CCNP ENARSI v8 Chapters 18 – 20: VPNs Test Online

Hint

The show ip vrf interfaces command will show each interface that is assigned to a VRF as well as the IP address assigned to the interface, and whether the interface is up.

Hint

When the ping command is issued, the VRF instance must be specified, otherwise the global routing table is used and the ping will fail.

Hint

The data plane of a LSR consists of an IP forwarding table (FIB) and a label forwarding table (LFIB). The FIB makes forwarding decisions for unlabeled packets. The LFIB makes forwarding decision for labeled packets.

Hint

When an IP packet arrives at the ingress PE router, it attaches both the VPN and the LDP label.

Hint

The data plane of a LSR consists of a IP forwarding table (FIB) and a label forwarding table (LFIB). The FIB makes forwarding decisions for unlabeled packets. The LFIB makes forwarding decision for labeled packets.

Hint

With penultimate hop popping, the last provider (P) router, which is router R4 in this example, removes (pops) the label off packets before they reach the provider edge (PE) router, R5.

Hint

CE, or customer edge, routers do not run MPLS. They also are unaware of labels and VRF instances. CE routers are connected to the provider edge (PE) routers of the MPLS service provider.

Hint

The PE routers, R2 and R5, learn routes from the CE routers, R1 and R6, and redistribute the routes into MP-BGP so they can be exchanged with other PE routers. The P routers, R3 and R4, and the customer (CE) routers do not participate in MP-BGP.

Hint

Provider MPLS-enabled routers use labels attached to IP packets to forward traffic through the MPLS domain.

Hint

The PE routers, R2 and R5, learn routes from the CE routers. The PE routers label packets from the CE routers and forward the labeled packets to the P routers, R4 and R5.

Hint

There are three DMVPN phase models: Phase 1, Phase 2, and Phase 3. The first DMVPN implementation is Phase 1. Phase 1 supports only spoke-to-hub tunnels. Traffic between spokes must traverse the hub. Phases 2 and 3 support not only spoke-to-hub tunnels, but also direct spoke-to-spoke tunnels. Only Phase 2 supports spoke-to-spoke communication between DMVPN networks or regions.

Hint

NHRP registration requests are sent by the spoke every NHRP timeout period. If an NHRP registration reply is not received, the spoke will make three additional attempts. If after the third additional attempt a reply is not received, the NHS is declared “down”.

Hint

Because IPv6 routing protocols use IPv6 link-local addresses for neighbor discovery, IPv6 DMVPN configuration must assign IPv6 link-local addresses on the tunnel interfaces.

Hint

The Phase 3 DMVPN configuration for spoke routers uses the ip nhrp shortcut command on the tunnel interface.

Hint

There are three DMVPN phase models: Phase 1, Phase 2, and Phase 3. The first DMVPN implementation is Phase 1. Phase 1 only supports spoke-to-hub tunnels. Traffic between spokes must traverse the hub. Phases 2 and 3 support not only spoke-to-hub tunnels, but also direct spoke-to-spoke tunnels.

Hint

• resolution – locates and provides address information of remote spoke
• redirect – informs router of more optimal path to a destination
• registration – informs hubs of spoke NBMA information
• purge – removes cached NHRP entries

Hint

A front door VRF instance occurs when the VRF instance is associated with the DMVPN transport network. It allows the interface associated with the transport network to be associated with a transport VRF that is a different VRF instance from the DMVPN tunnel.

Hint

The GRE tunnel creates an overlay network through the provider network. The provider routers, SP1 and SP2, do not participate in the routing protocol connecting the two GRE edge routers CE1 and CE2. From the perspective of router CE1, the 10.0.0.0/24 network is only 1 hop away.

Hint

NHRP entries in the NHRP cache stay valid for 7200 seconds (2 hours) by default. This hold time can be modified using the ip nhrp holdtime command. It is recommended that the hold time for valid entries be modified to 600 seconds.

Hint

The three elements of data security are as follows:

• Confidentiality, which ensures data is viewable to only authorized users
• Integrity, which ensures data can only be modified by authorized users and has not been changed
• Availability, which ensures that the network is always available allowing the secure transport of the data

Hint

The three elements of data security are as follows:

• Confidentiality, which ensures data is viewable to only authorized users
• Integrity, which ensures data can only be modified by authorized users and has not been changed
• Availability, which ensures that the network is always available allowing the secure transport of the data

Hint

Hashing algorithms ensure data integrity by using a checksum to compare the transported data with the original data.

Hint

With perfect forward secrecy each session key is derived independently of the previous key so that a compromise of one key does not mean compromise of future keys.

Hint

IPsec uses two protocols to provide data integrity and confidentiality, the IP Authentication Header (AH) and the Encapsulating Security Payload (ESP). AH, which uses IP protocol number 51, provides integrity and authentication but does not provide encryption. ESP provides data confidentiality, integrity, and authentication. ESP ensures confidentiality by encrypting the payload and adding a new set of headers during transport across a public network.

Hint

There are two modes of ESP operation, tunnel mode and transport mode. In ESP tunnel mode the entire original packet is encrypted and a new IPsec header is added which is used to route the packet.

Hint

There are two modes of DMVPN IPsec operation, tunnel mode and transport mode. In ESP tunnel mode the entire original packet and the GRE IP header are encrypted and a new IPsec IP header is added which is used to route the packet.

Hint

The IPsec framework uses various protocols and algorithms to provide data confidentiality, data integrity, authentication, and secure key exchange. Two popular algorithms that are used to ensure that data is not intercepted and modified (data integrity) are MD5 and SHA. AES is an encryption protocol and provides data confidentiality. DH (Diffie-Hellman) is an algorithm that is used for key exchange. RSA is an algorithm that is used for authentication.

Hint

Data confidentiality and integrity can be accomplished by adding IPsec encryption to DMVPN tunnels that use the Internet as a transport.

Hint

The Advanced Encryption Standard (AES) and the Galois Counter Mode (GCM) encryption algorithms are used to provide encryption for IPsec ESP.

Hint

IPsec uses two protocols to provide data integrity and confidentiality, the IP Authentication Header (AH) and the Encapsulating Security Payload (ESP). AH provides integrity and authentication but does not provide encryption. AH can ensure that the original data packet has not been modified during transport but it does not encrypt data to ensure it is viewable only by authorized users. ESP provides confidentiality, integrity, and authentication.