CCNP Secure FAQ: Deploying VTI-Based Site-to-Site IPsec VPNs

Q1. The line protocol of a virtual tunnel interface depends on the state of which of the following?
a. Physical interface
b. Routing table
c. VPN tunnel
d. Peer’s VPN tunnel
e. Crypto map

Answer: C

Q2. The encapsulation on a virtual tunnel interface must be which of the following?
a. Frame Relay
b. ATM
c. AH or ESP

Answer: C

Q3. The IKE policy on both peers must match on all parameters except for which of the following?
a. Authentication
b. Encryption algorithm
c. Diffie-Hellman group
d. Pre-shared key value
e. ISAKMP lifetime

Answer: E

Q4. Industry best practices recommend that you use which hash algorithm and DH key length combination for IKE phase 1 policies?
a. SHA-1 and DH group 5
b. MD5 and DH group 1
c. AES-128 and IPsec
d. DES and RSA
e. 3DES and ISAKMP

Answer: A (this is the exam-era recommendation; current Cisco guidance prefers SHA-256 or stronger with DH group 14 or larger, and treats SHA-1 and group 5 as legacy)

Q5. Why should static point-to-point virtual tunnel interfaces use IP unnumbered addresses?
a. It makes static routing easier.
b. VTIs cannot have their own IPs and must use IP unnumbered addresses.
c. For a peer to find them.
d. To conserve IP address space.

Answer: D

Q6. The line protocol on a virtual tunnel interface goes up and down based upon which of the following?
a. Seeing its own Ethernet loopback packet return
b. Successful Layer 2 connectivity
c. The state of the IPsec SA negotiation
d. The network administrator not shutting the interface
e. None of these answers are correct.

Answer: C

Q7. Where are dynamic point-to-point VTI tunnels deployed?
a. On the hub router
b. On each spoke router
c. On the hub router and on each spoke router
d. On the VPN concentrator
e. None of these answers are correct.

Answer: A

Q8. The IP address of a dynamic virtual tunnel interface (the virtual template) must be configured using which interface command?
a. ip address
b. ip address dhcp
c. ip address pppoe
d. ip unnumbered

Answer: D

Q9. One major benefit of using IPsec VTIs is that it is no longer required to apply a _____ to a physical interface.

Answer: crypto map

Figure: Basic IPsec VTI Tunnel

Q10. VTIs support native IPsec tunneling, including _____ with standards-based IPsec implementations of other vendors.

Answer: interoperability

Q11. IPsec VTIs support ____, such as voice and video.

Answer: multicast traffic

Q12. IPsec _____ define the encapsulation (ESP or AH), the packet authentication/integrity algorithm (SHA-1 or MD5), and the IPsec mode (transport or tunnel) that is used with a VPN policy.

Answer: transform sets

Q13. Many of the _____ interface options that can be applied to physical interfaces can be applied to the IPsec virtual tunnel interface.

Answer: common

Q14. Cisco IOS Software IPsec _____ is not supported on VTIs.

Answer: stateful failover

Q15. In a VTI-based IPsec VPN, IPsec requests SA establishment as soon as the virtual tunnel interfaces (VTI) are _____.

Answer: fully configured

Q16. _____ IP addressing is mandatory with DVTI tunnels.

Answer: Unnumbered
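The following hub-and-spoke configuration ties the answers above together. It is an added example written for this FAQ, not configuration from the original page or from Cisco documentation: the hub terminates spokes on a dynamic VTI (virtual template) with unnumbered addressing (Q7, Q8, Q16), the spoke uses a static VTI, and both apply an IPsec profile under tunnel protection instead of a crypto map on the physical interface (Q9). Hostnames, addresses (documentation ranges), the pre-shared key placeholder and the policy/profile names are assumptions. The IKE policy uses SHA-256 and DH group 14 rather than the exam-era SHA-1/group 5 from Q4, which assumes an IOS release that supports those options.

```cisco
! ===== HUB (dynamic VTI) =====
! Addresses, names and key are constructed for this example.
hostname HUB
!
! IKE phase 1 policy: every value except lifetime must match the spoke (Q3).
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! Wildcard pre-shared key so any spoke can bind to the virtual template.
! Caveat: any peer that learns this one key can connect; in production use
! per-peer keys in a keyring or certificate authentication instead.
crypto isakmp key EXAMPLE-PSK-CHANGE-ME address 0.0.0.0 0.0.0.0
!
! The ISAKMP profile is what maps an incoming peer to the virtual template.
crypto isakmp profile DVTI-IKE
 match identity address 0.0.0.0
 virtual-template 1
!
! Transform set: ESP encapsulation, AES-256, SHA-256 integrity, tunnel mode (Q12).
crypto ipsec transform-set VTI-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile VTI-PROF
 set transform-set VTI-TS
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
!
! DVTI: one template; IOS clones a Virtual-Access interface per spoke.
! Unnumbered addressing is mandatory on the template (Q8, Q16).
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! ===== SPOKE (static VTI) =====
hostname SPOKE1
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Lifetime may differ from the hub; the lower value is negotiated (Q3).
 lifetime 28800
!
crypto isakmp key EXAMPLE-PSK-CHANGE-ME address 198.51.100.1
!
crypto ipsec transform-set VTI-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile VTI-PROF
 set transform-set VTI-TS
!
interface Loopback0
 ip address 10.255.0.2 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
!
! Static VTI: SA negotiation starts as soon as this interface is fully
! configured (Q15); line protocol tracks the IPsec SA state (Q1, Q6).
! "ip unnumbered" borrows Loopback0's address to conserve space (Q5);
! "tunnel mode ipsec ipv4" selects native IPsec (ESP) encapsulation (Q2).
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! Traffic is selected by routing into the tunnel, not by a crypto ACL,
! so no crypto map is applied to GigabitEthernet0/0 (Q9).
ip route 10.1.0.0 255.255.0.0 Tunnel0
!
! ===== Verification (either router) =====
! show crypto isakmp sa      -> state QM_IDLE once phase 1 completes
! show crypto ipsec sa       -> per-SA encrypt/decrypt counters
! show crypto session        -> UP-ACTIVE with the peer address
! show interfaces Tunnel0    -> "line protocol is up" only while the IPsec SA is up
```

If `show interfaces Tunnel0` reports line protocol down while the physical interface is up, check the phase 1 parameters first: a mismatch in encryption, hash, DH group, authentication method or the key value keeps the SA from forming, whereas a lifetime mismatch alone does not.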
