Config Router

You are here: Home / Cisco / CCNP Secure FAQ: Deploying High Availability in Tunnel-Based IPsec VPNs

CCNP Secure FAQ: Deploying High Availability in Tunnel-Based IPsec VPNs

by

CCNP Secure FAQ: Deploying High Availability in Tunnel-Based IPsec VPNs

Q1. What can be used to mitigate device failure?
a. Single ISP transport networks
b. Multiple ISP transport networks
c. Multiple devices at a site
d. Redundant interfaces on a VPN device

Answer: C

Q2. What can be done to provide high availability when the cost of redundant devices cannot be justified?
a. Use single ISP transport networks
b. Use multiple ISP transport networks
c. Use redundant interfaces
d. Use multiple devices at a site

Answer: C

Q3. When a transport network is not under organizational control, it might be necessary to choose which of the following?
a. A different VPN technology
b. Traditional WAN circuits
c. Point-to-multipoint topology
d. Redundant routers
e. Multiple independent transport networks

Answer: E

Q4. Which interface command can be used to choose the best path when deploying the dynamic routing protocol OSPF?
a. ip ospf cost
b. ip ospf tuning
c. ip ospf path
d. ip ospf router
e. None of these answers are correct.

Answer: A

Q5. In a VTI-based IPsec VPN, traffic that should be protected by the VPN tunnel should be routed how?
a. Carefully
b. Redundantly
c. Dynamically
d. Statically

Answer: D

Q6. What should be used to provide a virtual gateway for clients at the spoke site?
a. IPsec
b. DHCP
c. HSRP
d. AAA
e. None of these answers are correct.

Answer: C

Q7. IPsec shared SAs are enabled with what command?
a. tunnel protection ipsec profile shared
b. ipsec dual SA
c. ip split sa
d. crypto ipsec sa redundant
e. None of these answers are correct.

Answer: A

Q8. Which high-availability scenario provides the highest level of redundancy because it mitigates failures of devices, interfaces, access links, and transport networks?
a. Static VTI-based VPN
b. Single DMVPN
c. Dual DMVPN
d. Dual ISPs

Answer: C

Q9. In the case of redundant DMVPNs with multiple GRE tunnels establishing between the same spokes, it is necessary to use _____ for IPsec SAs to establish properly.

Answer: shared IPsec SAs
ccnp-secure-faq-deploying-high-availability-tunnel-based-ipsec-vpns
Figure: Redundancy with Dual DMVPNs

Q10. The routing protocol detects both device and path failures using its _____.

Answer: keepalives

Q11. You should design the VPN to meet an organization’s requirements for availability. The design should provide a level of high availability that is commensurate with the _____ of meeting availability needs.

Answer: cost 

Q12. If _____ are needed, you should either deploy a completely redundant network path that is under the control of local administration or use multiple-transport networks (two ISPs) and connect them to either redundant interfaces or redundant VPN devices.

Answer: complete redundant paths

Q13. _____ will automatically detect peer failures and path failures and then automatically reroute around the failure if redundant paths and devices are in place.

Answer: Dynamic routing protocols

Q14. In a VTI-based IPsec VPN topology, an interior routing protocol will see the VTIbased VPN tunnel as a _____ link.

Answer: point-to-point

Q15. An interior routing protocol will view a _____ as either point-to-multipoint (for strict hub-and-spoke DMVPNs) or as a broadcast network (partial or full mesh DMVPNs).

Answer: DMVPN 

Q16. To provide redundancy for a DMVPN topology, it is recommended to create two separate DMVPN networks by using _____ and one or two spoke routers at remote sites.

Answer: two hub routers

Q17. Routing protocols can detect both _____ and _____.

Answer: path failures , VPN device failures.

More Resources