Chapter 20: Quiz – Securing DMVPN Tunnels (Answers) CCNPv8 ENARSI

1. What are the three elements of secure data transport? (Choose three.)

  • confidentiality
  • integrity
  • availability
  • authorization
  • scalability
  • accountability

Explanation: The three elements of data security are as follows:

  • Confidentiality, which ensures data is viewable to only authorized users
  • Integrity, which ensures data can only be modified by authorized users and has not been changed
  • Availability, which ensures that the network is always available to allow secure transport of data

2. What is a characteristic of the IP authentication header?

  • the assurance that the original data packet has not been modified during transport
  • the provision for data confidentiality, integrity, and authentication
  • the use of protocol number 50 located in the IP header
  • the encryption of data to ensure it is viewable by only authorized users

Explanation: IPsec uses two protocols to provide data integrity and confidentiality, the IP Authentication Header (AH) and the Encapsulating Security Payload (ESP). AH, which is IP protocol 51, provides integrity and origin authentication but does not provide encryption. AH can ensure that the original data packet has not been modified during transport, but it does not encrypt data to ensure it is viewable only by authorized users. ESP, which is IP protocol 50, encrypts the data in the packet for data confidentiality and can also authenticate it. Because the AH integrity check covers the IP header itself, AH breaks when a NAT device rewrites addresses in transit, which is one reason ESP is used for DMVPN tunnels.

3. What is a characteristic of the IPsec ESP tunnel mode?

  • It encrypts the entire original packet.
  • It encrypts and authenticates only the original packet payload.
  • It uses the original IP header to route packets.
  • It encrypts both the IPsec and ESP headers.

Explanation: There are two modes of ESP operation, tunnel mode and transport mode. In ESP tunnel mode the entire original packet, including its IP header, is encrypted and authenticated, and a new outer IP header plus the ESP header are prepended; the new outer header is what is used to route the packet. In transport mode only the original payload is protected and the original IP header is kept for routing. DMVPN tunnels are normally configured with transport mode, because GRE already supplies the outer IP header and tunnel mode would add a second, redundant one.

4. What is the first configuration step required to create pre-shared keys for IPsec protected DMVPN networks?

  • creating an IKEv2 keyring
  • creating a peer name
  • identifying the IP address of peer routers
  • defining the pre-shared keys

Explanation: There are four components of pre-shared key configuration:

  • IKEv2 keyring
  • IKEv2 profile
  • IPsec transform set
  • IPsec profile

The first step is to create the IKEv2 keyring. This keyring is referenced in the IKEv2 profile configuration.
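The four components in the order the explanation lists them, as an added Cisco IOS/IOS-XE configuration example (this is not configuration from the quiz page or the course; the object names, the tunnel number, the pre-shared key and the 0.0.0.0 peer match are assumptions). The tunnel interface at the end also carries the MTU/MSS adjustment for the GRE overhead discussed in question 9 and the replay window-size from question 10, so the whole chain from keyring to tunnel protection is visible in one place:

```cisco
! Added example, not from the quiz page: IKEv2 pre-shared-key protection for
! a DMVPN tunnel. Names, the key and the Tunnel100 interface are assumed.

! 1. IKEv2 keyring: the first step. Matching every peer with 0.0.0.0 0.0.0.0 is
!    the usual DMVPN choice, since spoke addresses are not known in advance.
crypto ikev2 keyring DMVPN-KEYRING
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key CISCO456
!
! 2. IKEv2 profile: references the keyring and sets pre-shared-key
!    authentication in both directions.
crypto ikev2 profile DMVPN-IKEV2-PROFILE
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local DMVPN-KEYRING
!
! 3. IPsec transform set: AES-256 for confidentiality, SHA-256 HMAC for
!    integrity. Transport mode, because GRE already provides the outer IP header.
crypto ipsec transform-set AES256/SHA256/TRANSPORT esp-aes 256 esp-sha256-hmac
 mode transport
!
! 4. IPsec profile: ties the transform set and the IKEv2 profile together.
crypto ipsec profile DMVPN-IPSEC-PROFILE
 set transform-set AES256/SHA256/TRANSPORT
 set ikev2-profile DMVPN-IKEV2-PROFILE
!
! Anti-replay window (question 10): the largest value, 1024 packets.
crypto ipsec security-association replay window-size 1024
!
! Apply the profile to the DMVPN tunnel. The MTU and MSS leave room for the
! 24-byte GRE overhead (question 9) plus the ESP overhead on a 1500-byte link.
interface Tunnel100
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel protection ipsec profile DMVPN-IPSEC-PROFILE
```

The same keyring, IKEv2 profile, transform set and IPsec profile are configured on the hub and on every spoke; only the tunnel interface details differ. If more than one tunnel interface uses the same tunnel source address, add the `shared` keyword to the `tunnel protection` command. After the tunnel comes up, `show crypto ikev2 sa` shows the IKEv2 security associations, `show crypto ipsec sa` shows the ESP SAs (including the anti-replay state), and `show dmvpn detail` lists the protected tunnels.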

5. What function does the IKE protocol provide to IPsec VPNs?

  • encapsulation methods
  • data integrity hashing
  • data authorization procedures
  • secure key-exchange methods

Explanation: Internet Key Exchange (IKE) negotiates the security associations between IPsec peers and provides IPsec with the functionality for encryption key generation, key distribution, key exchange, and key storage. Encapsulation and integrity hashing are done by ESP or AH, not by IKE.

6. What security mechanism is used to provide origin authentication for data transported through a secure DMVPN tunnel?

  • preshared keys
  • encryption algorithms
  • hashing algorithms
  • security associations

Explanation: Integrating IPsec with DMVPN tunnels provides data confidentiality, data integrity, origin authentication, and anti-replay protection. Origin authentication of the peer is accomplished through pre-shared keys or certificate-based authentication; encryption and hashing algorithms protect the data itself, and security associations are the result of that negotiation, not the authentication mechanism.

7. Which IPsec function uses hashing algorithms to ensure packets are not modified in transit?

  • data integrity
  • data confidentiality
  • replay detection
  • origin authentication

Explanation: Data integrity, through the use of hashing algorithms, ensures data can only be modified by authorized users and that it has not been modified in transit.

8. Which protocol is used by IPsec to transport keys securely across insecure networks?

  • IKE
  • SSL
  • SSH

Explanation: Key management is the process of generating, distributing, and storing encryption keys. IPsec uses the Internet Key Exchange (IKE) protocol by default for key management.

9. How much overhead is added to unencrypted DMVPN packets by the GRE flags and header?

  • 8 bytes
  • 12 bytes
  • 24 bytes
  • 48 bytes

Explanation: Unencrypted DMVPN packets carry an extra 20 bytes of overhead for the outer IP header that GRE adds and an extra 4 bytes for the GRE header itself (flags and protocol type), for a total of 24 bytes. This is why DMVPN tunnel interfaces are normally configured with a reduced IP MTU and TCP MSS; encrypting the tunnel with ESP adds further overhead on top of the 24 bytes.

10. What is the Cisco recommended IPsec replay window-size?

  • 32 packets
  • 64 packets
  • 128 packets
  • 1024 packets

Explanation: IPsec anti-replay protection tracks received sequence numbers inside a sliding window and drops packets that are duplicated or arrive too late. A window that is too small causes legitimate packets to be dropped when QoS or parallel paths reorder them, so Cisco recommends using the largest window size possible, which is 1024 packets, set with the global command crypto ipsec security-association replay window-size.

11. What IPsec service verifies that the data was not altered during transmission?

  • authorization
  • confidentiality
  • encapsulation
  • encryption
  • integrity

Explanation: IPsec uses hashing algorithms to provide data integrity which ensures that the data has not been altered or modified in transit.

12. What are three characteristics of IPsec? (Choose three.)

  • data integrity
  • encapsulation of a number of network layer protocols
  • implementation at the transport layer
  • origin authentication
  • data confidentiality
  • forwarding of duplicated packets

Explanation: IPsec provides data confidentiality, data integrity, and origin authentication. It is implemented at the internet (network) layer, not at the transport layer. GRE can encapsulate a number of network layer protocols, whereas IPsec only encapsulates IP packets, which is why DMVPN combines the two. IPsec provides anti-replay protection that drops late and duplicated packets rather than forwarding them.
