Ch 16: Overlay Tunnels Flashcards

Question

Write the config for R1 and R2 so that: * OSPF is enabled on the LAN (10.0.0.0/8) * R1 ID of 1.1.1.1 - Area 1 * R2 ID of 2.2.2.2 - Area 2 * OSPF is enabled on the GRE tunnel (192.168.100.0/24) (Area 0) * Default routes for R1 and R2 point to their respective ISPs * Use Tunnel 100, BW=4Kbps, IPs of tunnels = .1 and .2, MTU=1400, keepalives should be sent every 5 seconds with 3 retries, Tunnel source and destination should be G0/1 on both routers.

Answer 1

Example 16-2 provides a GRE tunnel configuration for R1 and R2, following the steps for GRE configuration listed earlier in this section. OSPF is enabled on the LAN (10.0.0.0/8) and GRE tunnel (192.168.100.0/24) networks. With this configuration, R1 and R2 become direct OSPF neighbors over the GRE tunnel and learn each other’s routes. The default static routes are pointing to their respective ISP routers.

Answer 2

The state of a GRE tunnel can be verified with the command: * **show interface tunnel** *number*. Example 16-3 shows output from this command. Notice that the output includes the tunnel source and destination addresses, keepalive values (if any), the tunnel line protocol state, and the fact that the tunnel is a GRE/IP tunnel.

Answer 3

Notice that from R1’s perspective, the 10.2.2.2 network is only one hop away. The traceroute does not display all the hops in the underlay. In the same fashion, the packet’s time-to-live (TTL) is encapsulated as part of the payload. The original TTL decreases by only one for the GRE tunnel, regardless of the number of hops in the transport network.

Answer 4

During GRE encapsulation, the default GRE TTL value is 255. The interface parameter command **tunnel ttl** *\<1-255\>* is used to change the GRE TTL value.

Answer 5

* **Recursive Routing:** This happens when a routing protocol is used carelessly on a network tunnel. Care must be taken not to include the externally facing interface IP in the advertisement across the tunnel! If a router tries to reach the remote router’s encapsulating interface (transport IP address) via the tunnel (overlay network), problems will occur. Recursive routing problems are remediated by preventing the tunnel endpoint address from being advertised across the tunnel network. * **Outbound Interface Selection:** This is simply the wrong interface sends traffic. A very common error.

Answer 6

The syslog messages indicates a recursive routing issue is occurring on the tunnel. This will repeat endlessly. For the issue shown in Example 16-6, removing the tunnel endpoint interfaces (Internet-facing interfaces) from OSPF would stabilize the topology.

Answer 7

1. Data Encryption Standard (DES)Data confidentiality 2. Triple DES (3DES) (Data confidentiality 3. MD5 (HMAC function, Data Integrity, MitM attack mitigation)

Answer 8

Hash Message Authentication Code (HMAC). HMAC functions: 1. Message Digest 5 (MD5) algorithm 2. Secure Hash Algorithm (SHA-1) NOTE: The use of MD5 is not recommended. These are used for: * Data integrity * Prevents man-in-the-middle (MitM) attacks by ensuring that data has not been tampered with during its transit across an unsecure network.

Answer 9

1. Data Encryption Standard (DES) 2. Triple DES (3DES) 3. Advanced Encryption Standard (AES) Note: The use of DES and 3DES is not recommended. These standards protect data from eavesdropping attacks through encryption algorithms. Changes plaintext into encrypted ciphertext.

Answer 10

1. Pre-Shared Key (PSK) 2. Digital certificates Verifies the identity of the VPN peer through authentication.

Answer 11

Prevents MitM attacks where an attacker captures VPN traffic and replays it back to a VPN peer with the intention of building an illegitimate VPN tunnel. Every packet is marked with a unique sequence number. A VPN device keeps track of the sequence number and does not accept a packet with a sequence number it has already processed.

Answer 12

1. Authentication header 2. Encapsulating Security Payload (ESP)

Answer 13

* The IP authentication header provides data integrity, authentication, and protection from hackers replaying packets. * The authentication header ensures that the original data packet (before encapsulation) has not been modified during transport on the public network. * It creates a digital signature similar to a checksum to ensure that the packet has not been modified, using protocol number 51 located in the IP header. * **The authentication header does not support encryption (data confidentiality) and NAT traversal (NAT-T)**, and for this reason, its use is not recommended, unless authentication is all that is desired.

Answer 14

Encapsulating Security Payload (ESP) provides data confidentiality, authentication, and protection from hackers replaying packets. Typically, payload refers to the actual data minus any headers, but in the context of ESP, the payload is the portion of the original packet that is encapsulated within the IPsec headers. ESP ensures that the original payload (before encapsulation) maintains data confidentiality by encrypting the payload and adding a new set of headers during transport across a public network. ESP uses the protocol number 50, located in the IP header. Unlike the authentication header, ESP does provide data confidentiality and supports NAT-T.

Answer 15

**Tunnel mode:** Encrypts the entire original packet and adds a new set of IPsec headers. These new headers are used to route the packet and also provide overlay functions. **Transport mode:** Encrypts and authenticates only the packet payload. This mode does not provide overlay functions and routes based on the original IP headers.

Answer 16

**Data Encryption Standard (DES):** A 56-bit symmetric data encryption algorithm that can encrypt the data sent over a VPN. This algorithm is very weak and should be avoided. **Triple DES (3DES):** A data encryption algorithm that runs the DES algorithm three times with three different 56-bit keys. Using this algorithm is no longer recommended. The more advanced and more efficient AES should be used instead.

Answer 17

**Advanced Encryption Standard (AES):** A symmetric encryption algorithm used for data encryption that was developed to replace DES and 3DES. AES supports key lengths of 128 bits, 192 bits, or 256 bits and is based on the Rijndael algorithm.

Answer 18

**Message Digest 5 (MD5):** A one-way, 128-bit hash algorithm used for data authentication. Cisco devices use MD5 HMAC, which provides an additional level of protection against MitM attacks. Using this algorithm is no longer recommended, and SHA should be used instead.

Answer 19

**Secure Hash Algorithm (SHA):** A one-way, 160-bit hash algorithm used for data authentication. Cisco devices use the SHA-1 HMAC, which provides additional protection against MitM attacks.

Answer 20

**Diffie-Hellman (DH):** An asymmetric key exchange protocol that enables two peers to establish a shared secret key used by encryption algorithms such as AES over an unsecure communications channel. **A DH group refers to the length of the key** (modulus size) to use for a DH key exchange. For example, group 1 uses 768 bits, group 2 uses 1024, and group 5 uses 1536, where the larger the modulus, the more secure it is. The purpose of DH is to generate shared secret symmetric keys that are used by the two VPN peers for symmetrical algorithms, such as AES. The DH exchange itself is asymmetrical and CPU intensive, and the resulting shared secret keys that are generated are symmetrical. Cisco recommends avoiding DH groups 1, 2, and 5 and instead use DH groups 14 and higher.

Answer 21

RSA signatures: A public-key (digital certificates) cryptographic system used to mutually authenticate the peers.

Answer 22

Pre-Shared Key: A security mechanism in which a locally configured key is used as a credential to mutually authenticate the peers.

Answer 23

A transform set is a combination of security protocols and algorithms. During the IPsec SA negotiation, the peers agree to use a particular transform set for protecting a particular data flow. When such a transform set is found, it is selected and applied to the IPsec SAs on both peers.

Answer 24

**esp-aes 256**: ESP with the 256-bit AES encryption algorithm **esp-sha-hmac:** ESP with the SHA (HMAC-Hash Method Authentication Code variant) authentication algorithm

Answer 25

**Internet Key Exchange (IKE)** is a protocol that performs authentication between two endpoints to establish security associations (SAs), also known as IKE tunnels. These security associations, or tunnels, are used to carry control plane and data plane traffic for IPsec. There are two versions of IKE: IKEv1 (specified in RFC 2409) and IKEv2 (specified in RFC 7296). IKEv2 was developed to overcome the limitations of IKEv1 and provides many improvements over IKEv1’s implementation. For example, IKEv2 supports EAP (certificate-based authentication), has anti-DoS capabilities, and needs fewer messages to establish an IPsec SA. Understanding IKEv1 is still important because some legacy infrastructures have not yet migrated to IKEv2 or have devices or features that don’t support IKEv2.

Answer 26

Short answer = IKE, in Cisco-speak. **Internet Security Association Key Management Protocol (ISAKMP)** is a framework for authentication and key exchange between two peers to establish, modify, and tear down SAs. It is designed to support many different kinds of key exchanges. ISAKMP uses UDP port 500 for communication between peers. IKE is the implementation of ISAKMP using the Oakley and Skeme key exchange techniques. Oakley provides perfect forward secrecy (PFS) for keys, identity protection, and authentication; Skeme provides anonymity, repudiability, and quick key refreshment. **For Cisco platforms, IKE is analogous to ISAKMP, and the two terms are used interchangeably.**

Answer 27

IKEv1 defines two phases of key negotiation for IKE and IPsec SA establishment: **Phase 1:** Establishes _one bidirectional_ SA between two IKE peers, known as an ISAKMP SA. Because the SA is bidirectional, once it is established, either peer may initiate negotiations for phase 2. **Phase 2:** Establishes _two unidirectional_ IPsec SAs, leveraging the ISAKMP SA established in phase 1 for the negotiation.

Answer 28

Phase 1 negotiation can occur using main mode (MM) or aggressive mode (AM). The peer that initiates the SA negotiation process is known as the **initiator**, and the other peer is known as the **responder**.

Answer 29

These are almost in the right order. Number 6 and number 2 were reversed. **MM1:** This is the first message that the initiator sends to a responder. One or multiple SA proposals are offered, and the responder needs to match one of the them for this phase to succeed. The SA proposals include different combinations of the following: * Hash algorithm: MD5 or SHA * Encryption algorithm: DES (bad), 3DES (less bad...), or AES (best) * Authentication method: Pre-Shared Key or digital certificates * Diffie-Hellman (DH) group: Group 1, 2, 5, and so on * Lifetime: How long until this IKE Phase 1 tunnel should be torn down (default is 24 hours). This is the only parameter that does not have to exactly match with the other peer to be accepted. If the lifetime is different, the peers agree to use the smallest lifetime between them. **MM2:** This message is sent from the responder to the initiator with the SA proposal that it matched. **MM3:** In this message, the initiator starts the DH key exchange. This is based on the DH group the responder matches in the proposal. **MM4:** The responder sends its own key to the initiator. At this point, encryption keys have been shared, and encryption is established for the ISAKMP SA. **MM5:** The initiator starts authentication by sending the peer router its IP address. **MM6:** The responder sends back a similar packet and authenticates the session. At this point, the ISAKMP SA is established.

Answer 30

True. When main mode is used, the identities of the two IKE peers are hidden. Although this mode of operation is very secure, it takes longer than aggressive mode to complete the negotiation. These are the three aggressive mode messages: **AM1:** In this message, the initiator sends all the information contained in MM1 through MM3 and MM5. **AM2:** This message sends all the same information contained in MM2, MM4, and MM6. **AM3:** This message sends the authentication that is contained in MM5.

Answer 31

Phase 2 uses the existing bidirectional IKE SA to securely exchange messages to establish one or more IPsec SAs between the two peers. Unlike the IKE SA, which is a single bidirectional SA, a single IPsec SA negotiation results in two unidirectional IPsec SAs, one on each peer. The method used to establish the IPsec SA is known as quick mode.

Answer 32

Quick mode uses a 3-message exchange, like a 3-way handshake: QM1: The initiator (which could be either peer) can start multiple IPsec SAs in a single exchange message. This message includes agreed-upon algorithms for encryption and integrity decided as part of phase 1, as well as what traffic is to be encrypted or secured. QM2: This message from the responder has matching IPsec parameters. QM3: After this message, there should be two unidirectional IPsec SAs between the two peers.

Answer 33

Perfect Forward Secrecy (PFS) is an additional function for phase 2 that is recommended but is optional because it requires additional DH exchanges that require additional CPU cycles. The goal of this function is to create greater resistance to crypto attacks and maintain the privacy of the IPsec tunnels by deriving session keys independently of any previous key. This way, a compromised key does not compromise future keys.

Answer 34

Based on the minimum number of messages that aggressive, main, and quick modes may produce for IPsec SAs to be established between two peers, the following can be derived: Main mode uses six messages, and quick mode uses three, for a total of **nine** messages. Aggressive mode uses three messages, and quick mode uses three, for a total of **six** messages.

Answer 35

True. One of the major changes has to do with the way the SAs are established. In IKEv2, communications consist of request and response pairs called exchanges and sometimes just called request/response pairs.

Answer 36

In IKEv2, the first exchange, IKE\_SA\_INIT, negotiates cryptographic algorithms, exchanges nonces, and performs a Diffie-Hellman exchange. This is the equivalent to IKEv1’s first two pairs of messages MM1 to MM4 but done as a single request/response pair. **nonce:** A word or expression coined for one-time use.

Answer 37

In IKEv2, the second exchange, IKE\_AUTH, authenticates the previous messages and exchanges identities and certificates. Then it establishes an IKE SA and a child SA (the IPsec SA). This is equivalent to IKEv1’s MM5 to MM6 as well as QM1 and QM2 but done as a single request/ response pair.

Answer 38

False. Since the IKEv2 SA exchanges are completely different from those of IKEv1, they are incompatible with each other. Table 16-5 illustrates some of the major differences between IKEv1 and IKEv2.

Answer 39

**Extensible Authentication Protocol (EAP):** The addition of EAP made IKEv2 the perfect solution for remote-access VPNs. **EAP is an authentication framework**, not a specific authentication mechanism. EAP is not a wire protocol; instead it only defines the information from the interface and the formats. Each protocol that uses EAP defines a way to encapsulate by the user EAP messages within that protocol's messages. EAP is in wide use. For example, in IEEE 802.11 (WiFi) the WPA and WPA2 standards have adopted IEEE 802.1X (with various EAP types) as the canonical authentication mechanism.

Answer 40

**Asymmetric authentication**: IKEv2 removes the requirement to negotiate the authetication method and introduces the ability to specify the authentication method in the IKE\_AUTH exchange. As a result, each peer is able to choose its method of authentication. This allows for asymmetric authentication to occur, so the peers can use different authentication methods.

Answer 41

Simplifies configuration for hub-and-spoke and spoke-to-spoke VPNs. It accomplishes this by combining multipoint GRE (mGRE) tunnels, IPsec, and Next Hop Resolution Protocol (NHRP).

Answer 42

**Cisco Group Encrypted Transport VPN (GET VPN)** was developed specifically for enterprises to build any-to-any tunnel-less VPNs (where the original IP header is used- i.e. transport mode) across service provider MPLS networks or private WANs. It does this without affecting any of the existing MPLS private WAN network services (such as multicast and QoS). Moreover, encryption over private networks addresses regulatory-compliance guidelines such as those in the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act, the Payment Card Industry Data Security Standard (PCI DSS), and the Gramm-Leach-Bliley Act (GLBA).

Answer 43

**FlexVPN is Cisco’s implementation of the IKEv2 standard**, featuring a unified VPN solution that combines site-to-site, remote access, hub-and-spoke topologies and partial meshes (spoke-to-spoke direct). FlexVPN offers a simple but modular framework that extensively uses virtual access interfaces while remaining compatible with legacy VPN implementations using crypto maps.

Answer 44

Remote Access VPN access allows remote users to securely VPN into a corporate network. It is supported on IOS with FlexVPN (IKEv2 only) and on ASA 5500-X and FirePOWER firewalls.

Answer 45

True. Figure 16-4 illustrates a comparison of GRE packet encapsulation and IPsec tunnel mode with a VTI.

Answer 46

Crypto maps should not be used for tunnel protection because they have many limitations that are resolved with IPsec profiles, including the following: * Crypto maps cannot natively support the use of MPLS. * Configuration can become overly complex. * Crypto ACLs are commonly misconfigured. * Crypto ACL entries can consume excessive amounts of TCAM space.

Answer 47

The steps to enable a VTI over IPsec are very similar to those for GRE over IPsec configuration using IPsec profiles. The only difference is the addition of the command: **tunnel mode ipsec** *{ipv4 | ipv6}* under the GRE tunnel interface to enable VTI on it and to change the packet transport mode to tunnel mode. To revert to GRE over IPsec, the command **tunnel mode gre** *{ip | ipv6}* is used.

Answer 48

crypto isakmp policy 10 authentication pre-share hash sha256 encryption aes group 14 ! crypto isakmp key CISCO123 address 100.64.2.2 ! crypto ipsec transform-set AES\_SHA esp-aes esp-sha-hmac mode transport ip access-list extended GRE\_IPSEC\_VPN permit gre host 100.64.1.1 host 100.64.2.2 ! crypto map VPN 10 ipsec-isakmp match address GRE\_IPSEC\_VPN set transform AES\_SHA set peer 100.64.2.2 ! interface GigabitEthernet0/1 ip address 100.64.1.1 255.255.255.252 crypto map VPN ! interface Tunnel100 bandwidth 4000 ip address 192.168.100.1 255.255.255.0 ip mtu 1400 tunnel source GigabitEthernet0/1 tunnel destination 100.64.2.2 router ospf 1 router-id 1.1.1.1 network 10.1.1.1 0.0.0.0 area 1 network 192.168.100.1 0.0.0.0 area 0

Answer 49

The rapid growth of the default-free zone (DFZ), also known as the Internet routing table, led to the development of the **Cisco Location/ID Separation Protocol (LISP)**. **LISP is a routing architecture and a data and control plane protocol that was created to address routing scalability problems on the Internet:** * **Aggregation issues:** Many routes on the Internet routing table are provider-independent routes that are non-aggregable, and this is part of the reason the Internet routing table is so large and still growing. * **Traffic engineering:** A common practice for ingress traffic engineering into a site is to inject more specific routes into the Internet, which exacerbates the Internet routing table aggregation/scalability problems. * **Multihoming:** Proper multihoming to the Internet requires a full Internet routing table (785,000 IPv4 routes at the time of writing). If a small site requires multihoming, a powerful router is needed to be able to handle the full routing table (with large memory, powerful CPUs, more TCAM, more power, cooling, and so on), which can be cost-prohibitive for deployment across small sites. * **Routing instability:** Internet route instability (also known as route churn) causes intensive router CPU and memory consumption, which also requires powerful routers.

Answer 50

Following are the definitions for the LISP architecture components illustrated in Figure 16-5. **Endpoint identifier (EID):** An EID is the IP address of an endpoint within a LISP site. EIDs are the same IP addresses in use today on endpoints (IPv4 or IPv6), and they operate in the same way. **LISP site:** This is the name of a site where LISP routers and EIDs reside. **Ingress tunnel router (ITR):** ITRs are LISP routers that LISP-encapsulate IP packets coming from EIDs that are destined outside the LISP site. **Egress tunnel router (ETR):** ETRs are LISP routers that de-encapsulate LISP- encapsulated IP packets coming from sites outside the LISP site and destined to EIDs within the LISP site. **Tunnel router (xTR):** xTR refers to routers that perform ITR and ETR functions (which is most routers). **Proxy ITR (PITR):** PITRs are just like ITRs but for non-LISP sites that send traffic to EID destinations. **Proxy ETR (PETR):** PETRs act just like ETRs but for EIDs that send traffic to destinations at non-LISP sites. **Proxy xTR (PxTR):** PxTR refers to a router that performs PITR and PETR functions. **LISP router:** A LISP router is a router that performs the functions of any or all of the following: ITR, ETR, PITR, and/or PETR. **Routing locator (RLOC):** An RLOC is an IPv4 or IPv6 address of an ETR that is Internet facing or network core facing. **Map server (MS):** This is a network device (typically a router) that learns EID-to-prefix mapping entries from an ETR and stores them in a local EID-to-RLOC mapping database. **Map resolver (MR):** This is a network device (typically a router) that receives LISP-encapsulated map requests from an ITR and finds the appropriate ETR to answer those requests by consulting the map server. **Map server/map resolver (MS/MR):** When MS and the MR functions are implemented on the same device, the device is referred to as an MS/MR.

Answer 51

Now that the basic terminology has been described, the following three LISP main components are explained: 1. LISP routing architecture 2. LISP control plane protocol 3. LISP data plane protocol

Answer 52

In traditional routing architectures, an endpoint IP address represents the endpoint’s identity and location. If the location of the endpoint changes, its IP address also changes. **LISP separates IP addresses into endpoint identifiers (EIDs) and routing locators (RLOCs).** This way, endpoints can roam from site to site, and the only thing that changes is their RLOC; the EID remains the same.

Answer 53

The control plane operates in a very similar manner to the Domain Name System (DNS). Just as DNS can resolve a domain name into an IP address, LISP can resolve an EID into an RLOC by sending map requests to the MR (Map Resolver), as illustrated in Figure 16-6. This makes it a very efficient and scalable on-demand routing protocol because it is based on a pull model, where only the routing information that is necessary is requested (as opposed to the push model of traditional routing protocols, such as BGP and OSPF, that push all the routes to the routers— including unnecessary ones).

Answer 54

Locator/ID Separation Protocol (LISP) (RFC 6830) is a "map-and-encapsulate" protocol which is developed by the Internet Engineering Task Force LISP Working Group. The basic idea behind the separation is that the Internet architecture combines two functions, routing locators (where a client is attached to the network) and identifiers (who the client is) in one number space: the IP address. LISP supports the separation of the IPv4 and IPv6 address space following a network-based map-and-encapsulate scheme (RFC 1955). In LISP, both identifiers and locators can be IP addresses or arbitrary elements like a set of GPS coordinates or a MAC address.

Answer 55

True. ITRs (Ingress Tunnel Routers) LISP(Locator/Identifier Separation Protocol)-encapsulate IP packets received from EIDs(Endpoint IDentifiers) in an outer IP UDP(User Datagram Protocol) header with source and destination addresses in the RLOC(Resource LOCator) space; in other words, they perform IP-in-IP/UDP encapsulation. The original IP header and data are preserved; this is referred to as the inner header. Between the outer UDP header and the inner header, a LISP shim header is included to encode information necessary to enable forwarding plane functionality, such as network virtualization. Figure 16-7 illustrates the LISP packet frame format.

Answer 56

This field is a 24-bit value that is used to provide device and path level network virtualization. In other words, it enables VRF and VPNs for virtualization and segmentation much as VPN IDs do for MPLS networks. This is useful in preventing IP address duplication within a LISP site or just as a secure boundary between multiple organizations.

Answer 57

True. Because EIDs and RLOCs can be either IPv4 or IPv6 addresses, the LISP data plane supports the following encapsulation combinations: * IPv4 RLOCs encapsulating IPv4 EIDs * IPv4 RLOCs encapsulating IPv6 EIDs

Answer 58

False. When setting up LISP, the ETR(Egress Tunnel Router) routers need to be configured with the EID(EndPoint IDentifier) prefixes within the LISP site that will be registered with the MS (Map Server).

Answer 59

VXLAN, Virtually Extensible LAN, is an overlay data plane encapsulation scheme that was developed to address the various issues seen in traditional Layer 2 networks. It extends Layer 2 and Layer 3 overlay networks over a Layer 3 underlay network, using MAC-in-IP/UDP tunneling. Each overlay is termed a VXLAN segment.

Answer 60

The Internet Assigned Numbers Authority (IANA) assigned to VXLAN the UDP destina- tion port **4789**; the default UDP destination port used by Linux is **8472**. The reason for this discrepancy is that when VXLAN was first implemented in Linux, the VXLAN UDP desti- nation port had not yet been officially assigned, and Linux decided to use port 8472 since many vendors at the time were using UDP destination port 8472. Later, IANA assigned port 4789 for VXLAN, and to avoid breaking existing deployments, Linux distributions decided to leave port 8472 as the default value. Figure 16-13 illustrates the VXLAN packet format.

Answer 61

Unlike the VLAN ID, which has only 12 bits and allows for 4000 VLANs, VXLAN has a **24-bit** VXLAN network identifier (VNI), which allows for up to **16 million** VXLAN segments (more commonly known as overlay networks) to coexist within the same infrastructure.

Answer 62

The 24-bit VNI(Virtual Network Identifier) field is located in the VXLAN shim header that encapsulates the original inner MAC frame originated by an endpoint. The VNI is used to provide segmentation for Layer 2 and Layer 3 traffic.

Answer 63

**VTEPs are entities that originate or terminate VXLAN tunnels.** They map Layer 2 and Layer 3 packets to the VNI to be used in the overlay network. Each VTEP has two interfaces: 1. **Local LAN interfaces:** These interfaces on the local LAN segment provide bridging between local hosts. 2. **IP interface:** This is a core-facing network interface for VXLAN. The IP interface’s IP address helps identify the VTEP in the network. It is also used for VXLAN traffic encapsulation and de-encapsulation. Figure 16-14 illustrates the VXLAN VTEP with the IP interface and the local LAN interface.

Answer 64

True. The VXLAN standard defines VXLAN as a data plane protocol, but it does not define a VXLAN control plane; it was left open to be used with any control plane. Currently four different VXLAN control and data planes are supported by Cisco devices: 1. VXLAN with Multicast underlay 2. VXLAN with static unicast VXLAN tunnels 3. VXLAN with MP-BGP EVPN control plane 4. VXLAN with LISP control plane MP-BGP EVPN and Multicast are the most popular control planes used for data center and private cloud environments. For campus environments, VXLAN with a LISP control plane is the preferred choice.

Answer 65

**Cisco Software Defined Access (SD-Access)** is an example of an implementation of VXLAN with the LISP control plane. As illustrated in Figure 16-15, LISP encapsulation is only capable of performing IP-in-IP/ UDP encapsulation, which allows it to support Layer 3 overlays only, while VXLAN encapsulation is capable of encapsulating the original Ethernet header to perform MAC-in-IP encapsulation, which allows it to support Layer 2 and Layer 3 overlays.

Answer 66

**interface** **tunnel** *tunnel-number*

Answer 67

**keepalive** *[seconds [retries]]*

Answer 68

**crypto map** *map-name seq-num* **[ipsec-isakmp]**

Answer 69

**crypto map** *map-name*

Answer 70

**crypto ipsec profile** *ipsec-profile-name*

Answer 71

**tunnel protection** *ipsec profile profile-name*

Answer 72

**tunnel mode ipsec {ipv4 | ipv6}**

Answer 73

**tunnel mode gre {ip | ipv6}**

Answer 74

**show crypto isakmp sa**

Answer 75

**show crypto ipsec sa**

Ch 16: Overlay Tunnels Flashcards

(100 cards)