CCNP Route FAQ: Routing over Branch Internet Connections


Figure: Example Small, Medium, and Large Branch Designs

Q1. Router R1 sits at an Enterprise branch office, using the Internet for its only connectivity back to the rest of the Enterprise. Which of the following is not a benefit of using an IPsec tunnel for packets sent through the Internet, between R1 and the rest of the Enterprise?
a. Privacy
b. Authentication
c. Allows using an IGP between R1 and the Enterprise
d. Secure communications

Answer: C. IPsec tunnels make for more secure communications, including encryption and authentication. However, they do not support IGP communications across the tunnel.

Q2. Router R1 sits at an Enterprise branch office, using both the Internet and a leased line to another Enterprise router for its two connectivity options back into the rest of the Enterprise network. The engineer planning for this branch decided to use the leased line for all Enterprise traffic, unless it fails, in which case the Internet connection should be used to pass traffic to the Enterprise. Which of the following is most likely to be useful on the branch router? (Choose two.)
a. IPsec tunnel
b. GRE tunnel
c. Floating static route
d. An IGP

Answer: A and C. An IPsec tunnel would be useful to allow the packet to pass over the Internet and into the Enterprise. The GRE tunnel would only be needed if an IGP is also needed, and for this design, an IGP is not required. Instead, a floating static default route would work fine, with the static route sending traffic over the IPsec tunnel but only when the private leased line fails.

Q3. Router R1, a branch router, connects to the Internet using DSL. The engineer plans to use a configuration with a dialer interface. The answers list a feature and interface on which the feature could be configured. Which combinations accurately describe the interface under which a feature will be configured?
a. PPP on the ATM interface
b. VPI/VCI on the dialer interface
c. IP address on the ATM interface
d. CHAP on the dialer interface

Answer: D. The ATM details, like VPI/VCI, will be configured under the ATM interface. PPP (including CHAP) and Layer 3 details will be configured under the dialer interface.

Q4. Router R1, a branch router, connects to the Internet using DSL. Some traffic flows through a GRE and IPsec tunnel, over the DSL connection, and into the core of an Enterprise network. The branch also allows local hosts to communicate directly with public sites in the Internet over this same DSL connection. Which of the following answers defines how the branch NAT config avoids performing NAT for the Enterprise-directed traffic but does perform NAT for the Internet-directed traffic?
a. By not enabling NAT on the IPsec tunnel interface
b. By not enabling NAT on the GRE tunnel interface
c. By configuring the NAT-referenced ACL to not permit the Enterprise traffic
d. By asking the ISP to perform NAT in the cloud

Answer: C. The NAT configuration acts only on packets permitted by a referenced ACL. As a result, the ACL can permit packets destined for the Internet, performing NAT on those packets. The ACL also denies packets going to the Enterprise, meaning that the router does not apply NAT to those packets.

 

Q5. Router R1, a branch router, connects to the Internet using DSL. Some traffic flows through a GRE and IPsec tunnel, over the DSL connection, destined for an Enterprise network. Which of the following answers best describes the router’s logic that tells the router, for a given packet, to apply GRE encapsulation to the packet?
a. When the packet received on the LAN interface is permitted by the ACL listed on the tunnel gre acl command under the incoming interface
b. When routing the packet, matching a route whose outgoing interface is the GRE tunnel interface
c. When routing the packet, matching a route whose outgoing interface is the IPsec tunnel interface
d. When permitted by an ACL that was referenced in the associated crypto map

Answer: B. The process of routing a packet out a GRE tunnel interface triggers the GRE encapsulation action. As for the incorrect answers: There is no tunnel gre acl command. There is no IPsec tunnel interface. Finally, one answer describes the logic a router uses when determining whether to encapsulate a packet into an IPsec tunnel.

About the author

James Palmer
