OSPF -
1. What algorithm is used by OSPF if equal cost routes exist?
Ans. If equal cost routes exist, OSPF uses CEF load balancing.
2. What is the link-state retransmit interval, and what is the command to set it?
Ans. OSPF must send acknowledgment of each newly received link-state advertisement (LSA). It does this by sending LSA packets. LSAs are retransmitted until they are acknowledged. The link-state retransmit interval defines the time between retransmissions. You can use the command ip ospf retransmit-interval to set the retransmit interval. The default value is 5 seconds.
3. Which address-wild-mask pair should I use for assigning an unnumbered interface to an area?
Ans. When an unnumbered interface is configured, it references another interface on the router. When enabling OSPF on the unnumbered interface, use the address-wild-mask pair of the interface to which the unnumbered interface is pointing.
5. Why do I receive the "cannot allocate router id" error message when I configure Router OSPF One?
A. OSPF picks up the highest IP address as a router ID. If there are no interfaces in up/up mode with an IP address, it returns this error message. To correct the problem, configure a loopback interface.
6. When I issue the show ip ospf neighbor command, why do I only see FULL/DR and FULL/BDR, with all other neighbors showing 2-WAY/DROTHER?
A. To reduce the amount of flooding on broadcast media, such as Ethernet, FDDI, and Token Ring, the router becomes FULL only with the designated router (DR) and backup designated router (BDR); it shows 2-WAY for all other routers.
7. Do I need any special commands to run OSPF over BRI/PRI links?
A. In addition to the normal OSPF configuration commands, you should use the dialer map command. When using the dialer map command, use the broadcast keyword to indicate that broadcasts should be forwarded to the protocol address.
8. What does the clear ip ospf redistribution command do?
A. The clear ip ospf redistribution command flushes all the type 5 and type 7 link-state advertisements (LSAs) and scans the routing table for the redistributed routes. This causes a partial shortest path first algorithm (SPF) in all the routers on the network that receive the flushed/renewed LSAs. When the expected redistributed route is not in OSPF, this command may help to renew the LSA and get the route into OSPF.
9. Does OSPF form adjacencies with neighbors that are not on the same subnet?
A. The only time that OSPF forms adjacencies between neighbors that are not on the same subnet is when the neighbors are connected through point-to-point links. This may be desired when using the ip unnumbered command, but in all other cases, the neighbors must be on the same subnet.
10. How often does OSPF send out link-state advertisements (LSAs)?
A. OSPF sends out its self-originated LSAs when the LSA age reaches the link-state refresh time, which is 30 minutes.
11. How do I stop individual interfaces from developing adjacencies in an OSPF network?
A. To stop routers from becoming OSPF neighbors on a particular interface, issue the passive-interface command at the interface.
12. When I have two type 5 link-state advertisements (LSAs) for the same external network in the OSPF database, which path should be installed in the IP routing table?
A. When you have two type 5 LSAs for the same external network in the OSPF database, prefer the external LSA that has the shortest path to the Autonomous System Boundary Router (ASBR) and install that into the IP routing table. Use the show ip ospf border-routers command to check the cost to the ASBR.
13.
100. Contiguous vs. discontiguous networks -
Ans. Example of a contiguous network with IP subnet addresses. Suppose you have a classful network with the following subnets:
192.168.0.0/24
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
As defined above, this series of classful subnets can be summarized into one network, 192.168.0.0/22.
If they were non-contiguous (discontiguous) networks, you might have:
192.168.1.0/24
192.168.4.0/24
192.168.17.0/24
192.168.240.0/24
In this case you would not be able to summarize the networks without including other networks in the process. Using a network statement like 192.168.0.0/16 includes all of those networks, but crucially it also includes every network from 192.168.0.0 to 192.168.255.0.
So from the above example we can define a discontiguous network as a classful network in which packets sent between at least one pair of its subnets must pass through subnets of a different classful network.
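The summarization check described above can be automated with the standard-library ipaddress module. The following is an added example written for this page, not code from the original notes; it takes the two subnet lists from the text, finds the smallest prefix that covers each list, and reports whether that prefix is an exact summary or would also advertise other /24s (the extra_24s count assumes /24 inputs, as in the text).

```python
"""Checks whether a list of classful subnets forms a contiguous block that one
summary prefix can cover exactly. Added example for this page, not code from
the original notes; the two subnet lists are the ones used in the text."""
import ipaddress


def smallest_supernet(prefixes):
    """Smallest single prefix that contains every input network."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    candidate = nets[0]
    # Widen the first network one bit at a time until it covers all of them.
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def summarize(prefixes):
    """Return (summary, contiguous, extra_24s).

    contiguous is True when the summary covers exactly the inputs and nothing
    else; extra_24s counts the /24 networks a summary route would advertise in
    addition to the inputs (inputs are assumed to be /24s, as in the text)."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    summary = smallest_supernet(prefixes)
    # collapse_addresses merges adjacent blocks; an exact summary collapses to itself.
    contiguous = list(ipaddress.collapse_addresses(nets)) == [summary]
    covered = sum(n.num_addresses for n in nets)
    extra_24s = (summary.num_addresses - covered) // 256
    return summary, contiguous, extra_24s


# The two subnet lists from the text.
CONTIGUOUS = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]
DISCONTIGUOUS = ["192.168.1.0/24", "192.168.4.0/24", "192.168.17.0/24", "192.168.240.0/24"]

if __name__ == "__main__":
    for group in (CONTIGUOUS, DISCONTIGUOUS):
        summary, ok, extra = summarize(group)
        verdict = "exact summary" if ok else f"would also cover {extra} other /24s"
        print(f"{', '.join(group)} -> {summary}: {verdict}")
```

For the contiguous list the result is 192.168.0.0/22 with no extra networks; for the discontiguous list the smallest covering prefix is 192.168.0.0/16, which drags in 252 unrelated /24s, which is exactly why such a summary cannot be advertised safely.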
VPN -
What is VPN?
Virtual Private Network (VPN) creates a secure network connection over a public network such as the internet. It allows devices to exchange data through a secure virtual tunnel. It uses a combination of security features like encryption, authentication, tunneling protocols, and data integrity to provide secure communication between participating peers.
What is IPSec VPN?
IP Security Protocol VPN means a VPN over IP Security (IPsec). It allows two or more users to communicate in a secure manner by authenticating and encrypting each IP packet of a communication session. IPsec provides data confidentiality, data integrity and data authentication between participating peers. IPsec works on unicast traffic.
What is Site to Site and Remote Access VPN?
A site-to-site VPN allows offices in multiple locations to establish secure connections with each other over a public network such as the Internet.
A Remote Access VPN allows remote users to connect to the headquarters through a secure tunnel that is established over the Internet. The remote user is able to access internal, private web pages and perform various IP-based network tasks. There are two primary methods of deploying Remote Access VPN:-
1. Remote Access IPsec VPN.
2. Remote Access Secure Sockets Layer (SSL) VPN.
What are the three main security services that IPSec VPN provides?
IPsec offers the following security services:-
1. Peer authentication.
2. Data confidentiality.
3. Data integrity.
What is Authentication, Integrity & Confidentiality ?
Authentication - Verifies that the packet received is actually from the claimed sender. It verifies the authenticity of sender. Pre-shared Key, Digital Certificate are some methods that can be used for authentication.
Integrity - Ensures that the contents of the packet have not been altered in transit by a man-in-the-middle. Hashing algorithms include MD5 and SHA.
Confidentiality - Encrypts the message content through encryption so that data is not disclosed to unauthorized parties. Encryption algorithms include DES (Data Encryption Standard), 3DES (Triple-DES), AES (Advanced Encryption Standard).
What is the difference between Transport and Tunnel mode?
Tunnel mode - Protects data in network-to-network or site-to-site scenarios. It encapsulates and protects the entire original IP packet, the payload together with the original IP header, behind a new IP header (protects the entire IP payload including user data).
Transport mode - Protects data in host-to-host or end-to-end scenarios. In transport mode, IPsec protects the payload of the original IP datagram but not its IP header (only the upper-layer protocols of the IP payload, i.e. user data, are protected). The IPsec protocols AH and ESP can operate in either transport mode or tunnel mode.
What are the 3 protocols used in IPSec?
1. Authentication Header (AH).
2. Encapsulating Security Payload (ESP).
3. Internet Key Exchange (IKE).
What is IKE?
It is a hybrid protocol that implements Oakley and SKEME key exchanges inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. It defines the mechanism for creating and exchanging keys. IKE derives authenticated keying material and negotiates SAs that are used for ESP and AH protocols.
On what protocol does IKE work?
IKE uses UDP port 500.
Explain IPsec Protocol Headers?
1. Encapsulating Security Payload (ESP) - It is an IP-based protocol which uses port 50 for communication between IPsec peers. ESP is used to protect the confidentiality, integrity and authenticity of the data and offers anti-replay protection.
Drawback - ESP does not provide protection to the outer IP header.
2. Authentication Header (AH) - It is also an IP-based protocol that uses port 51 for communication between IPsec peers. AH is used to protect the integrity and authenticity of the data and offers anti-replay protection. Unlike ESP, AH provides protection to the IP header also.
Drawback - AH does not provide confidentiality protection.
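Both ESP and AH offer the anti-replay protection mentioned above by checking the sequence number carried in their headers against a sliding window of recently accepted numbers. The following is an added example for this page, not code from the original notes: a Python model of that check (the ESP form is specified in RFC 4303), using an assumed window size of 64 and a constructed arrival order that exercises in-order, replayed, late, and too-old packets.

```python
"""Sliding-window anti-replay check of the kind ESP and AH perform on the
sequence number in their headers (RFC 4303 describes the ESP form). Added
example for this page, not code from the original notes; the window size of
64 is an assumption (implementations commonly allow larger windows)."""


class ReplayWindow:
    """Tracks the highest sequence number seen and a bitmap of the most recent ones."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (top - i) already seen

    def check_and_update(self, seq):
        """Return True and record the packet if seq is new and inside the window,
        otherwise False (the packet must be dropped and the event logged)."""
        if seq == 0:
            return False   # sequence numbers start at 1 on a fresh SA
        if seq > self.top:
            # Packet to the right of the window: slide the window forward.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False   # too old: falls left of the window
        bit = 1 << diff
        if self.bitmap & bit:
            return False   # duplicate: a replayed packet
        self.bitmap |= bit
        return True


def replay_check_trace(seqs, size=64):
    """Run a sequence of incoming sequence numbers through one window and
    return the list of (seq, accepted) decisions."""
    win = ReplayWindow(size)
    return [(s, win.check_and_update(s)) for s in seqs]


# Constructed arrival order: in-order packets, a replayed 3, a late 4, a jump
# to 100, then packets just outside (36) and just inside (37) the new window,
# and an old packet (4) that is now far outside it.
SAMPLE_ARRIVALS = [1, 2, 3, 3, 5, 4, 100, 36, 37, 4]

if __name__ == "__main__":
    for seq, ok in replay_check_trace(SAMPLE_ARRIVALS):
        print(f"seq {seq:>3}: {'accept' if ok else 'DROP'}")
```

The second 3 and the final 4 are the replay and too-old cases a receiver must drop; the late 4 after 5 is accepted because reordering within the window is legitimate. Note that the check only has meaning when the integrity check (ESP with authentication, or AH) has already passed, since otherwise the sequence number itself could be forged.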
Explain how IKE/ISAKMP Works?
IKE is a two-phase protocol: Phase 1 and Phase 2.
IKE phase 1 negotiates the following:-
1. It protects the phase 1 communication itself (using crypto and hash algorithms).
2. It generates a session key using Diffie-Hellman groups.
3. Peers authenticate each other using a pre-shared key, public key encryption, or a digital signature.
4. It also protects the negotiation of the phase 2 communication.
There are two modes in IKE phase 1:-
Main mode - Total Six messages are exchanged in main mode for establishing phase 1 SA.
Aggressive mode - It is faster than the main mode as only three messages are exchanged in this mode to establish phase 1 SA. It is faster but less secure. At the end of phase 1, a bidirectional ISAKMP/IKE SA (phase 1 SA) is established for IKE communication.
Phase 2
IKE phase 2 protects the user data and establishes SA for IPsec.
There is one mode in IKE phase 2:-
Quick mode - In this mode three messages are exchanged to establish the phase 2 IPsec SA.
At the end of phase 2 negotiations, two unidirectional IPsec SAs (Phase 2 SA) are established for user data —one for sending and another for receiving encrypted data.
Explain the messages exchange between the peers in IKE/ISAKMP?
Phase 1 - Main Mode
MESSAGE 1: The initiator offers a policy proposal which includes the encryption, authentication and hashing algorithms (like AES or 3DES, PSK or PKI, MD5 or RSA).
MESSAGE 2: The responder presents policy acceptance (or not).
MESSAGE 3: The initiator sends its Diffie-Hellman key and nonce.
MESSAGE 4: The responder sends its Diffie-Hellman key and nonce.
MESSAGE 5: The initiator sends its ID and the pre-shared key or certificate exchange for authentication.
MESSAGE 6: The responder sends its ID and the pre-shared key or certificate exchange for authentication.
Only the first four messages are exchanged in clear text. After that all messages are encrypted.
Phase 2 - Quick Mode
MESSAGE 7: Initiator sends Hash, IPSec Proposal, ID, nonce.
MESSAGE 8: Responder sends Hash, IPSec Proposal, ID, nonce.
MESSAGE 9: Initiator sends signature, hash, ID.
All messages in Quick mode are encrypted.
What is Diffie-Hellman?
DH is a public-key cryptography protocol which allows two parties to establish a shared secret over an insecure communications channel. Diffie-Hellman is used within IKE to establish session keys and is a component of Oakley.
How does Diffie-Hellman work?
Each side has a private key, which is never passed, and a Diffie-Hellman key (a public key used for encryption). When both sides want to do a key exchange they send their public key to each other. For example, Side A gets the public key of Side B, then using the RSA it creates a shared key which can only be opened on Side B with Side B's private key. So, even if somebody intercepts the shared key he will not be able to reverse engineer it, as only the private key of Side B will be able to open it.
What are Security Associations?
The SAs define the protocols and algorithms to be applied to sensitive packets and specify the keying material to be used by the two peers. SAs are unidirectional and are established per security protocol (AH or ESP).
What is Transform set?
An IKE transform set is a combination of security protocols and algorithms. During the IPsec SA negotiation, the peers agree to use a particular transform set for protecting a particular data flow.
What are Crypto access lists?
Crypto access lists specify which IP traffic is protected by crypto and which traffic is not. To protect IP traffic, the "permit" keyword is used in the access list. If the traffic is not to be protected, the "deny" keyword is used in the access list.
What are Crypto map?
A crypto map is used to pull together the various parts used to set up IPsec SAs, including:-
1. Which traffic should be protected by IPsec (crypto access list).
2. Where IPsec-protected traffic should be sent (remote IPsec peer).
3. What IPsec SA should be applied to this traffic (transform sets).
Multiple interfaces can share the same crypto map set in case we want to apply the same policy to multiple interfaces. If more than one crypto map entry is created for a given interface, then the sequence number of each map entry ranks the entries: the lower the seq-num argument, the higher the priority.
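The two rules stated above (a "permit" in the crypto access list means protect, a "deny" means send unprotected, and among several map entries the lowest sequence number is consulted first) can be modelled directly. The following is an added example for this page, not IOS code and not from the original notes: a small Python model of crypto ACL evaluation and crypto map entry selection, with constructed peers, transform-set names and address ranges (RFC 5737 documentation addresses for the peers).

```python
"""Crypto access list and crypto map selection modelled in Python. Added example
for this page, not code from the original notes and not how IOS implements it
internally; peers, transform-set names and address ranges are constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AclEntry:
    action: str   # "permit" = protect with IPsec, "deny" = leave unprotected
    src: str      # source network in prefix notation
    dst: str      # destination network in prefix notation


@dataclass
class CryptoMapEntry:
    seq: int              # lower seq-num = higher priority
    peer: str             # remote IPsec peer the protected traffic is sent to
    transform_set: str    # IPsec SA parameters to apply
    acl: list = field(default_factory=list)   # the crypto access list


def acl_decision(acl, src_ip, dst_ip):
    """First matching entry wins; an access list ends with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in acl:
        if s in ipaddress.ip_network(e.src) and d in ipaddress.ip_network(e.dst):
            return e.action
    return "deny"


def select_crypto_map_entry(crypto_map, src_ip, dst_ip):
    """Evaluate the map entries in ascending seq order and return the first whose
    crypto ACL permits the flow, or None when the packet is forwarded in the clear."""
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if acl_decision(entry.acl, src_ip, dst_ip) == "permit":
            return entry
    return None


# Constructed policy: two site-to-site peers. One subnet of site A is carved
# out of the first entry with an explicit deny, so its traffic to 10.2.0.0/16
# matches no entry and is sent unprotected.
CRYPTO_MAP = [
    CryptoMapEntry(10, "203.0.113.1", "ESP-AES-SHA", [
        AclEntry("deny", "10.1.9.0/24", "10.2.0.0/16"),
        AclEntry("permit", "10.1.0.0/16", "10.2.0.0/16"),
    ]),
    CryptoMapEntry(20, "203.0.113.2", "ESP-AES-SHA", [
        AclEntry("permit", "10.1.0.0/16", "10.3.0.0/16"),
    ]),
]


def describe(src_ip, dst_ip, crypto_map=CRYPTO_MAP):
    """Human-readable decision for one flow, for a quick policy audit."""
    entry = select_crypto_map_entry(crypto_map, src_ip, dst_ip)
    if entry is None:
        return f"{src_ip} -> {dst_ip}: no match, forwarded unprotected"
    return f"{src_ip} -> {dst_ip}: seq {entry.seq}, peer {entry.peer}, {entry.transform_set}"


if __name__ == "__main__":
    for flow in [("10.1.1.5", "10.2.0.9"), ("10.1.1.5", "10.3.7.7"),
                 ("10.1.9.3", "10.2.0.1"), ("10.1.1.5", "198.51.100.7")]:
        print(describe(*flow))
```

Running the flows through the model is a useful way to audit a policy: the explicit deny shows that a "deny" does not mean "drop" but "do not encrypt", which is the kind of silent clear-text leak worth checking for before a crypto map goes live.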
How do you check the status of the tunnel’s phase 1 & 2 ?
Use following commands to check the status of tunnel phases:-
Phase 1 - show crypto isakmp sa
Phase 2 - show crypto ipsec sa
What is PFS (Perfect forward secrecy) ?
PFS ensures that the same key will not be generated again by forcing a new Diffie-Hellman key exchange. This ensures that if a hacker or criminal were to compromise a private key, they would only be able to access the data in transit protected by that key and not any future data, as future data would not be associated with that compromised key.
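The Diffie-Hellman exchange described earlier (the public values and nonces carried in IKE main mode messages 3 and 4) and the PFS property described here are both demonstrated by the following added example, which is not code from the original notes. It runs finite-field Diffie-Hellman, derives a phase 1 key on both sides, then compares a phase 2 key derived without PFS against one derived with a fresh exchange. Assumptions: the group is a freshly generated 64-bit safe prime (toy size; real IKE groups are far larger), G = 4 is used as a generator of the order-q subgroup, and derive_key is a simplified HMAC-SHA256 stand-in for the IKE PRF chain, not the real IKE key schedule.

```python
"""Finite-field Diffie-Hellman as IKE phase 1 uses it, plus what Perfect Forward
Secrecy changes for phase 2. Added example for this page, not code from the
original notes. The group is a freshly generated 64-bit safe prime (toy size)
and derive_key is a simplified HMAC stand-in for the IKE PRF."""
import hashlib
import hmac
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin test, sufficient for generating the toy group."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_safe_prime(bits=64):
    """Return (p, q) with p = 2q + 1 and both prime."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p, q


P, Q = make_safe_prime()   # toy group parameters, regenerated on every run
G = 4                      # a quadratic residue, hence of order Q in this group


def dh_keypair():
    """Private exponent (never sent) and public value G^x mod P (sent to the peer)."""
    priv = secrets.randbelow(Q - 1) + 1
    return priv, pow(G, priv, P)


def dh_shared_secret(my_priv, peer_pub):
    """Reject values outside the order-Q subgroup, then compute G^(xy) mod P."""
    if not 2 <= peer_pub <= P - 2 or pow(peer_pub, Q, P) != 1:
        raise ValueError("peer public value is not a valid group element")
    return pow(peer_pub, my_priv, P)


def derive_key(shared, nonce_i, nonce_r, label):
    """Session key from the shared secret, both nonces and a purpose label (simplified PRF)."""
    secret_bytes = shared.to_bytes((P.bit_length() + 7) // 8, "big")
    return hmac.new(nonce_i + nonce_r, secret_bytes + label, hashlib.sha256).digest()


def phase1_exchange():
    """Initiator and responder each derive the phase 1 key from their own private value."""
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    i_priv, i_pub = dh_keypair()
    r_priv, r_pub = dh_keypair()
    shared_i = dh_shared_secret(i_priv, r_pub)   # initiator side
    shared_r = dh_shared_secret(r_priv, i_pub)   # responder side
    return {"shared": shared_i, "nonces": (nonce_i, nonce_r),
            "key_i": derive_key(shared_i, nonce_i, nonce_r, b"phase1"),
            "key_r": derive_key(shared_r, nonce_i, nonce_r, b"phase1")}


def phase2_key_without_pfs(phase1_shared, nonce_i, nonce_r):
    """No PFS: the IPsec SA key comes from the phase 1 secret plus fresh nonces only."""
    return derive_key(phase1_shared, nonce_i, nonce_r, b"phase2")


def phase2_key_with_pfs(nonce_i, nonce_r):
    """PFS: a brand-new DH exchange is run for every phase 2 SA."""
    i_priv, i_pub = dh_keypair()
    r_priv, r_pub = dh_keypair()
    return derive_key(dh_shared_secret(i_priv, r_pub), nonce_i, nonce_r, b"phase2")


def compromise_scenario():
    """Suppose the phase 1 shared secret leaks later; nonces are always visible on
    the wire. Report whether that leak lets an attacker rebuild each phase 2 key."""
    p1 = phase1_exchange()
    n_i, n_r = secrets.token_bytes(16), secrets.token_bytes(16)
    real_no_pfs = phase2_key_without_pfs(p1["shared"], n_i, n_r)
    real_pfs = phase2_key_with_pfs(n_i, n_r)
    attacker_guess = derive_key(p1["shared"], n_i, n_r, b"phase2")
    return {"no_pfs_recovered": attacker_guess == real_no_pfs,
            "pfs_recovered": attacker_guess == real_pfs}


if __name__ == "__main__":
    ex = phase1_exchange()
    print("phase 1 keys match:", ex["key_i"] == ex["key_r"])
    print(compromise_scenario())
```

The subgroup check in dh_shared_secret is the defensive detail worth noticing: accepting a public value of 0, 1 or P-1 would force the shared secret to a trivial value, so a receiver validates the peer's value before using it. The compromise scenario shows the PFS point concretely: with the phase 1 secret and the public nonces an attacker recomputes the non-PFS phase 2 key exactly, but the PFS key depends on a fresh private exponent that never left either peer.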
What is IPsec Virtual Tunnel Interface?
IPSec VTI is the concept of using a dedicated IPsec interface called IPsec Virtual Tunnel Interface for highly scalable IPsec-based VPNs. IPsec VTI provides a routable interface for terminating IPsec tunnels. VTI also allows the encrypting of multicast traffic with IPsec.
There are two types of IPsec VTI interfaces:
1. Static VTI (SVTI): This can be used for site-to-site IPsec-based VPNs.
2. Dynamic VTI (DVTI): DVTI replaces dynamic crypto maps. It can be used for remote-access VPNs.
What is the difference between Static Crypto Maps and Dynamic Crypto Maps?
Static crypto maps are used when the peers are predetermined; they are basically used in IPsec site-to-site VPNs. Dynamic crypto maps are used with networks where the peers are not always predetermined; they are basically used in IPsec Remote Access VPNs.
What is DMVPN?
DMVPN allows IPsec VPN networks to better scale hub-to-spoke and spoke-to-spoke topologies, optimizing the performance and reducing latency for communications between sites. It offers the following benefits:-
1. It optimizes network performance.
2. It reduces router configuration on the hub.
3. Support for dynamic routing protocols running over the DMVPN tunnels.
4. Support for multicast traffic from hub to spokes.
5. The capability of establishing direct spoke-to-spoke IPsec tunnels for communication between sites without having the traffic go through the hub.
Explain Next Hop Resolution Protocol (NHRP)?
It is a Layer 2 protocol which is used to map a tunnel IP address to an NBMA address. It functions similarly to ARP. The hub maintains an NHRP database of the public addresses of each spoke. When a spoke boots up, it registers its real address with the hub and queries the NHRP database for the real addresses of the other spokes so that they can build direct tunnels.
What is GRE?
Generic Routing Encapsulation Protocol is a tunneling protocol developed by Cisco designed to encapsulate IP unicast, multicast and broadcast packets. It uses IP protocol number 47.
What is SSL VPN? How it is different from IPsec VPN?
SSL VPN provides remote access connectivity from any internet-enabled device through a standard web browser and its native SSL encryption. It does not require any special client software at the remote site. In an IPsec VPN the connection is initiated using preinstalled VPN client software, so it requires the installation of special client software. In an SSL VPN the connection is initiated through a web browser, so it does not require any special-purpose VPN client software; only a web browser is required.
At which Layer does SSL VPN operates?
SSL is an Application layer (Layer 7) cryptographic protocol that provides secure communications over the Internet for web browsing, e-mail and other traffic. It uses TCP port 443.
What are different SSL VPN Modes?
SSL VPN can be deployed in one of the following three modes:-
1. Clientless mode - It works at Layer 7. Clientless mode provides secure access to web resources and web-based content. This mode can be used for accessing most content that you would expect to access in a web browser, such as Internet, databases and online tools. Clientless mode also supports the Common Internet File System (CIFS). Clientless mode is limited to web-based content only; it does not provide access to TCP connections such as SSH or Telnet.
2. Thin client mode - It works at Layer 7 and is also known as port forwarding. Thin client mode provides remote access to TCP-based services such as Telnet, Secure Shell (SSH), Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP) and Post Office Protocol (POP3) applications. The thin client is delivered via a Java applet that is dynamically downloaded from the SSL VPN appliance upon session establishment.
3. Thick client mode - It works at Layer 3 and is also known as tunnel mode or full tunneling client. The thick client mode provides extensive application support through dynamically downloaded SSL VPN Client software or the Cisco AnyConnect VPN client software from the VPN server appliance. This mode delivers a lightweight, centrally configured, and easy-to-support SSL VPN tunneling client that provides full network layer (Layer 3) access to virtually any application.
Explain SSL Handshake?
1. The client initiates by sending a CLIENT HELLO message which contains the SSL versions that the client supports, in the client's order of preference, the cipher suites (cryptographic algorithms) supported by the client, and a random number.
2. The server sends back a SERVER HELLO message which contains the version number (the server selects the SSL version that is supported by both the server and the client), the cipher suite (the server selects the best cipher suite that is supported by both of them), a session ID, and random data.
3. The server also sends its PKI certificate, signed and verified by a Certificate Authority, to authenticate itself, along with the public key for encryption.
4. The server then sends Server Hello Done, indicating that the server has finished sending its hello messages and is waiting for a response from the client.
5. The client sends its certificate if the server also requested client authentication in the server hello message.
6. The client sends a Client Key Exchange message after calculating the premaster secret with the help of the random values of both the server and the client. This message is encrypted with the server's public key that was shared through the hello message.
The server decrypts the premaster secret with its private key. Now both client and server perform a series of steps to generate the (symmetric) session keys which are used for encryption and decryption of the data exchanged during the SSL session and also to verify its integrity.
7. The client sends a CHANGE CIPHER SUITE message informing the server that future messages will be encrypted using the session key.
8. The client sends a CLIENT FINISH (DONE) message indicating that the client is done.
9. The server also sends a CHANGE CIPHER SUITE message.
10. The client also sends a CLIENT FINISH (DONE) message.
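The "series of steps to generate session keys" after the Client Key Exchange is the part of the handshake that is easiest to show in code. The following is an added example for this page, not code from the original notes: it implements the TLS 1.2 key schedule from RFC 5246 (the PRF built on HMAC-SHA256), derives the 48-byte master secret from the premaster secret and the two hello randoms, and expands it into the per-direction MAC keys, encryption keys and IVs. The premaster secret and random values are constructed here; the 32-byte MAC, 16-byte key and 16-byte IV sizes are assumptions matching an AES-128-CBC/SHA-256 style suite.

```python
"""TLS 1.2 key schedule (RFC 5246 PRF with HMAC-SHA256): premaster secret to
master secret to per-direction keys. Added example for this page, not code
from the original notes; randoms and the premaster secret are constructed."""
import hashlib
import hmac
import secrets


def p_hash(secret, seed, length):
    """RFC 5246 P_hash: expand secret and seed to the requested number of bytes."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()          # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def prf(secret, label, seed, length):
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def rsa_premaster_secret(version=b"\x03\x03"):
    """48 bytes: the client's highest version followed by 46 random bytes
    (this is what the client encrypts with the server's public key)."""
    return version + secrets.token_bytes(46)


def master_secret(premaster, client_random, server_random):
    """master_secret = PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random)[0..47]"""
    return prf(premaster, b"master secret", client_random + server_random, 48)


def key_block(master, client_random, server_random, mac_len=32, key_len=16, iv_len=16):
    """Split the key expansion output into the six per-direction values.
    Note the seed order is server_random then client_random for this step."""
    total = 2 * (mac_len + key_len + iv_len)
    block = prf(master, b"key expansion", server_random + client_random, total)
    names = ["client_write_mac", "server_write_mac", "client_write_key",
             "server_write_key", "client_write_iv", "server_write_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


def handshake_key_schedule(client_random, server_random, premaster):
    """What each side computes once the premaster secret has been shared."""
    master = master_secret(premaster, client_random, server_random)
    return master, key_block(master, client_random, server_random)


if __name__ == "__main__":
    # Constructed handshake: both randoms from the hellos, premaster from the client.
    cr, sr = secrets.token_bytes(32), secrets.token_bytes(32)
    pms = rsa_premaster_secret()
    master_c, keys_c = handshake_key_schedule(cr, sr, pms)   # client side
    master_s, keys_s = handshake_key_schedule(cr, sr, pms)   # server side, after RSA decrypt
    print("master secrets match:", master_c == master_s)
    for name, value in keys_c.items():
        print(f"{name:>17}: {value.hex()}")
```

Two details matter in practice: the randoms from both hellos enter the derivation, so a replayed Client Key Exchange against a new server random yields different keys, and the client and server write keys are distinct halves of the same key block, so traffic in each direction is protected under its own key.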
What is Cisco Easy VPN?
Remote Access VPN when implemented with IPsec is called Cisco Easy VPN. The Easy VPN is easy to set up, with minimal configuration required at the remote client site. Cisco Easy VPN allows us to define centralized security policies at the head-end VPN device (VPN Server) which are then pushed to the remote site VPN device upon connection.