Chapter 20: Quiz – Securing DMVPN Tunnels (Answers) CCNPv8 ENARSI

1. What are the three elements of secure data transport? (Choose three.)

  • confidentiality
  • integrity
  • availability
  • authorization
  • scalability
  • accountability

Explanation: The three elements of data security are as follows:

  • Confidentiality, which ensures data is viewable to only authorized users
  • Integrity, which ensures data can only be modified by authorized users and has not been changed
  • Availability, which ensures that the network is always available to allow secure transport of data

2. What is a characteristic of the IP authentication header?

  • the assurance that the original data packet has not been modified during transport
  • the provision for data confidentiality, integrity, and authentication
  • the use of protocol number 50 located in the IP header
  • the encryption of data to ensure it is viewable by only authorized users

Explanation: IPsec uses two protocols to provide data integrity and confidentiality: the IP Authentication Header (AH) and the Encapsulating Security Payload (ESP). AH, which is IP protocol 51, provides integrity and authentication but does not provide encryption. AH can ensure that the original data packet has not been modified during transport, but it does not encrypt data to ensure it is viewable only by authorized users. ESP encrypts the data in the packet for data confidentiality.

3. What is a characteristic of the IPsec ESP tunnel mode?

  • It encrypts the entire original packet.
  • It encrypts and authenticates only the original packet payload.
  • It uses the original IP header to route packets.
  • It encrypts both the IPsec and ESP headers.

Explanation: There are two modes of ESP operation: tunnel mode and transport mode. In ESP tunnel mode, the entire original packet is encrypted and a new IPsec header is added, which is used to route the packet.

4. What is the first configuration step required to create pre-shared keys for IPsec protected DMVPN networks?

  • creating an IKEv2 keyring
  • creating a peer name
  • identifying the IP address of peer routers
  • defining the pre-shared keys

Explanation: There are four components of pre-shared key configuration:

  • IKEv2 keyring
  • IKEv2 profile
  • IPsec transform set
  • IPsec profile

The first step is to create the IKEv2 keyring. This keyring is referenced in the IKEv2 profile configuration.

5. What function does the IKE protocol provide to IPsec VPNs?

  • encapsulation methods
  • data integrity hashing
  • data authorization procedures
  • secure key-exchange methods

Explanation: Internet Key Exchange (IKE) provides IPsec with the functionality for encryption key generation, key distribution, key exchange, and key storage.

6. What security mechanism is used to provide origin authentication for data transported through a secure DMVPN tunnel?

  • preshared keys
  • encryption algorithms
  • hashing algorithms
  • security associations

Explanation: Integrating IPsec with DMVPN tunnels provides data confidentiality, authentication, and protection. Authentication of origin is accomplished through preshared keys or certificate-based authentication.

7. Which IPsec function uses hashing algorithms to ensure packets are not modified in transit?

  • data integrity
  • data confidentiality
  • replay detection
  • origin authentication

Explanation: Data integrity, through the use of hashing algorithms, ensures data can only be modified by authorized users and that it has not been modified in transit.

8. Which protocol is used by IPsec to transport keys securely across insecure networks?

  • IKE
  • SSL
  • SSH

Explanation: Key management is the process of generating, distributing, and storing encryption keys. IPsec uses the Internet Key Exchange (IKE) protocol by default for key management.

9. How much overhead is added to unencrypted DMVPN packets by the GRE flags and header?

  • 8 bytes
  • 12 bytes
  • 24 bytes
  • 48 bytes

Explanation: Unencrypted DMVPN packets have an extra 20 bytes of overhead for the GRE header and an extra 4 bytes of overhead for the GRE flags field.

10. What is the Cisco recommended IPsec replay window-size?

  • 32 packets
  • 64 packets
  • 128 packets
  • 1024 packets

Explanation: Cisco recommends using the largest window size possible which is 1024 packets.

11. What IPsec service verifies that the data was not altered during transmission?

  • authorization
  • confidentiality
  • encapsulation
  • encryption
  • integrity

Explanation: IPsec uses hashing algorithms to provide data integrity which ensures that the data has not been altered or modified in transit.

12. What are three characteristics of IPsec? (Choose three.)

  • data integrity
  • encapsulation of a number of network layer protocols
  • implementation at the transport layer
  • origin authentication
  • data confidentiality
  • forwarding of duplicated packets

Explanation: IPsec is implemented at the internet layer, not at the transport layer. GRE can encapsulate a number of network layer protocols, whereas IPsec only encapsulates IP packets. IPsec provides anti-replay protection which drops late and duplicated packets.

“Do I Know This Already?” Quiz Answers:

1. In an MPLS Layer 3 VPN WAN model, data is protected on the SP network because of which mechanism?

  • Data confidentiality is protected because MPLS Layer 3 VPNs include encryption on the SP network.
  • Data integrity is maintained because MPLS Layer 3 VPNs include checksums on the SP network.
  • Data integrity is not protected on the SP network.
  • Data confidentiality is dependent on the SP’s processes.

Explanation: MPLS Layer 3 VPNs do not add encryption or checksums as part of their service. Data confidentiality is dependent on the SP’s processes to ensure that data does not leak from one customer to a different one.

2. Which IPsec security mechanism ensures that if a hacker gains access to a session key, that person cannot maintain access to that session indefinitely?

  • Replay detection
  • Periodic rekey
  • Perfect forward secrecy
  • Encapsulating Security Payload

Explanation: Perfect forward secrecy ensures that new session keys are derived independently of a previous key to ensure that the compromise of one key does not mean compromise of future keys.

3. True or false: The IKEv2 keyring functionality allows for the pre-shared key to be set on a neighbor-by-neighbor basis.

  • True
  • False

Explanation: There can be multiple peers and associated IP addresses in the IKEv2 keyring.

4. True or false: Enabling IPsec tunnel encryption involves the configuration of the IKEv2 profile and its association to a tunnel interface.

  • True
  • False

Explanation: IPsec tunnel encryption involves the association of an IPsec profile to a tunnel interface. The IPsec profile consists of an IKEv2 profile and a transform set.

5. Which command enables IPsec encryption on a tunnel interface?

  • tunnel protection ipsec profile profile-name
  • ipsec protection profile profile-name
  • crypto map map-name ipsec-isakmp interface interface-id
  • crypto map map-name tunnel tunnel-id ipsec-isakmp

Explanation: The command tunnel protection ipsec profile profile-name [shared] associates an IPsec profile to an interface.

6. A router has just been configured with IPsec DMVPN tunnel protection and needs to have the IPsec packet replay feature set the number of packets to 64. Which command should be used?

  • crypto ipsec security-association replay window-size 64
  • ipsec security-replay window-size 64
  • ipsec window-size 64
  • None. The command is not needed.

Explanation: The default tunnel replay window is set to 64 packets.
