Top 100+ Virtual Private Network (VPN) Interview Questions And Answers
Question 1. Can You List Some Items For A VPN Checklist From Deciding Whether To Use, Then Selecting, Then Deploying, Then Maintaining VPN?
Answer :
Well, IPSEC - real IPSEC as it exists today - is still morphing, but not so much that one shouldn't require it as a foundation for a VPN.
So we might have:
IPSEC compliant (which includes ISAKMP/Oakley)
Interoperability with other IPSEC-compliant vendors
Strong encryption, long key length
If the VPN solution is not part of the firewall (which is fine), will it work with the firewall?
Does the VPN product work both with and without trust? (Remember, it requires working closely with the firewall.)
For an "add on" VPN, does it work together with the firewall, or does it simply sidestep the firewall? (I'm not suggesting one way is good and the other bad, but it may be something the security manager cares about, and the answer should be known.)
Does the VPN support automatic creation of user-level VPNs (for mobile users)? In a very large enterprise, the system manager would probably rather not have to create VPN accounts for every user by hand.
Has the VPN been certified by a recognized organization? (The ICSA has a certification and testing process for VPNs. Others probably exist as well.)
Question 2. What Are Unreasonable Expectations For VPN?
Answer :
With firewalls, we went from a very small number of security-savvy organizations using real firewalls to firewalls becoming a "must have" on a checklist. But somehow, having a firewall became synonymous with "all my Internet security problems are solved!" VPNs and IPSEC have started off that way too. There has been a lot of "When we have IPSEC on the desktop we won't need firewalls." This is nonsense. VPNs cannot enforce security policies, they cannot detect misuse or mistakes, and they cannot regulate access. VPNs can do what they were intended to do: keep communications private.
Question 3. What Are Reasonable Expectations For A VPN?
Answer :
Privacy from end to end. The cryptography used, generally speaking, is very good. Whatever you do that is encrypted is very well hidden from sniffers on the net. Whatever isn't encrypted, you might as well shout from the rooftops or post on your web page.
Question 4. What Kind Of Resources (Staff, Computational Muscle, Bandwidth, Etc.) Are Required For VPN Deployment, Usage, Maintenance?
Answer :
VPNs are usually treated as just another task by the network or system administration staff. Whoever is managing the firewall today can easily add VPN management to the plate, because once a VPN is set up there is little else to do on most implementations.
Question 5. What Firewall Issues Are Relevant To VPN Selection And Deployment?
Answer :
Well, the perimeter security issues mentioned above, plus a firewall should give the option of VPN with or without trust. For example, I might choose all sessions between my firewall and my customers and business partners to be encrypted - to be VPNs. But I want all of them to run up against my firewall if they try to do anything except what I allow. On the other hand, if I dial in from the speaker's lounge at a conference, I would like a private connection (that is to say, encrypted) that also looks and feels like a virtual "inside" connection, just as if I were sitting in the office.
Question 6. What Is The Relationship Between VPN And Firewalls?
Answer :
While VPNs were available before firewalls through encrypting modems and routers, they came into common use running on or with firewalls. Today, most people would expect a firewall vendor to offer a VPN option. (Even though most people today don't use VPNs.) Also, they want it managed through the same firewall management interface. But then, customers today seem to want almost everything on the firewall: mail server, name server, proxy servers for HTTP, FTP server, directory server, and so on. That's bad, and a topic in itself.
Question 7. Are There Applications Or Environments In Which VPNs Would Really Be Detrimental?
Answer :
Only the things you want everyone to be able to eavesdrop on. In general, the answer is "no," but if a VPN is in use from a machine behind a firewall to a machine outside the firewall, the firewall cannot enforce an organization's security policy beyond connection rules.
Question 8. Are VPNs Used For Specific Kinds Of Applications Or Environments? If So, What Are Some Examples Of Where And Why VPNs Would Be Deployed?
Answer :
VPNs should be used for all data exchange. I don't want to have to "go encrypted" when something secret is about to be sent. I want everything to be encrypted. It should be as common as people sending postal mail in sealed envelopes. It will also ensure that the VPN mechanism is working.
Question 9. What Crypto Issues Are Relevant In The VPN Context?
Answer :
Businesses that understand the use of crypto for privacy in electronic files also recognize the need for emergency recovery of that data. Whether this is accomplished by saving an individual's private key data, encrypting it with a trusted third party's key, or saving all keys used to encrypt all files, it is well understood that some mechanism is needed for the recovery of encrypted files owned by an individual (by the individual) or by a company (by the company, for business or law enforcement reasons). Key recovery of session keys used to encrypt a network connection is a requirement of law enforcement. VPNs should use the strongest crypto available and feasible given the hardware on which it is being run. Weak cryptography (for example, 40-bit key length) should be completely avoided.
Question 10. What Kind Of Performance Issues Does VPN Raise?
Answer :
Encryption takes more horsepower than sending data in the clear. It really shows up on mobile PCs transmitting large chunks of data - for example, a PowerPoint presentation - over a dial-up phone line. Firewalls and other server systems should employ hardware crypto engines. With these there are no performance problems. I expect that this capability for mobile PCs will migrate to PC cards with crypto engines. When will this happen? Within the next 18 months.
Question 11. Who Are The Major Players In The Market?
Answer :
Aventail is a leader in this market. All the major firewall vendors and router vendors are in it as well. On the client side, Timestep and V-ONE are big.
Question 12. What Are Some Of The Tough Questions To Pose To VPN Product Vendors?
Answer :
Many vendors claim to be IPSEC-compliant. The real requirement should be "list the other products with which you can talk." Also, a customer should want to know how automated the key exchange mechanism is. In a perfect world - in an IPSEC world - it would be automatic. If a Virtual Network Perimeter (VNP, not VPN) is used, how easy is it to set up the software for mobile PC users? How much does it interfere with normal network operation from a mobile PC?
Question 13. What Security Vulnerabilities Are Unique To Or Heightened By VPN?
Answer :
Even though VPNs provide ubiquitous perimeter protection, firewalls are still needed. Walls around cities went away when it became cheaper to bring them in closer to individual homes. Only a perimeter enforcement mechanism can guarantee adherence to an organization's security policy. However, as part of policy enforcement, a firewall may need to be able to examine the data in a packet. Encryption makes that rather difficult. VPNs - improperly deployed - take away a firewall's ability to audit useful data, or to make decisions beyond the level of "who is allowed to talk to whom." There are ways around this. The simplest way is to make the firewall a trusted third member of the conversation. People who value privacy above everything else chafe at this. But those who value the security of their organization realize that this is a necessity.
Question 14. What Security Vulnerabilities Are Addressed By VPN?
Answer :
VPNs directly protect the privacy of a conversation, and indirectly provide an authentication mechanism for a gateway, site, computer, or individual. Whether you need privacy or not is a function of your business, the nature of what you communicate electronically, and how much it is worth to someone else. Authentication is a side effect, even without IPSEC, because if site A knows it talks to site B over an encrypted channel, and someone else pretends to be site B, they will also have to be able to talk encrypted to site A, since site A expects it and will reciprocate. Typically, the secrets are sufficiently protected that no one could pretend to be site B and pull it off. Again, it comes down to the risk, which is a function of the data you are transmitting. The threats and vulnerabilities are there, in any case. It is very easy to capture traffic on the Internet or on your phone line. Is it important enough data to care? That is the question that most people answer wrong. It is my experience that while people may understand the value of what they have, and they may understand the risk of losing or compromising what they have, few recognize both at the same time.
Question 15. Is VPN A Long-term Solution Or A Short-term Stop-gap Kind Of Thing?
Answer :
VPNs are long-term solutions. VPNs may become ubiquitous and transparent to the user, but they will not go away, because the problem VPNs address - privacy over a public network - will not go away. VPNs will exist from the desktop to the server, and at the IP packet level as well as the application data level.
Question 16. Is There Market Penetration For These Products?
Answer :
Those companies that were early adopters of firewalls are the ones using VPNs today. VPNs are still early in the use cycle. Three years ago, they hardly existed. Then firewall products started to include them - first ANS Interlock, then TIS Gauntlet. Soon, customers started demanding VPN capability in their firewalls, even though few of them actually used it. But the Security Architecture for Internet Protocol (IPSEC) standard is changing that - with IPSEC-compliant off-the-shelf products, the use of encryption to protect the privacy of communications can be an automatic choice. It may take a while. I predicted that 1998 would be the "Year of the VPN," but perhaps 1999 is more realistic. Look, over four years after the famous Internet password sniffing incident, most people still seem to be working with reusable passwords.
Question 17. What Is A Virtual Private Network (VPN)?
Answer :
The term Virtual Private Network (VPN) means "an encrypted connection from one point to another over any network giving the illusion of being a private network." Originally, Marcus Ranum and I coined the term "virtual network perimeter," which in today's language means a VPN with trust - i.e., a network security perimeter extended to include other offices and remote users through a VPN link plus a common name space, security policies, and management. Of course, networks aren't private unless encryption is being employed. To put it plainly, unless you own the space around every wire, fiber, or radio signal used in the communication path, your connection is not private unless it is encrypted.
Question 18. What Is Authentication, Confidentiality & Integrity?
Answer :
Authentication - Verifies that the packet received is actually from the claimed sender. It verifies the authenticity of the sender. Pre-shared key and digital certificate are some techniques that can be used for authentication.
Integrity - Ensures that the contents of the packet have not been altered in transit by a man-in-the-middle. Hashing algorithms include MD5 and SHA.
Confidentiality - Encrypts the message content so that data is not disclosed to unauthorized parties. Encryption algorithms include DES (Data Encryption Standard), 3DES (Triple-DES) and AES (Advanced Encryption Standard).
Question 19. What Is Symmetric And Asymmetric Encryption?
Answer :
In symmetric encryption, a single key is used both to encrypt and decrypt traffic. It is also referred to as shared key or shared secret encryption. Symmetric encryption algorithms include DES, 3DES and AES.
In asymmetric encryption, two keys are used to encrypt and decrypt traffic: one for encryption and one for decryption. The most common asymmetric encryption algorithm is RSA.
Question 20. What Is IPsec VPN?
Answer :
IP Security Protocol VPN means VPN over IP Security. It allows two or more users to communicate in a secure manner by authenticating and encrypting each IP packet of a communication session. IPsec provides data confidentiality, data integrity and data authentication between participating peers.
Question 21. At What Layer Does IPsec Work?
Answer :
IPsec secures IP traffic at Layer 3 (Network Layer) of the OSI model.
Question 22. Name A Major Drawback Of IPsec?
Answer :
IPsec only supports unicast IP traffic.
Question 23. What Is The Difference Between Transport And Tunnel Mode?
Answer :
Tunnel mode - Protects data in network-to-network or site-to-site scenarios. It encapsulates and protects the entire IP packet - the payload together with the original IP header - and adds a new IP header (it protects the complete IP packet including the user data).
Transport mode - Protects data in host-to-host or end-to-end scenarios. In transport mode, IPsec protects the payload of the original IP datagram but excludes the IP header (it protects only the higher-layer protocols of the IP payload, i.e. the user data).
The IPsec protocols AH and ESP can operate in both transport mode and tunnel mode.
Question 24. What Are The Three Main Security Services That IPsec VPN Provides?
Answer :
IPsec provides the following security services:-
Peer Authentication.
Data confidentiality.
Data integrity.
Question 25. Define Digital Signatures?
Answer :
A digital signature is an attachment to an electronic message used for security purposes. It is used to verify the authenticity of the sender.
Question 26. What Is Authorization?
Answer :
Authorization is a security mechanism used to determine user/client privileges or access levels related to network resources, including firewalls, routers, switches and application features. Authorization is normally preceded by authentication; during authorization, it is the system that verifies an authenticated user's access policies and either grants or refuses resource access.
Question 27. What Is Site To Site And Remote Access VPN?
Answer :
A site-to-site VPN allows offices in multiple locations to establish secure connections with each other over a public network such as the Internet.
Remote Access VPN allows remote users to connect to the headquarters through a secure tunnel that is established over the Internet. The remote user is able to access internal, private web pages and perform various IP-based network tasks.
There are two primary methods of deploying Remote Access VPN:-
Remote Access IPsec VPN.
Remote Access Secure Sockets Layer (SSL) VPN.
Question 28. What Are The Three Protocols Used In IPsec?
Answer :
Authentication Header (AH).
Encapsulating Security Payload (ESP).
Internet Key Exchange (IKE).
Question 29. Explain IPsec Protocol Headers?
Answer :
1. Encapsulating Security Payload (ESP) - It is an IP-based protocol which uses port 50 for communication between IPsec peers. ESP is used to protect the confidentiality, integrity and authenticity of the data and provides anti-replay protection.
Drawback - ESP does not provide protection to the outer IP header.
2. Authentication Header (AH) - It is also an IP-based protocol that uses port 51 for communication between IPsec peers. AH is used to protect the integrity and authenticity of the data and provides anti-replay protection.
Unlike ESP, AH provides protection to the IP header as well.
Drawback - AH does not provide confidentiality protection.
Question 30. How Do ESP & AH Provide Anti-replay Protection?
Answer :
Both the ESP and AH protocols provide anti-replay protection based on sequence numbers. The sender increments the sequence number after each transmission, and the receiver checks the sequence number and rejects the packet if it is out of sequence.
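Because packets can legitimately arrive out of order, the receiver does not demand strictly increasing sequence numbers; it keeps a sliding window and rejects only packets that are duplicates or fall behind the window. The following is an added example (not code from this page) of that receiver-side check as a Python class, using the 64-packet minimum window that RFC 4303 recommends for ESP. The packet sequence in SAMPLE is constructed for the illustration.

```python
class ReplayWindow:
    """Receiver-side anti-replay state for one inbound SA (ESP or AH).

    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    records whether sequence number (top - i) has already been received.
    The window width defaults to the 64-packet minimum from RFC 4303.
    """

    def __init__(self, size=64):
        self.size = size
        self.top = 0
        self.bitmap = 0
        self.mask = (1 << size) - 1

    def accept(self, seq):
        """Return True and record `seq` if it is new and inside the window,
        otherwise False (the packet should be dropped and the drop counted)."""
        if seq == 0:
            return False                      # 0 is never a valid ESP/AH sequence number
        if seq > self.top:                    # newer than anything seen: slide the window
            shift = seq - self.top
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            else:
                self.bitmap = 1               # jumped past the whole window
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                      # older than the window: too late, drop
        if (self.bitmap >> offset) & 1:
            return False                      # already received: replay, drop
        self.bitmap |= 1 << offset            # late but genuine reordering: accept once
        return True


def replay_trace(seqs, size=64):
    """Run a list of inbound sequence numbers through one window; True = accepted."""
    win = ReplayWindow(size)
    return [win.accept(s) for s in seqs]


# Constructed inbound sequence: in-order delivery, one reordered packet,
# two replays, a jump past the window, and one packet that arrives too late.
SAMPLE = [1, 2, 3, 5, 4, 4, 2, 200, 130, 137]

if __name__ == "__main__":
    for seq, ok in zip(SAMPLE, replay_trace(SAMPLE)):
        print(f"seq {seq:4d}: {'accept' if ok else 'DROP'}")
```

The decision happens before the costly integrity check in real implementations only for the "outside the window" and "already seen" cases; a packet the window would accept is marked in the bitmap only after its ICV verifies, otherwise an attacker could poison the window with forged sequence numbers. Every drop is worth counting and logging per SA, since a burst of replay drops is a useful detection signal.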
Question 31. What Is IKE?
Answer :
It is a hybrid protocol that implements the Oakley and SKEME key exchanges within the Internet Security Association and Key Management Protocol (ISAKMP) framework. It defines the mechanism for creating and exchanging keys. IKE derives authenticated keying material and negotiates the SAs that are used by the ESP and AH protocols.
Question 32. On What Protocol And Port Does IKE Work?
Answer :
IKE uses UDP port 500.
Question 33. Explain How IKE/ISAKMP Works?
Answer :
IKE is a two-phase protocol:
Phase 1
IKE phase 1 negotiates the following:-
1. It protects the phase 1 communication itself (using crypto and hash algorithms).
2. It generates session keys using Diffie-Hellman groups.
3. Peers authenticate each other using pre-shared keys, public key encryption, or digital signatures.
4. It also protects the negotiation of the phase 2 communication.
There are two modes in IKE phase 1:-
Main mode - A total of six messages are exchanged in main mode to establish the phase 1 SA.
Aggressive mode - It is quicker than main mode, as only three messages are exchanged in this mode to establish the phase 1 SA. It is faster but less secure.
At the end of phase 1, a bidirectional ISAKMP/IKE SA (phase 1 SA) is established for IKE communication.
Phase 2:
IKE phase 2 protects the user data and establishes the SAs for IPsec.
There is one mode in IKE phase 2:-
Quick mode - In this mode three messages are exchanged to establish the phase 2 IPsec SA.
At the end of the phase 2 negotiation, unidirectional IPsec SAs (phase 2 SAs) are established for user data - one for sending and another for receiving encrypted data.
Question 34. Explain The Message Exchange Between The Peers In IKE/ISAKMP?
Answer :
Phase 1 - Main Mode
MESSAGE 1: Initiator offers a policy proposal which includes the encryption, authentication and hashing algorithms (like AES or 3DES, PSK or PKI, MD5 or RSA).
MESSAGE 2: Responder gives policy acceptance (or not).
MESSAGE 3: Initiator sends the Diffie-Hellman key and nonce.
MESSAGE 4: Responder sends the Diffie-Hellman key and nonce.
MESSAGE 5: Initiator sends ID, pre-shared key or certificate exchange for authentication.
MESSAGE 6: Responder sends ID, pre-shared key or certificate exchange for authentication.
Only the first four messages are exchanged in clear text. After that all messages are encrypted.
Phase 2 - Quick Mode:
MESSAGE 7: Initiator sends Hash, IPsec Proposal, ID, nonce.
MESSAGE 8: Responder sends Hash, IPsec Proposal, ID, nonce.
MESSAGE 9: Initiator sends signature, hash, ID.
All messages in Quick mode are encrypted.
Question 35. What Is Diffie-Hellman?
Answer :
DH is a public-key cryptography protocol which allows two parties to establish a shared secret over an insecure communications channel. Diffie-Hellman is used within IKE to establish session keys and is a component of Oakley.
Question 36. How Does Diffie-Hellman Work?
Answer :
Each side has a private key which is never passed, and a Diffie-Hellman key (public key used for encryption). When both sides want to do a key exchange they send their public key to each other. For instance, Side A gets the public key of Side B, then using RSA it creates a shared key that can only be opened on Side B with Side B's private key. So, even if someone intercepts the shared key he will not be able to reverse-engineer it, as only the private key of Side B will be able to open it.
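The exchange that Diffie-Hellman itself performs, as an added example that is not part of the original page: each side keeps a private exponent, puts only its public value on the wire, and both sides arrive at the same shared secret although that secret is never transmitted. This is what IKE phase 1 messages 3 and 4 carry (public value plus nonce). The group is the 1024-bit MODP prime that RFC 2409 defines as IKE group 2; the final SHA-256 step is a simplification of IKE's prf-based key derivation, not the exact SKEYID computation, and the nonces and private exponents in the test are constructed values.

```python
import hashlib
import secrets

# 1024-bit MODP group from RFC 2409 ("group 2"), generator 2. In IKE the group
# is agreed in the phase 1 policy proposal; it is fixed here for the example.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2


def dh_public(private_exp):
    """g^x mod p: the only value a peer sends on the wire."""
    return pow(G, private_exp, P)


def dh_shared_secret(peer_public, private_exp):
    """(g^y)^x mod p, computed locally from the peer's public value and our own exponent.
    Public values of 1 or p-1 are rejected: they would force a trivial shared secret."""
    if not 1 < peer_public < P - 1:
        raise ValueError("peer public value outside the group; reject the exchange")
    return pow(peer_public, private_exp, P)


def derive_key(shared_secret, nonce_i, nonce_r):
    """Simplified stand-in for IKE's prf: hash the shared secret with both nonces so the
    resulting key is fresh per exchange even if a private exponent were ever reused."""
    secret_bytes = shared_secret.to_bytes((P.bit_length() + 7) // 8, "big")
    return hashlib.sha256(secret_bytes + nonce_i + nonce_r).digest()


def run_exchange(priv_a, priv_b, nonce_a, nonce_b):
    """Simulate both peers. Returns (key_a, key_b, wire), where `wire` is everything
    an observer on the path could capture: public values and nonces only."""
    pub_a = dh_public(priv_a)
    pub_b = dh_public(priv_b)
    wire = {"pub_a": pub_a, "pub_b": pub_b, "nonce_a": nonce_a, "nonce_b": nonce_b}
    key_a = derive_key(dh_shared_secret(pub_b, priv_a), nonce_a, nonce_b)
    key_b = derive_key(dh_shared_secret(pub_a, priv_b), nonce_a, nonce_b)
    return key_a, key_b, wire


if __name__ == "__main__":
    a = secrets.randbelow(P - 2) + 1   # private exponents never leave their side
    b = secrets.randbelow(P - 2) + 1
    ka, kb, wire = run_exchange(a, b, secrets.token_bytes(16), secrets.token_bytes(16))
    print("both sides derived the same key:", ka == kb)
    print("observer sees only:", sorted(wire))
```

Note what the example does not provide: nothing in `run_exchange` tells side A that the public value it received really came from side B. That is why IKE phase 1 follows the DH messages with messages 5 and 6, where the peers authenticate with a pre-shared key, public-key encryption or a digital signature; an unauthenticated DH exchange is exactly what a man-in-the-middle can sit inside.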
Question 37. What Are Security Associations?
Answer :
The SAs define the protocols and algorithms to be applied to sensitive packets and specify the keying material to be used by the two peers. SAs are unidirectional and are established per security protocol (AH or ESP).
Question 38. What Is A Transform Set?
Answer :
An IKE transform set is a combination of security protocols and algorithms. During the IPsec SA negotiation, the peers agree to use a particular transform set for protecting a particular data flow.
Question 39. What Are Crypto Access Lists?
Answer :
Crypto access lists specify which IP traffic is protected by crypto and which traffic is not. To protect IP traffic, the "permit" keyword is used in the access list. If the traffic is not to be protected, the "deny" keyword is used in the access list.
Question 40. What Is A Crypto Map?
Answer :
A crypto map is used to pull together the various parts used to set up IPsec SAs, including:-
Which traffic should be protected by IPsec (crypto access list).
Where IPsec-protected traffic should be sent (remote IPsec peer).
What IPsec SA should be applied to this traffic (transform sets).
Multiple interfaces can share the same crypto map set when we want to apply the same policy to multiple interfaces.
If multiple crypto map entries are created for a given interface, the sequence number of each map entry ranks the entries: the lower the seq-num argument, the higher the priority.
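To make the two previous answers concrete, here is an added example (not the page's own code, and not a router's real implementation) that models a crypto map set in Python: each entry has a sequence number, a peer, a transform set and a crypto access list, and the classifier walks the entries in seq-num order and returns the first whose access list permits the flow. The map name, peer addresses (RFC 5737 documentation range), subnets and transform set names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AceEntry:
    """One line of a crypto access list: permit = protect with IPsec, deny = send in the clear."""
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass
class CryptoMapEntry:
    seq: int
    peer: str
    transform_set: str
    acl: list = field(default_factory=list)


def net(s):
    return ipaddress.ip_network(s)


def acl_lookup(acl, src_ip, dst_ip):
    """First-match evaluation, as on a router; unmatched traffic hits the implicit deny."""
    for ace in acl:
        if src_ip in ace.src and dst_ip in ace.dst:
            return ace.action
    return "deny"


def select_entry(crypto_map, src, dst):
    """Return the highest-priority (lowest seq) entry whose ACL permits the flow, else None."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if acl_lookup(entry.acl, src_ip, dst_ip) == "permit":
            return entry
    return None


# Constructed crypto map set "OUTSIDE-MAP" with two entries.
OUTSIDE_MAP = [
    CryptoMapEntry(10, "203.0.113.1", "ESP-AES256-SHA", [
        AceEntry("permit", net("10.1.0.0/16"), net("10.2.0.0/16")),
    ]),
    CryptoMapEntry(20, "203.0.113.2", "ESP-AES128-SHA", [
        AceEntry("deny", net("10.1.1.0/24"), net("10.3.0.0/16")),   # carve-out sent unprotected
        AceEntry("permit", net("10.1.0.0/16"), net("10.3.0.0/16")),
    ]),
]


def describe(src, dst, crypto_map=OUTSIDE_MAP):
    e = select_entry(crypto_map, src, dst)
    if e is None:
        return f"{src} -> {dst}: matches no crypto ACL, forwarded unprotected"
    return f"{src} -> {dst}: seq {e.seq}, peer {e.peer}, {e.transform_set}"


if __name__ == "__main__":
    for flow in [("10.1.5.5", "10.2.0.1"), ("10.1.5.5", "10.3.0.1"),
                 ("10.1.1.9", "10.3.0.1"), ("10.1.5.5", "192.0.2.1")]:
        print(describe(*flow))
```

Two points the model makes visible. A flow that matches no permit in any entry is not dropped but forwarded in the clear, so a crypto ACL that is too narrow silently leaks traffic; and because entries are tried in seq-num order, a broad permit at a low sequence number shadows a more specific entry at a higher one. Both are worth checking when reviewing a crypto map, and the same classifier can be run over a list of expected flows as a configuration test.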
Question 41. Explain The SSL Handshake?
Answer :
The client initiates by sending a CLIENT HELLO message which contains the SSL versions that the client supports, the order in which the client prefers those versions, the cipher suites (cryptographic algorithms) supported by the client, and a random number.
The server sends back a SERVER HELLO message which includes the version number (the server selects the SSL version that is supported by both the server and the client), the cipher suite (the server selects the best cipher suite that is supported by both of them), a session ID and random data.
The server also sends its PKI certificate to authenticate itself, signed and verified by a Certificate Authority, along with the public key for encryption.
The server then sends Server Hello Done, indicating that the server has finished sending its hello messages and is awaiting a response from the client.
The client sends its certificate if the server also requested client authentication in the server hello message.
The client sends a Client Key Exchange message after calculating the premaster secret with the help of the random values of both the server and the client. This message is sent encrypted with the server's public key which was shared via the hello message.
The server decrypts the premaster secret with its private key. Now both client and server perform a series of steps to generate the (symmetric) session keys that will be used for encryption and decryption of the data exchanged during the SSL session, and also to verify its integrity.
The client sends a CHANGE CIPHER SUITE message informing the server that future messages will be encrypted using the session key.
The client sends a CLIENT FINISH (DONE) message indicating that the client is done.
The server also sends a CHANGE CIPHER SUITE message.
The server also sends a SERVER FINISH (DONE) message.
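The "series of steps to generate session keys" and the FINISH message are the parts of the handshake that are easiest to lose sight of, so here is an added example (not from the page) that carries them out as TLS 1.2 specifies them in RFC 5246: the premaster secret and both hello randoms go through the PRF to give the 48-byte master secret, the master secret is expanded into the per-direction MAC keys, cipher keys and IVs, and the verify_data in each FINISH message is the PRF of the master secret over a hash of every handshake message seen so far. The key lengths assume an AES-128-CBC-SHA256 suite, and the premaster secret, randoms and transcript bytes in the test are constructed values.

```python
import hashlib
import hmac


def p_sha256(secret, seed, length):
    """P_SHA256 from RFC 5246 section 5: an HMAC chain expanded to `length` bytes."""
    out = b""
    a = seed                                                  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()      # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret, label, seed, length):
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master, client_random, server_random):
    """48-byte master secret; both sides compute it from identical inputs."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def session_keys(master, client_random, server_random, mac_len=32, key_len=16, iv_len=16):
    """Key block partition from RFC 5246 section 6.3. Note the randoms are in the
    opposite order to the master-secret step. Sizes are for AES-128-CBC-SHA256."""
    block = prf(master, b"key expansion", server_random + client_random,
                2 * (mac_len + key_len + iv_len))
    names = ["client_mac", "server_mac", "client_key", "server_key", "client_iv", "server_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


def finished_verify_data(master, label, handshake_transcript):
    """verify_data carried in the FINISH message: 12 bytes of PRF over the transcript hash.
    label is b"client finished" or b"server finished"."""
    transcript_hash = hashlib.sha256(handshake_transcript).digest()
    return prf(master, label, transcript_hash, 12)


if __name__ == "__main__":
    # Constructed handshake inputs: version bytes 3,3 plus 46 random bytes form the premaster.
    pre_master = bytes([3, 3]) + bytes(range(46))
    client_random, server_random = bytes(32), bytes([1] * 32)
    ms = master_secret(pre_master, client_random, server_random)
    keys = session_keys(ms, client_random, server_random)
    transcript = b"ClientHello|ServerHello|Certificate|ServerHelloDone|ClientKeyExchange"
    print("client_key:", keys["client_key"].hex())
    print("client verify_data:", finished_verify_data(ms, b"client finished", transcript).hex())
```

The transcript hash is what gives the FINISH message its security value: if anyone on the path altered the ClientHello (for example, by removing the stronger cipher suites so the server picks a weak one), the client's and the server's copies of the transcript differ, the verify_data the peer computes will not match the one received, and the handshake fails before any application data is sent.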
Question 42. What Are The Different SSL VPN Modes?
Answer :
SSL VPN can be deployed in one of the following three modes:-
1. Clientless mode - It works at Layer 7. Clientless mode provides secure access to web resources and web-based content. This mode can be used for accessing most content that you would expect to access in a web browser, such as Internet content, databases and online tools. Clientless mode also supports the Common Internet File System (CIFS). Clientless mode is limited to web-based content only. It does not provide access to TCP connections such as SSH or Telnet.
2. Thin client mode - It works at Layer 7 and is also known as port forwarding. Thin client mode provides remote access to TCP-based services such as Telnet, Secure Shell (SSH), Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP) and Post Office Protocol (POP3) applications. The thin client is delivered via a Java applet that is dynamically downloaded from the SSL VPN appliance upon session establishment.
3. Thick client mode - It works at Layer 3 and is also known as tunnel mode or the full tunneling client. Thick client mode provides extensive application support through dynamically downloaded SSL VPN Client software or the Cisco AnyConnect VPN client software from the VPN server appliance. This mode delivers a lightweight, centrally configured, and easy-to-support SSL VPN tunneling client that provides full network layer (Layer 3) access to virtually any application.
Question 43. At Which Layer Does SSL VPN Operate?
Answer :
SSL is an Application layer (Layer 7) cryptographic protocol that provides secure communications over the Internet for web browsing, e-mail and other traffic. It uses TCP port 443.
Question 44. What Is SSL VPN? How Is It Different From IPsec VPN?
Answer :
SSL VPN provides remote access connectivity from any Internet-enabled device through a standard web browser and its native SSL encryption. It does not require any special client software at the remote site. In IPsec VPN the connection is initiated using preinstalled VPN client software, so it requires installation of special client software. In SSL VPN the connection is initiated through a web browser, so it does not require any special-purpose VPN client software; only a web browser is required.
Question 45. Name A Major Drawback Of Both GRE & L2TP?
Answer :
No encryption.
Question 46. What Is GRE?
Answer :
Generic Routing Encapsulation Protocol is a tunneling protocol developed by Cisco, designed to encapsulate IP unicast, multicast and broadcast packets. It uses IP protocol number 47.
Question 47. Explain Next Hop Resolution Protocol (NHRP)?
Answer :
It is a Layer 2 protocol which is used to map a tunnel IP address to an NBMA address. It functions similarly to ARP. The hub maintains an NHRP database of the public addresses for each spoke. When a spoke boots up, it registers its real address with the hub and queries the NHRP database for the real addresses of other spokes so that it can build direct tunnels.
Question 48. What Are The Three Phases Of DMVPN?
Answer :
Phase 1 - In phase 1 we use NHRP so that spokes can register themselves with the hub. Only the hub uses a multipoint GRE interface; all spokes use regular point-to-point GRE tunnel interfaces, which means there is no direct spoke-to-spoke communication and all traffic has to go through the hub.
The main benefit of the phase 1 setup is that the hub router's configuration is much simpler. Summarization is possible in phase 1.
Phase 2 - In phase 2 all spoke routers also use multipoint GRE tunnels, so we do have direct spoke-to-spoke tunneling. When a spoke router wants to communicate with another spoke it sends an NHRP resolution request to the hub to find the NBMA IP address of the other spoke. Summarization is not possible in phase 2.
Full Process
1. Spoke 1 forwards a packet with a next hop which is another spoke (spoke 2). There is no NHRP map entry for this spoke, so an NHRP resolution request is sent to the hub.
2. The request from spoke 1 contains the tunnel IP address of spoke 2, so the hub relays the request to spoke 2.
3. Spoke 2 receives the request, adds its own address mapping to it and sends it as an NHRP reply directly to spoke 1.
4. Spoke 2 then sends its own NHRP resolution request to the hub, which relays it to spoke 1.
5. Spoke 1 receives the request from spoke 2 via the hub and replies by adding its own mapping to it and sending it directly to spoke 2.
The spoke-to-spoke tunnel is established.
Phase 3 - In phase 3 an NHRP redirect configured on the hub tells the initiator spoke to look for a better path to the destination spoke. On receiving the NHRP redirect message the spokes communicate with each other over the hub and receive their NHRP replies for the NHRP Resolution Requests that they sent out.
NHRP shortcut configured on the spoke updates the CEF table. It basically changes the next-hop value for a remote spoke from the initial hub tunnel IP address to the NHRP-resolved tunnel IP address of the remote spoke.
Summarization is possible in phase 3.
Question 49. What Is DMVPN?
Answer :
DMVPN allows IPsec VPN networks to better scale hub-to-spoke and spoke-to-spoke topologies, optimizing performance and reducing latency for communications between sites.
It provides the following benefits:-
It optimizes network performance.
It reduces router configuration at the hub.
Support for dynamic routing protocols running over the DMVPN tunnels.
Support for multicast traffic from hub to spokes.
The ability to establish direct spoke-to-spoke IPsec tunnels for communication between sites without having the traffic go through the hub.
Question 50. What Is Cisco Easy VPN?
Answer :
Remote Access VPN when implemented with IPsec is known as Cisco Easy VPN. Easy VPN is easy to set up, with minimal configuration required at the remote client site. Cisco Easy VPN allows us to define centralized security policies on the head-end VPN device (VPN Server) that are then pushed to the remote site VPN device upon connection.
Question 51. What Is The Difference Between Static Crypto Maps And Dynamic Crypto Maps?
Answer :
Static crypto maps are used when the peers are predetermined. They are basically used in IPsec site-to-site VPNs.
Dynamic crypto maps are used with networks where the peers are not always predetermined. They are basically used in IPsec Remote Access VPNs.
There are two kinds of IPsec VTI interfaces:
Static VTI (SVTI): This can be used for site-to-site IPsec-based VPNs.
Dynamic VTI (DVTI): DVTI replaces dynamic crypto maps. It can be used for remote-access VPNs.
Question 52. What Is IPsec Virtual Tunnel Interface?
Answer :
IPsec VTI is the concept of using a dedicated IPsec interface called the IPsec Virtual Tunnel Interface for highly scalable IPsec-based VPNs. IPsec VTI provides a routable interface for terminating IPsec tunnels. VTI also allows the encryption of multicast traffic with IPsec.
Question 53. How Do You Check The Status Of The Tunnel's Phase 1 & 2?
Answer :
Use the following commands to check the status of the tunnel phases:-
Phase 1 - show crypto isakmp sa
Phase 2 - show crypto ipsec sa

