Overlay Tunnels Theory

Question 1

What is the protocol number for GRE?

Answer 1

Protocol 47

Question 2

When a router encapsulates a packet for GRE, what is added to the packet?

Answer 2

A GRE header and GRE flags are added to the packet. The GRE header contains the remote endpoint IP address as the destination.

Question 3

When configuring a point to point GRE tunnel, what 4 configuration elements are required?

Answer 3

1. Tunnel interface id
2. Tunnel IP address
3. Tunnel source
4. Tunnel destination

Question 4

Why might you need to adjust the MTU size for the tunnel interface?

Answer 4

GRE encapsulation adds 24 bytes (minimum) to the packet size. It may be desired to control packet fragmentation.

Question 5

What is IPSec?

Answer 5

IPsec is a framework of open standards for creating highly secure virtual private networks (VPNs) using various protocols and technologies for secure communication across unsecure networks, such as the Internet.

Question 6

What four security services does IPSec Provide?

Answer 6

1. Peer Authentication (Certificates, Pre-shared Key)
2. Data Confidentiality (Encryption)
3. Data Integrity - Hashing to prevent MitM attacks
4. Replay detection - marking packets with sequence numbers to prevent MitM attacks

Question 7

What protocol number identifies the IPSec Authentication header?

Answer 7

Protocol 51

Question 8

What protocol number identifies the IPSec Encapsulating Security Payload (ESP)

Answer 8

Protocol 50

Question 9

What Security Services are provided by the IPSec Authorization Header?

Answer 9

Data integrity, authentication, replay detection

Question 10

What additional Security Services are provided by IPSec ESP?

Answer 10

Encryption of payload and headers (confidentiality). Support for encryption over NAT.

Question 11

What is the difference between IPSec Transport Mode and Tunnel Mode?

Answer 11

Tunnel mode encrypts the entire packet including the packet headers. Transport mode only encrypts the packet’s payload.

Question 12

List the encryption, hashing, and keyring methods supported by IPSec

Answer 12

• Data Encryption Standard (DES)
• Triple DES (3DES)
• Advanced Encryption Standard (AES)
• Message Digest 5 (MD5)
• Secure Hash Algorithm (SHA)
• Diffie Helman (DH)
• RSA Signatures
• Pre-Shared Key

Question 13

What is ISAKMP?

Answer 13

Internet Security Association Key Management Protocol (ISAKMP) is a framework for authentication and key exchange between two peers to establish, modify, and tear down SAs.

Question 14

What improvements does IKEv2 make over IKEv1?

Answer 14

• Reduces the number of messages that need to be exchanged
• Uses Elliptical Curve Digital Signature Algorithm (ECDSA-SIG) instead of public keys
• Extensible Authentication Protocol (EAP)
• Next Generation Encryption
• Asymmetric Authentication
• Anti-DoS

Question 15

Name the VPN Types that are supported on a Cisco Router

Answer 15

• Site-to-Site IPSec VPN
• Cisco DMVPN (Dynamic Multipoint)
• Cisco Group Encrypted Transport (GET) VPN
• Cisco FlexVPN
• Remote VPN (FlexVPN)

Question 16

Why should IPSec profiles be used instead of Crypto Maps when configuring IPSec tunnels?

Answer 16

Crypto Maps have limitations such as:
- Cannot natively support MPLS
- Can become overly complex
- Crypto ACLs are easily misconfigured
- Cryto ACL entries consume too much memory

Question 17

What is LISP?

Answer 17

Locator ID Separation Protocol - a Cisco routing architecture and data control plane that was created to address routing scalability over the Internet.

Question 18

What two networking entities are separated by LISP?

Answer 18

• Location (Subnet)
• Identity (IP Address)

You can take a subnet and physically spread it across multiple Layer 2 switches.

Question 19

What port is used by LISP?

Answer 19

UDP Port 4341

Question 20

In LISP what are the terms ETR, ITR and xTR.

Answer 20

Egress Tunneling router (end of the LISP tunnel), Ingress Tunneling Router, Tunnel Router (xTR). An xTR is a general term for both an ETR and an ITR.

Question 21

In LISP what are the MS and the MR?

Answer 21

Map Server - This is a network device (typically a router) that learns EID-to-prefix mapping entries from an ETR and stores them in a local EID-to-RLOC mapping database.

Map Resolver - This is a network device (typically a router) that receives LISP-encapsulated map requests from an ITR and finds the appropriate ETR to answer those requests by consulting the map server.

MS/MR - when both roles are on the same device

Question 22

In LISP what are the PITR, PETR, and xPTR?

Answer 22

xPRT - Proxy Tunnel router - a LISP router that connects to a non-LISP external envrionment
PITR - Proxy Ingress Tunnel Router
PETR - Proxy Egress Tunnel Router

Question 23

In LISP what are the EID and RLOC?

Answer 23

EID - Endpoint Identifier - the IP address of the LISP endpoint (ITR). In most cases this is a subnet for a LISP domain attached network.

RLOC - Routing Locator - the IP address of the LISP ETR

Question 24

What headers are added to an IP packet when its encapsulated with LISP?

Answer 24

Additional Destination IP Address header (RLOC), UDP port (4341), LISP header -> original packet header/payload

Question 25

What device sends a “map register” message and what happens within the LISP domain when the map register is sent?

Answer 25

The map register is sent from the ETR advertising an attached subnet (RLOC). The message is sent to the Map Server which then records an EID to RLOC mapping in its database.

Question 26

When an ITR sends a map request, describe the order of events that follow.

Answer 26

1.) ITR sends map request to Map Resolver (MR)
2.) Map Resolver sends request to Map Server (MS)
3.) Map Server forwards the map request to ETR
4.) ETR sends a map reply to the ITR

Question 27

What happens when an ITR sends a map request and the Map Server does not have EID to RLOC mapping in its database for the network prefix?

Answer 27

The Map Server responds with a “negative” message and the ITR will then send the packet to the Proxy Tunnel Router.

Question 28

What is VXLAN?

Answer 28

Virtual Extensible Local Area Network - a tunneling protocol that functions at Layer 2

Question 29

What scalability issues does VXLAN set out to resolve?

Answer 29

• Limited number of VLANs
• Segmentation with Private VLANs
• Reliance on STP

Question 30

How many possible VLANs are possible with VXLAN?

Answer 30

Over 16 million

Question 31

What are the size of the additional VXLAN headers that need to be considered when adjusting for Max MTU?

Answer 31

Outer IP Header - 20 bytes
UDP Header - 8 bytes
VXLAN Header - 8 bytes
Encapsulated (original) Ethernet header - 14 bytes + 4 bytes VLAN tag

Total: 54 bytes

Note: VLAN tag (4 bytes) can be placed into VXLAN header to reduce it to 50 bytes

Question 32

in VXLAN, what is a VTEP?

Answer 32

Virtual Tunnel Endpoint - entities that originate or terminate a VXLAN tunnel.

Question 33

Which two Cisco solutions leverage VXLAN?

Answer 33

Software Defined Access (SDA) and Application Centric Infrastructure (ACI)