CCNP Secure FAQ: Deploying VTI-Based Site-to-Site IPsec VPNs
Q1. The line protocol of a virtual tunnel interface depends on the state of which of the following?
a. Physical interface
b. Routing table
c. VPN tunnel
d. Peer’s VPN tunnel
e. Crypto map
Q2. The encapsulation on a virtual tunnel interface must be which of the following?
a. Frame Relay
b. ATM
c. AH or ESP
d. ISAKMP
e. HDLC
Q3. The IKE policy on both peers must match on all parameters except for which of the following?
a. Authentication
b. Encryption algorithm
c. Diffie-Hellman group
d. Pre-shared key value
e. ISAKMP lifetime
Q4. Industry best practices recommend that you use which hash algorithm and DH key length combination for IKE phase 1 policies?
a. SHA-1 and DH group 5
b. MD5 and DH group 1
c. AES-128 and IPsec
d. DES and RSA
e. 3DES and ISAKMP
Q5. Why should static point-to-point virtual tunnel interfaces use IP unnumbered addresses?
a. It makes static routing easier.
b. VTIs cannot have their own IPs and must use IP unnumbered addresses.
c. For a peer to find them.
d. To conserve IP address space.
Q6. The line protocol on a virtual tunnel interface goes up and down based upon which of the following?
a. Seeing its own Ethernet loopback packet return
b. Successful Layer 2 connectivity
c. The state of the IPsec SA negotiation
d. The network administrator not shutting the interface
e. None of these answers are correct.
Q7. Where are dynamic point-to-point VTI tunnels deployed?
a. On the hub router
b. On each spoke router
c. On the hub router and on each spoke router
d. On the VPN concentrator
e. None of these answers are correct.
Q8. The IP address of a virtual tunnel interface must be configured using which interface command?
a. ip address
b. ip address dhcp
c. ip address pppoe
d. ip unnumbered
Q9. One major benefit of using IPsec VTIs is that it is no longer required to apply a _____ to a physical interface.
Q10. VTIs support native IPsec tunneling, including _____ with standards-based IPsec implementations of other vendors.
Q11. IPsec VTIs support ____, such as voice and video.
Q12. IPsec _____ define the encapsulation (ESP or AH), the packet authentication/integrity algorithm (SHA-1 or MD5), and the IPsec mode (transport or tunnel) that is used with a VPN policy.
Q13. Many of the _____ interface options that can be applied to physical interfaces can be applied to the IPsec virtual tunnel interface.
Q14. Cisco IOS Software IPsec _____ is not supported on VTIs.
Q15. In a VTI-based IPsec VPN, IPsec requests SA establishment as soon as the virtual tunnel interfaces (VTIs) are _____.
Q16. _____ IP addressing is mandatory with DVTI tunnels.