Chapter 7 Flashcards
(27 cards)
Implementation Plan
- Deploy broadband connectivity
- Configure static routing
- Document and verify other services
- Implement and tune the IPsec VPN
- Configure GRE tunnels
DSL Variants
ADSL
(Asymmetric DSL) Asymmetric 8 Mbps / 1 Mbps
HDSL
(High bitrate DSL) Symmetric 2 Mbps / 2 Mbps
SDSL
(Symmetric DSL) Symmetric 2 Mbps / 2 Mbps
SHDSL
(Single-pair high-speed DSL) Symmetric 2.3 Mbps / 2.3 Mbps
VDSL
(Very High bitrate DSL) Symmetric / Asymmetric 52 Mbps / 16 Mbps
The PPP connection is established between the ____ and ___.
The CPE device is configured with a _____ and ____
The core router authenticates the users using either a ____ or an _____ server.
CPE and the core router
username and password.
local database, external RADIUS AAA
Use the __________ command to debug the PPP session authentication.
debug ppp authentication
Verify ATM connectivity using the ____________ command.
debug atm events
Finally, check Layer 1 connectivity and discover the DSL line status using the ____________ command.
show dsl interface atm
Link the source IP addresses to the pool for dynamic address translation.
Router(config)#
ip nat inside source list BRANCH-NAT-ACL pool BRANCH-NAT-POOL
Link a source IP address to a pool for static translation.
Router(config)#
ip nat inside source static 192.168.1.254 209.165.200.254
Displays active NAT translations
Displays NAT statistics.
Displays NAT translations as they occur.
show ip nat translations
show ip nat statistics
debug ip nat
Clears all IP NAT translations.
Clears all NAT statistics.
clear ip nat translation *
clear ip nat statistics
Which three protocols are involved in the establishment of an IPsec VPN tunnel?
Encapsulating Security Payload (protocol 50)
Authentication Header (protocol 51)
Internet Security Association and Key Management Protocol (UDP port 500)
UDP port 4500 (NAT-T)
Steps to Configuring an IPsec VPN
- Configure the initial key (ISAKMP policy) details.
- Configure the IPsec details.
- Configure the crypto ACL.
- Configure the VPN tunnel information.
- Apply the crypto map.
Contains the authentication, encryption, and hashing method commands that are used first to negotiate and exchange credentials with a VPN peer.
ISAKMP Policy
Identifies an acceptable combination of security protocols, algorithms, and other settings.
IPsec Details
Is an extended IP ACL that identifies the traffic to be protected.
• A permit statement results in the traffic being encrypted, while a deny statement sends traffic out in clear text.
• Both VPN peers must have reciprocating ACLs.
Crypto ACL
• Binds all tunnel information together.
• Identifies the IPsec transform set to use, the peer router, the ACL, and other tunnel information.
VPN Tunnel Information
The named crypto map must be applied to the Internet-facing interface to which the peering router will connect.
Apply the Crypto Map
Displays the specifics contained in a crypto map configuration.
Displays the status information of the active crypto sessions.
Displays the settings used by current SAs.
Displays real-time IPsec events.
show crypto map
show crypto session
show crypto ipsec sa
debug crypto ipsec
Once in interface configuration mode, configure the tunnel
parameters including:
- IP address
- Tunnel source
- Tunnel destination
- Tunnel mode (type of tunnel)
Change the ACL and add the Internet link and GRE tunnel network to EIGRP on the Branch router.
access-list 110 permit gre host 209.165.200.242 host 209.165.200.226
VPN Headend Router Implementation Plan
- Allow IPsec traffic
- Define an address pool for connecting clients.
- Provide routing services for VPN subnets.
- Tune NAT for VPN traffic flows.
- Verify IPsec VPN configuration
To verify if the VPN configuration is functioning properly,
use the following commands:
- show crypto map
- show crypto isakmp sa
- show crypto ipsec sa
- show crypto engine connections active
What is a limitation of IPsec by design?
IPsec only forwards unicast traffic
How is NAT tuned to handle traffic that is sent through a VPN tunnel between a mobile worker and internal corporate resources?
Traffic should bypass translation with a deny access list statement or route-map.