unsecure network, IPsec is used as an encryption framework (a suite of protocols).

5
Q

What is GRE and what are its uses

A

Generic Routing Encapsulation is a protocol used to encapsulate traffic across an IP network.

Uses:
Initially used to route non-IP traffic across IP networks.
Used to tunnel traffic through a firewall.
Connect discontiguous networks together.
Duct-tape bad routing designs.
VPNs.

6
Q

What protocol number does GRE use

A

47

7
Q

Why define bandwidth on a GRE tunnel

A

For routing protocol metric calculations and QoS.

8
Q

By default the line protocol on a GRE tunnel is down if there is no route to the destination in the RIB.

True or False

A

True

9
Q

What is IPsec

A

It is a series of standards for creating secure VPNs.

10
Q

What are the main security services provided by IPsec

A

Peer authentication - using PSK / certificates
Data confidentiality - encryption (AES, DES)
Data integrity - hashing (MD5, SHA-1)
Replay detection - packet sequencing

11
Q

What are the 2 types of IPsec headers

A

Authentication Header (AH)
Encapsulating Security Payload (ESP)

12
Q

What is the major drawback of Authentication Header

A

Encryption is not supported.

13
Q

What protocol number does Authentication Header use

A

Protocol number 51.

14
Q

What are the 2 modes for ESP and what is the difference

A

Tunnel mode - encrypts the entire packet by placing an IPsec header onto the packet; the IPsec header is used to route.

Transport mode - encrypts only the packet payload; it uses the original IP header to route across the network.

15
Q

What protocol number does ESP use

A

50

16
Q

What is Diffie-Hellman (DH)

A

DH is an asymmetric key exchange protocol that allows 2 peers to exchange secret keys. It is done by exchanging public keys; each peer uses its own private key so that 2 keys are made independently that are the same, and encrypt the data the same way so it can be decrypted the same way.

17
Q

What DH groups should not be used and which should be used

A

Bad - 1, 2 & 5
Good - 14 and above

18
Q

What is an RSA signature

A

A public key that is used to mutually authenticate peers (digital certificate).

19
Q

What is a transform set

A

It is a configured attribute that defines the security parameters for the IPsec SA negotiation, including: security protocol, encryption & authentication algorithms.

20
Q

What is IKE

A

A protocol used to establish a secure, authenticated session between 2 endpoints; the session is then used to negotiate session keys and parameters for an IPsec tunnel.

21
Q

How many versions of IKE are there and what are the main differences

A

2

v1 is used in legacy network infrastructure.

v2 supports EAP, has anti-DoS capabilities and requires fewer messages to establish an SA.

21
Q

In IKE what is Phase 1 & Phase 2

A

Phase 1 - start of the negotiation; the 2 endpoints agree on an SA (authentication, hash, etc.) and authenticate against each other.

Phase 2 - in this phase the endpoints agree on the SAs for the bulk data transfer.

Phase 1 takes longer to build and, once built, remains; however, a phase 2 tunnel will only be built if interesting traffic is required to be sent.

22
Q

In IKEv1 what are the 2 methods for building the phase 1 tunnel (IKE-SA)

A

Main Mode (MM)
Aggressive Mode (AM)

23
Q

What is the difference between IKEv1 MM and AM

A

MM uses 6 messages to form the IKE-SA.
AM uses 3 messages to form the IKE-SA.

MM is slower but a lot more secure due to the IKE peers' identity being hidden.

AM is faster and more efficient but less secure.

24
Q

In IKEv1 MM what are the different messages for

A

MM1 - initiator sends SA parameters to match against.
MM2 - responder responds to MM1 with the SA parameters that it has matched.
MM3 - DH key exchange.
MM4 - DH key response.
MM5 - authentication session started, IP revealed.
MM6 - authentication session completed, IKE-SA formed.

25
Q

In IKEv1 what are the messages used in AM

A

AM1 - message includes all SA parameters and starts the authentication session.

AM2 - DH key exchange completed and authentication completed.

AM3 - authentication completed.

26
Q

In IKEv1 Phase 2 what messages are used to establish the IPsec-SA tunnel

A

QM1 - initiator confirms the SAs agreed in phase 1, then sends the SAs for the bulk traffic to be sent.

QM2 - response matching the IPsec SA parameters.

QM3 - after this message the IPsec SA is complete.

27
Q

What is Perfect Forward Secrecy (PFS)

A

Where the DH keys are derived independently of the previous keys, to prevent further keys being computed if one key is compromised.

28
Q

IKEv2's main difference is that SAs are established through request/response message pairs.

True / False

A

True.

29
Q

What are the different request/response pairs

A

IKE_SA_INIT - SA proposals matched and DH keys exchanged.
IKE_SA_AUTH - session authenticated; following this, the IKE-SA & Child SA are created.

30
Q

What is the minimum number of messages for IKEv1 (MM), IKEv1 (AM) & IKEv2

A

9, 6, 4

31
Q

What port and transport mechanism does IKE use

A

UDP 500

32
Q

What are the different types of VPN configurations

A

Site-to-site
Cisco DMVPN - hub-to-spoke setup
Cisco GET VPN - any-to-any tunnel-less VPN
Cisco FlexVPN - Cisco's version of IKEv2
Cisco remote VPN

33
Q

What are the 2 site-to-site VPN configuration methods called

A

Site-to-site GRE over IPsec
Static virtual tunnel interfaces (VTI) over IPsec

34
Q

What is the main difference between site-to-site GRE over IPsec and static VTI VPNs

A

Site-to-site GRE over IPsec uses crypto maps and ACLs.

Static VTI VPN uses an IPsec policy (ISAKMP profile).

35
Q

Why are crypto maps bad

A

Complex config.
Does not support MPLS natively.
ACLs often misconfigured.
Maps often consume a lot of TCAM space.

36
Q

When configuring crypto IPsec profiles, what is the only difference in config between site-to-site and static VTI

A

Use the command tunnel mode ipsec ipv4/ipv6 under the tunnel interface.

37
Q

What is Cisco LISP

A

A routing architecture that separates the identity of a host and its location into 2 separate IPs. The EID is the identity of the host; the RLOC is the location of the router to which the EID is attached.

38
Q

What was LISP brought in to solve

A

Large routing tables on the internet cause:

Aggregation issues - due to most routes on the internet being provider-independent, they are not aggregated on the internet.

Traffic engineering - traffic engineering injects more specific routes.

Multi-homing - requires the full internet routing table.

Route instability - constant change causes 'churn' of routes.

39
Q

Why is LISP better than traditional routing like OSPF, EIGRP, BGP?

A

Traditional routing protocols rely on a push model, where the routes are pushed onto the routers.

LISP works on a pull model: it asks for the specific routes that it requires, resulting in less bandwidth usage.

40
Q

What port does LISP use

A

UDP 4341

41
Q

What is an ingress/egress tunnel router (I/ETR)

A

A router that encapsulates/de-encapsulates the IP packet.

42
Q

What is a Map server (MS)

A

Learns and stores EID-to-RLOC associations.

43
Q

What is a Map resolver (MR)

A

Receives and resolves LISP requests.

44
Q

What is the process for a new LISP registration

A

The ETR sends a map register message to the MS to register the associated EID prefix to the RLOC.

The MS sends a notify message to the ETR to confirm the map registration has been received and processed.

45
Q

What is VXLAN

A

A tunnelling protocol that encapsulates layer 2 Ethernet traffic over a layer 3 IP network.

46
Q

What is a VNI

A

VXLAN Network Identifier; it identifies the VXLAN segment, similar to a VLAN.

A 24-bit number that allows over 16 million VXLANs.

47
Q

What is a VTEP

A

VXLAN Tunnel Endpoint, a device responsible for encapsulating/de-encapsulating layer 2 Ethernet traffic.

This device is the connection between the underlay and overlay network.

48
Q

VTEPs can either be software based (using hypervisors) or hardware based.

True or False

A

True

49
Q

What are the 2 VTEP interfaces used for

A

VTEP IP interface - connects the VTEP to the underlay network; this interface encapsulates and de-encapsulates traffic.

VNI interface - a virtual interface that keeps traffic separated from the physical interface (similar to an SVI).

50
Q

What are the VXLAN control plane operation methods

A

Multicast underlay
Static unicast VXLAN tunnels
MP-BGP EVPN
LISP