[CCNA]
List the Layers of OSI Model? Application Layer, Presentation Layer, Session Layer, Transport Layer, Network Layer, Data Link Layer, Physical Layer.

What are the Functions of Transport, Network and Data Link Layer?
Transport layer
1. It segments and reassembles data from upper-layer applications and combines it into the same data stream.
2. It provides end-to-end data transport services.
3. It establishes a logical connection between the sending host and the destination host on an internetwork.
4. It provides reliable delivery (sequencing, acknowledgements and retransmission) and flow control; TCP offers these services, UDP does not.
Network layer
1. The Network layer (layer 3) manages device (logical) addressing.
2. It tracks the location of devices on the network.
3. It determines the best way to move data between devices that are not locally attached.
4. Routers function at the Network layer to provide the routing services within an internetwork.
Data link layer
1. The Data Link layer is responsible for the physical transmission of the data.
2. It handles error notification and flow control.
3. The Data Link layer ensures that messages are delivered to the proper device on a LAN using MAC addresses.
4. It translates messages from the Network layer into bits for the Physical layer to transmit.
5. The Data Link layer formats the message into a data frame and adds a customized header containing the hardware destination and source address.

Which Layer is responsible for Reliable connection? Transport Layer (TCP provides the reliable, connection-oriented service; UDP at the same layer does not).
What are the different protocols that work at each of the layers of OSI Model?
Physical Layer - ISDN (Integrated Services Digital Network), ADSL (Asymmetric Digital Subscriber Line), Universal Serial Bus, Bluetooth, Controller Area Network, Ethernet (physical signalling).
Data Link Layer - Spanning Tree Protocol, VLAN Trunking Protocol, Dynamic Trunking Protocol, HDLC, PPP, Frame Relay, Token Ring, Ethernet (framing and MAC addressing).
Network Layer - ICMP, IGMP, IPv4, IPv6, IPsec, OSPF, EIGRP, RIP, BGP.
Transport Layer - TCP, UDP, GRE.
Session Layer - NFS (Network File System).
Presentation Layer - Data encryption/decryption, data compression, data conversion protocols.
Application Layer - DNS, DHCP, FTP, HTTP, NTP, SNMP, SMTP, TELNET, TFTP, SSH.
What is a port number and give some examples? TCP and UDP use port numbers to hand data to the correct upper-layer application; the pair of source and destination ports is what keeps track of the different conversations crossing the network simultaneously.

PROTOCOL   PORT NUMBER(S)                       TRANSPORT
FTP        20 (data), 21 (control)              TCP
TELNET     23                                   TCP
SMTP       25                                   TCP
DNS        53                                   UDP and TCP
DHCP       67 (DHCP Server), 68 (DHCP Client)   UDP
TFTP       69                                   UDP
HTTP       80                                   TCP
POP3       110                                  TCP
NTP        123                                  UDP
IMAP4      143                                  TCP
SNMP       161                                  UDP
BGP        179                                  TCP
HTTPS      443                                  TCP
RIP        520                                  UDP
What is the Range of Port Numbers?
Well Known Ports - 0 to 1023
Registered Ports - 1024 to 49151
Dynamic/Private (Ephemeral) Ports - 49152 to 65535
What is a Protocol Number and give some examples? In IPv4 there is a field called Protocol that identifies the next-level (encapsulated) protocol. In IPv6 this field is called the "Next Header" field.

PROTOCOL                                                   PROTOCOL NUMBER
ICMP                                                       1
IGMP                                                       2
IPv4 (IP-in-IP encapsulation)                              4
TCP                                                        6
EGP                                                        8
IGP (any private interior gateway protocol; Cisco IGRP)    9
UDP                                                        17
IPv6 (encapsulation)                                       41
GRE                                                        47
EIGRP                                                      88
OSPF                                                       89
VRRP                                                       112
Define Unicast, Multicast and Broadcast? Broadcast is the term used to describe communication where a piece of information is sent to all nodes on the network. Multicast is the term used to describe communication where a piece of information is sent from a single source and transmitted to many devices but not all devices (only those that joined the multicast group). Unicast is the term used to describe communication where a piece of information is sent to a single destination host.

What is the difference between Half-duplex and Full-duplex? Half Duplex - Data can flow in both directions but not simultaneously; at any one time data flows in only one direction. Example - Hub. Full Duplex - Data can flow in both directions simultaneously. Example - Switch.

What is the format of a MAC address? It is a 48-bit (6-byte) hardware address written as 12 hexadecimal digits. It consists of two parts: the first 24 bits are the OUI (Organizationally Unique Identifier), which is assigned by IEEE, and the last 24 bits are the manufacturer-assigned code.
What is a Frame? The Data Link layer formats the message into pieces, each called a data frame, and adds a customized header containing the hardware source and destination address.

What is TCP/IP Model? TCP/IP is a four-layer standard model. The four layers of the TCP/IP model are the Application layer, Transport layer, Internet layer and Network access layer.

What are the protocols that are included by each layer of TCP/IP model?
Layers of TCP/IP model      Protocols
Application Layer           DNS, DHCP, FTP, TFTP, SMTP, HTTP, Telnet, SSH
Transport Layer             TCP, UDP
Internet Layer              IP, ICMP, IGMP
Network access layer        Ethernet, Token Ring, FDDI, X.25, Frame Relay, ARP, RARP
What is ARP? Address Resolution Protocol (ARP) is a network protocol which is used to map a network layer protocol address (IP address) to a data link layer hardware address (MAC address). ARP basically resolves an IP address to the corresponding MAC address.

ARP works at which layer and Why? ARP works at the data link layer (Layer 2). ARP is implemented by the network protocol driver and its packets are encapsulated directly in Ethernet frames (EtherType 0x0806) and transmitted; they carry no IP header, so ARP never crosses a router.

Explain the use of ARP? If a host in an Ethernet network wants to communicate with another host, it can communicate only if it knows the MAC address of the other host. ARP is used to get the MAC address of a host from its IP address.

What is an ARP Table (cache)? ARP maintains a table that contains the mappings between IP addresses and MAC addresses. This table is called the ARP table. Entries are learned from replies that are not authenticated, so a forged reply can overwrite an entry; switches offer Dynamic ARP Inspection to check replies against DHCP snooping bindings.

What is the Source & Destination MAC address in ARP Request and ARP Reply packet?
ARP Request: Source - MAC address of the host which transmitted the ARP request packet (sender's MAC address). Destination - FF:FF:FF:FF:FF:FF (broadcast).
ARP Reply: Source - MAC address of the host replying. Destination - MAC address of the host which generated the ARP request packet (unicast).

What is the size of an ARP Request and ARP Reply packet? The size of an ARP request or ARP reply packet is 28 bytes (for Ethernet/IPv4; the Ethernet frame carrying it is padded up to the 64-byte minimum frame size).

How can we differentiate between an ARP Request packet and an ARP Reply packet? We can differentiate an ARP request packet from an ARP reply packet using the 'operation' field in the ARP packet. For ARP Request it is 1 and for ARP Reply it is 2.

What is Proxy ARP? Proxy ARP is the process in which one system responds to the ARP request on behalf of another system. Example - Host A sends an ARP request to resolve the IP address of Host B. Instead of Host B, Host C (typically a router) responds to this ARP request with its own MAC address.

What is Gratuitous ARP? Why is it used? When a host sends an ARP request to resolve its own IP address, it is called a Gratuitous ARP. In the ARP request packet, the Source IP address and the Destination (target) IP address are both filled with the sender's own IP address. The destination MAC address is the broadcast address (FF:FF:FF:FF:FF:FF). Gratuitous ARP is used by a host after it is assigned an IP address (for example by a DHCP server) to check whether another host in the network already has the same IP address. If the host does not get an ARP reply for the gratuitous ARP request, it means no other host is configured with the same IP address. If the host does get an ARP reply, another host is also configured with the same IP address. It is also used to announce a changed MAC address for an IP address (for example on failover) so that neighbours update their ARP caches.

What is Reverse ARP? Reverse ARP is used to obtain a device's IP address when its MAC address is already known.

What is Inverse ARP? Inverse ARP dynamically maps local DLCIs to remote IP addresses when Frame Relay is configured.
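The ARP packet layout, the 1/2 operation codes, the gratuitous-ARP check and the ARP table described above, worked through as an added Python example (this is not code from the original page). All MAC and IP addresses are constructed for the demonstration, and `ArpTable` is a hypothetical name for the cache the text calls the ARP table.

```python
import struct

# ARP over Ethernet/IPv4: 8-byte fixed header + two MACs + two IPv4 addresses = 28 bytes.
ARP_FORMAT = "!HHBBH6s4s6s4s"        # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_SIZE = struct.calcsize(ARP_FORMAT)   # 28
ZERO_MAC = "00:00:00:00:00:00"       # target MAC inside a request is unknown, so zero;
                                     # the broadcast FF:FF:FF:FF:FF:FF is the Ethernet frame's destination
OP_REQUEST, OP_REPLY = 1, 2


def mac_to_bytes(mac):
    return bytes(int(part, 16) for part in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip):
    return bytes(int(part) for part in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Pack one ARP packet (hardware type 1 = Ethernet, protocol 0x0800 = IPv4)."""
    return struct.pack(ARP_FORMAT, 1, 0x0800, 6, 4, op,
                       mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                       mac_to_bytes(target_mac), ip_to_bytes(target_ip))


def parse_arp(pkt):
    """Unpack a 28-byte ARP packet into a dict; reject anything that is not Ethernet/IPv4."""
    if len(pkt) != ARP_SIZE:
        raise ValueError(f"ARP packet must be {ARP_SIZE} bytes, got {len(pkt)}")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FORMAT, pkt)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op,
            "sender_mac": bytes_to_mac(sha), "sender_ip": bytes_to_ip(spa),
            "target_mac": bytes_to_mac(tha), "target_ip": bytes_to_ip(tpa)}


def classify(arp):
    """Request vs reply comes from the operation field; a request whose sender IP
    equals its target IP is a gratuitous ARP."""
    if arp["op"] == OP_REQUEST:
        return "gratuitous-request" if arp["sender_ip"] == arp["target_ip"] else "request"
    if arp["op"] == OP_REPLY:
        return "reply"
    return "unknown"


class ArpTable:
    """IP -> MAC cache. Learns from any ARP seen and records the condition the text
    describes for gratuitous ARP: the same IP address claimed by a second MAC."""

    def __init__(self):
        self.entries = {}
        self.conflicts = []

    def learn(self, arp):
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        known = self.entries.get(ip)
        if known is not None and known != mac:
            self.conflicts.append((ip, known, mac))
        self.entries[ip] = mac
        return known is None or known == mac


def demo():
    # Constructed packets: host .10 resolves gateway .1, the gateway replies, then a
    # second host announces .10 for itself (duplicate address, or a spoofing attempt).
    req = build_arp(OP_REQUEST, "aa:bb:cc:00:00:10", "192.168.1.10", ZERO_MAC, "192.168.1.1")
    rep = build_arp(OP_REPLY, "aa:bb:cc:00:00:01", "192.168.1.1", "aa:bb:cc:00:00:10", "192.168.1.10")
    grat = build_arp(OP_REQUEST, "de:ad:be:ef:00:99", "192.168.1.10", ZERO_MAC, "192.168.1.10")
    table, kinds = ArpTable(), []
    for pkt in (req, rep, grat):
        arp = parse_arp(pkt)
        kinds.append(classify(arp))
        table.learn(arp)
    return {"sizes": [len(p) for p in (req, rep, grat)], "kinds": kinds,
            "table": dict(table.entries), "conflicts": list(table.conflicts)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows all three packets are exactly 28 bytes, that the operation field alone separates request from reply, and that the third packet both classifies as gratuitous and produces a conflict record because 192.168.1.10 was already bound to another MAC.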
IP Addressing Interview Questions and Answers
What is IP address and its format? An IP address is a software (logical) address assigned to each machine on an IP network. It specifies the location of a device on the network. It allows hosts on one network to communicate with a host on a different network. It is 32 bits of information. These 32 bits are divided into four sections referred to as octets or bytes. Each octet contains 1 byte (8 bits). An IP address can be depicted using one of three methods:
1. Dotted decimal - example 172.16.30.56
2. Binary - 10101100.00010000.00011110.00111000
3. Hexadecimal - AC.10.1E.38

What are the different Classes of IP address and give the range of each class? There are five classes of IP addresses (by first octet):
Class A - 1 to 127 (0 is not used as a network address and 127 is reserved for loopback, so 1 to 126 are usable)
Class B - 128 to 191
Class C - 192 to 223
Class D - 224 to 239 (MULTICAST ADDRESSES)
Class E - 240 to 255 (RESEARCH & DEVELOPMENT, reserved)
Class A addresses 127.0.0.0 to 127.255.255.255 are reserved for loopback addresses.

What are Private addresses and give the range of Private Addresses? These addresses (RFC 1918) can be used only on a private network. They cannot be routed through the Internet. Private IP addresses save valuable public IP address space; hiding the internal addressing is a side effect, not a security control, so traffic still has to be filtered at the edge.
Class A - 10.0.0.0 to 10.255.255.255
Class B - 172.16.0.0 to 172.31.255.255
Class C - 192.168.0.0 to 192.168.255.255

What is subnet mask? A subnet mask is a 32-bit value that allows the recipient of IP packets to distinguish the network ID portion of the IP address from the host ID portion of the IP address.
ICMP Interview Questions and Answers
What is the Internet Control Message Protocol? ICMP is basically a management protocol and messaging service provider for IP. It can provide hosts with information about network problems.

ICMP works at which layer? It works at the Network Layer (carried inside IP with protocol number 1).

Which two fields in the ICMP header are used to identify the intent of an ICMP message? Type and Code.

What are various ICMP messages?
1. Destination Unreachable (Type 3).
2. Buffer Full, also called Source Quench (Type 4, deprecated).
3. Hops/Time Exceeded (Type 11).
4. Ping (Echo Request Type 8, Echo Reply Type 0).
5. Traceroute (built on the Time Exceeded and Destination Unreachable replies).
How does Traceroute work?
1. Firstly, Traceroute creates a UDP packet from the source to the destination with a TTL value of 1 (this is Unix traceroute; Windows tracert sends ICMP Echo Requests instead).
2. The packet reaches the first router, where the router decrements the TTL by 1, making the packet's TTL value 0, because of which the packet gets dropped.
3. As the packet gets dropped, the router sends an ICMP message [Time Exceeded, Type 11] back to the source.
4. This is how Traceroute comes to know the first router's address and the time taken for the round trip.
5. It sends two more packets in the same way to get the average round-trip time. The first round trip takes longer than the other two due to the delay of ARP finding the physical address; the address stays in the ARP cache during the second and the third time and hence the process speeds up.
6. These steps take place again and again until the destination has been reached. The only change is that the TTL is incremented by 1 each time the UDP packet is sent towards the next router/host.
7. Once the destination is reached, a Time Exceeded ICMP message is NOT sent back this time because the destination has already been reached.
8. But the UDP packet used by Traceroute specifies a destination port number (starting at 33434) that is not usually used for UDP. So, when the destination checks the headers of the UDP packet, the packet gets dropped because nothing is listening on that port and an ICMP message [Destination Unreachable, Port Unreachable, Type 3 Code 3] is sent back to the source.
9. When Traceroute encounters this message, it understands that the destination is reached. The destination is also probed 3 times to get the average round-trip time.

Why are there three columns in traceroute results? Three probes (change with the -q flag) are sent at each TTL setting and a line is printed showing the TTL, the address of the gateway and the round-trip time of each probe. A probe that gets no reply (for example because a router rate-limits or filters ICMP) is printed as *, so a hop that answers none of the probes shows as * * *.

Which ICMP message confirms the traceroute is completed? Destination Unreachable (Port Unreachable) message.
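The procedure above, simulated end to end as an added Python example (not code from the original page): each probe is carried across a constructed path of routers, the TTL is decremented per hop, and the two ICMP answers that drive traceroute, Time Exceeded (11/0) and Port Unreachable (3/3), are produced where the text says they are. The topology, the router addresses and the `silent` parameter (a router that does not send ICMP errors) are assumptions made for the demonstration.

```python
# ICMP (type, code) pairs used by traceroute, from the ICMP section above.
TIME_EXCEEDED = (11, 0)     # TTL reached 0 in transit: sent by the router that dropped the probe
PORT_UNREACHABLE = (3, 3)   # destination reached, nothing listening on the probe's UDP port
BASE_PORT = 33434           # first destination port used by Unix traceroute
MAX_HOPS = 30               # traceroute's default hop limit


def send_probe(path, dst, ttl, dst_port, silent=frozenset(), open_udp_ports=frozenset()):
    """Deliver one UDP probe with the given TTL along `path` (router IPs in order) to `dst`.
    Returns (responder_ip, (icmp_type, icmp_code)); (None, None) models a probe that got
    no answer, which traceroute prints as '*'."""
    for router in path:
        ttl -= 1                      # every router decrements TTL before forwarding...
        if ttl == 0:                  # ...and drops the packet when it reaches 0
            if router in silent:      # router configured not to send ICMP errors
                return None, None
            return router, TIME_EXCEEDED
    # The probe survived every router and arrived at the destination host.
    if dst_port in open_udp_ports:
        return None, None             # a real listener consumes it silently: no ICMP at all
    return dst, PORT_UNREACHABLE


def traceroute(path, dst, probes=3, max_hops=MAX_HOPS, silent=frozenset(), open_udp_ports=frozenset()):
    """Return one (ttl, responder, replies) tuple per line of traceroute output.
    Stops after the first TTL at which a probe draws Port Unreachable from `dst`."""
    lines = []
    port = BASE_PORT
    for ttl in range(1, max_hops + 1):
        replies = []
        for _ in range(probes):
            replies.append(send_probe(path, dst, ttl, port, silent, open_udp_ports))
            port += 1                 # like traceroute, bump the port per probe so replies match probes
        responder = next((ip for ip, _ in replies if ip is not None), None)
        lines.append((ttl, responder, [code for _, code in replies]))
        if any(code == PORT_UNREACHABLE for _, code in replies):
            break
    return lines


def render(lines):
    """Format like the real tool: 'ttl  responder  reply reply reply', with '*' for silence."""
    out = []
    for ttl, responder, codes in lines:
        marks = " ".join("*" if c is None else f"icmp{c[0]}/{c[1]}" for c in codes)
        out.append(f"{ttl:2d}  {responder or '*':<15} {marks}")
    return out


if __name__ == "__main__":
    # Constructed topology: three routers between us and the destination; the second
    # router filters ICMP, so it shows as '* * *' but the trace still continues past it.
    ROUTERS = ["10.0.0.1", "10.0.1.1", "10.0.2.1"]
    for line in render(traceroute(ROUTERS, "203.0.113.7", silent={"10.0.1.1"})):
        print(line)
```

Two behaviours worth noticing in the output: a hop that filters ICMP does not stop the trace (the next TTL still reaches the router behind it), and if the destination actually has a listener on the probe ports no Port Unreachable ever comes back, so the trace runs on to the hop limit printing only asterisks, which is exactly what a firewall that silently drops probes looks like.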
IP Header Interview Questions and Answers
What is the importance of the identification field in the IP packet? It identifies the datagram a fragment belongs to: all fragments of one datagram carry the same Identification value (together with the same source, destination and protocol), so the destination device can reassemble them in order.

Which device can reassemble the packet? This is done only by the ultimate destination of the IP message.

What is IP datagram? IP datagram is the term used for a unit of IP data. Each IP datagram has a set of fields arranged in order. The IP datagram has the following fields: Version, Header Length, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source IP Address, Destination IP Address, Options, Padding and Payload.

What is MTU (Maximum Transmission Unit)? The maximum transmission unit (MTU) of an interface tells Cisco IOS the largest IP packet that can be forwarded out on that interface without fragmentation (1500 bytes on standard Ethernet).

What is Fragmentation? Fragmentation is the process of breaking an IP packet into smaller pieces (fragments). Fragmentation is required when the datagram is larger than the MTU. Each fragment then becomes a datagram in itself and is transmitted independently from the source. These datagrams are reassembled by the destination.

How is the packet reassembled?
1. When a host receives an IP fragment, it stores this fragment in a reassembly buffer at the position given by its fragment offset field.
2. Once all the fragments of the original IP datagram are received, the datagram is processed.
3. On receiving the first fragment, a reassembly timer is started.
4. If this reassembly timer expires before all the fragments are received, the datagram is discarded.

What is the importance of the DF and MF flags?
Don't Fragment bit - If the DF bit is set, fragmentation is not allowed. When a router needs to forward a packet larger than the outgoing interface's MTU, the router either fragments the packet or discards it. If the IP header's Don't Fragment (DF) bit is set, fragmentation is not allowed and the router discards the packet (and returns ICMP Destination Unreachable, Fragmentation Needed, Type 3 Code 4, which Path MTU Discovery relies on). If the DF bit is not set, fragmentation is allowed and the router can perform Layer 3 fragmentation on the packet.
More Fragments bit - If the MF bit is set to 1, more fragments are coming. If it is set to 0, this is the last fragment. All fragments that belong to an IP datagram have the More Fragments bit set except for the final fragment. The final fragment does not have the More Fragments bit set, indicating that this is the last fragment. This, together with the fragment offsets, is how the end host knows it has collected all the fragments of the IP datagram.

What is the purpose of fragment offset? It tells the receiver where the data of this fragment belongs in the original datagram: the 13-bit field gives the position of the fragment's first data byte, in units of 8 bytes, so every fragment except the last carries a multiple of 8 data bytes. The size of a fragment comes from its Total Length field, not from the offset.

What is the importance of TTL value? It defines how long a packet can travel in the network. It is the number of hops that the IP datagram can go through before being discarded. At every hop the TTL value is decremented by 1. When this field becomes zero, the datagram is discarded (and an ICMP Time Exceeded message is returned to the source). This behaviour prevents packets from circulating forever in a routing loop. Common default values are 64 (Linux, macOS), 128 (Windows) and 255 (Cisco IOS).

What does the protocol field determine in the IP packet? The Protocol field is an 8-bit field that identifies the next-level protocol. It indicates to which upper-layer protocol this datagram should be delivered. Example - TCP (6), UDP (17).
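Fragmentation and the reassembly steps above, worked through as an added Python example (not code from the original page). It splits a constructed 3072-byte payload for a 1500-byte MTU, carries the Identification, MF flag and 8-byte-unit Fragment Offset on each piece, reassembles them in arbitrary order, and shows the two failure modes the text names: a DF-marked packet that is too big, and a buffer with a missing fragment that has to be discarded when the timer expires. `Reassembler` and `fragment` are names chosen for this illustration.

```python
IP_HEADER_LEN = 20          # bytes, header without options
FLAG_DF = 0x2               # Don't Fragment
FLAG_MF = 0x1               # More Fragments


def fragment(ident, payload, mtu, df=False):
    """Split one datagram's payload into fragments that fit `mtu`. Each fragment is a
    dict with the header fields the receiver needs: the shared Identification, the
    Flags, and the Fragment Offset in 8-byte units."""
    if IP_HEADER_LEN + len(payload) <= mtu:
        return [{"id": ident, "flags": FLAG_DF if df else 0, "offset": 0, "data": payload}]
    if df:
        # A router would drop the packet here and send ICMP type 3 code 4 (fragmentation
        # needed and DF set), which is what Path MTU Discovery listens for.
        raise ValueError("packet larger than MTU with DF set: dropped, ICMP 3/4 returned")
    chunk = (mtu - IP_HEADER_LEN) // 8 * 8      # data per fragment must be a multiple of 8
    frags = []
    for start in range(0, len(payload), chunk):
        data = payload[start:start + chunk]
        more = start + chunk < len(payload)
        frags.append({"id": ident, "flags": FLAG_MF if more else 0,
                      "offset": start // 8, "data": data})
    return frags


class Reassembler:
    """Per-Identification reassembly buffers, as in the steps above. Fragments may
    arrive in any order; the datagram is complete when the last fragment (MF=0) has
    been seen and every byte from offset 0 up to its end is present."""

    def __init__(self):
        self.buffers = {}

    def receive(self, frag):
        """Store one fragment; return the whole payload once it is complete, else None."""
        buf = self.buffers.setdefault(frag["id"], {"parts": {}, "total": None})
        buf["parts"][frag["offset"] * 8] = frag["data"]
        if not frag["flags"] & FLAG_MF:
            buf["total"] = frag["offset"] * 8 + len(frag["data"])
        return self._try_complete(frag["id"])

    def _try_complete(self, ident):
        buf = self.buffers[ident]
        if buf["total"] is None:
            return None                      # last fragment not seen yet
        out, pos = bytearray(), 0
        while pos < buf["total"]:
            part = buf["parts"].get(pos)
            if part is None:
                return None                  # hole in the buffer: keep waiting
            out += part
            pos += len(part)
        del self.buffers[ident]
        return bytes(out)

    def expire(self, ident):
        """Reassembly timer fired: discard the partial datagram. True if one was dropped."""
        return self.buffers.pop(ident, None) is not None


def demo():
    payload = bytes(range(256)) * 12           # constructed 3072-byte payload
    frags = fragment(0x1234, payload, mtu=1500)
    rx = Reassembler()
    results = [rx.receive(f) for f in reversed(frags)]   # deliver last fragment first
    return frags, results, payload


if __name__ == "__main__":
    frags, results, payload = demo()
    for f in frags:
        print(f"id={f['id']:#x} MF={f['flags'] & FLAG_MF} offset={f['offset']} len={len(f['data'])}")
    print("reassembled:", results[-1] == payload)
```

The offsets come out as 0, 185 and 370 (1480 bytes is 185 eight-byte units) and only the last fragment has MF clear; because the first two deliveries leave a hole at offset 0 the reassembler returns nothing until the final piece arrives. A security-minded reader will note that the receiver trusts the offsets completely, which is why real stacks bound the buffer size and reject overlapping fragments.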
TCP Interview Questions and Answers (Transmission Control Protocol)
What is TCP? Transmission Control Protocol is a connection-oriented protocol. This means that before any data transfer can take place, certain parameters have to be negotiated in order to establish the connection.

Explain TCP Three Way Handshake process? For a reliable connection the transmitting device first establishes a connection-oriented (reliable) session with its peer system, which is called the three-way handshake. Data is then transferred. When the data transfer is finished, the connection is terminated and the virtual circuit is torn down.
1. In the first part of the three-way handshake, the source sends a TCP SYN segment with an initial sequence number X, indicating the desire to open the connection.
2. In the second part, when the destination receives the TCP SYN, it acknowledges this with ACK (X+1) as well as its own SYN with sequence number Y (it informs the source what sequence number it will start its data with and will use in further messages). This response is called SYN/ACK.
3. In the third part, the source sends an ACK (ACK = Y+1) segment to the destination, indicating that the connection is set up. Data transfer can then begin.
During this three-way handshake the devices also negotiate parameters such as window size, MSS and other options. Each side should choose its initial sequence number unpredictably (RFC 6528); a guessable ISN lets an off-path attacker forge segments into the connection.

What does Window Size indicate? It is the 16-bit Window field with which the receiver advertises how many bytes it is currently willing to accept, that is, how many bytes the sender may transmit before it must receive an acknowledgment (the window scaling option extends this beyond 65,535 bytes).

What is the purpose of RST bit? It aborts the connection immediately. A destination that does not allow the connection (for example, no process is listening on that port) answers the SYN with RST, and either side sends RST when it receives a segment for a connection it does not recognise.

What are TCP Flags? TCP Flags are used to influence the flow of data across a TCP connection.
1. Push (PSH) - It pushes the buffered data to the receiver's application. If data is to be sent on an immediate basis we push it.
2. Reset (RST) - It resets the connection.
3. Finish (FIN) - It finishes the session. It means no more data from the sender.
4. Urgent (URG) - It is used to set the priority, to tell the receiver that this data is important (the Urgent Pointer field marks where the urgent data ends).
5. Acknowledgement (ACK) - All segments after the initial SYN segment sent by the client should have this flag set. ACK=10 means the host has received bytes 0 through 9 and is expecting byte 10 next.
6. Synchronize (SYN) - It initiates a connection. It synchronizes the sequence numbers.

What is the difference between PSH and URG flag? The PSH flag in the TCP header informs the receiving host that the data should be pushed up to the receiving application immediately. The URG flag is used to inform a receiving station that certain data within a segment is urgent and should be prioritized.

What is the importance of Sequence Number and Acknowledgement Number? The Sequence Number is a 32-bit field that identifies the position, in the byte stream, of the first data byte carried in this segment. Through sequence numbers the sender can be assured that the receiver received the data, because the receiver uses the next sequence number it expects as the acknowledgment number in the next segment it sends. When the TCP session starts, the initial sequence number can be any number in the range 0 to 4,294,967,295. The Acknowledgment Number acknowledges the received data and is equal to the next byte the receiver expects: the received sequence number plus the number of data bytes received, where a SYN or FIN counts as one byte (which is why the SYN with sequence number X is acknowledged with X+1).
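The handshake, the flag bits and the sequence/acknowledgement arithmetic from this section, as an added Python example (not code from the original page). Two simulated endpoints exchange SYN, SYN/ACK and ACK with the X+1 and Y+1 acknowledgements the text describes, a closed port answers the SYN with RST/ACK, and `next_expected` computes an ACK number the way a receiver does, counting SYN and FIN as one sequence number each. `Endpoint`, `segment` and `three_way_handshake` are names chosen for this illustration; the fixed ISNs used in testing are for reproducibility only.

```python
import secrets

# Flag bits of the TCP header, low bit first: FIN, SYN, RST, PSH, ACK, URG
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = [(SYN, "SYN"), (ACK, "ACK"), (FIN, "FIN"), (RST, "RST"), (PSH, "PSH"), (URG, "URG")]
SEQ_MOD = 2 ** 32          # sequence numbers are 32 bits and wrap around


def flag_names(flags):
    return [name for bit, name in FLAG_NAMES if flags & bit]


def next_expected(seq, data_len, flags):
    """ACK number to send for a received segment: its sequence number plus every
    sequence number it consumed. Data consumes one per byte; SYN and FIN consume
    one each, which is why a SYN with ISN X is acknowledged with X+1."""
    consumed = data_len + (1 if flags & SYN else 0) + (1 if flags & FIN else 0)
    return (seq + consumed) % SEQ_MOD


class Endpoint:
    def __init__(self, name, isn=None, listening=True):
        self.name = name
        # RFC 6528: choose the ISN unpredictably; a fixed isn is only for reproducible tests.
        self.isn = secrets.randbelow(SEQ_MOD) if isn is None else isn
        self.snd_nxt = self.isn          # next sequence number we will send
        self.rcv_nxt = None              # next sequence number we expect from the peer
        self.listening = listening
        self.state = "LISTEN" if listening else "CLOSED"


def segment(src, dst, flags, seq, ack=0):
    return {"from": src.name, "to": dst.name, "flags": flags, "seq": seq, "ack": ack}


def three_way_handshake(client, server):
    """Run the exchange from the text. Returns the segments in order; the endpoints'
    .state tells whether the connection was established or reset."""
    log = []
    # 1. SYN: client proposes its ISN X
    syn = segment(client, server, SYN, client.snd_nxt)
    client.state = "SYN-SENT"
    log.append(syn)
    if not server.listening:
        # Nothing listening on that port: server answers RST/ACK and the client gives up.
        log.append(segment(server, client, RST | ACK, 0, next_expected(syn["seq"], 0, syn["flags"])))
        client.state = "CLOSED"
        return log
    # 2. SYN/ACK: server acknowledges X+1 and proposes its own ISN Y
    server.rcv_nxt = next_expected(syn["seq"], 0, syn["flags"])
    synack = segment(server, client, SYN | ACK, server.snd_nxt, server.rcv_nxt)
    server.state = "SYN-RECEIVED"
    log.append(synack)
    # 3. ACK: client acknowledges Y+1; each side's SYN consumed one sequence number
    client.rcv_nxt = next_expected(synack["seq"], 0, synack["flags"])
    client.snd_nxt = (client.isn + 1) % SEQ_MOD
    log.append(segment(client, server, ACK, client.snd_nxt, client.rcv_nxt))
    client.state = "ESTABLISHED"
    server.snd_nxt = (server.isn + 1) % SEQ_MOD
    server.state = "ESTABLISHED"
    return log


if __name__ == "__main__":
    c, s = Endpoint("client"), Endpoint("server")
    for seg in three_way_handshake(c, s):
        flags = "/".join(flag_names(seg["flags"]))
        print(f'{seg["from"]:>6} -> {seg["to"]:<6} {flags:<8} seq={seg["seq"]} ack={seg["ack"]}')
    print(c.state, s.state)
```

With ISNs 1000 and 5000 the log reads SYN seq=1000, SYN/ACK seq=5000 ack=1001, ACK seq=1001 ack=5001; with a non-listening server the second segment is RST/ACK with ack=1001 and the client returns to CLOSED. The same `next_expected` rule gives ACK=1011 for a 10-byte data segment starting at 1001, matching the "received 0 through 9, expecting 10" explanation above.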
ACL Interview Questions and Answers
What is ACL? Access Control List is a packet filtering method that filters IP packets based on source and destination address (and, for extended lists, protocol and port). It is a set of rules and conditions that permit or deny IP packets to exercise control over network traffic.

What are the different types of ACL? There are two main types of Access lists:
1. Standard Access List.
2. Extended Access List.

Explain Standard Access List? A Standard Access List examines only the source IP address in an IP packet to permit or deny that packet. It cannot match any other field in the IP packet. A Standard Access List can be created using the access-list numbers 1-99 or the expanded range 1300-1999. A Standard Access List must be applied close to the destination. As we are filtering based only on the source address, if we put the standard access-list close to the source host or network, nothing would be forwarded from the source to any destination. Example (the final permit is needed because of the implicit deny at the end of every list):
R1(config)# access-list 10 deny host 192.168.1.1
R1(config)# access-list 10 permit any
R1(config)# int fa0/0
R1(config-if)# ip access-group 10 in

Explain Extended Access List? An Extended Access List filters the network traffic based on the source IP address, destination IP address, the Protocol field at the Network layer and the port number fields at the Transport layer. Extended Access Lists range from 100 to 199, or 2000-2699 in the expanded range. An Extended Access List should be placed as close to the source as possible. Since an extended access list filters traffic based on spec ific addresses (source IP, destination IP) and protocols, we don't want our traffic to traverse the entire network just to be denied, wasting bandwidth. Example (deny Telnet to 192.168.1.1, allow everything else):
R1(config)# access-list 110 deny tcp any host 192.168.1.1 eq 23
R1(config)# access-list 110 permit ip any any
R1(config)# int fa0/0
R1(config-if)# ip access-group 110 in
Explain Named ACL and its advantages over Numbered ACL? It is just another way of creating Standard and Extended ACLs. In a Named ACL, names are given to identify the access-list. It has the following advantage over a Numbered ACL - in a Named ACL we can give each statement a sequence number, which means we can insert a new statement in the middle of the ACL (or delete a single statement) without rewriting the whole list. Example:
R1(config)# ip access-list extended CCNA
R1(config-ext-nacl)# 15 permit tcp host 10.1.1.1 host 20.1.1.1 eq 23
R1(config-ext-nacl)# exit
This will insert the above statement at line 15 (between existing lines 10 and 20).
R1(config)# int fa0/0
R1(config-if)# ip access-group CCNA in
ACL names are case sensitive, so the name in ip access-group must match the name the list was created with.

What is Wildcard Mask? A wildcard mask is used with an ACL to specify an individual host, a network, or a range of networks. It is evaluated bit by bit: wherever a 0 bit is present, that bit of the address must match the corresponding reference bit exactly; wherever a 1 bit is present, that bit is not evaluated. So an octet of 0 must match exactly and an octet of 255 is ignored. For a network the wildcard mask is the bitwise inverse of the subnet mask. Example: for a /24, subnet mask 255.255.255.0, wildcard mask 0.0.0.255.

How to permit or deny a specific Host in an Access List?
1. Using a wildcard mask of 0.0.0.0. Example: 192.168.1.1 0.0.0.0
2. Using the host keyword. Example: host 192.168.1.1

In which directions can we apply an ACL? We can apply an access list in two directions:
IN - ip access-group 10 in
OUT - ip access-group 10 out
Difference between Inbound Access-list and Outbound Access-list? When an access-list is applied to inbound packets on an interface, those packets are first processed through the ACL and then routed. Any packets that are denied won't be routed. When an access-list is applied to outbound packets on an interface, those packets are first routed to the outbound interface and then processed through the ACL.

Difference between #sh access-list command and #sh run command? #sh access-list shows the number of hit counts (matches) for each statement. #sh run does not show the number of hit counts.
How many Access Lists can be applied to an interface on a Cisco router? We can assign only one access list per interface, per protocol, per direction, which means that when creating IP access lists we can have only one inbound access list and one outbound access list per interface. Multiple access lists are permitted per interface, but they must be for different protocols.

How are Access Lists processed? Access lists are processed in sequential, logical order, evaluating packets from the top down, one statement at a time. As soon as a match is made, the permit or deny option is applied, and the packet is not evaluated against any more access list statements. Because of this, the order of the statements within any access list is significant. There is an implicit "deny" at the end of each access list, which means that if a packet doesn't match the condition on any of the lines in the access list, the packet will be discarded.

What is at the end of each Access List? At the end of each access list there is an implicit deny statement denying any packet for which no match has been found in the access list.

Key Information
Any access list applied to an interface without that access list having been created will not filter traffic: everything is permitted until the list exists, so create the list before applying it.
Access lists only filter traffic that is going through the router. They will not filter traffic that has originated from the router itself.
If we remove one line from a numbered access list (no access-list <number> ...), the entire access-list is removed; only named ACLs allow deleting a single statement.
Every access list should have at least one permit statement or it will deny all traffic.
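The matching rules from this ACL section (wildcard masks, host and any, standard versus extended entries, top-down first-match processing, the implicit deny, the "applied but never created" case and sequence-numbered insertion), as an added Python evaluator. This is not code from the original page and not IOS code: `Entry`, `Packet` and `evaluate` are names chosen for the illustration, and `STANDARD_10` and `EXTENDED_110` reproduce the two numbered lists shown above, each with its trailing permit.

```python
from dataclasses import dataclass
from typing import Optional


def ip_to_int(ip):
    return int.from_bytes(bytes(int(octet) for octet in ip.split(".")), "big")


def wildcard_from_mask(mask):
    """Wildcard mask = bitwise inverse of the subnet mask: 255.255.255.0 -> 0.0.0.255."""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))


def wildcard_match(addr, ref, wildcard):
    """Bit by bit: a 0 bit in the wildcard means addr must equal ref there, a 1 bit is
    ignored. 'host X' is X with wildcard 0.0.0.0; 'any' is 0.0.0.0 255.255.255.255."""
    ignore = ip_to_int(wildcard)
    return (ip_to_int(addr) | ignore) == (ip_to_int(ref) | ignore)


ANY = ("0.0.0.0", "255.255.255.255")


def host(ip):
    return (ip, "0.0.0.0")


@dataclass
class Entry:
    seq: int                          # sequence number; named ACLs let you insert 15 between 10 and 20
    action: str                       # "permit" or "deny"
    src: str
    src_wc: str
    dst: Optional[str] = None         # standard ACL entries have no destination
    dst_wc: str = "255.255.255.255"
    proto: str = "ip"                 # "ip" matches every protocol; "tcp"/"udp"/"icmp" must match
    dst_port: Optional[int] = None    # "eq <port>" on the destination


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dst_port: Optional[int] = None


def evaluate(acl, pkt):
    """Top-down, first match wins, implicit deny at the end. Returns (action, seq);
    seq is "implicit" for the trailing deny and None when the list does not exist
    (IOS forwards everything if an interface references an ACL that was never created)."""
    if not acl:
        return ("permit", None)
    for entry in sorted(acl, key=lambda e: e.seq):
        if not wildcard_match(pkt.src, entry.src, entry.src_wc):
            continue
        if entry.dst is not None and not wildcard_match(pkt.dst, entry.dst, entry.dst_wc):
            continue
        if entry.proto != "ip" and entry.proto != pkt.proto:
            continue
        if entry.dst_port is not None and entry.dst_port != pkt.dst_port:
            continue
        return (entry.action, entry.seq)
    return ("deny", "implicit")


# The page's two numbered lists, each with the permit statement that keeps the
# implicit deny from blocking all other traffic.
STANDARD_10 = [Entry(10, "deny", *host("192.168.1.1")),
               Entry(20, "permit", *ANY)]
EXTENDED_110 = [Entry(10, "deny", *ANY, *host("192.168.1.1"), "tcp", 23),
                Entry(20, "permit", *ANY, *ANY)]


if __name__ == "__main__":
    for pkt in (Packet("192.168.1.1", "10.0.0.5", "tcp", 80),
                Packet("10.0.0.5", "192.168.1.1", "tcp", 23),
                Packet("10.0.0.5", "192.168.1.1", "udp", 23)):
        print(pkt, "->", evaluate(STANDARD_10, pkt), evaluate(EXTENDED_110, pkt))
```

Note in the test of the named-list case that an entry inserted at sequence 15 takes effect only because it sorts before the deny at 20: order, not the time of insertion, decides what matches, which is the point the processing rules above make.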
NAT Interview Questions and Answers (Network Address Translation)
What is NAT? Network Address Translation translates private addresses into public addresses before packets are routed to the public network. It allows a network device such as a router to translate addresses between the private and the public network.

What are the situations where NAT is required?
1. When we need to connect to the Internet and our hosts don't have globally unique IP addresses.
2. When we want to hide internal IP addresses from outside.
3. A company is going to merge with another company which uses the same address space (overlapping addresses).

What are the advantages of NAT?
1. It conserves legally registered IP addresses.
2. It prevents address overlapping.
3. It hides internal (private) IP addresses; this is not a substitute for a firewall or ACLs, since any inside host for which a translation entry exists is reachable from outside.
4. It eliminates address renumbering as a network evolves.

What are the different types of NAT? There are mainly three types of NAT:
1. Static NAT
2. Dynamic NAT
3. Port Address Translation (Overloading)
What is Static NAT? Static NAT allows a one-to-one mapping, that is, it translates one private IP address to one public IP address (so the inside host is also permanently reachable from outside at that public address).
R1(config)# ip nat inside source static 10.1.1.1 15.36.2.1
R1(config)# int fa0/0
R1(config-if)# ip nat inside (It identifies this interface as the inside interface)
R1(config)# int fa0/1
R1(config-if)# ip nat outside (It identifies this interface as the outside interface)
In the ip nat inside source command we can see that the command is referencing the inside interface as the source or starting point of the translation.

What is Dynamic NAT? It maps an unregistered IP address to a registered IP address taken from a pool of registered IP addresses.
R1(config)# ip nat pool CCNA 190.1.1.5 190.1.1.254 netmask 255.255.255.0
R1(config)# ip nat inside source list 10 pool CCNA
R1(config)# int fa0/0
R1(config-if)# ip nat inside (It identifies this interface as the inside interface)
R1(config)# int fa0/1
R1(config-if)# ip nat outside (It identifies this interface as the outside interface)
R1(config)# access-list 10 permit 192.168.1.0 0.0.0.255 (To specify which unregistered addresses need to be translated)

What is Port Address Translation (Overloading)? It maps multiple unregistered IP addresses to a single registered IP address using different port numbers. PAT allows thousands of users to connect to the Internet using only one public address.
R1(config)# ip nat pool CCNA 190.1.1.5 190.1.1.254 netmask 255.255.255.0
R1(config)# ip nat inside source list 10 pool CCNA overload
R1(config)# int fa0/0
R1(config-if)# ip nat inside (It identifies this interface as the inside interface)
R1(config)# int fa0/1
R1(config-if)# ip nat outside (It identifies this interface as the outside interface)
R1(config)# access-list 10 permit 192.168.1.0 0.0.0.255 (To specify which unregistered addresses need to be translated)

What are Inside Local, Inside Global, Outside Local, Outside Global address? The inside local address is the IP address of an inside host before translation (its private address). The inside global address is the public IP address of the inside host after translation. The outside global address is the real address of the outside destination (ultimate destination) host. The outside local address is the address of that outside host as it appears to the inside network; unless the destination is also being translated, it is the same as the outside global address.
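Port Address Translation as configured above (one inside global address from the pool, inside hosts selected by access-list 10, overload by source port), simulated as an added Python example. This is not code from the original page and not how IOS is implemented: `PatTranslator` is a hypothetical class, 190.1.1.5 stands in for the address taken from pool CCNA, 192.168.1.0/24 is the range access-list 10 permits, and the outside addresses are constructed. The example shows the inside local / inside global / outside global terms on each translation entry and why an unsolicited packet from outside is dropped.

```python
import ipaddress


class PatTranslator:
    """PAT ('ip nat inside source list 10 pool CCNA overload'): every inside host that the
    access-list matches shares one inside global address and is told apart by the
    translated source port."""

    def __init__(self, inside_global, inside_network, first_port=1024):
        self.inside_global = inside_global                            # address from pool CCNA
        self.inside_network = ipaddress.ip_network(inside_network)   # what access-list 10 permits
        self.next_port = first_port
        self.out_table = {}   # (inside local, local port, outside global, dst port) -> global port
        self.in_table = {}    # global port -> (inside local, local port, outside global, dst port)

    def _allocate_port(self, wanted):
        """Keep the original source port when it is free; otherwise take the next unused one."""
        if wanted not in self.in_table:
            return wanted
        while self.next_port in self.in_table:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet from inside to outside. Returns the header fields after translation
        (inside global:port -> outside global:port), or the packet unchanged when the
        source is not covered by the access-list."""
        if ipaddress.ip_address(src_ip) not in self.inside_network:
            return (src_ip, src_port, dst_ip, dst_port)
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out_table:
            gport = self._allocate_port(src_port)
            self.out_table[key] = gport
            self.in_table[gport] = key
        return (self.inside_global, self.out_table[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Return packet from outside. Translated back only if it matches an existing
        entry; anything unsolicited has no entry to map it to an inside host and is dropped (None)."""
        if dst_ip != self.inside_global:
            return None
        entry = self.in_table.get(dst_port)
        if entry is None or entry[2] != src_ip or entry[3] != src_port:
            return None
        inside_local, local_port, _, _ = entry
        return (src_ip, src_port, inside_local, local_port)

    def show_translations(self):
        """Rows in the spirit of 'show ip nat translations': inside global, inside local, outside global."""
        return sorted(
            (f"{self.inside_global}:{gport}", f"{key[0]}:{key[1]}", f"{key[2]}:{key[3]}")
            for key, gport in self.out_table.items())


if __name__ == "__main__":
    pat = PatTranslator("190.1.1.5", "192.168.1.0/24")
    # Two inside hosts happen to pick the same source port for a DNS query.
    print(pat.outbound("192.168.1.10", 5000, "198.51.100.53", 53))
    print(pat.outbound("192.168.1.11", 5000, "198.51.100.53", 53))
    print(pat.inbound("198.51.100.53", 53, "190.1.1.5", 5000))       # reply to host .10
    print(pat.inbound("203.0.113.9", 4444, "190.1.1.5", 5000))       # unsolicited: dropped
    for row in pat.show_translations():
        print(row)
```

The second host keeps its private source port 5000 on the inside but leaves the router as 190.1.1.5:1024, because 5000 was already taken on the shared global address; replies are demultiplexed on that global port, and a packet from an unexpected outside source to the same port is dropped, which is the whole of the "hiding" NAT provides.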
Routing Basic Interview Questions and Answers
What is Routing? The function of Routing is to route packets between networks that are not locally attached.

What is a Router? A Router is a networking device that performs routing, that is, it routes packets between devices that are on different networks. A Router is a Layer 3 device.

What are the different types of memory in a router?
RAM - Running configuration file: running-config is stored in RAM (along with the routing table, the ARP cache and the running IOS).
NVRAM - Startup configuration file: startup-config is stored in NVRAM.
Flash Memory - The IOS image is stored in Flash Memory.
ROM - Instructions for POST, the Bootstrap program and the Mini-IOS are stored in ROM.

What are the possible locations of the IOS image? FLASH and a TFTP server (with the Mini-IOS in ROM as a fallback).
What is ROM Monitor? If the Bootstrap program is not able to find a valid IOS image, it drops into ROM Monitor (ROMMON). ROM Monitor is capable of performing certain configuration tasks such as:
1. Recovering a lost password
2. Changing the configuration register value, etc.
3. Downloading an IOS image using TFTP
Because ROMMON can change the configuration register and so skip the startup-config, anyone with console access during boot can bypass the device passwords; physical and console access to routers must be controlled.

What are the different modes in a Router?
1. User Mode (prompt >)
2. Privilege Mode (prompt #)
3. Global Configuration Mode (prompt (config)#)
Each mode has access to a different set of IOS commands.

What is the command to enter PRIVILEGE mode from USER mode? > enable
What is the command to enter Global Configuration mode from PRIVILEGE mode? # configure terminal
What is the command to reboot a Router? # reload
What is the command to back up the IOS to a TFTP server? # copy flash tftp
What is the command to copy running-config to startup-config? # copy running-config startup-config
What is the command to display the current running configuration? # show running-config
Define static routing? In static routing, routes are manually configured on the router by a network administrator. Static routing has the following advantages:
1. There is no overhead on the router CPU.
2. There is no bandwidth usage between routers (no routing updates are exchanged).
3. It is secure, as the administrator can choose to allow routing access to certain networks only, and there is no routing protocol a neighbour could inject false routes into.
Static routing has the following disadvantages:
1. The administrator must really understand the internetwork and how each router is connected in order to configure routes correctly.
2. It is not feasible in large networks because maintaining it is a full-time job, and it does not adapt automatically to link failures.

What is Default Route? A default route specifies a path that the router should take if the destination is unknown. All IP datagrams whose destination address matches no more specific route are sent via the default route (0.0.0.0/0).

What is Dynamic Routing? In dynamic routing, routes are learned by using a routing protocol. Routing protocols learn about routes from neighbouring routers running the same routing protocol. Example - OSPF, EIGRP, RIP.

What is a Routed Protocol? A routed protocol carries data from one network to another network. A routed protocol carries user traffic such as file transfers, web traffic, e-mails, etc. Example: IP (Internet Protocol), IPX (Internetwork Packet Exchange) and AppleTalk.

What is Routing Protocol? Routing protocols learn the routes and provide the best routes from one network to another network. Example - RIP (Routing Information Protocol), EIGRP (Enhanced Interior Gateway Routing Protocol) and OSPF (Open Shortest Path First).

What is IGP? An Interior Gateway Protocol is a routing protocol that handles routing within a single autonomous system. Example - RIP, IGRP, EIGRP and OSPF.

What is EGP? An Exterior Gateway Protocol is a routing protocol that handles routing between different Autonomous Systems (AS). Example: Border Gateway Protocol (BGP).

What is an Autonomous System? An Autonomous System (AS) is a group of networks under a single administrative control, identified by an AS number.
What is Administrative Distance (AD)? Administrative Distance is the trustworthiness of a routing source. Routers use the AD value to select the best path when there are two or more routes to the same destination (same prefix and prefix length) learned through different routing protocols; the route from the source with the lowest AD is installed in the routing table. AD never overrides longest-prefix matching: a more specific route from a less trusted protocol still wins for the addresses it covers.

What is the range of AD values? 0 to 255, where 0 is the best and 255 is the worst (a route with AD 255 is never installed).

Routing Protocol / Source     Administrative Distance Value
Directly Connected            0
Static route                  1
EIGRP                         90
OSPF                          110
RIP                           120
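Route selection with the AD values from the table above, as an added Python example (not code from the original page): candidate routes from several sources are reduced to a routing table by keeping the lowest-AD source per prefix (lowest metric within a source, equal-metric routes kept together), and a lookup then does longest-prefix matching, falling back to 0.0.0.0/0 when present. The candidate routes, next hops and metrics are constructed for the illustration; `build_routing_table` and `lookup` are names chosen here.

```python
import ipaddress

# Administrative distances from the table above.
AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}


def build_routing_table(candidates):
    """candidates: (prefix, source, metric, next_hop) tuples offered by every routing source.
    For each prefix keep the route from the lowest-AD source; within one source keep the
    lowest metric, and keep several next hops when their metrics tie (load sharing)."""
    best = {}
    for prefix, source, metric, next_hop in candidates:
        net = ipaddress.ip_network(prefix)
        rank = (AD[source], metric)             # AD is compared first, metric only on a tie
        current = best.get(net)
        if current is None or rank < current["rank"]:
            best[net] = {"rank": rank, "source": source, "metric": metric, "next_hops": [next_hop]}
        elif rank == current["rank"] and next_hop not in current["next_hops"]:
            current["next_hops"].append(next_hop)
    return best


def lookup(table, destination):
    """Longest prefix match first; AD only breaks ties between routes to the same
    prefix. A default route (0.0.0.0/0) is simply the shortest possible match."""
    addr = ipaddress.ip_address(destination)
    matches = [net for net in table if addr in net]
    if not matches:
        return None
    net = max(matches, key=lambda n: n.prefixlen)
    route = table[net]
    return (str(net), route["source"], route["next_hops"])


CANDIDATES = [  # constructed routing information, as if received by one router
    ("10.0.0.0/8", "rip", 3, "172.16.0.2"),
    ("10.0.0.0/8", "ospf", 20, "172.16.0.3"),        # same prefix: OSPF (110) beats RIP (120)
    ("10.1.0.0/16", "rip", 1, "172.16.0.2"),         # longer prefix wins regardless of AD
    ("192.168.1.0/24", "connected", 0, "fa0/0"),
    ("192.168.1.0/24", "static", 0, "172.16.0.9"),   # loses to connected (AD 0 < 1)
    ("0.0.0.0/0", "static", 0, "172.16.0.1"),
    ("172.16.0.0/30", "eigrp", 2816, "172.16.0.3"),
    ("172.16.0.0/30", "eigrp", 2816, "172.16.0.2"),  # equal metric: both next hops kept
]


if __name__ == "__main__":
    table = build_routing_table(CANDIDATES)
    for dst in ("10.200.1.1", "10.1.2.3", "192.168.1.77", "8.8.8.8", "172.16.0.1"):
        print(dst, "->", lookup(table, dst))
```

The two lookups under 10.0.0.0/8 make the key point: 10.200.1.1 goes to the OSPF route because OSPF's AD beats RIP's for the identical /8, while 10.1.2.3 goes to the RIP /16 even though RIP is less trusted, because prefix length is compared before AD.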
What is Distance-Vector Routing Protocol? Distance vector routing protocols use the distance or hops as metric to find paths to destinations. Example:- Routing Information Protocol (RIP), Interior Gateway Routing Protocol (IGRP) What is Link-State Routing Protocol? Each router running a link state routing protocol originates information about the router, its directly connected links, and the state of those links. This information is sent to all the routers in the network as multicast messages. Link-state routing always try to maintain full networks topology by updating itself incrementally only when network topology changes. Example:- Open Shortest Path First (OSPF) What is Hybrid Routing Protocol? A Hybrid Routing protocol takes the advantages of both Distance Vector and Link State Routing protocols.
1.It sends traditional Distance Vector updates. 2.It has Link State characteristics also, which means it synchronizes routing tables between neighbors at startup and then sends specific updates when the network topology changes. Example:- Enhanced Interior Gateway Routing Protocol (EIGRP) What is a Route metric? A Routing Protocol uses the Route Metric value to find the best path when there are two or more different routes to the same destination. Different routing protocols use different Route Metrics to compute the distance to the destination. RIP - Hop Count, OSPF - Cost, EIGRP - Bandwidth, Delay, Reliability, Load, MTU. What is Hop Count? Hop count is the number of routers from the source through which data must pass to reach the destination network. What is Bandwidth, Delay, Reliability, Load?
1.Bandwidth - It is the Data capacity of a link in Kbps.
2.Delay - It is the time it takes to reach the destination.
3.Reliability - The path with the least amount of errors or downtime.
4.Load - It is the amount of utilization of a path.
5.MTU - Maximum transmission unit (MTU) defines the maximum Layer 3 packet that can be sent over a medium.
What is Cost? Cost is inversely proportional to the bandwidth of the links. What is CDP? Cisco Discovery Protocol is a Cisco proprietary protocol that helps administrators collect information about both locally attached and remote devices.
RIP Interview Questions and Answers
What is RIP? RIP is a Distance-Vector Routing protocol. It is a Classful routing protocol (Classful routing protocols do not send subnet mask information with their routing updates). It does not support VLSM (Variable Length Subnet Masking). RIP uses Hop count as its metric to determine the best path to a remote network and it supports a maximum hop count of 15. Any router farther than 15 hops away is considered unreachable. It sends its complete routing table out of all active interfaces every 30 seconds.
What are the four timers in RIP? Route update timer 30 seconds - It is the time interval between periodic routing updates in which the router sends a complete copy of its routing table out to all neighbors. Route invalid timer 180 seconds - It is the time interval before a router determines that a route has become invalid. A route will become invalid if the router hasn't heard any updates about that particular route for that period. Hold down timer 180 seconds - It is the amount of time during which routing information is suppressed. Routes will enter the holddown state when an update packet is received indicating that the route is unreachable. This continues either until an update packet is received with a better metric or until the holddown timer expires. Route flush timer 240 seconds - It is the time between a route becoming invalid and its removal from the routing table. Before it's removed from the table, the router notifies its neighbors of that invalid route. The value of the route invalid timer must be less than that of the route flush timer.
What is the difference between RIPV1 & RIPV2?
RIPV1 is a classful protocol. RIPV2 is a classless protocol.
RIPV1 uses broadcasts for updates. RIPv2 uses multicasts for updates.
RIPV1 broadcasts updates every 30 seconds. RIPv2 supports triggered updates (when a change occurs).
RIPV1 does not support VLSM. RIPV2 supports VLSM.
RIPV1 does not support authentication. RIPV2 supports authentication.
Explain Load-Balancing in RIP? RIP can perform load balancing over up to six equal-cost paths. Explain Split Horizon? The Split Horizon feature prevents a route learned on one interface from being advertised back out of that same interface. What is route poisoning? With route poisoning, when a distance vector routing protocol notices that a route is no longer valid, the route is advertised with an infinite metric, signifying that the route is bad. In RIP, a metric of 16 is used to signify infinity. How do you stop RIP updates from propagating out an interface on a router? Sometimes we don't want RIP updates to propagate across the network, wasting valuable bandwidth. For this purpose, we can use the passive-interface command to stop RIP updates from propagating out an interface. Which port number and protocol does RIP use? RIP uses UDP (User Datagram Protocol) port number 520.
What is the administrative distance of RIP? RIP has an administrative distance of 120. What is the multicast address of RIP? 224.0.0.9 How do we configure RIP?
Router(config)# router rip
Router(config-router)# network 192.168.1.0
Router(config-router)# version 2 (to convert it into RIPV2)
What is the difference between RIPng and RIP? RIPng is for IPv6 and RIP is for IPv4.
EIGRP Interview Questions and Answers
Explain EIGRP Routing Protocol? Enhanced Interior Gateway Routing Protocol (EIGRP Protocol) is an enhanced distance vector routing protocol which uses the Diffusing Update Algorithm (DUAL) to calculate the shortest path. It is also considered a Hybrid Routing Protocol because it has characteristics of both Distance Vector and Link State Routing Protocols. EIGRP supports classless routing and VLSM, route summarization, incremental updates, load balancing and other features. What are the requirements for neighborship in EIGRP? The following fields in a hello packet must match for routers to become neighbors: 1.Autonomous System number. 2.K-values. 3.Authentication. 4.Primary address should be used. 5.If static neighborship is used, it should be defined on both sides. What tables do EIGRP routers maintain? An EIGRP router stores routing and topology information in three tables: 1. Neighbor table - Stores information about EIGRP neighbors. 2. Topology table - Stores routing information which is learned from neighbor routers. 3. Routing table - Stores the best paths to all networks. Why is the no auto-summary command used in EIGRP? By default, EIGRP behaves like a classful routing protocol, which means it does not advertise the subnet mask information along with the routing information. The no auto-summary command will ensure that EIGRP sends the subnet mask information along with the routing information.
What metric does EIGRP use? EIGRP calculates its metric by using Bandwidth, Load, Delay, Reliability and MTU. What are the EIGRP Hello and Hold timers? Hello Time - A router will send a hello to its neighbor every 5 seconds (Hello time). Hold Time - If a router does not receive a hello for 15 seconds (Hold time) then it will assume that the link is down and it will drop the neighborship. What are the default values of the EIGRP Hello and Hold timers? Hello Time - 5 seconds Hold Time - 15 seconds What is Successor? Successor is the best path to reach a destination in the topology table. What is Feasible successor? Feasible successor is the second best path to reach a destination after the Successor. It acts as a backup for the Successor. What is Feasible distance? Feasible distance is the distance (metric) to reach the destination network. What is Advertised Distance/Reported Distance? Advertised distance is the distance (metric) of a neighbor router to the destination network. This is the metric of a destination network as reported by a neighbor. What Authentication does EIGRP support? EIGRP supports only MD5. Give the Formula EIGRP uses to calculate the Metric? ((10^7/least bandwidth of link) + cumulative delay)*256 What are the different Administrative Distances that EIGRP uses? 1.Internal - 90 2.External - 170 3.Summary - 5 What multicast address does EIGRP use? EIGRP routers use the multicast address 224.0.0.10 How do we configure EIGRP?
Router(config)# router eigrp 100
Router(config-router)# network 172.16.1.0 0.0.0.255
Router(config-router)# network 10.16.1.0 0.0.0.255
Router(config-router)# no auto-summary
Give some commands to troubleshoot EIGRP? #show ip route - It shows the full Routing Table. #show ip route eigrp - It shows only EIGRP routes (routes learned through the EIGRP protocol) in the routing table. #show ip eigrp neighbors - It shows the EIGRP Neighbor Table. #show ip eigrp topology - It shows the EIGRP Topology Table.
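As an added example (not code from the page), the following Python applies the EIGRP metric formula above with the default K-values and then runs the feasibility condition behind Successor and Feasible Successor selection; the neighbor names R2 to R5, their advertised values and the PathVector helper are constructed for illustration.

```python
# Added example (not code from the page): the EIGRP composite metric with the
# default K-values, which reduces to the page's formula
# ((10^7 / least bandwidth) + cumulative delay) * 256, followed by the DUAL
# feasibility condition that picks the Successor and Feasible Successors.
# IOS conventions: bandwidth in Kbps, delay in tens of microseconds.
from dataclasses import dataclass


def eigrp_metric(least_bandwidth_kbps: int, cumulative_delay_tens_us: int) -> int:
    """Classic 32-bit EIGRP metric with K1=K3=1 and K2=K4=K5=0.
    IOS truncates 10^7 / bandwidth to an integer before scaling by 256."""
    if least_bandwidth_kbps <= 0:
        raise ValueError("bandwidth must be a positive number of Kbps")
    bandwidth_term = 10_000_000 // least_bandwidth_kbps
    return (bandwidth_term + cumulative_delay_tens_us) * 256


@dataclass(frozen=True)
class PathVector:
    """The metric components a neighbor advertises for one destination (constructed helper)."""
    min_bandwidth_kbps: int
    cumulative_delay_tens_us: int

    def metric(self) -> int:
        return eigrp_metric(self.min_bandwidth_kbps, self.cumulative_delay_tens_us)

    def via(self, link_bandwidth_kbps: int, link_delay_tens_us: int) -> "PathVector":
        """Extend the advertised path across the local link to that neighbor:
        bandwidth is the bottleneck (minimum), delay accumulates (sum)."""
        return PathVector(min(self.min_bandwidth_kbps, link_bandwidth_kbps),
                          self.cumulative_delay_tens_us + link_delay_tens_us)


def select_paths(neighbors: dict) -> tuple:
    """neighbors: name -> (advertised PathVector, local link bandwidth, local link delay).

    Reported Distance (RD)  = the metric the neighbor advertises.
    Feasible Distance (FD)  = the lowest metric through any neighbor.
    Successor               = the neighbor that provides the FD.
    Feasible Successor      = any other neighbor whose RD is strictly below the
                              FD; that inequality is what guarantees the backup
                              path is loop-free.
    Returns (successor, FD, sorted feasible successors).
    """
    rd = {name: adv.metric() for name, (adv, _, _) in neighbors.items()}
    total = {name: adv.via(bw, delay).metric() for name, (adv, bw, delay) in neighbors.items()}
    successor = min(total, key=lambda name: (total[name], name))
    fd = total[successor]
    feasible = sorted(name for name in neighbors if name != successor and rd[name] < fd)
    return successor, fd, feasible


# Constructed sample: one destination learned from four neighbors, all reached
# over local FastEthernet links (100000 Kbps, 100 us delay = 10 tens-of-us).
FE_BW, FE_DELAY = 100_000, 10
SAMPLE_NEIGHBORS = {
    "R2": (PathVector(100_000, 10), FE_BW, FE_DELAY),   # best path: becomes Successor
    "R3": (PathVector(1_544, 2_000), FE_BW, FE_DELAY),  # T1 behind R3: RD far above FD
    "R4": (PathVector(100_000, 15), FE_BW, FE_DELAY),   # RD 29440 < FD 30720: feasible
    "R5": (PathVector(100_000, 20), FE_BW, FE_DELAY),   # RD 30720 == FD: NOT feasible
}

if __name__ == "__main__":
    successor, fd, feasible = select_paths(SAMPLE_NEIGHBORS)
    print(f"T1 metric: {eigrp_metric(1_544, 2_000)}")
    print(f"Successor {successor} with FD {fd}; feasible successors: {feasible}")
```

R5 shows the edge case practitioners miss: a reported distance equal to the feasible distance does not satisfy the feasibility condition.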
OSPF Interview Questions and Answers (Open Shortest Path First)
What is OSPF Routing protocol? Open Shortest Path First is an Open Standard Link State routing protocol which works by using the Dijkstra algorithm to initially construct the shortest paths and follows that by populating the routing table with the resulting best paths. Mention some characteristics of OSPF? 1.OSPF is a classless routing protocol that supports VLSM and CIDR. 2.It allows for the creation of areas and autonomous systems. 3.OSPF uses cost as its metric, which is computed based on the bandwidth of the link. 4.It has no hop-count limit. It supports unlimited hop count. 5.OSPF supports both IPV4 & IPV6. 6.OSPF routes have an administrative distance of 110. What is the need for dividing the autonomous system into various areas? We would divide the autonomous system into various areas to keep route updates to a minimum, to conserve resources and to keep problems from propagating throughout the network. What is the benefit of dividing the entire network into areas? The following are the benefits of dividing the entire network into areas: 1.Decrease routing overhead. 2.Speed up convergence. 3.Confine network instability to single areas of the network.
What is Backbone Area? While configuring multi-area OSPF, one area must be called area 0, referred to as the backbone area. All other areas must connect to the backbone area, as inter-area traffic is sent through the backbone area. Explain Area Border Router (ABR)? It is the router that connects other areas to the backbone area within an autonomous system. An ABR can have its interfaces in more than one area.
What is Autonomous System Border Router (ASBR)? It is the Router that connects different Autonomous Systems.
What is OSPF Router ID? The Router ID is used to identify the Router. The highest IP address of the router's loopback interfaces is chosen as the Router ID. If no loopback is present then the highest IP address of the router's physical interfaces will be chosen as the Router ID. What Parameters must match for two routers to become neighbors? The following parameters must be the same on both routers in order for the routers to become neighbors: 1.Subnet 2.Area id 3.Hello and Dead interval time 4.Authentication How are the OSPF DR & BDR elected? • The router with the highest priority becomes the DR and the router with the second highest priority becomes the BDR. If there is a tie in priority, the router with the highest Router ID will become DR. • By default the priority on Cisco routers is 1. We can manually change it. • If the Router priority is set to 0 (Zero), that router will not participate in the DR/BDR election. • The DR election process is not preemptive. If a router with a higher priority is added to the network, it will not become DR until we clear the OSPF process and the DR/BDR election takes place again. Command to change the priority on an interface:
router(config)# interface fa0/0
router(config-if)# ip ospf priority 100
Why are DR and BDR elected in OSPF? All OSPF routers will form adjacencies with the DR and BDR. If a link state changes, the update will be sent only to the DR, which then forwards it to all other routers. This greatly reduces the flooding of LSAs, therefore conserving bandwidth. Explain the various OSPF states? OSPF routers need to go through several states before establishing a neighbor relationship: 1.Down - No Hello packets have been received on the interface. 2.Attempt - In the Attempt state neighbors must be configured manually. It applies only to nonbroadcast multiaccess (NBMA) networks. 3.Init state - The router has received a Hello message from the other OSPF router. 4.2way state - The neighbor has received the Hello message and replied with a Hello message of its own.
Bidirectional Communication has been established. In a Broadcast network the DR-BDR election can occur after this point. 5.Exstart state – DR & BDR establish adjacencies with each router in the network. Master-slave election will take place (the Master will send its DBD first). 6.Exchange state – Routing information is exchanged using DBD (Database Descriptor) packets and Link-State Request (LSR) packets. Link-State Update packets may also be sent. 7.Loading state – LSRs (Link State Requests) are sent to neighbors for every network the router doesn't know about. The Neighbor replies with the LSUs (Link State Updates) which contain information about the requested networks. Once the requested information has been received, the other neighbor goes through the same process. 8.Full state - All neighbor routers have the synchronized database and adjacencies have been established. Explain OSPF LSA, LSU and LSR? The LSAs (Link-State Advertisements) are used by OSPF routers to exchange routing and topology information. When two neighbors decide to exchange routes, they send each other a list of all LSAs in their respective topology database. Each router then checks its topology database and sends a Link State Request (LSR) message requesting all LSAs that were not found in its topology table. The other router responds with the Link State Update (LSU) that contains all LSAs requested by the neighbor. What are the steps required to change Neighborship into adjacency? 1.Two-way communication (using Hello Protocol) 2.Database Synchronization, which means exchange of Database Description (DD) packets, Link State Request (LSR) packets and Link State Update (LSU) packets. 3.After Database synchronization is complete, the two routers are considered adjacent. Explain OSPF timers? Hello interval - This defines how often an OSPF router will send the hello packet to other OSPF routers. Dead interval - This defines how long a router will wait for hello packets before it declares the neighbor dead. What is the default Hello Interval? The default Hello Interval for OSPF is 10 seconds.
What is the default Dead Interval? The Dead Interval is four times the Hello Interval. By default it is 40 seconds. What multicast address does OSPF use? OSPF uses the multicast addresses 224.0.0.5 & 224.0.0.6. Tables maintained by OSPF? A router participating in the OSPF routing protocol maintains three OSPF tables:
1.Neighbor table - Stores information about OSPF neighbors. Command to see: # sh ip ospf neighbor
2.Topology table - Stores the topology structure of a network. Command to see: # sh ip ospf topology
3.Routing table - Stores the best routes to all known networks. Command to see: # sh ip route ospf
What are the different OSPF LSA types? 1. Router LSA (Type1) - Each router generates a Type 1 LSA that lists its active interfaces, IP addresses, neighbors and the cost. LSA Type 1 is flooded only within an area.
2. Network LSA (Type2) - A Type 2 LSA is sent out by the designated router (DR) and lists all the routers on the segment it is adjacent to. Type 2 LSAs are flooded only within an area. It contains the information about DRs. 3. Summary LSA (Type3) - Type 3 LSAs are generated by Area Border Routers (ABRs) to advertise networks from one area to the rest of the areas in the Autonomous System. It contains the information about inter-area routes. 4. Summary ASBR LSA (Type4) - It is generated by the ABR and contains routes to ASBRs. 5. External LSA (Type5) - External LSAs are generated by ASBRs and contain routes to networks that are external to the current AS. 6. Not-So-Stubby Area LSA (Type7) - Stub areas do not allow Type 5 LSAs. A Not So Stubby Area (NSSA) allows advertisement of Type 5 LSAs as Type 7 LSAs. A Type 7 LSA is generated by an ASBR inside a Not So Stubby Area (NSSA) to describe routes redistributed into the NSSA. How do we configure the OSPF Routing Protocol?
router(config)# router ospf 10
router(config-router)# network 12.1.1.0 0.0.0.255 area 0
router(config-router)# network 23.1.0.0 0.0.255.255 area 1
router(config-router)# exit
• The router ospf 10 command enables the OSPF process. Here "10" indicates the OSPF process ID and can be different on neighbor routers. The Process ID allows multiple OSPF processes to run on the same router. • The second command configures the 12.1.1.0/24 network in area 0. • The third command configures the 23.1.0.0/16 network in area 1.
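As an added example (not code from the page), the following Python implements the Router ID selection and DR/BDR election rules given earlier in this section, including priority 0, the Router ID tie-break and the non-preemptive behaviour that lasts until the OSPF process is cleared; the Segment class and every Router ID and priority value are constructed.

```python
# Added example (not code from the page): OSPF Router ID selection and the
# DR/BDR election rules from the page, modelled on one multi-access segment.
# All Router IDs and priorities are constructed sample values.
from ipaddress import IPv4Address


def router_id(loopback_ips, physical_ips) -> str:
    """Highest loopback address wins; physical interface addresses are only a fallback."""
    pool = loopback_ips or physical_ips
    if not pool:
        raise ValueError("a router needs at least one IPv4 address to derive a Router ID")
    return str(max(IPv4Address(ip) for ip in pool))


def elect_dr_bdr(routers: dict) -> tuple:
    """routers maps Router ID -> interface priority on this segment.
    Highest priority becomes DR and the second highest BDR; a tie is broken by
    the highest Router ID; priority 0 never takes part. Missing roles are None."""
    ranked = sorted(((prio, IPv4Address(rid)) for rid, prio in routers.items() if prio > 0),
                    reverse=True)                      # best candidate first
    dr = str(ranked[0][1]) if ranked else None
    bdr = str(ranked[1][1]) if len(ranked) > 1 else None
    return dr, bdr


class Segment:
    """A segment that remembers its DR/BDR: the election is not preemptive (constructed helper)."""

    def __init__(self, routers=None):
        self.routers = dict(routers or {})
        self.dr, self.bdr = elect_dr_bdr(self.routers)

    def join(self, rid: str, priority: int = 1) -> tuple:
        """A router arriving later only triggers an election if no DR exists yet,
        so a newcomer with a higher priority does not take over."""
        self.routers[rid] = priority
        if self.dr is None:
            self.dr, self.bdr = elect_dr_bdr(self.routers)
        return self.dr, self.bdr

    def clear_ospf_process(self) -> tuple:
        """Model of 'clear ip ospf process': forget the result and re-run the election."""
        self.dr, self.bdr = elect_dr_bdr(self.routers)
        return self.dr, self.bdr


if __name__ == "__main__":
    print(router_id(["10.255.0.1", "10.255.0.9"], ["192.168.1.1"]))   # loopback wins
    seg = Segment({"1.1.1.1": 1, "2.2.2.2": 1, "3.3.3.3": 0, "4.4.4.4": 1})
    print("initial:", seg.dr, seg.bdr)                 # tie on priority -> highest RID
    print("after R5 joins:", seg.join("5.5.5.5", 100))  # unchanged: not preemptive
    print("after clear:", seg.clear_ospf_process())    # now R5 is DR
```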
Switching Interview Questions and Answers
What is Switching? The function of Switching is to switch data packets between devices on the same network.
What is a Switch? A Switch is a device which is used to connect multiple devices inside a Local Area Network (LAN). Unlike hubs, switches examine each packet and process it accordingly rather than simply repeating the signal to all ports. Switches operate at Layer Two (Data Link Layer) of the OSI model. What is the difference between a HUB, Switch & Router? A Hub is designed to connect hosts to each other with no understanding of what it is transferring. When a Hub receives a packet of data from a connected device, it broadcasts that data packet to all other ports regardless of the destination port. A HUB operates at Layer 1 (Physical Layer). A Switch also connects hosts to each other like a hub. A Switch differs from a hub in the way it handles packets. When a switch receives a packet, it determines which host the packet is intended for and sends it to that host only. It does not broadcast the packet to all the hosts as a hub does, which means bandwidth is not shared and makes the network more efficient. A Switch operates at Layer 2 (Data Link Layer). A Router is different from a switch or hub since its function is to route data packets to other networks, instead of just the local network. Routers operate at Layer 3 (Network Layer).
What are the three major functions of a Switch? The Switch performs three major functions: 1.Address learning. 2.Packet forwarding/filtering. 3.Loop avoidance by Spanning Tree Protocol.
What is a Sub Interface? To support ISL or 802.1Q routing on a Fast Ethernet interface, the router's interface is divided into logical interfaces—one for each VLAN. These are called subinterfaces. What is a Broadcast Domain and a Collision Domain? Broadcast Domain - Broadcast is a type of communication where the sending device sends a single copy of data and that copy of data will be delivered to every other device in the network segment. A Broadcast Domain consists of all the devices that will receive every broadcast packet originating from any device within the network segment. All ports on a hub or a switch are by default in the same broadcast domain. All ports on a router are in different broadcast domains and routers don't forward broadcasts. Collision Domain - is a network scenario where one particular device sends a packet on a network segment, forcing every other device on that same segment to pay attention to it. At the same time, if a different device tries to transmit simultaneously, it will lead to a collision, after which both devices must retransmit, one at a time. This situation often occurs in a hub environment, because each port on a hub is in the same collision domain. By contrast, each port on a bridge, a switch or a router is in a separate collision domain. Compare HUB and Switch with respect to broadcast and collision domain? In a Hub there is one collision domain and one broadcast domain. In a Switch there are multiple collision domains and one broadcast domain.
What is a MAC address Table and how does a Switch build a MAC table? To switch frames between LAN ports efficiently, the switch maintains an address table called the MAC address Table or CAM Table (Content Addressable Memory Table). When the switch receives a frame, the source MAC address is learned and recorded in the CAM table along with the port of arrival, VLAN and time stamp. The switch dynamically builds the MAC address table by using the Source MAC address of the frames received. This table is then used by the switch to determine where to forward traffic on a LAN. How does a Switch learn a MAC Address? When a frame reaches a port of a switch, the switch reads the MAC address of the source device from the Ethernet frame and compares it to its MAC address table (also known as the CAM (Content Addressable Memory) table). If the switch does not find a corresponding entry in the MAC address table, the switch will add the address to the table with the port number at which the Ethernet frame was received. If the MAC address is already available in the MAC address table, the switch compares the incoming port with the port already available in the MAC table. If the port numbers are different, the switch updates the MAC address table with the new port number. How does a Switch perform the Forwarding function? When a Layer 2 Ethernet frame reaches a port on the Switch, it not only reads the source MAC address of the
Ethernet frame as a part of the learning function, but also reads the destination MAC address as a part of the forwarding function. The destination MAC address is important to determine the port which the destination device is connected to. Once the destination MAC address is found in the MAC address table, the switch forwards the Ethernet frame via the corresponding port of the MAC address. Explain Flooding? If the destination MAC address is not found in the MAC address table, the switch forwards the frame out all of its ports except the port on which the frame was received. This is known as flooding.
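As an added example (not code from the page), the following Python models the learning, forwarding and flooding behaviour described above in a small CAM table, including the port update when a station moves; the Switch class, the aging timeout and the same-port filtering are assumptions of this model, and the MAC addresses are constructed.

```python
# Added example (not code from the page): a minimal model of the MAC address
# (CAM) table. Learn the source MAC per ingress port (moving it when a station
# shows up on another port), forward known destinations out the learned port,
# and flood unknown-unicast and broadcast frames out every other port.
# Timestamp aging and same-port filtering are assumptions of this model.

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, ports, aging_seconds=300):
        self.ports = sorted(ports)
        self.aging_seconds = aging_seconds
        self.cam = {}   # (vlan, mac) -> {"port": int, "seen": float}

    def _learn(self, vlan, mac, port, now):
        entry = self.cam.get((vlan, mac))
        if entry is None or entry["port"] != port:
            # New station, or a known station now seen on a different port: (re)record it.
            self.cam[(vlan, mac)] = {"port": port, "seen": now}
        else:
            entry["seen"] = now                      # refresh the timestamp

    def _age_out(self, now):
        stale = [k for k, e in self.cam.items() if now - e["seen"] > self.aging_seconds]
        for key in stale:
            del self.cam[key]

    def receive(self, in_port, src_mac, dst_mac, vlan=1, now=0.0):
        """Process one frame and return the sorted list of egress ports."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        src, dst = src_mac.lower(), dst_mac.lower()
        self._age_out(now)
        self._learn(vlan, src, in_port, now)         # learning function
        if dst == BROADCAST or (vlan, dst) not in self.cam:
            return [p for p in self.ports if p != in_port]   # flooding
        out_port = self.cam[(vlan, dst)]["port"]
        return [] if out_port == in_port else [out_port]   # filtering / forwarding

    def port_of(self, mac, vlan=1):
        entry = self.cam.get((vlan, mac.lower()))
        return None if entry is None else entry["port"]


if __name__ == "__main__":
    sw = Switch([1, 2, 3, 4])
    host_a, host_b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    print(sw.receive(1, host_a, host_b, now=0))      # B unknown: flood to [2, 3, 4]
    print(sw.receive(2, host_b, host_a, now=1))      # A known on port 1: [1]
    print(sw.receive(3, host_a, BROADCAST, now=2))   # A moved to port 3; broadcast floods
    print(sw.port_of(host_a))                        # 3
```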
VLAN Interview Questions and Answers
What is a VLAN and how does it reduce broadcast traffic? A VLAN is a logical grouping of network users and resources connected to administratively defined ports on a switch. A VLAN divides the Broadcast Domain, so the frames that will be broadcast onto the network are only switched between the ports logically grouped within the same VLAN. What is the difference between an access port and a trunk port? Access port - An Access Port belongs to and carries the traffic of only one VLAN. Anything arriving on an access port is simply assumed to belong to the VLAN assigned to the port. Any device attached to an access link is unaware of its VLAN membership, as switches remove any VLAN information from the frame before it's forwarded out to an access-link device. Access-link devices can't communicate with devices outside their VLAN unless the packet is routed. Trunk Ports - A Trunk Port can carry the traffic of multiple VLANs, from 1 to 4094 VLANs at a time. Normally a Trunk link is used to connect switches to other switches or to routers. Trunk ports support tagged and untagged traffic simultaneously. What is Frame Tagging and what are the different types of Frame Tagging? The frame tagging method uniquely assigns a VLAN ID to each frame. It is used to identify the VLAN that the Frame belongs to. There are mainly two types of Frame Tagging Method: 1.Inter-Switch Link (ISL) 2.802.1Q These are also known as Frame Encapsulation Protocols. Explain the difference between 802.1Q and ISL? 802.1Q - It is an open standard created by the Institute of Electrical and Electronics Engineers (IEEE). To identify which VLAN a frame belongs to, a field is inserted into the frame's header. It is a lightweight protocol and adds only 4 Bytes within the Frame's Header. ISL (Inter-Switch Link) - This protocol is Cisco proprietary, which means unlike 802.1Q it can be used only between Cisco switches. ISL works by adding a Header (26 Bytes) and Trailer (4 Bytes) to the Original Ethernet Frame.
What is a Native VLAN and what type of traffic will go through the Native VLAN? The Trunk port is assigned a default VLAN ID for a VLAN that all untagged traffic will travel on. This VLAN is called the Native VLAN and is always VLAN 1 by default (but can be changed to any VLAN number). Similarly, any untagged or tagged traffic with an unassigned VLAN ID is assumed to belong to the Native VLAN. What is Inter-VLAN Routing? VLANs divide broadcast domains in a LAN environment, so by default only hosts that are members of the same VLAN can communicate. Whenever hosts in one VLAN need to communicate with hosts in another VLAN, the traffic must be routed between them. This is known as Inter-VLAN routing. This can be done by two methods - Router-on-a-Stick & Switch Virtual Interfaces (SVI). Give the commands to create a VLAN?
Switch(config)# vlan 10
Switch(config-vlan)# name sales
Switch(config-vlan)# exit
How can we add an interface to a VLAN?
Switch(config)# interface fastethernet0/0
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
How to configure a trunk link?
Switch(config)# interface fa0/24
Switch(config-if)# switchport trunk encapsulation
Switch(config-if)# switchport mode trunk
How can we change the Native VLAN?
Switch(config)# interface fa0/0
Switch(config-if)# switchport trunk native vlan 100
Which command is used to see trunk interfaces? Switch# show interface trunk Which command is used to see all VLAN information? Switch# show vlan
VTP Interview Questions and Answers (VLAN Trunking Protocol)
What is VTP? VTP (VLAN Trunking Protocol) is a Cisco proprietary protocol used by Cisco switches to exchange VLAN information. VTP is used to synchronize VLAN information (Example:-VLAN ID or VLAN Name) with switches inside the same VTP domain.
What are the different VTP modes? VTP Server mode - By default every switch is in server mode. A switch in VTP Server Mode can create and delete VLANs and will propagate VLAN changes. VTP Client mode - A switch in VTP client mode cannot create or delete VLANs. VLAN Trunking Protocol (VTP) client mode switches listen to VTP advertisements from other switches and modify their VLAN configurations accordingly. It listens to and forwards updates. VTP Transparent mode - A switch in VTP Transparent mode does not share its VLAN database but it forwards received VTP advertisements. We can create and delete VLANs on a VTP transparent switch, but these changes are not sent to other switches. What are the requirements to exchange VTP messages between two switches? 1.The switch should be configured as either a VTP server or VTP client. 2.The VTP domain name must be the same on both switches. 3.VTP versions must match. 4.The link between the switches should be a trunk link. What is VTP Pruning? VLAN Trunking Protocol (VTP) pruning is a feature in Cisco switches which stops VLAN update information traffic from being sent down trunk links if the updates are not needed. Broadcast frames, multicast frames or unicast frames for which the destination MAC address is unknown are forwarded over a trunk link only if the switch on the receiving end of the trunk link has ports in the source VLAN. This avoids unnecessary flooding. VLAN 1 can never be pruned because it's an administrative VLAN.
DTP Interview Questions and Answers (Dynamic Trunking Protocol)
Explain Dynamic Trunking Protocol (DTP)? Dynamic Trunking Protocol (DTP) is a Cisco proprietary trunking protocol used for negotiating trunking on a link between two Cisco Switches. Dynamic Trunking Protocol (DTP) can also be used for negotiating the encapsulation type, either 802.1q or Cisco ISL (Inter-Switch Link). Explain dynamic desirable & dynamic auto? Dynamic Desirable - It initiates negotiation. A switch port configured in DTP dynamic desirable mode will actively try to convert the link to a trunk link if the port connected to the other port is capable of forming a trunk. Dynamic Auto - It does not initiate negotiation but can respond to negotiation. A switch port configured as DTP dynamic auto is capable of forming a trunk link if the other side's switch interface is configured to form a trunk interface and can negotiate the trunk using DTP.
STP Interview Questions and Answers (Spanning Tree Protocol)
What is STP and Redundant Links? Spanning Tree Protocol (STP) is a protocol which prevents layer 2 loops. STP enables switches to become aware of each other so that they can negotiate a Loop-Free path through the network. In a practical scenario, Redundant links are created to avoid complete network failure in the event of failure of one link. How does STP work? STP chooses a Reference point (Root Bridge) in the network and calculates all the redundant paths to that reference point. Then it picks one path on which to forward frames and blocks the other redundant paths. When blocking happens, loops are prevented. What are the different port states? 1.Disabled - A port in the disabled state does not participate in STP. 2.Blocking - A blocked port does not forward frames. It only listens to BPDUs. The purpose of the blocking state is to prevent the use of looped paths. 3.Listening - A port in the listening state prepares to forward data frames without populating the MAC address table. The port also sends and listens to BPDUs to make sure no loops occur on the network. 4.Learning - A port in the learning state populates the MAC address table but doesn't forward data frames. The port still sends and receives BPDUs as before. 5.Forwarding - The port can now send and receive data frames, collect MAC addresses in its address table, and send and receive BPDUs. The port is now a fully functioning switch port within the spanning-tree topology. What are STP Timers and explain the different types of STP Timers? STP uses three timers to make sure that a network converges properly before a bridging loop can form. Hello timer - The time interval between Configuration BPDUs sent by the root bridge. It is 2 seconds by default. Forward Delay timer - The time interval that a switch port spends in both the Listening and Learning states. The default value is 15 seconds. Max (Maximum) Age timer - Maximum length of time a BPDU can be stored without receiving an update.
It can also be defined as the time interval that a switch stores a BPDU before discarding it. It is 20 seconds by default. Explain the types of STP Port Roles? Root port - The root port is always the link directly connected to the root bridge, or the shortest path to the root bridge. It is always on a Non-Root Bridge. Designated port - A designated port is one that has been determined as having the best (lowest) cost. A designated port will be marked as a forwarding port. It can be on both the Root Bridge & a Non-Root Bridge. All ports of the Root Bridge are Designated Ports. Forwarding port - A forwarding port forwards frames. Blocked port - A blocked port is the port that is used to prevent loops. It only listens to BPDUs. Any port other than a Root port & Designated port is a Blocked Port.
What is BPDU? All the switches exchange information to select the Root Bridge as well as for configuration of the network. This is done through the Bridge Protocol Data Unit (BPDU). Each switch compares the parameters in the BPDU that it sends to one neighbor with the one that it receives from another neighbor. What is the destination MAC address used by Bridge Protocol Data Units (BPDUs)? Bridge Protocol Data Unit (BPDU) frames are sent to the multicast destination MAC address 01:80:c2:00:00:00. What are the Types of BPDU? Two types of BPDU exist: Configuration BPDU - Used for Spanning-Tree Computation. Topology Change Notification (TCN) BPDU - Used to announce changes in the Network Topology. How is the Root bridge elected? The bridge ID is used to elect the root bridge in the STP domain. This ID is 8 bytes long and includes both the priority and the MAC address of the device. The Switch with the lowest Bridge ID is elected as the Root bridge, which means the Switch with the lowest priority will become the Root Bridge; if two or more switches have the same priority then the switch with the lowest MAC address will become the Root Bridge. What is Path Cost or Spanning Tree Path Cost value? The Spanning Tree Cost Value is inversely proportional to the bandwidth of the link and therefore a path with a low cost value is more preferable than a path with a high cost value.
Link Bandwidth - Cost Value
10 Gbps - 2
1 Gbps - 4
100 Mbps - 19
10 Mbps - 100
What is Root Port? Once the Root Switch is elected, every other Switch in the network must select a single port on itself to reach the Root Switch. The port with the lowest root path cost (lowest cumulative cost to reach the root switch) is elected as the root port and is placed in the forwarding state. The Root Bridge will never have a Root Port. What is Extended System ID? The Extended System ID is utilized by spanning-tree to include the VLAN ID information inside the 16-bit STP Bridge Priority value. The Extended System ID is the least significant 12 bits of the 16-bit STP Bridge Priority value.
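As an added example (not code from the page), the following Python builds Bridge IDs with the extended system ID, elects the root bridge and picks each switch's root port by lowest root path cost using the cost table above; the three-switch topology SW1 to SW3 and its links are constructed, and the tie-break on the sender's Bridge ID goes beyond what the page states.

```python
# Added example (not code from the page): Bridge ID comparison with the
# extended system ID, root bridge election, and root port selection by lowest
# root path cost using the page's cost table. Topology is constructed.
import heapq

PORT_COST = {10_000: 2, 1_000: 4, 100: 19, 10: 100}   # link speed in Mbps -> STP cost


def bridge_id(priority: int, vlan: int, mac: str) -> tuple:
    """8-byte Bridge ID as a sortable tuple: (priority + extended system ID, MAC).
    The priority occupies the upper 4 bits of the 16-bit field (so it is a
    multiple of 4096) and the VLAN ID fills the lower 12 bits."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must fit the 12-bit extended system ID (1..4094)")
    return priority + vlan, int(mac.replace(":", "").replace(".", ""), 16)


def elect_root(bridges: dict, vlan: int) -> str:
    """bridges maps switch name -> (priority, MAC). The lowest Bridge ID wins."""
    return min(bridges, key=lambda n: bridge_id(bridges[n][0], vlan, bridges[n][1]))


def root_ports(bridges: dict, links: list, vlan: int) -> dict:
    """links: (switch_a, port_a, switch_b, port_b, speed_mbps).
    Returns {switch: (root path cost, root port)}; the root has no root port.
    Root path cost is the sum of the link costs on the path, each added by the
    switch receiving the BPDU; equal costs are broken by the lower sender Bridge ID
    (assumption beyond the page's text, matching the standard's ordering)."""
    root = elect_root(bridges, vlan)
    bid = {n: bridge_id(p, vlan, m) for n, (p, m) in bridges.items()}
    adj = {n: [] for n in bridges}
    for a, pa, b, pb, speed in links:
        cost = PORT_COST[speed]
        adj[a].append((b, pb, cost))   # from a, b is reached through b's own port pb
        adj[b].append((a, pa, cost))
    best = {root: (0, bid[root], None)}           # node -> (cost, sender BID, root port)
    heap = [(0, bid[root], root)]
    while heap:
        cost, _, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue                                # stale heap entry
        for nbr, nbr_port, link_cost in adj[node]:
            candidate = (cost + link_cost, bid[node])
            if nbr == root or (nbr in best and candidate >= best[nbr][:2]):
                continue
            best[nbr] = (candidate[0], candidate[1], nbr_port)
            heapq.heappush(heap, (candidate[0], bid[node], nbr))
    return {n: (c, port) for n, (c, _, port) in best.items()}


# Constructed topology: SW3 has a lowered priority, so it should win the election.
SAMPLE_BRIDGES = {
    "SW1": (32768, "0000.0000.1111"),
    "SW2": (32768, "0000.0000.2222"),
    "SW3": (4096, "0000.0000.3333"),
}
SAMPLE_LINKS = [
    ("SW3", "Gi0/1", "SW1", "Gi0/1", 1_000),   # cost 4
    ("SW3", "Fa0/2", "SW2", "Fa0/2", 100),     # cost 19: SW2's direct link is the worse path
    ("SW1", "Gi0/2", "SW2", "Gi0/2", 1_000),   # cost 4: SW2 reaches the root via SW1 for 8
]

if __name__ == "__main__":
    print("root:", elect_root(SAMPLE_BRIDGES, vlan=10))
    print(root_ports(SAMPLE_BRIDGES, SAMPLE_LINKS, vlan=10))
```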
DHCP Interview Questions and Answers (Dynamic Host Configuration Protocol)
What is DHCP? Dynamic Host Configuration Protocol (DHCP) assigns IP addresses to hosts dynamically. It allows easier administration and works well in small as well as very large network environments. All types of hardware can be used as a DHCP server, including a Cisco router. What information can a DHCP server provide to a host? A DHCP server can provide the following information: IP address, Subnet mask, Default gateway, Domain Name, WINS Server information.
How does DHCP Work? DHCP works on the DORA Process (DISCOVER - OFFER - REQUEST - ACKNOWLEDGEMENT).
1.When a Client needs an IP configuration, it tries to locate a DHCP server by sending a broadcast called a DHCP DISCOVER. This message will have a Destination IP of 255.255.255.255 and Destination MAC of ff:ff:ff:ff:ff:ff. [Source IP - 0.0.0.0, Destination IP - 255.255.255.255, Source Mac - Mac address of Host, Destination Mac - FF:FF:FF:FF:FF:FF]
2.On receiving the DHCP Discover, the Server sends a DHCP OFFER message to the client. The DHCPOFFER is a proposed configuration that may include IP address, DNS server address, and lease time. This message will be unicast and have the destination mac address of the DHCP client's mac address. The source mac address will be that of the DHCP server. [S.Mac - Mac address of Server, D.Mac - Mac address of Host]
3.If the Client finds the Offer agreeable, it sends a DHCP REQUEST Message requesting those particular IP parameters. This message will be a Broadcast message. [Source Mac - Mac address of Host, Destination Mac - FF:FF:FF:FF:FF:FF]
4.The Server, on receiving the DHCP REQUEST, makes the configuration official by sending a unicast DHCP ACK acknowledgment. [Source Mac - Mac address of Server, Destination Mac - Mac address of Host]
What is the reason for getting an APIPA address? With APIPA, DHCP clients can automatically self-configure an IP address and subnet mask when a DHCP server is not available. When a DHCP client boots up, it first looks for a DHCP server in order to obtain an IP address and subnet mask. A client uses the self-configured IP address until a DHCP server becomes available. The APIPA service also checks regularly for the presence of a DHCP server. If it detects a DHCP server on the network, APIPA stops and the DHCP server replaces the APIPA networking addresses with dynamically assigned addresses.
What is the range of APIPA address? The IP address range is 169.254.0.1 through 169.254.255.254. The client also configures itself with a default Class B subnet mask of 255.255.0.0.
What is the purpose of relay agent? A DHCP relay agent is any host that forwards DHCP packets between clients and servers if the server is not on the same physical subnet. Relay agents are used to forward requests and replies between clients and servers when they are not on the same physical subnet. A DHCP relay agent can be configured using the ip helper-address command.
What is DHCP decline message? It is sent by the Client to the server indicating that the network address is already in use (already assigned to another device).
What is DHCPNAK message? If the Server is unable to satisfy the DHCPREQUEST message (the requested network address has been allocated), the Server should send a DHCPNAK message to the client. It can also be sent if the client's notion of network address is incorrect (Client has moved to a new subnet) or the client's lease expired.
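The DORA exchange, the DHCPNAK and DHCPDECLINE cases and the APIPA fallback described above, worked through in a small Python simulation. This is an added example, not code from the original page: the server, client, MAC addresses, address pool and the MAC-to-APIPA mapping are all constructed here, and real DHCP packet encoding (transaction IDs, option codes) is left out so that only the message flow and the source/destination fields the page lists are modelled.

```python
# Added example (not from the original page): a miniature DHCP server/client
# exchange modelling DORA, DHCPNAK, DHCPDECLINE and the APIPA fallback.
# All addresses, MACs and the pool are constructed sample values.
from dataclasses import dataclass, field
from typing import Optional

BROADCAST_IP = "255.255.255.255"
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
UNSPECIFIED_IP = "0.0.0.0"


@dataclass
class DhcpMessage:
    kind: str                     # DISCOVER, OFFER, REQUEST, ACK, NAK or DECLINE
    src_ip: str
    dst_ip: str
    src_mac: str
    dst_mac: str
    yiaddr: Optional[str] = None  # address offered / requested / declined
    options: dict = field(default_factory=dict)  # mask, gateway, dns, lease


class DhcpServer:
    def __init__(self, ip, mac, pool, mask, gateway, dns, lease=86400):
        self.ip, self.mac = ip, mac
        self.free = list(pool)          # unallocated addresses, in offer order
        self.leases = {}                # client MAC -> leased address
        self.quarantined = set()        # addresses a client DECLINEd as in use
        self.options = {"mask": mask, "gateway": gateway, "dns": dns, "lease": lease}

    def handle(self, msg: DhcpMessage) -> Optional[DhcpMessage]:
        if msg.kind == "DISCOVER":
            addr = self.leases.get(msg.src_mac) or (self.free[0] if self.free else None)
            if addr is None:
                return None         # pool exhausted: no OFFER, client falls back to APIPA
            # OFFER is unicast: server MAC -> client MAC
            return DhcpMessage("OFFER", self.ip, addr, self.mac, msg.src_mac, addr, dict(self.options))
        if msg.kind == "REQUEST":
            want = msg.yiaddr
            if want is not None and (want in self.free or self.leases.get(msg.src_mac) == want):
                if want in self.free:
                    self.free.remove(want)
                self.leases[msg.src_mac] = want
                return DhcpMessage("ACK", self.ip, want, self.mac, msg.src_mac, want, dict(self.options))
            # requested address already allocated to someone else (or unknown): NAK
            return DhcpMessage("NAK", self.ip, BROADCAST_IP, self.mac, msg.src_mac, want)
        if msg.kind == "DECLINE":
            # client reports the address is already in use; take it out of circulation
            self.leases.pop(msg.src_mac, None)
            self.free = [a for a in self.free if a != msg.yiaddr]
            self.quarantined.add(msg.yiaddr)
        return None


class DhcpClient:
    def __init__(self, mac):
        self.mac, self.ip, self.config = mac, None, {}

    def discover(self):
        # no IP yet, so 0.0.0.0 -> 255.255.255.255 with MAC broadcast
        return DhcpMessage("DISCOVER", UNSPECIFIED_IP, BROADCAST_IP, self.mac, BROADCAST_MAC)

    def request(self, offer):
        # REQUEST is broadcast too, so every server that offered sees which one was chosen
        return DhcpMessage("REQUEST", UNSPECIFIED_IP, BROADCAST_IP, self.mac, BROADCAST_MAC, offer.yiaddr)

    def decline(self, addr):
        return DhcpMessage("DECLINE", UNSPECIFIED_IP, BROADCAST_IP, self.mac, BROADCAST_MAC, addr)

    def apipa_address(self):
        # self-assigned 169.254.0.1 - 169.254.255.254, derived from the MAC (constructed scheme)
        host = int(self.mac.replace(":", ""), 16) % 65534 + 1
        return f"169.254.{host // 256}.{host % 256}"


def is_apipa(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a, b) == (169, 254) and 1 <= c * 256 + d <= 65534


def run_dora(client, server):
    """Drive one client through DORA; returns the list of messages exchanged."""
    transcript = [client.discover()]
    offer = server.handle(transcript[0])
    if offer is None:
        client.ip = client.apipa_address()          # no server answered
        return transcript
    transcript.append(offer)
    transcript.append(client.request(offer))
    reply = server.handle(transcript[-1])
    transcript.append(reply)
    if reply.kind == "ACK":
        client.ip, client.config = reply.yiaddr, reply.options
    return transcript
```

Running `run_dora` prints nothing; inspect the returned transcript to see that DISCOVER and REQUEST carry the broadcast addresses while OFFER and ACK are unicast to the client's MAC, exactly as the four steps above state. A second client that requests an address already leased to someone else receives a NAK, and once the pool is empty (or poisoned by DECLINEs) a new client gets no OFFER and self-assigns a 169.254.x.y address.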
SNMP Interview Questions and Answers (Simple Network Management Protocol)
What is SNMP? The Simple Network Management Protocol (SNMP) enables a network device to share information about itself and its activities. It uses the User Datagram Protocol (UDP) as the transport protocol for passing data between managers and agents.
What are the Components of SNMP? A complete SNMP system consists of the following parts: SNMP Manager - A network management system that uses SNMP to poll and receive data from any number of network devices. The SNMP manager usually is an application that runs in a central location. SNMP Agent - A process that runs on the network device being monitored. All types of data are gathered by the device itself and stored in a local database. The agent can then respond to SNMP polls and queries with information from the database, and it can send unsolicited alerts or "traps" to an SNMP manager.
Which Ports are used in SNMP? SNMP uses UDP port 161 for sending and receiving requests, and port 162 for receiving traps from managed devices.
Explain MIB? MIB is a hierarchical Database Structure for information on the device. Example - Serial numbers are in a specific location, NIC Statistics etc.
What are different SNMP versions? There are different versions of SNMP - SNMP V1, SNMP V2c, and SNMP V3. SNMP version 1 - It is the oldest flavor. It is Easy to set up – only requires a plaintext community. SNMP version 2c - It is identical to Version 1, except that it adds support for 64 bit counters. SNMP version 3 - It adds security to the 64 bit counters. SNMP version 3 adds both Encryption and Authentication, which can be used together or separately.
CCNP Interview Questions and Answers
EIGRP Interview Questions and Answers CCNP
What is EIGRP? Enhanced Interior Gateway Routing Protocol (EIGRP) is an enhanced distance vector routing protocol which uses the Diffusing Update Algorithm (DUAL) to calculate the shortest path. It is also considered a Hybrid Routing Protocol because it has characteristics of both Distance Vector and Link State Routing Protocols. EIGRP supports classless routing and VLSM, route summarization, incremental updates, load balancing and other features.
What are the requirements for neighborship for routers to become EIGRP neighbors? The following fields in a hello packet must match: 1.Autonomous System number. 2.K-values. 3.Authentication. 4.Primary address should be used. 5.If static neighborship is used then it should be defined on both sides.
What are the metrics of EIGRP protocol & its default values? 1.Bandwidth 2.Load 3.Delay 4.Reliability 5.Maximum Transmission Unit. By default, EIGRP only uses bandwidth (K1) and delay (K3) to calculate the metric. Default K-values: (K1=1) (K2=0) (K3=1) (K4=0) (K5=0).
Give the formula by which EIGRP calculates metric? Metric = 256 * [(10^7 / lowest-bandwidth) + cumulative-delay]
The lowest bandwidth is the lowest-bandwidth link in the route, using a unit of kilobits per second. The cumulative-delay value used in the formula is the sum of all the delay values for all links in the route, with a unit of tens of microseconds.
What are the four basic components of EIGRP? The four basic components of EIGRP are: 1. The Protocol Dependent Module - It supports IP, IPv6, IPX, AppleTalk. 2. The Reliable Transport Protocol - RTP is used in EIGRP for detecting packet loss and to ensure ordered delivery of the packets. 3. The Neighbor Discovery and Recovery Module - Hello messages are used for Neighbor Discovery and Recovery. 4. The Diffusing Update Algorithm - It is an algorithm used by EIGRP for selecting the lowest cost loop-free path for each possible destination.
What are the different packet types used by EIGRP? The packet types used by EIGRP are: 1. Hello - Neighborship is discovered and maintained by Hello Packets. 2. Acknowledgment - ACK packets are used to acknowledge the receipt of update, query and reply packets. Acknowledgment packets are Unicast. 3. Update - EIGRP uses Update messages to send Routing information to neighbors. Update packets can be sent to a single neighbor using unicast or to a group of neighbors using multicast. 4. Query - Query packets are used when an EIGRP router has lost its path (Successor) to a certain network and does not have any backup paths (Feasible Successor). The router sends query packets to its neighbors asking them if they have information about this particular network. Query packets are multicast. 5. Reply - Reply packets are used in response to the query packets. Reply packets are unicast to the originator of the query.
What is Reliable Transport Protocol? EIGRP uses RTP (Reliable Transport Protocol) to deliver EIGRP packets between neighbors in a reliable and ordered way. If a packet sent with RTP enabled gets lost in transit, it will be sent again (resent).
What packets are RTP enabled? 1.Update Packet. 2.Query Packet. 3.Reply Packet.
Explain what will happen if the packet is not acknowledged? If a packet is not acknowledged, EIGRP will retransmit the packet to the non-responding neighbor as a unicast. No other traffic is sent to this neighbor until it responds. After 16 unacknowledged retransmissions, the neighbor is removed from the neighbor table.
Explain EIGRP Router ID? In EIGRP, duplicate RIDs do not prevent routers from becoming neighbors, and two EIGRP routers with the same router ID will still form a neighbor relationship. The only time the value of EIGRP RIDs is considered is when injecting external (redistributed) routes into EIGRP. In this case, the routers injecting the external routes should have unique RIDs to avoid confusion. To manually configure the router ID: R1(config)# router eigrp 10 R1(config-router)# eigrp router-id 1.1.1.1
Explain Unequal Cost Load Balancing in EIGRP? By default, EIGRP will automatically load-balance across equal-metric routes. EIGRP also supports load balancing across routes with an unequal metric. Unequal cost load balancing in EIGRP is the concept by which load sharing can take place on paths that do not have an equal metric. In EIGRP, variance is used for unequal cost load balancing. Variance is specified as an integer in the range of 1 through 128. The router then multiplies the variance by the successor route's FD (metric of the best route to reach that subnet). Any Feasible Successor route whose metric is less than or equal to the product of the variance and the successor's FD is considered an equal route and can be placed into the routing table for load sharing. Router(config)# router eigrp 100 Router(config-router)# variance 2 In this case variance is 2.
Explain Split Horizon? The Split Horizon feature prevents a route learned on one interface from being advertised back out of that same interface. It is used to prevent loops in EIGRP.
Explain Null Zero? It is a loop avoidance mechanism: an entry stored in the routing table only in case of summarization (auto & manual). It terminates or flushes unwanted packets; if any traffic goes towards null0 it will be dropped by EIGRP.
What is Active State and Passive State? Routes for which the successor route fails and no feasible successor routes exist move to an active state, forcing EIGRP to send out query packets and reconverge. A route is in passive state when the router has a successor route and no failure has yet occurred. A stable EIGRP network will have all routes in a Passive state.
Explain Stuck in Active?
When, for a certain prefix, the successor route fails and no feasible successor route exists, the router begins a process of finding any loop-free alternative routes to reach that prefix by sending Query messages to all of its neighbors requesting a path to the lost prefix. If the neighbor routers do not have information about the lost prefix, they will forward the query message to further routers. Within a large network, particularly when routers exist several router hops away, the number of Queries might not only be large, but there also might be a string of routers that all must wait on multiple Reply messages before they can, in turn, issue a Reply. To deal with this long-wait problem, Cisco IOS first sets a limit on how long it should take to receive all such replies. This timer is called the active timer and is set to 3 minutes by default. Routes for which a router does not receive a Reply within the active timer are considered to be Stuck-in-Active (SIA) routes. The router sends an SIA-Query (Stuck-in-Active Query) EIGRP message to each neighbor that has yet to send back a Reply. The purpose of the message is to either get an SIA-Reply back, indicating that the neighbor really is still waiting for replies to its own queries, meaning the neighbor is alive and still working and there is no need to kill the neighborship, or to get nothing in reply, meaning the neighbor was not able to reply, so the action of failing the neighborship is reasonable.
What is Graceful Shutdown and GoodBye message in EIGRP? When an EIGRP process is shut down, the router sends out "goodbye" messages to its neighbors. The neighbors can then immediately begin recalculating paths to all the destinations that went through that shutdown router without having to wait for the hold timer to expire.
How Passive Interface command works in EIGRP? With EIGRP running on a network, the passive-interface command stops sending outgoing hello packets, hence the router cannot form any neighbor relationship via the passive interface. This behavior stops both outgoing and incoming routing updates. However, EIGRP still advertises the connected subnets if matched with an EIGRP network command.
# router eigrp 1
# passive-interface fastethernet0/0
Command to see the list of passive interfaces: # show ip protocols
How can we change Hello and Hold time in EIGRP?
# interface Fa0/0
# ip hello-interval eigrp 100 3
# ip hold-time eigrp 100 12
These commands will make the hello interval 3 seconds and the hold time 12 seconds.
# show ip eigrp interfaces detail (To verify)
What is the Feasibility Condition in EIGRP? For any route to be a feasible successor it has to fulfill the feasibility condition, which is as follows: Advertised distance of Feasible successor should be less than Feasible distance of Successor (AD of feasible successor < FD of successor).
What is the Multicast IP address used by EIGRP? EIGRP uses the multicast address 224.0.0.10
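The metric formula, the feasibility condition and the variance rule from the EIGRP questions above, carried through in Python on a constructed three-neighbour topology. This is an added example and not code from the original page: the neighbour names, bandwidths and delays are sample values; the metric function also accepts the full set of K-values, load and reliability, which goes beyond the default-K formula the page gives, and uses integer arithmetic as IOS does.

```python
# Added example (not from the original page): EIGRP composite metric, successor /
# feasible-successor selection (AD < FD) and variance-based unequal-cost load
# balancing. Topology values below are constructed.
from dataclasses import dataclass


def eigrp_metric(min_bw_kbps, cum_delay_tens_us, load=1, reliability=255,
                 k1=1, k2=0, k3=1, k4=0, k5=0):
    """Composite metric. With default K-values (K1=K3=1, others 0) this is exactly
    256 * [(10^7 / lowest-bandwidth) + cumulative-delay] as stated on the page.
    Bandwidth in kbit/s, delay in tens of microseconds, integer math like IOS."""
    bw_term = 10**7 // min_bw_kbps
    metric = k1 * bw_term + (k2 * bw_term) // (256 - load) + k3 * cum_delay_tens_us
    if k5 != 0:                      # reliability factor only applies when K5 is non-zero
        metric = metric * k5 // (reliability + k4)
    return metric * 256


@dataclass
class Candidate:
    via: str
    reported_distance: int   # neighbour's own metric to the prefix (AD / RD)
    min_bw_kbps: int         # lowest bandwidth on the whole path through this neighbour
    cum_delay: int           # cumulative delay on the whole path, tens of microseconds

    @property
    def feasible_distance(self):
        return eigrp_metric(self.min_bw_kbps, self.cum_delay)


def successor(cands):
    """Best (lowest) feasible distance wins."""
    return min(cands, key=lambda c: c.feasible_distance)


def feasible_successors(cands):
    """Feasibility condition: the neighbour's reported distance must be strictly
    less than the successor's feasible distance, which guarantees a loop-free backup."""
    s = successor(cands)
    return [c for c in cands if c is not s and c.reported_distance < s.feasible_distance]


def routes_for_variance(cands, variance):
    """Routes installed for load sharing: the successor plus every feasible successor
    whose metric <= variance * FD(successor). Returns the neighbour names."""
    s = successor(cands)
    limit = variance * s.feasible_distance
    chosen = [s] + [c for c in feasible_successors(cands) if c.feasible_distance <= limit]
    return [c.via for c in chosen]


# Constructed sample: three neighbours advertise the same prefix. FastEthernet links
# are 100000 kbit/s with delay 10 (tens of us); R3's path crosses a 10 Mbit/s link.
SAMPLE = [
    Candidate("R2", reported_distance=28160, min_bw_kbps=100000, cum_delay=20),
    Candidate("R3", reported_distance=281600, min_bw_kbps=10000, cum_delay=200),
    Candidate("R4", reported_distance=28160, min_bw_kbps=100000, cum_delay=30),
]

if __name__ == "__main__":
    print(eigrp_metric(100000, 10))                    # one FastEthernet hop -> 28160
    print(successor(SAMPLE).via, [c.via for c in feasible_successors(SAMPLE)])
    print(routes_for_variance(SAMPLE, 1), routes_for_variance(SAMPLE, 2))
```

R3 is never a backup even though it reaches the prefix: its reported distance (281600) is not below the successor's FD (30720), so the feasibility condition rejects it, and no variance value can pull it in. R4 passes the condition and is installed only once the variance is 2 or more.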
OSPF Interview Questions and Answers [CCNP]
What is OSPF Routing Protocol? Open Shortest Path First is an Open Standard Link State routing protocol which works by using the Dijkstra algorithm to initially construct the shortest paths and follows that by populating the routing table with the resulting best paths.
What are the steps required to change Neighborship into adjacency? 1.Two-way communication (using Hello Protocol). 2.Database Synchronization, which means exchange of Database Description (DD) packets, Link State Request (LSR) packets and Link State Update (LSU) packets. After Database synchronization is complete, the two routers are considered adjacent.
Explain LSA (Link-State Advertisement), LSU (Link State Update) and LSR (Link State Request)? The LSAs (Link-State Advertisements) are used by OSPF routers to exchange routing and topology information. When two neighbors decide to exchange routes, they send each other a list of all LSAs in their respective topology database. Each router then checks its topology database and sends a Link State Request (LSR) message requesting all LSAs that were not found in its topology table. The other router responds with the Link State Update (LSU) that contains all LSAs requested by the neighbor.
Explain OSPF Router ID? The Router ID is used to identify the Router. The highest IP address of the router's loopback interfaces is chosen as the Router ID; if no loopback is present then the highest IP address of the router's physical interfaces will be chosen as Router ID. OSPF prevents neighborships between routers with duplicate RIDs. All OSPF RIDs in a domain should be unique. The OSPF Router ID should not be changed after the OSPF process is started and the OSPF neighborships are established. If you change the OSPF router ID, you need to either reload the IOS or use the "clear ip ospf process" command (restart the OSPF process) for the changed RID to take effect. To manually configure the router ID: R1(config)# router ospf 5 R1(config-router)# router-id 5.5.5.5
Can we use OSPF without backbone area? Yes, but then only intra-area communication is possible. Inter-area communication is not possible without a backbone area.
What is the difference between an OSPF neighbor and an adjacent neighbor? LSAs are exchanged only among adjacent routers, not among neighbor routers.
What are different neighbour states in OSPF? OSPF routers need to go through several states before establishing a neighbor relationship: 1. Down - No Hello packets have been received on the interface. 2. Attempt - In Attempt state neighbors must be configured manually. It applies only to nonbroadcast multiaccess (NBMA) networks. 3. Init - The router has received a Hello message from the other OSPF router. 4. 2way - The neighbor has received the Hello message and replied with a Hello message of its own. Bidirectional communication has been established. In a Broadcast network, DR-BDR election can occur after this point. 5. Exstart - DR & BDR establish adjacencies with each router in the network. Master-slave election will take place (Master will send its DBD first). 6. Exchange - Routing information is exchanged using DBD (Database Descriptor) packets; Link-State Request (LSR) and Link-State Update packets may also be sent. 7. Loading - LSRs (Link State Requests) are sent to neighbors for every network it doesn't know about. The neighbor replies with the LSUs (Link State Updates) which contain information about the requested networks. After all the requested information has been received, the other neighbor goes through the same process. 8. Full - All neighbor routers have the synchronized database and adjacencies have been established.
Explain different OSPF LSA Types? 1. Router LSA (Type 1) - Each router generates a Type 1 LSA that lists its active interfaces, IP addresses, neighbors and the cost. A Type 1 LSA is flooded only within an area. 2. Network LSA (Type 2) - A Type 2 LSA is sent out by the designated router (DR) and lists all the routers on the segment it is adjacent to. Type 2 LSAs are flooded only within an area. 3. Summary LSA (Type 3) - Type 3 LSAs are generated by Area Border Routers (ABRs) to advertise networks from one area to the rest of the areas in the Autonomous System. 4. Summary ASBR LSA (Type 4) - Generated by the ABR. It contains routes to ASBRs. 5. External LSA (Type 5) - External LSAs are generated by ASBRs and contain routes to networks that are external to the current Autonomous System. 6. Not-So-Stubby Area LSA (Type 7) - Stub areas do not allow Type 5 LSAs. A Not So Stubby Area (NSSA) allows advertisement of Type 5 LSAs as Type 7 LSAs. A Type 7 LSA is generated by an ASBR inside a Not So Stubby Area (NSSA) to describe routes redistributed into the NSSA.
Why does master/slave need to be elected between two neighbours? The Master sends its DBD (Database Description) first.
Explain different OSPF network interface types? 1.Broadcast 2.Non-Broadcast (NBMA) 3.Point-to-Point 4.Point-to-multipoint 5.Point-to-multipoint non-broadcast
What is the requirement of doing summarization? 1. Reduces the amount of information stored in routing tables. 2. Allocates an existing pool of addresses more economically. 3. Lessens the load on router processor and memory resources. 4. Fewer update messages. 5. Less bandwidth.
How are routes selected in OSPF according to preference? Intra-Area routes (O) > Inter-Area routes (O IA) > External-Type-1 (E1) > External-Type-2 (E2) > NSSA-1 (N1) > NSSA-2 (N2).
What is Route Redistribution? Route redistribution is the process of taking routes learned via one routing protocol and injecting those routes into another routing protocol domain. For example, two companies might merge, one company using Enhanced Interior Gateway Routing Protocol (EIGRP) and the other using Open Shortest Path First (OSPF). Route redistribution allows exchanging of routes between the two routing domains with a minimal amount of configuration and with little disruption to the existing networks.
What is the default redistribution OSPF cost? Redistribution into OSPF uses the following defaults: 1. When taking from BGP, use a default metric of 1. 2. When taking from another OSPF process, take the source route's metric. 3. When taking from all other sources, use a default metric of 20.
What is the difference between Type-1 (E1) & Type-2 (E2) redistribution? Type-2 is the default route type for routes learned via redistribution. The key with E2 routes is that the cost of these routes reflects only the redistributed cost. E2 = only redistributed cost. Type-1 redistributed routes reflect the cost to reach the ASBR + the redistributed cost. E1 = cost to reach ASBR + redistributed cost.
Explain OSPF Virtual Link? OSPF requires the use of a backbone area (area 0) with each area connecting to area 0 through an ABR. However, in some cases a regular area might not have a convenient point of connection to the backbone area. In this case, OSPF uses a virtual link to connect that regular area to the backbone area virtually. An OSPF virtual link allows two ABRs that connect to the same non-backbone area to form a neighbor relationship through that non-backbone area, even when separated by many other routers and subnets. This virtual link acts like a virtual point-to-point connection between the two routers, with that link inside area 0. The routers form a neighbor relationship, inside area 0, and flood LSAs over that link.
Explain OSPF Stub Area and different types of Stub Areas? Stub Area - Sometimes we need to control the advertisement of external routes into an area. This area is called a Stub area.
Stub areas are not capable of importing routes external to OSPF. Type 4 & Type 5 LSAs are filtered from Stub areas and a default route is injected into that area by the ABR in place of external routes. To make an area stub we have to give the # area 1 stub command on all routers of that area. Three restrictions apply to OSPF stub areas: 1.No virtual links are allowed in a stub area. 2.A Stub area cannot be a backbone area. 3.No Autonomous System Boundary Routers are allowed.
Totally Stubby Area - Like stub areas, totally stubby areas do not receive type 4 or 5 LSAs from their ABRs. However, they also do not receive type 3 LSAs. It only allows advertisement of internal routes in that area. To make an area totally stubby we have to give the # area 1 stub no-summary command on the ABR.
Not-So-Stubby Areas - The motivation behind NSSA is to allow OSPF stub areas to carry external routes. External routes are imported into the OSPF NSSA as Type 7 LSAs by the ASBR. Type 7 LSAs cannot go into area 0, so they are converted back into Type 5 LSAs by the ABR and injected into area 0. To make an area Not-So-Stubby we have to give the # area 1 nssa command on all routers of that area.
Totally NSSA - Along with Type 4 & Type 5 LSAs, Type 3 LSAs will also be filtered in a Totally NSSA. To make an area Totally Not-So-Stubby we have to give the # area 1 nssa no-summary command on the ABR of that area.
How do I change the reference bandwidth in OSPF? We can change the reference bandwidth using the auto-cost reference-bandwidth command under router ospf. By default, the reference bandwidth is 100 Mbps.
How does OSPF calculate its metric or cost? OSPF uses Cost as its metric. The formula to calculate the OSPF cost is reference bandwidth divided by interface bandwidth. For example, in the case of Ethernet, it is 100 Mbps / 10 Mbps = 10. If the # ip ospf cost _ command is used on the interface, it overrides this formulated cost.
Explain OSPF Authentication? These are the three different types of authentication supported by OSPF to secure routing updates. 1.Null Authentication - also called Type 0. It means no authentication information is included in the packet header. It is the default. 2.Plain Text Authentication - also called Type 1. It uses simple clear-text passwords. 3.MD5 Authentication - also called Type 2. It uses MD5 cryptographic passwords.
Plain Text Authentication: Step1 - To configure plain text authentication, first we have to enable authentication. Authentication can be enabled either under the area or for a specific interface. To enable authentication for an area: Router(config)# router ospf 100 Router(config-router)# network 192.168.1.0 0.0.0.255 area 0 Router(config-router)# area 0 authentication This will enable authentication for all the interfaces of the router in area 0. OR, if we don't want to enable authentication for a whole area, we can enable it for a specific interface. This is useful if different interfaces that belong to the same area need to use different authentication methods. Router(config)# interface fa0/1 Router(config-if)# ip ospf authentication Step2 - Next, we have to configure the authentication key on the interface: Router(config)# interface fa0/1 Router(config-if)# ip ospf authentication-key Cisco123 Here Cisco123 is the password value.
MD5 Authentication: Step1 - To configure MD5 authentication, first we have to enable authentication. Router(config)# router ospf 1 Router(config-router)# network 192.168.1.0 0.0.0.255 area 0 Router(config-router)# area 0 authentication message-digest OR Router(config)# interface fa0/1 Router(config-if)# ip ospf authentication message-digest Step2 - Next, we have to configure the authentication key on the interface: Router(config)# interface fa0/1 Router(config-if)# ip ospf message-digest-key 10 md5 Cisco123 Here Cisco123 is the password value and 10 is the Key ID (number). It doesn't matter which key ID you choose, but it has to be the same on both ends. Authentication passwords do not have to be the same throughout an area. However, they must be the same between neighbors.
Which command enables OSPF for IPv6 on a router? # ipv6 router ospf process-id
What is the link-state retransmit interval, and what is the command to set it? OSPF must send an acknowledgment of each newly received link-state advertisement (LSA). LSAs are retransmitted until they are acknowledged. The link-state retransmit interval defines the time between retransmissions. We can use the command ip ospf retransmit-interval to set the retransmit interval. The default value is 5 seconds.
When routes are redistributed between OSPF processes, are all shortest path first algorithm (SPF) metrics preserved or is the default metric value used? The SPF metrics are preserved. The redistribution between them is like redistribution between any two IP routing processes.
How do I stop individual interfaces from developing adjacencies in an OSPF network? To stop routers from becoming OSPF neighbors on a particular interface, issue the passive-interface command for the interface.
When I have two type 5 link-state advertisements (LSAs) for the same external network in the OSPF database, which path should be installed in the routing table?
When you have two type 5 LSAs for the same external network in the OSPF database, prefer the external LSA that has the shortest path to the Autonomous System Boundary Router (ASBR) and install that into the IP routing table. Use the show ip ospf border-routers command to check the cost to the ASBR. Should I use the same process number while configuring OSPF on multiple routers within the same network? OSPF, unlike Border Gateway Protocol (BGP) or Enhanced Interior Gateway Routing Protocol (EIGRP) does not check the process number (or autonomous system number) when adjacencies are formed between neighboring routers and routing information is exchanged.
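The OSPF cost arithmetic, the default redistribution metrics, the E1/E2 distinction, the route-type preference order and the "closest ASBR wins" rule for duplicate Type 5 LSAs from the questions above, expressed in Python. This is an added example rather than code from the page: the bandwidths, costs and candidate routes are constructed sample values, and the `pick_best` helper is a simplification that ranks candidates for one prefix only by route type, total cost and distance to the ASBR, which is all the page covers.

```python
# Added example (not from the original page): OSPF interface cost, redistribution
# defaults, E1/E2 cost composition and route selection for one prefix.
# All bandwidths, costs and candidate routes below are constructed.

def ospf_cost(intf_bw_mbps, ref_bw_mbps=100):
    """cost = reference bandwidth / interface bandwidth, rounded down, minimum 1.
    The 100 Mbps default cannot distinguish Fast Ethernet from Gigabit Ethernet."""
    return max(1, ref_bw_mbps // intf_bw_mbps)


def default_redistribution_metric(source, source_metric=None):
    """Seed metric when redistributing into OSPF (the page's three defaults)."""
    if source == "bgp":
        return 1
    if source == "ospf":
        return source_metric          # another OSPF process: keep the source metric
    return 20                         # everything else (EIGRP, RIP, static, ...)


TYPE1 = ("E1", "N1")   # cost to ASBR + redistributed cost
TYPE2 = ("E2", "N2")   # redistributed cost only


def external_route_cost(route_type, cost_to_asbr, redistributed_cost):
    if route_type in TYPE1:
        return cost_to_asbr + redistributed_cost
    if route_type in TYPE2:
        return redistributed_cost
    raise ValueError(f"not an external route type: {route_type}")


# Preference order from the page: O > O IA > E1 > E2 > N1 > N2
ROUTE_PREFERENCE = {"O": 0, "O IA": 1, "E1": 2, "E2": 3, "N1": 4, "N2": 5}


def pick_best(candidates):
    """candidates: list of (route_type, cost_to_asbr, cost). For internal routes
    `cost` is the path cost; for external ones it is the redistributed cost.
    Rank by route type, then total cost, then (for E2/N2 ties) the cheaper path
    to the ASBR, as 'show ip ospf border-routers' would reveal."""
    def key(c):
        rtype, to_asbr, cost = c
        total = external_route_cost(rtype, to_asbr, cost) if rtype in TYPE1 + TYPE2 else cost
        return (ROUTE_PREFERENCE[rtype], total, to_asbr)
    return min(candidates, key=key)


if __name__ == "__main__":
    print(ospf_cost(10), ospf_cost(100), ospf_cost(1000))            # 10 1 1
    print(ospf_cost(1000, ref_bw_mbps=10000), ospf_cost(100, 10000))  # 10 100
    print(pick_best([("E2", 5, 20), ("E2", 3, 20)]))                  # ('E2', 3, 20)
```

The first print line is the operational reason for raising the reference bandwidth: with the default, a Gigabit and a Fast Ethernet link both cost 1 and SPF treats them as equal, so traffic can be steered onto the slower path.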
Can we have OSPF run over a GRE tunnel? Yes, we can have OSPF run over a GRE tunnel.
BGP Interview Questions and Answers
Explain Border Gateway Protocol (BGP)? Border Gateway Protocol advertises, learns and chooses the best paths inside the global Internet. When two ISPs connect, they typically use BGP to exchange routing information. Enterprises also sometimes use BGP to exchange routing information with ISPs, allowing the Enterprise routers to learn Internet routes. When we have multiple Internet connections and we want to influence some packets to take one path and some packets to take another, we use BGP.
Can Routers on different subnets become BGP neighbors? BGP does not require neighbors to be attached to the same subnet. Instead, BGP routers use a TCP connection between the routers to pass BGP messages, allowing neighboring routers to be on the same or different subnets.
What TCP port number does BGP use for the connection? BGP uses TCP port 179 for the connection.
Difference between eBGP and iBGP neighbor? In iBGP, neighborship is formed between routers within the same AS (autonomous system) whereas in eBGP, neighborship is formed between routers in different ASes.
What Administrative Distance does BGP use for iBGP & eBGP? AD for iBGP = 200, AD for eBGP = 20.
Explain Loop prevention mechanism in BGP? BGP uses two mechanisms to prevent loops: 1. When a router learns routes from an iBGP peer, that router does not advertise the same routes to another iBGP peer. 2. By using AS_PATH - When advertising to an eBGP peer, a BGP router adds its own ASN to the AS_PATH. If a BGP router receives an update and the route advertisement lists an AS_PATH with its own ASN, the router ignores that route. Note - A BGP router does not add its ASN when advertising to an iBGP peer.
Do we need to follow the 3 way handshake process to establish BGP communication? Yes
What is the difference between hard reset and soft reset in BGP? In case of a hard reset the local router brings down the neighborship, brings down the underlying TCP connection and all the BGP table entries learned from that neighbor are removed. The #clear ip bgp * command is used for hard reset. In case of a soft reset, the router does not bring down the BGP neighborship or the underlying TCP connection. However, the local router resends outgoing Updates and reprocesses incoming Updates, adjusting the BGP table based on the current configuration. The #clear ip bgp * soft command is used for soft reset.
What are different BGP Message Types? 1. Open - It is used to establish a neighbor relationship and exchange parameters, including autonomous system number and authentication values. 2. Keepalive - It is sent periodically to maintain the neighbor relationship. If a Keepalive message is not received within the negotiated Hold timer then the BGP neighborship will be torn down. 3. Update - It exchanges Path Attributes and the associated prefix/length (NLRI) that use those attributes. 4. Notification - It is used to report a BGP error. It results in a reset of the neighbor relationship.
Explain various states of BGP? 1. Idle - The BGP process is either administratively down or waiting for the next retry attempt. 2. Connect - The BGP process is waiting for the TCP connection to be completed. If it is successful, it will continue to the OpenSent state. In case it fails, it will continue to the Active state. 3. Active - BGP will try another TCP three-way handshake to establish a connection with the remote BGP neighbor. If it is successful, it will move to the OpenSent state. 4. Opensent - The TCP connection exists, and a BGP Open message has been sent to the peer, but the matching Open message has not yet been received from the other router. 5. Openconfirm - An Open message has been both sent to and received from the other router. The next step is to receive a BGP Keepalive message (to confirm that all neighbor-related parameters match) or a BGP Notification message (to learn that there is some mismatch in neighbor parameters). 6. Established - All neighbor parameters matched, the neighbor relationship has been established and the peers can now exchange Update messages.
Explain BGP Path Attributes? BGP supports a wide variety of Path Attributes. BGP uses these path attributes to examine the competing BGP paths (routes) in the BGP table to choose the best path (route). 1. Next Hop - It lists the next-hop IP address used to reach a prefix. If there is no route to reach the Next Hop, the router cannot use this route. 2. Weight - It is a numeric value set by a router when receiving updates to influence the route for a prefix. It is not advertised to any BGP peers. Bigger is preferred. 3. Local Preference - It is a numeric value set and communicated within a single AS for the purpose of choosing the best route for all routers in that AS to reach a certain network. Bigger is preferred. 4. Locally injected routes - Locally injected routes (routes injected using the network command) are better than iBGP/eBGP learned. 5. AS Path - It is the number of ASNs in the AS Path. Smaller is preferred. 6. Origin - Preferred I over E & E over ?. It implies that the route was injected into BGP as I (IGP), E (EGP) or ? (incomplete information). 7. Multi-Exit Discriminator (MED) - Allows an AS to tell a neighboring AS the best path to forward packets into the first AS. Smaller is preferred. 8. Neighbor type - eBGP is preferred over iBGP. 9. IGP metric - Route with the nearest IGP neighbor (lowest IGP metric) is preferred. 10. eBGP route - Oldest (longest known) route is preferred. 11. Neighbor Router ID - Lowest is preferred. 12. Neighbor IP address - Lowest is preferred. Trick to Remember - N WLLA OMNI
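The twelve-step best-path comparison above (N WLLA OMNI), implemented in Python so that the order of the tie-breakers can be checked against constructed candidate paths. This is an added example, not code from the page: the `BgpPath` fields, the sample prefixes, router IDs and neighbour addresses are all made up here, route age is modelled as a receive-order counter, and MED is compared across every candidate (a simplification; IOS by default compares MED only between paths from the same neighbouring AS).

```python
# Added example (not from the original page): BGP best-path selection in the
# attribute order the page lists. Paths and attribute values are constructed.
from dataclasses import dataclass

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}     # IGP preferred over EGP over incomplete


@dataclass
class BgpPath:
    prefix: str
    next_hop_reachable: bool        # N: a path whose next hop has no route is unusable
    weight: int = 0                 # W: Cisco-local, bigger preferred
    local_pref: int = 100           # L: AS-wide, bigger preferred
    locally_injected: bool = False  # L: network-command routes beat learned ones
    as_path: tuple = ()             # A: shorter preferred
    origin: str = "i"               # O: i > e > ?
    med: int = 0                    # M: smaller preferred (simplified, see lead-in)
    ebgp: bool = True               # N: eBGP preferred over iBGP
    igp_metric: int = 0             # I: nearest IGP next hop preferred
    received_order: int = 0         # oldest (lowest counter) preferred
    router_id: str = "0.0.0.0"      # lowest preferred
    neighbor_ip: str = "0.0.0.0"    # lowest preferred


STEP_NAMES = ["weight", "local_pref", "locally_injected", "as_path", "origin", "med",
              "neighbor_type", "igp_metric", "age", "router_id", "neighbor_ip"]


def _ip_key(ip):
    return tuple(int(o) for o in ip.split("."))


def selection_key(p):
    """Tuple ordered so that min() over candidates yields the best path."""
    return (-p.weight, -p.local_pref, 0 if p.locally_injected else 1,
            len(p.as_path), ORIGIN_RANK[p.origin], p.med, 0 if p.ebgp else 1,
            p.igp_metric, p.received_order, _ip_key(p.router_id), _ip_key(p.neighbor_ip))


def best_path(paths):
    usable = [p for p in paths if p.next_hop_reachable]
    if not usable:
        return None
    return min(usable, key=selection_key)


def deciding_attribute(paths):
    """First step at which the usable candidates are not all equal; handy when
    explaining why a given path won (or why a prepended AS path had no effect)."""
    keys = [selection_key(p) for p in paths if p.next_hop_reachable]
    for i, name in enumerate(STEP_NAMES):
        if len({k[i] for k in keys}) > 1:
            return name
    return None


if __name__ == "__main__":
    a = BgpPath("10.0.0.0/8", True, local_pref=100, as_path=(65001, 65002), router_id="1.1.1.1")
    b = BgpPath("10.0.0.0/8", True, local_pref=200, as_path=(65001, 65002, 65003), router_id="2.2.2.2")
    print(best_path([a, b]).router_id, deciding_attribute([a, b]))   # 2.2.2.2 local_pref
```

Note how local preference beats a shorter AS path in the sample: prepending the AS path on an inbound link does nothing against a neighbour that has set a higher local preference, which is why the order of the steps matters when reasoning about how traffic actually enters or leaves an AS.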
Explain BGP Weight attribute? The weight attribute is a Cisco proprietary attribute that is used in the path selection process when there is more than one route to the same destination. A path with the Higher weight value is preferred. The default value for weight is 0. The weight attribute is local to the router and is not propagated to any BGP peers. Weight attribute is set by a router when receiving Updates influencing that one router’s route for a prefix. Explain BGP Local preference? Local preference is an indication to the AS about which path has preference to exit the AS in order to reach a certain network. A path with a higher local preference is preferred more. By default value for loc al preference is 100 and can be changed manually. Unlike the weight attribute, which is only relevant to the local router, local preference attribute is communicated throughout a single AS for the purpose of influencing the choice of best path to exit the AS. Explain BGP MED? The purpose of MED is to influence how other autonomous systems enters into your AS to reach a certain prefix. BGP MED is an attribute which is not propagated throughout the whole network but just to adjacent AS. The lower the MED the more the path will be preferred. What is Recursive Lookup? The router looks up the BGP route and the next hop to reach a destination in the remote AS. Then the router looks up the route to reach the next hop. In this way router has to perform lookup twice to reach to a destination, this process is called recursive lookup. What is route reflector and why it is required? In BGP, route learned from an iBGP neighbor will not be advertised to another iBGP neighbor. To overcome this situation route reflector is used. It acts as a route reflector server and makes IBGP neighbors as route reflector clients enabling route advertisements between them. What is the difference between Local Preference and MED? 
The Local Preference attribute is to influence your own AS how to exit to another AS. MED is to influence other AS how to enter your own AS.
What is the command to administratively disable BGP neighborship?
# neighbor neighbor-ip shutdown
# no neighbor neighbor-ip shutdown (to enable it again)
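One way to see the whole order in action is the following Python model, an added example that is not part of the original page: it applies the steps in the sequence the N WLLA OMNI mnemonic gives (next hop, weight, local preference, locally originated, AS path, origin, MED) followed by steps 8 to 12 above, and reports which step broke the tie. All neighbor addresses, router IDs and attribute values are constructed; MED is compared between all candidates and the age step is applied to every path, both simplifications of the Cisco rules.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class BgpPath:
    """One candidate path to a prefix as seen by a single router (constructed sample data)."""
    neighbor_ip: str
    neighbor_rid: str
    next_hop_reachable: bool = True
    weight: int = 0                 # Cisco-proprietary, never propagated, higher wins
    local_pref: int = 100           # carried across the local AS, higher wins
    locally_originated: bool = False
    as_path: List[int] = field(default_factory=list)
    origin: str = "i"               # "i" (IGP) < "e" (EGP) < "?" (incomplete)
    med: int = 0                    # lower wins (simplified: compared across all paths)
    ebgp: bool = True               # eBGP-learned path preferred over iBGP-learned
    igp_metric: int = 0             # IGP metric to reach the next hop, lower wins
    age: int = 0                    # seconds this path has been known, oldest wins


ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}


def ip_int(addr: str) -> int:
    """Numeric value of a dotted-decimal address so "lowest" compares correctly."""
    return int(ipaddress.IPv4Address(addr))


# Decision order as the mnemonic lists it, then steps 8-12. Every key maps a path
# to a value where the SMALLEST candidate wins, so "highest" attributes are negated.
STEPS = [
    ("weight (highest)",                lambda p: -p.weight),
    ("local preference (highest)",      lambda p: -p.local_pref),
    ("locally originated",              lambda p: 0 if p.locally_originated else 1),
    ("AS path (shortest)",              lambda p: len(p.as_path)),
    ("origin (IGP < EGP < incomplete)", lambda p: ORIGIN_RANK[p.origin]),
    ("MED (lowest)",                    lambda p: p.med),
    ("neighbor type (eBGP over iBGP)",  lambda p: 0 if p.ebgp else 1),
    ("IGP metric to next hop (lowest)", lambda p: p.igp_metric),
    ("oldest route",                    lambda p: -p.age),
    ("neighbor router ID (lowest)",     lambda p: ip_int(p.neighbor_rid)),
    ("neighbor IP address (lowest)",    lambda p: ip_int(p.neighbor_ip)),
]


def select_best(paths):
    """Return (best path, name of the step that decided) or (None, reason)."""
    # Step "N": a path whose next hop is unreachable is never a candidate.
    candidates = [p for p in paths if p.next_hop_reachable]
    if not candidates:
        return None, "no path with a reachable next hop"
    for name, key in STEPS:
        winner = min(key(p) for p in candidates)
        candidates = [p for p in candidates if key(p) == winner]
        if len(candidates) == 1:
            return candidates[0], name
    return candidates[0], "full tie"   # unreachable while neighbor IPs are distinct


def sample_paths():
    """Constructed: three paths to the same prefix learned by one router."""
    return [
        BgpPath("10.0.0.1", "1.1.1.1", as_path=[65001, 65002], age=900),
        BgpPath("10.0.0.2", "2.2.2.2", as_path=[65003], local_pref=200, age=60),
        BgpPath("10.0.0.3", "3.3.3.3", as_path=[65003], ebgp=False, igp_metric=20),
    ]


if __name__ == "__main__":
    best, why = select_best(sample_paths())
    print(f"best via {best.neighbor_ip}, decided by: {why}")
```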
STP Interview Questions and Answers [CCNP]
What is STP & Redundant Links? Spanning Tree Protocol (STP) is a protocol which prevents layer 2 loops. STP enables switches to become aware of each other so that they can negotiate a loop-free path through the network. In a practical scenario, redundant links are created to avoid complete network failure in the event of failure of one link.
How STP works? STP chooses a reference point (Root Bridge) in the network and calculates all the redundant paths to that reference point. Then it picks one path by which to forward frames and blocks the other redundant paths.
What are the different port states? 1. Disabled - A port in the disabled state does not participate in STP. 2. Blocking - A blocked port does not forward frames. It only listens to BPDUs. The purpose of the blocking state is to prevent the use of looped paths. 3. Listening - A port in listening state prepares to forward data frames without populating the MAC address table. The port also sends and listens to BPDUs to make sure no loops occur on the network. 4. Learning - A port in learning state populates the MAC address table but doesn't forward data frames. The port still sends and receives BPDUs as before. 5. Forwarding - The port now can send and receive data frames, collect MAC addresses in its address table, and send and receive BPDUs. The port is now a fully functioning switch port within the spanning-tree topology.
What is the default time a port takes to transition from the blocking state to the forwarding state? The default time a port takes to transition from the blocking state to the forwarding state is 50 seconds: 20 seconds for Max Age, 15 seconds for listening, and 15 seconds for learning.
What are STP Timers and Explain different types of STP Timers? STP uses three timers to make sure that a network converges properly before a bridging loop can form. 1. Hello - The time interval between Configuration BPDUs sent by the root bridge. It is 2 seconds by default. 2. Forward Delay - The time interval that a switch port spends in both the Listening and Learning states. The default value is 15 seconds. 3. Max Age - Maximum length of time a BPDU can be stored without receiving an update. It can also be defined as the time interval that a switch stores a BPDU before discarding it. It is 20 seconds by default.
Explain types of STP Port Roles? 1. Root port - The root port is always the link directly connected to the root bridge, or the shortest path to the root bridge. It is always on a Non-Root Bridge. 2. Designated port - A designated port is one that has been determined as having the best (lowest) cost. A designated port will be marked as a forwarding port. It can be on both Root Bridge & Non-Root Bridge. All ports of the Root Bridge are Designated Ports. 3. Forwarding port - A forwarding port forwards frames. 4. Blocked port - A blocked port is the port that is used to prevent loops. It only listens to frames. Any port other than the Root port & Designated port is a Blocked Port.
What is the STP blocking state? When a switch starts, all ports are in the blocking state to prevent any loop in the network. If there is a better path to the root bridge, the port remains in the blocked state. Ports in the blocked state cannot send or receive traffic, but they can receive BPDUs.
What is BPDU? All the switches exchange information to select the Root Bridge as well as for configuration of the network. This is done through Bridge Protocol Data Units (BPDUs). Each switch compares the parameters in the BPDU that it sends to one neighbor with the one that it receives from another neighbor.
How often do Bridges send BPDUs on active ports? The default time that bridges send BPDUs is 2 seconds.
What is the destination MAC address used by Bridge Protocol Data Units (BPDUs)? BPDU frames are sent to the multicast destination MAC address 01:80:c2:00:00:00.
What are Types of BPDU? Two types of BPDU exist: 1. Configuration BPDU - Used for Spanning-Tree computation. 2. Topology Change Notification (TCN) BPDU - Used to announce changes in the network topology.
How Root bridge is elected? The Bridge ID is used to elect the root bridge in the STP domain. This ID is 8 bytes long and includes both the priority and the MAC address of the device. The switch with the lowest Bridge ID is elected as the Root Bridge, which means the switch with the lowest priority will become Root Bridge; if two or more switches have the same priority, then the switch with the lowest MAC address will become Root Bridge.
Explain Root path cost? Root path cost is the cumulative cost of all links to the Root Bridge.
How Root Ports are elected? Non Root Bridges use Root path cost to determine which port will be the Root port. The port with the lowest root path cost is elected as the root port and is placed in the forwarding state. What is the difference between Path cost and Root Path cost? Path cost is the value assigned to each port. It is added to BPDUs received on that port to calculate the root path cost. Root path cost is defined as the cumulative cost to reach the root bridge. This value is calculated by adding the receiving port's path cost to the value contained in the BPDU. In a BPDU, Root path cost is transmitted not the path cost. What is Path Cost or Spanning Tree Path Cost value? The Spanning Tree Cost Value is inversely proportional to the associated bandwidth of the link and therefore a path with a low cost value is more preferable than a path with high cost value.
Link Bandwidth and Cost Value:
10 Gbps - 2
1 Gbps - 4
100 Mbps - 19
10 Mbps - 100
What is Root Port? Once the Root Switch is elected, every other switch in the network must select a single port on itself to reach the Root Switch. The single selected port on a switch with the least Path Cost to reach the Root Bridge is called the Root Port. The Root Bridge will never have a Root Port.
What is Extended System ID? The Extended System ID is utilized by spanning-tree to include the VLAN ID information inside the 16-bit STP Bridge Priority value. The Extended System ID is the least significant 12 bits of the 16-bit STP Bridge Priority value.
Explain Root Guard? Root Guard is used to protect the root bridge. Root Guard stops a new switch introduced in the network with a lower bridge ID from becoming the root bridge. If a port with the Root Guard feature enabled receives a superior BPDU, it moves the port into a root-inconsistent state (equal to a listening state), thus maintaining the current Root Bridge status. It is enabled at interface level.
switch(config-if)# spanning-tree guard root
What is BPDU Guard? When we enable PortFast on a port, we do not expect BPDUs on that port. Suppose a switch is connected by mistake on the port where PortFast is enabled; a loop can form. An even greater consequence is that the connected switch has the potential to become root bridge. The BPDU Guard feature was developed to protect the integrity of switch ports that have PortFast enabled. If any BPDU (superior to the current root or not) is received on a port where BPDU Guard is enabled, that port immediately is put into the error-disable state. The port is shut down in an error condition and must be either manually re-enabled or automatically recovered through the errdisable timeout function. BPDU Guard can be enabled at both interface & global level. It is basically enabled on access layer switches. All VLANs are affected.
Switch(config)# spanning-tree portfast bpduguard default
Switch(config-if)# spanning-tree bpduguard enable
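The root bridge election, the Extended System ID layout and the root-port choice by cumulative root path cost, worked through in Python as an added example that is not part of the original page; the switch names, priorities, MAC addresses and links are constructed, and the port costs are the values from the bandwidth table above.

```python
import heapq

# Port cost per link bandwidth, as in the table above (802.1D short-method values)
PORT_COST = {"10G": 2, "1G": 4, "100M": 19, "10M": 100}


def bridge_id(priority, vlan, mac):
    """8-byte Bridge ID: 4-bit priority, 12-bit Extended System ID (the VLAN), 48-bit MAC.
    Because the VLAN occupies the low 12 bits, the configurable priority is a multiple of 4096."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN id must be 1..4094 to fit the 12-bit Extended System ID")
    return ((priority | vlan) << 48) | int(mac.replace(":", ""), 16)


def elect_root(switches, vlan):
    """switches: name -> (priority, mac). The lowest Bridge ID wins: lowest priority first,
    then lowest MAC address on a priority tie."""
    return min(switches, key=lambda n: bridge_id(switches[n][0], vlan, switches[n][1]))


def root_ports(switches, links, vlan):
    """links: (switch_a, port_a, switch_b, port_b, speed) for each cable.
    Returns {non-root switch: (root port, root path cost)}. The receiving port's cost is
    added every time a BPDU is relayed, so this is a shortest-path (Dijkstra) computation
    from the root; equal-cost ties break on the lowest sender Bridge ID, then port name."""
    root = elect_root(switches, vlan)
    bid = {n: bridge_id(p, vlan, m) for n, (p, m) in switches.items()}
    adj = {n: [] for n in switches}
    for a, pa, b, pb, speed in links:
        cost = PORT_COST[speed]
        adj[a].append((b, pb, cost))   # a's BPDU arrives at b on b's port pb
        adj[b].append((a, pa, cost))   # and the other way round
    best = {root: (0, 0, "")}          # switch -> (root path cost, sender BID, root port)
    heap = [(0, 0, "", root)]
    while heap:
        cost, sender, port, sw = heapq.heappop(heap)
        if (cost, sender, port) != best[sw]:
            continue                   # stale heap entry, a better one was found later
        for nbr, rx_port, link_cost in adj[sw]:
            cand = (cost + link_cost, bid[sw], rx_port)
            if nbr not in best or cand < best[nbr]:
                best[nbr] = cand
                heapq.heappush(heap, cand + (nbr,))
    return {sw: (port, cost) for sw, (cost, _, port) in best.items() if sw != root}


# Constructed topology: SW3 has the lowest priority and becomes root for VLAN 10
SWITCHES = {
    "SW1": (32768, "00:00:00:00:00:0a"),
    "SW2": (32768, "00:00:00:00:00:0b"),
    "SW3": (4096, "00:00:00:00:00:0c"),
}
LINKS = [
    ("SW3", "g0/1", "SW1", "g0/1", "1G"),     # cost 4
    ("SW3", "f0/2", "SW2", "f0/1", "100M"),   # cost 19
    ("SW1", "g0/2", "SW2", "g0/2", "1G"),     # cost 4: SW2 reaches root cheaper via SW1 (8)
]

if __name__ == "__main__":
    print("root bridge:", elect_root(SWITCHES, 10))
    print("root ports:", root_ports(SWITCHES, LINKS, 10))
```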
Explain Sudden Loss of BPDUs? Suppose a switch does not receive BPDUs; it will think that the topology must have changed, so blocked ports can be unblocked again. If the absence of BPDUs is actually a mistake and not a topology change, bridging loops can easily form. There are two features that help detect or prevent the unexpected loss of BPDUs: 1. Loop Guard 2. Unidirectional Link Detection (UDLD)
What is Loop Guard? Loop Guard keeps track of the BPDU activity on non-designated ports. It does not allow non-designated ports to become designated ports in case of sudden loss of BPDUs. While BPDUs are received, the port is allowed to behave normally. When BPDUs go missing, Loop Guard moves the port into the loop-inconsistent state (the port is effectively blocking at this point to prevent a loop from forming and to keep it in the non-designated role). When BPDUs are received on the port again, Loop Guard allows the port to move through the normal STP states and become active. It can be enabled at both interface & global level. It works on a per-VLAN basis.
Switch(config)# spanning-tree loopguard default
Switch(config-if)# spanning-tree guard loop
What is BPDU Filter? STP runs on a switch to prevent loops. However, in special cases when we need to prevent BPDUs from being sent or processed on one or more switch ports, we can use BPDU filtering to effectively disable STP on those ports. It prevents the port from sending and receiving BPDUs. It can be enabled at both interface & global level.
Switch(config)# spanning-tree portfast bpdufilter default
Switch(config-if)# spanning-tree bpdufilter { enable | disable }
What is the difference between BPDU Guard and BPDU Filter? BPDU Guard works aggressively and puts the port in the error-disable state, while BPDU Filter does not shut the port, it only filters BPDUs. BPDU Guard only prevents receiving BPDUs, while BPDU Filter prevents both sending and receiving BPDUs. If both BPDU Guard and BPDU Filter are enabled on a port, then only BPDU Filter will work.
RSTP and MST Interview Questions and Answers
What are the Port Roles in RSTP? 1. Root port - It is the port on the switch that has the best root path cost to the root bridge. This is identical to 802.1D. 2. Designated port - The switch port on a network segment that has the best root path cost to the root. 3. Alternate port - A port that has an alternative path to the root, different from the path the root port takes. This path is less desirable than that of the root port. 4. Backup port - A port that provides a redundant (but less desirable) connection to a segment where another switch port already connects. If that common segment is lost, the switch might or might not have a path back to the root.
What are different port states in RSTP? 1. Discarding - Incoming frames simply are dropped; no MAC addresses are learned. This state combines the 802.1D Disabled, Blocking, and Listening states. 2. Learning - Incoming frames are dropped, but MAC addresses are learned. 3. Forwarding - Incoming frames are forwarded according to MAC addresses that have been learned.
Explain RSTP BPDUs? RSTP distinguishes its BPDUs from 802.1D BPDUs as the RSTP BPDU version is set to 2. BPDUs are sent out every switch port at hello time intervals, regardless of whether BPDUs are received from the root. When three BPDUs are missed in a row, that neighbor is presumed to be down and all information related to the port leading to the neighbor is aged out. Also, some previously unused bits in the Message Type field are used in RSTP BPDUs.
What are Edge Ports and Point-to-point Ports? Edge Port - Port on which end devices connect. PortFast is enabled on this port. As a loop cannot form on this port, it can be placed immediately in the forwarding state. If a BPDU is received on an edge port, it loses its edge port status. Point-to-point Port - These are ports that connect to another switch and become designated ports. Full-duplex ports are considered point-to-point because only two switches can be present on the link.
Explain RSTP convergence in terms of proposal and agreement? In RSTP, BPDUs are exchanged back and forth in the form of a proposal and an agreement. One switch proposes that its port becomes a designated port, and if the other switch agrees it replies with an agreement message.
Explain TCN in RSTP? In RSTP, the TCN BPDU is not sent to the root bridge; instead the switch on which the change happens will itself send the TCN BPDU to all other switches. BPDUs with their TCN bit set are sent out on all non-edge designated ports.
What is the command to change mode to RSTP?
Switch(config)# spanning-tree mode rapid-pvst
Explain MST? Multiple Spanning Tree Protocol maps one or more vlans to single STP instance. Multiple instances of STP can be used with each instance supporting a different group of VLANs. Instance zero is by default on a switch. Any non-mapped Vlan is assigned to instance Zero. What is MST region? Every switch in a MST region runs MST with compatible parameters. Within the region, all switches must run the instance of MST that is defined by the following attributes: 1. MST configuration name. 2. MST configuration revision number. 3. MST instance-to-VLAN mapping table. If two switches have the same set of attributes, they belong to the same MST region.
How two MST regions communicate? Two MST regions communicate through CST (Common Spanning Tree).
Explain M-Record? In MST, one switch calculates a hash for a particular instance and sends it to the other switch. The other switch will match the priority in that hash with its own calculated hash and the root bridge is elected.
Explain MST BPDUs? The entire MST instance-to-VLAN mapping table is not sent in the BPDUs because the instance mappings must be configured on each switch. Instead, a computed digest or hash code is sent. Switches compare the received BPDU hash with their own hash.
How revision number in MST works? The configuration revision number gives us a means of tracking changes to the MST region configuration. Each time we make changes to the configuration, we should increase the number by one. It is not incremented automatically.
What is the command to change mode to MST?
Switch(config)# spanning-tree mode mst
Router ID Significance in EIGRP, OSPF & BGP
EIGRP - The EIGRP RID is a 32-bit number in dotted decimal format. In EIGRP, duplicate RIDs do not prevent routers from becoming neighbors; two EIGRP routers with the same router ID will still form a neighbor relationship. The only time the value of the EIGRP RID matters is when injecting external (redistributed) routes into EIGRP. In this case, the routers injecting the external routes should have unique RIDs to avoid confusion. To manually configure the router ID:
R1(config)# router eigrp 10
R1(config-router)# eigrp router-id 1.1.1.1
OSPF - Every OSPF router within the network will have a 32-bit router ID that uniquely identifies it to the other routers on the network. Unlike EIGRP, OSPF prevents neighborships between routers with duplicate RIDs. All OSPF RIDs in a domain should be unique. The OSPF Router ID should not be changed after the OSPF process is started and the OSPF neighborships are established. If you change the OSPF router ID, you need to either reload the IOS or use the "clear ip ospf process" command (restart the OSPF process) for the changed RID to take effect. To manually configure the router ID:
R1(config)# router ospf 5
R1(config-router)# router-id 5.5.5.5
BGP - Like OSPF, BGP also prevents neighborship between routers with the same router ID. The BGP router IDs of the two routers should not be the same. The Router ID also acts as a tie-breaker for BGP path selection. If all other attributes (weight, local preference, origin, AS path etc.) up to router ID are equal, then the decision is made based on the lowest router ID. To manually configure the router ID:
R1(config)# router bgp 100
R1(config-router)# bgp router-id 9.9.9.9
In all of above routing protocols Router ID is determined according to the following general rules Step 1. Use the router ID defined in the router-id x.x.x.x OSPF router subcommand. Step 2. Use the highest IP address of any up loopback interface. Step 3. Use the highest IP address of any up physical interface.
Passive Interface command Behavior in RIP, EIGRP & OSPF
RIP - In RIP the passive-interface command will disable sending multicast updates via a specific interface but will allow listening to incoming updates from other RIP-speaking neighbors.
R1(config)# router rip
R1(config-router)# passive-interface fa0/0
Command to see the list of passive interfaces: R1# show ip protocols
EIGRP - When an interface is passive, EIGRP quits sending any outgoing hello packets, so the router cannot form any neighbor relationship via the passive interface. This behavior stops both outgoing and incoming routing updates. However, EIGRP still advertises the connected subnets if matched with an EIGRP network command.
R1(config)# router eigrp 1
R1(config-router)# passive-interface fa0/0
Command to see the list of passive interfaces: R1# show ip protocols
OSPF - It works just like it works with EIGRP. When a router configures an interface as passive to OSPF, OSPF stops sending outgoing hello packets, so the router cannot form any neighbor relationship via the passive interface. This behavior stops both outgoing and incoming routing updates. However, OSPF still advertises the connected subnets if matched with an OSPF network command.
R1(config)# router ospf 3
R1(config-router)# passive-interface fa0/0
Command to see the list of passive interfaces: R1# show ip protocols
List of Protocols which work on TCP and UDP?
TCP - TELNET, HTTP, HTTPS, FTP, SMTP, BGP, POP3, IMAP, NFS.
UDP - DHCP, TFTP, DNS, RIP, SNMP, VOIP.
Comparison of RIP, EIGRP & OSPF?
Type - RIP: Distance Vector; EIGRP: Advanced Distance Vector; OSPF: Link State
Subnet Mask - RIP: Classful (By Default); EIGRP: Classful (By Default); OSPF: Classless
Algorithm - RIP: Bellman-Ford; EIGRP: Diffusing Update (DUAL); OSPF: Dijkstra
AD Value - RIP: 120; EIGRP: 90; OSPF: 110
Maximum Hops - RIP: 15; EIGRP: 100 to 255; OSPF: Unlimited
Layer - RIP: Works on Transport Layer; EIGRP: Works on Network Layer; OSPF: Works on Network Layer
Port/Protocol No - RIP: 520; EIGRP: 88; OSPF: 89
Metric - RIP: Hop Counts; EIGRP: K-Values; OSPF: Cost
Multicast Address - RIP: 224.0.0.9; EIGRP: 224.0.0.10; OSPF: 224.0.0.5, 224.0.0.6
Neighborship Requirements - RIP: none; EIGRP: AS, K-Values, Authentication; OSPF: Area ID, Hello Interval, Dead Time, Authentication
Timers - RIP: Update 30 sec, Invalid 180 sec, Hold 180 sec, Flush 240 sec; EIGRP: Hello 5 sec, Hold 15 sec; OSPF: Hello 10 sec, Dead 40 sec
Authentication - RIP: Version 1 - No Authentication, Version 2 - Plain Text & MD5; EIGRP: MD5; OSPF: Type 0, Plain Text, MD5
ASA Firewall Interview Questions and Answers [CCIE]
What is a Firewall? A firewall is a device that is placed between a trusted and an untrusted network. It denies or permits traffic that enters or leaves the network based on pre-configured policies. Firewalls protect inside networks from unauthorized access by users on an outside network. A firewall can also protect inside networks from each other, for example by keeping a management network separate from a user network.
What is the difference between Gateway and Firewall? A gateway joins two networks together and a network firewall protects a network against unauthorized incoming or outgoing access. Network firewalls may be hardware devices or software programs.
Firewalls work at which Layers? Firewalls work at layer 3, 4 & 7.
What is the difference between Stateful & Stateless Firewall? Stateful firewall - A stateful firewall is aware of the connections that pass through it. It adds and maintains information about users' connections in a state table, referred to as a connection table. It then uses this connection table to implement the security policies for users' connections. Examples of stateful firewalls are PIX, ASA, Checkpoint. Stateless firewall (Packet Filtering) - Stateless firewalls, on the other hand, do not look at the state of connections but just at the packets themselves. An example of a packet filtering firewall is the Extended Access Control Lists on Cisco IOS Routers.
What information does a Stateful Firewall maintain? A stateful firewall maintains the following information in its state table:- 1. Source IP address. 2. Destination IP address. 3. IP protocol like TCP, UDP. 4. IP protocol information such as TCP/UDP Port Numbers, TCP Sequence Numbers, and TCP Flags.
What are the security-levels in Cisco ASA? ASA uses security levels to determine the trustworthiness of a network attached to the respective interface. The security level can be configured between 0 and 100, where higher numbers are more trusted than lower. By default, the ASA allows traffic from a higher security level to a lower security level only.
How can we allow packets from lower security level to higher security level (Override Security Levels)? We use ACLs to allow packets from a lower security level to a higher security level.
Is same security level traffic allowed or denied in ASA? By default same security level traffic is not allowed. To allow it we use the command:- ASA(config)# same-security-traffic permit inter-interface
What is the security level of Inside and Outside Interface by default? The security level of the Inside interface by default is 100. The security level of the Outside interface by default is 0.
What protocols are inspected by ASA? By default, TCP and UDP are inspected by ASA.
Does ASA inspect ICMP? No, ASA does not inspect ICMP by default.
Explain DMZ (Demilitarized Zone) Server? If we need some network resources such as a Web server or FTP server to be available to outside users, we place these resources on a separate network behind the firewall called a demilitarized zone (DMZ). The firewall allows limited access to the DMZ, but because the DMZ only includes the public servers, an attack there only affects the servers and does not affect the inside network.
How does a firewall process a packet? 1. When a packet is received on the ingress interface, the ASA checks if it matches an existing entry in the connection table. If it does, protocol inspection is carried out on that packet. 2. If it does not match an existing connection and the packet is either a TCP-SYN packet or a UDP packet, the packet is subjected to ACL checks. The reason it needs to be a TCP-SYN packet is because a SYN packet is the first packet in the TCP 3-way handshake. Any other TCP packet that isn't part of an existing connection is likely an attack. 3. If the packet is allowed by ACLs and is also verified by translation rules, the packet goes through protocol inspection. 4. Then, the IP header is translated if NAT is used and, if the NAT rule specifies an egress interface, the ASA will virtually forward the packet to this egress interface and then perform a route lookup. 5. If a route is found that specifies the egress interface, then the Layer-2 header of the packet is re-written and the packet is forwarded out the egress interface.
What are the values for timeout of TCP session, UDP session, ICMP session? TCP session - 60 minutes, UDP session - 2 minutes, ICMP session - 2 seconds.
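The packet-flow steps, the security-level defaults and the idle timeouts from the questions above, combined in one Python model; this is an added example and not ASA code, and the interface names, security levels, routes, ACL entries and addresses are constructed. NAT and protocol inspection are left out, so the model only shows the connection-table lookup, the TCP-SYN rule, the ACL/security-level decision and the route lookup.

```python
import ipaddress
from dataclasses import dataclass

# Idle timeouts from the answer above, in seconds: TCP 60 min, UDP 2 min, ICMP 2 s
IDLE_TIMEOUT = {"tcp": 60 * 60, "udp": 2 * 60, "icmp": 2}


@dataclass(frozen=True)
class Packet:
    ingress: str        # interface the packet arrived on
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False   # TCP SYN, i.e. the first packet of the 3-way handshake


class StatefulFirewall:
    """Constructed model of the ASA forwarding decision (not ASA code)."""

    def __init__(self, levels, routes, acls, same_security_inter=False):
        self.levels = levels                      # interface -> security level (0..100)
        self.routes = {i: ipaddress.ip_network(n) for i, n in routes.items()}
        self.acls = acls                          # ingress interface -> [(proto, dst_net, dport)]
        self.same_security = same_security_inter  # same-security-traffic permit inter-interface
        self.conns = {}                           # 5-tuple -> time last seen

    def egress_for(self, dst):
        """Route lookup: the longest matching prefix decides the egress interface."""
        addr = ipaddress.ip_address(dst)
        hits = [(net.prefixlen, iface) for iface, net in self.routes.items() if addr in net]
        return max(hits)[1] if hits else None

    def lookup_conn(self, pkt, now):
        """Find a live connection-table entry in either direction, expiring idle ones."""
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        for key in (fwd, rev):
            if key in self.conns:
                if now - self.conns[key] > IDLE_TIMEOUT[pkt.proto]:
                    del self.conns[key]           # idle too long: the connection is gone
                    return None
                self.conns[key] = now
                return key
        return None

    def acl_permits(self, pkt):
        """Evaluate the ACL applied inbound on the ingress interface (implicit deny at the end)."""
        addr = ipaddress.ip_address(pkt.dst)
        for proto, net, port in self.acls[pkt.ingress]:
            if (proto in ("any", pkt.proto) and addr in ipaddress.ip_network(net)
                    and port in ("any", pkt.dport)):
                return True
        return False

    def process(self, pkt, now=0.0):
        """Return (verdict, reason) for one packet and update the connection table."""
        if self.lookup_conn(pkt, now):
            return "permit", "matches existing connection"
        if pkt.proto == "tcp" and not pkt.syn:
            return "drop", "TCP non-SYN packet without a connection"
        egress = self.egress_for(pkt.dst)
        if egress is None or egress == pkt.ingress:
            return "drop", "no route to destination or same interface"
        if pkt.ingress in self.acls:              # an applied ACL replaces the level defaults
            allowed, reason = self.acl_permits(pkt), "ACL on ingress interface"
        elif self.levels[pkt.ingress] > self.levels[egress]:
            allowed, reason = True, "higher to lower security level"
        elif self.levels[pkt.ingress] == self.levels[egress]:
            allowed, reason = self.same_security, "same security level"
        else:
            allowed, reason = False, "lower to higher security level needs an ACL"
        if allowed:
            self.conns[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
        return ("permit" if allowed else "deny"), reason


def build_sample():
    """Constructed topology: inside 100, dmz 50, outside 0; the outside ACL only opens
    HTTPS to the DMZ web server 192.168.1.10."""
    return StatefulFirewall(
        levels={"inside": 100, "dmz": 50, "outside": 0},
        routes={"inside": "10.0.0.0/8", "dmz": "192.168.1.0/24", "outside": "0.0.0.0/0"},
        acls={"outside": [("tcp", "192.168.1.10/32", 443)]},
    )


if __name__ == "__main__":
    fw = build_sample()
    print(fw.process(Packet("outside", "tcp", "198.51.100.7", "10.0.0.5", 5555, 22, syn=True)))
    print(fw.process(Packet("inside", "tcp", "10.0.0.5", "198.51.100.7", 40000, 80, syn=True)))
    print(fw.process(Packet("outside", "tcp", "198.51.100.7", "10.0.0.5", 80, 40000), now=10))
```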
Explain TCP Flags? While troubleshooting TCP connections through the ASA, the connection flags shown for each TCP connection provide information about the state of TCP connections to the ASA.
What is the command to see timeout timers? # sh run timeout
What is the Difference between ports in ASA 8.4 and ASA 8.2? In ASA 8.4 all ports are Gig ports and in ASA 8.2 all are Ethernet ports.
What is the command to check connection table? # sh conn
How ASA works in reference to Traceroute? ASA does not decrement the TTL value in traceroute because it does not want to give its information to others for security purposes. It forwards the packet without decrementing the TTL value.
What if we apply ACL as global in ASA? It will be applied on all interfaces in the inbound direction. The Global option is only in ASA 8.4, not in ASA 8.2.
What is the difference in ACL on ASA than on Router? In a router, if we delete one access-control entry the whole ACL will be deleted. In ASA, if we delete one access-control entry the whole ACL will not be deleted.
Name some concepts that cannot be configured on ASA? Line VTY cannot be configured on ASA. The wildcard mask concept is not present in ASA. Loopback cannot be configured on ASA.
What is the command to capture packets in ASA? To capture packets from the inside interface:- # capture abc interface inside. To see it:- # sh capture abc
What is the command to enable HTTP on ASA? # http server enable
How to give static route on ASA? # route outside < Next Hop>
How to give default route on ASA? # route outside 0 0 < Next Hop>
What are the different types of ACL in Firewall? 1. Standard ACL 2. Extended ACL 3. Ethertype ACL (Transparent Firewall) 4. Webtype ACL (SSL VPN)
What is Transparent Firewall? In Transparent Mode, ASA acts as a Layer 2 device like a bridge or switch and forwards Ethernet frames based on the destination MAC address.
What is the need of Transparent Firewall? If we want to deploy a new firewall into an existing network it can be a complicated process due to various issues like IP address reconfiguration, network topology changes, the current firewall etc. We can easily insert a transparent firewall in an existing segment and control traffic between two sides without having to readdress or reconfigure the devices.
What are the similarities between switch and ASA (in Transparent mode)? Both learn which MAC addresses are associated with which interface and store them in a local MAC address table.
What are the differences between switch and ASA (in Transparent mode)? ASA does not flood unknown unicast frames that are not found in the MAC address table. ASA does not participate in STP. A switch processes traffic at layer 1 & layer 2 while ASA can process traffic from layer 1 to layer 7.
What are the features that are not supported in Transparent mode? 1. Dynamic Routing. 2. Multicasting. 3. QOS. 4. VPNs like IPSec and WebVPN cannot be terminated. 5. ASA cannot act as DHCP relay agent.
Explain Ether-Type ACL? In Transparent mode, unlike TCP/IP traffic for which security levels are used to permit or deny traffic, all non-IP traffic is denied by default. We create an Ether-Type ACL to allow non-IP traffic. We can control traffic like BPDU, IPX etc. with an Ether-Type ACL.
What is the command to convert ASA into Transparent mode? # firewall transparent
What is the command to see ASA mode (routed or transparent)? # sh firewall
Explain Failover? Failover is a Cisco proprietary feature. It is used to provide redundancy. It requires two identical ASAs to be connected to each other through a dedicated failover link. The health of the active interfaces and units is monitored to determine whether failover has occurred or not.
What are types of Failover? 1. Active/Standby Failover. 2. Active/Active Failover.
What information is exchanged between ASAs over a Failover link? 1. State - Active or standby. 2. Hello Messages. 3. Network Link Status. 4. MAC Addresses. 5. Configuration Replication and Synchronization.
What is the difference between Stateful failover and Stateless failover? Stateless Failover - When failover occurs all active connections are dropped. Clients need to re-establish connections when the new active unit takes over. Stateful Failover - The active unit continually passes per-connection state information to the standby unit. After a failover occurs, the same connection information is available at the new active unit. Clients are not required to reconnect to keep the same communication session.
What Information does the Active unit pass to the standby unit in Stateful Failover? NAT translation table, TCP connection states, the ARP table, the Layer 2 bridge table (when running in transparent firewall mode), ICMP connection state etc.
What are the Failover Requirements between two devices? Hardware Requirements - The two units in a failover configuration must be the same model and should have the same number and types of interfaces. Software Requirements - The two units in a failover configuration must be in the same operating modes (routed or transparent, single or multiple context). They must have the same software version.
Explain Active/Standby Failover? In Active/Standby Failover, one unit is the active unit which passes traffic. The standby unit does not actively pass traffic. When failover occurs, the active unit fails over to the standby unit, which then becomes active. We can use Active/Standby Failover for ASAs in both single and multiple context mode.
Explain Active/Active Failover? It is only available for ASAs in multiple context mode. In an Active/Active Failover configuration, both ASAs can pass network traffic. In Active/Active Failover, we divide the security contexts on the ASA into Failover Groups. A Failover Group is simply a logical group of one or more security contexts. Each group is assigned to be active on a specific ASA in the failover pair. When failover occurs, it occurs at the Failover Group level.
What is the command to enable Failover? # failover
What is the command to see Failover? # sh failover
Explain Unit Health Monitoring in Failover? How Failover occurs? The ASA unit determines the health of the other unit by monitoring the failover link. When a unit does not receive three consecutive hello messages on the failover link, it sends hello messages on each interface, including the failover interface, to find out whether or not the other unit is responsive. Based upon the response from the other unit it takes the following actions:- 1. If the ASA receives a response on the failover interface, then it does not fail over. 2. If the ASA does not receive a response on the failover link, but it does receive a response on another interface, then the unit does not fail over. The failover link is marked as failed. 3. If the ASA does not receive a response on any interface, then the standby unit switches to active mode and classifies the other unit as failed.
How active unit is determined in Active/Standby Failover? 1. If a unit boots and detects another unit already running as active, it becomes the standby unit. 2. If a unit boots and does not detect an active unit, it becomes the active unit. 3. If both units boot simultaneously, then the primary unit becomes the active unit, and the secondary unit becomes the standby unit.
Name some commands replicated to standby unit? All configuration commands except for mode, firewall, and failover lan unit are replicated to the standby unit. # copy running-config startup-config # write memory
Name some commands that are not replicated to standby unit? All forms of the copy command except for # copy running-config startup-config, and all forms of the write command except for # write memory.
Explain Active/Standby Failover & Active/Active Failover in terms of preemption? In Active/Standby Failover there is no preemption. In Active/Active Failover preemption is optional.
Explain Security Context? We can partition a single ASA into multiple virtual devices, known as Security Contexts. Each context acts as an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices.
What features are supported in multiple context mode? Routing tables, Firewall features, IPS, and Management.
What features are not supported in multiple context mode? VPN and Dynamic Routing Protocols.
Explain System area? When we boot up in multiple mode from the CLI, we are taken into the system area. The system area is used to create and manage the contexts, configure the physical properties of the interfaces, create VLANs for trunking, create resource classes to restrict the context system resource usage. What is the admin context? When the appliance boots up, one context is automatically created called Admin Context which defaults to being the administrative context. Any context can be made administrative context. One of the contexts on our appliance must be the administrative context. An “*” beside a context name indicates that the context is the administrative context.
How does the ASA classify packets?
The ASA determines which context should process an incoming packet as follows: 1.Unique Interfaces - If only one context is associated with the ingress interface, the ASA classifies the packet into that context. 2.Unique MAC Addresses - If multiple contexts share an interface, then the interface MAC address is used as the classifier. The ASA lets us assign a different MAC address in each context to the same shared interface. By default, shared interfaces do not have unique MAC addresses. We can set the MAC addresses manually or we can automatically generate MAC addresses with the # mac-address auto command. 3.NAT Configuration - If we do not use unique MAC addresses, then the mapped addresses in our NAT configuration are used to classify packets.

What is the command to switch to multiple context mode?
# mode multiple
After entering this command the appliance will reboot itself and our current configuration is automatically backed up to flash in case we want to switch back to single mode. The file is called “old_running.cfg”.

What is the command to switch back to single mode?
# mode single
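The three classification rules above are applied in order, and a packet that no single rule can pin to exactly one context is dropped. The following is an added example, not code from the original page or from Cisco, that models that decision procedure with constructed contexts, interface names and MAC addresses (all hypothetical):

```python
# Added example (not from the original page): a small model of the three-step
# context classifier described above, with constructed contexts and packets.
from dataclasses import dataclass, field


@dataclass
class Context:
    name: str
    interfaces: set                                  # interfaces allocated to this context
    mac_by_intf: dict = field(default_factory=dict)  # shared interface -> unique MAC (if assigned)
    nat_mapped: set = field(default_factory=set)     # mapped addresses from this context's NAT config


def classify(packet, contexts):
    """Return the name of the context that should process `packet`, or None when
    no rule yields exactly one context (the ASA drops such packets)."""
    # 1. Unique interface: only one context owns the ingress interface.
    owners = [c for c in contexts if packet["ingress"] in c.interfaces]
    if len(owners) == 1:
        return owners[0].name
    if not owners:
        return None
    # 2. Unique MAC address: the destination MAC selects among contexts sharing the interface.
    by_mac = [c for c in owners
              if c.mac_by_intf.get(packet["ingress"]) == packet["dst_mac"]]
    if len(by_mac) == 1:
        return by_mac[0].name
    # 3. NAT configuration: a mapped address found in exactly one context's NAT config.
    by_nat = [c for c in owners if packet["dst_ip"] in c.nat_mapped]
    if len(by_nat) == 1:
        return by_nat[0].name
    return None


# Constructed sample: ctxA owns g0/1 alone; ctxA and ctxB share g0/0.
# ctxA has a unique MAC on g0/0 (as if assigned by "mac-address auto"); ctxB relies on NAT.
CONTEXTS = [
    Context("ctxA", {"g0/0", "g0/1"}, {"g0/0": "00:aa:00:00:00:01"}, {"203.0.113.10"}),
    Context("ctxB", {"g0/0"}, {}, {"203.0.113.20"}),
]


def demo():
    """Classify a few constructed packets; returns the chosen context per case."""
    cases = {
        "unique-interface": {"ingress": "g0/1", "dst_mac": "ff:ff:ff:ff:ff:ff", "dst_ip": "10.0.0.1"},
        "unique-mac":       {"ingress": "g0/0", "dst_mac": "00:aa:00:00:00:01", "dst_ip": "10.0.0.1"},
        "nat-mapped":       {"ingress": "g0/0", "dst_mac": "00:aa:00:00:00:99", "dst_ip": "203.0.113.20"},
        "unclassifiable":   {"ingress": "g0/0", "dst_mac": "00:aa:00:00:00:99", "dst_ip": "198.51.100.1"},
    }
    return {name: classify(p, CONTEXTS) for name, p in cases.items()}


if __name__ == "__main__":
    for case, ctx in demo().items():
        print(f"{case:18} -> {ctx}")
```

The last case is the one worth remembering in a design review: a shared interface without unique MACs and without a matching mapped address leaves the packet unclassifiable, so traffic to that context silently disappears.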
What are the different types of NAT in ASA?
Static NAT - A consistent mapping between a real and a mapped IP address. It allows bidirectional traffic initiation. Dynamic NAT - A group of real IP addresses is mapped to a (usually smaller) group of mapped IP addresses on a first-come, first-served basis. It allows only unidirectional traffic initiation. Dynamic Port Address Translation (PAT) - A group of real IP addresses is mapped to a single IP address using a unique source port of that IP address. Identity NAT - A real address is statically translated to itself, essentially bypassing NAT.

What is Policy NAT?
Policy NAT allows you to NAT by specifying both the source and destination addresses in an extended access list. We can also optionally specify the source and destination ports. Regular NAT can only consider the source addresses, not the destination address. In Static NAT it is called Static Policy NAT. In Dynamic NAT it is called Dynamic Policy NAT.

Give the order of preference between different types of translation in NAT?
1.NAT exemption (NAT zero). 2.Existing xlate. 3.Static - Static Identity NAT, Static Policy NAT, Static NAT, Static PAT. 4.Dynamic - Dynamic Policy NAT, Dynamic NAT, Dynamic PAT.
What is the difference between Auto NAT & Manual NAT?
Auto NAT (Network Object NAT) - It only considers the source address while performing NAT. So, Auto NAT is only used for Static or Dynamic NAT. Auto NAT is configured within an object. Manual NAT (Twice NAT) - Manual NAT considers either only the source address or the source and destination address while performing NAT. It can be used for almost all types of NAT, like NAT exempt, policy NAT etc. Unlike Auto NAT, which is configured within an object, Manual NAT is configured directly from the global configuration mode.

Give the NAT order in terms of Auto NAT & Manual NAT?
NAT is ordered in 3 sections. Section 1 – Manual NAT. Section 2 – Auto NAT. Section 3 – Manual NAT After-Auto.

What is the command to see NAT translations?
# sh xlate

What is the command to see the NAT table?
# sh nat

What is the command to see both the NAT table and the connection table?
# sh local-host
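Because the three sections are evaluated top-down and the first match wins, a Section 1 Manual NAT rule beats a more specific Auto NAT static for the same host. The following is an added example, not code from the original page or from Cisco, that orders a constructed rule set into those sections and performs the first-match lookup. The intra-section ordering it applies inside Section 2 (static before dynamic, then fewest real addresses, then lowest address, then object name) is ASA behaviour that the page above does not state; the rule names and addresses are constructed.

```python
# Added example (not from the original page): ordering NAT rules into the three
# sections described above and finding the first match, with constructed rules.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class NatRule:
    name: str
    section: int                # 1 = Manual NAT, 2 = Auto NAT, 3 = Manual NAT after-auto
    real_src: str               # real (untranslated) source addresses, CIDR
    mapped: str                 # mapped address or pool (for display only here)
    static: bool = True
    dst: Optional[str] = None   # Manual NAT may also match a destination (Sections 1/3 only)
    order: int = 0              # configured line order inside Sections 1 and 3


def nat_table(rules):
    """Return rules in the order they are evaluated. Sections 1 and 3 keep their
    configured order; Section 2 is sorted static-before-dynamic, then fewest real
    addresses, then lowest address, then object name (ASA ordering; assumption
    noted in the lead-in, not stated on the page)."""
    def key(r):
        net = ipaddress.ip_network(r.real_src)
        if r.section == 2:
            return (2, 0 if r.static else 1, net.num_addresses,
                    int(net.network_address), r.name)
        return (r.section, r.order, 0, 0, "")
    return sorted(rules, key=key)


def translate(src, dst, table):
    """First-match lookup: returns the name of the rule that applies, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in table:
        if s in ipaddress.ip_network(r.real_src) and \
           (r.dst is None or d in ipaddress.ip_network(r.dst)):
            return r.name
    return None


# Constructed rule set using RFC 5737 documentation addresses.
RULES = [
    NatRule("INSIDE-PAT", 2, "10.1.1.0/24", "203.0.113.1", static=False),
    NatRule("WEB-STATIC", 2, "10.1.1.10/32", "203.0.113.10"),
    NatRule("VPN-EXEMPT", 1, "10.1.1.0/24", "10.1.1.0/24", dst="10.2.2.0/24", order=1),
    NatRule("CATCH-ALL", 3, "10.0.0.0/8", "203.0.113.2", static=False, order=1),
]
TABLE = nat_table(RULES)


def demo():
    """Evaluation order plus four constructed lookups."""
    return {
        "order": [r.name for r in TABLE],
        "to-vpn-peer": translate("10.1.1.10", "10.2.2.5", TABLE),
        "web-to-internet": translate("10.1.1.10", "198.51.100.1", TABLE),
        "host-to-internet": translate("10.1.1.20", "198.51.100.1", TABLE),
        "other-subnet": translate("10.5.5.5", "198.51.100.1", TABLE),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:17}: {v}")
```

Note how the web server's traffic to the VPN peer hits the Section 1 identity rule even though a Section 2 static exists for that exact host; placing an exemption in the wrong section is the usual cause of "NAT broke my tunnel".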
VPN Interview Questions and Answers
What is VPN?
A Virtual Private Network (VPN) creates a secure network connection over a public network such as the internet. It allows devices to exchange data through a secure virtual tunnel. It uses a combination of security features like encryption, authentication, tunneling protocols, and data integrity to provide secure communication between participating peers.

What is Authentication, Confidentiality & Integrity?
Authentication - Verifies that the packet received is actually from the claimed sender. It verifies the authenticity of the sender. Pre-shared Key and Digital Certificate are some methods that can be used for authentication. Integrity - Ensures that the contents of the packet have not been altered in between by a man-in-the-middle. Hashing algorithms include MD5, SHA. Confidentiality - Encrypts the message content through encryption so that data is not disclosed to unauthorized parties. Encryption algorithms include DES (Data Encryption Standard), 3DES (Triple-DES), AES (Advanced Encryption Standard).

What is Symmetric and Asymmetric Encryption?
In symmetric encryption, a single key is used both to encrypt and decrypt traffic. It is also referred to as shared key or shared secret encryption. Symmetric encryption algorithms include DES, 3DES, AES. In asymmetric encryption two keys are used to encrypt and decrypt traffic, one for encryption and one for decryption. The most common asymmetric encryption algorithm is RSA.

What is IPSec VPN?
IP Security Protocol VPN means VPN over IP Security. It allows two or more users to communicate in a secure manner by authenticating and encrypting each IP packet of a communication session. IPsec provides data confidentiality, data integrity and data authentication between participating peers.

At what layer does IPsec work?
IPsec secures IP traffic at Layer 3 (Network Layer) of the OSI model.

Name a major drawback of IPSec?
IPSec only supports unicast IP traffic.
What is the difference between Transport and Tunnel mode?
Tunnel mode - Protects data in network-to-network or site-to-site scenarios. It encapsulates and protects the entire IP packet, the payload including the original IP header, and adds a new IP header (protects the entire IP payload including user data). Transport mode - Protects data in host-to-host or end-to-end scenarios. In transport mode, IPsec protects the payload of the original IP datagram by excluding the IP header (only protects the upper-layer protocols of the IP payload (user data)). IPSec protocols AH and ESP can operate in either transport mode or tunnel mode.

What are the three main security services that IPSec VPN provides?
IPsec offers the following security services: 1.Peer Authentication. 2.Data confidentiality. 3.Data integrity.
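The mode difference is easiest to see on the wire: in tunnel mode the whole original packet, header included, sits inside the ESP payload behind a new outer header, while in transport mode the original header stays in front with its protocol field changed to ESP. The following is an added example, not code from the original page or from any IPsec implementation, that builds both layouts by hand. It leaves the ESP payload in clear and uses a zero placeholder for the ICV, so it demonstrates header placement and the ESP trailer's Next Header byte only, with constructed addresses and SPIs.

```python
# Added example (not from the original page): where the ESP header lands in tunnel
# mode versus transport mode. Packets are built by hand with struct; the ESP payload
# is left in clear and the ICV is a zero placeholder, so this shows layout only.
import struct

ESP, IPIP, TCP = 50, 4, 6          # IP protocol numbers
ICV_LEN = 12                       # ICV length stand-in (e.g. HMAC-SHA1-96)


def _ip2b(addr):
    return bytes(int(x) for x in addr.split("."))


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, ttl, proto, 0,
                      _ip2b(src), _ip2b(dst))
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return hdr[:10] + struct.pack("!H", (~s) & 0xFFFF) + hdr[12:]


def parse_ipv4(pkt):
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"total_len": f[2], "proto": f[6],
            "src": ".".join(map(str, f[8])), "dst": ".".join(map(str, f[9]))}


def ipv4_checksum_ok(pkt):
    """One's-complement sum over the header including its checksum must be 0xFFFF."""
    s = sum(struct.unpack("!10H", pkt[:20]))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s == 0xFFFF


def esp_encapsulate(payload, next_header, spi, seq):
    """ESP header (SPI, sequence number) + payload + trailer (padding, pad length,
    next header) + ICV placeholder. RFC 4303 layout; no cipher or MAC is applied."""
    pad_len = (-(len(payload) + 2)) % 4           # align pad-length/next-header to 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq) + payload + trailer + b"\x00" * ICV_LEN


def esp_tunnel(inner_pkt, outer_src, outer_dst, spi, seq):
    """Tunnel mode: the whole original packet (header included) becomes the ESP
    payload and a new outer IP header is prepended; Next Header = 4 (IP-in-IP)."""
    esp = esp_encapsulate(inner_pkt, IPIP, spi, seq)
    return ipv4_header(outer_src, outer_dst, ESP, 20 + len(esp)) + esp


def esp_transport(inner_pkt, spi, seq):
    """Transport mode: the original IP header is kept (protocol field now 50), ESP is
    inserted after it and only the upper-layer payload is protected."""
    ip = parse_ipv4(inner_pkt)
    esp = esp_encapsulate(inner_pkt[20:], ip["proto"], spi, seq)
    return ipv4_header(ip["src"], ip["dst"], ESP, 20 + len(esp)) + esp


def esp_next_header(pkt):
    """Read back the Next Header byte from the ESP trailer (just before the ICV)."""
    return pkt[-ICV_LEN - 1]


# Constructed inner packet: 10.1.1.10 -> 10.2.2.20 carrying a 20-byte TCP header stand-in.
INNER = ipv4_header("10.1.1.10", "10.2.2.20", TCP, 40) + b"\x00" * 20
TUNNEL = esp_tunnel(INNER, "192.0.2.1", "198.51.100.1", spi=0x1001, seq=1)
TRANSPORT = esp_transport(INNER, spi=0x1002, seq=1)

if __name__ == "__main__":
    for name, pkt in (("tunnel", TUNNEL), ("transport", TRANSPORT)):
        h = parse_ipv4(pkt)
        print(f"{name}: {len(pkt)} bytes, outer {h['src']} -> {h['dst']}, "
              f"proto {h['proto']}, ESP next header {esp_next_header(pkt)}")
```

The outer header that tunnel mode adds is exactly the part ESP does not cover, which is the drawback noted further down the page; in transport mode the untouched original header carries the real endpoint addresses in clear.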
Define Digital Signatures?
A digital signature is an attachment to an electronic message used for security purposes. It is used to verify the authenticity of the sender.

What is Authorization?
Authorization is a security mechanism used to determine user/client privileges or access levels related to network resources, including firewalls, routers, switches and application features. Authorization is normally preceded by authentication, and during authorization it is the system that verifies an authenticated user's access rules and either grants or refuses resource access.
What is Site to Site and Remote Access VPN?
A site-to-site VPN allows offices in multiple locations to establish secure connections with each other over a public network such as the Internet. Remote Access VPN allows remote users to connect to the Headquarters through a secure tunnel that is established over the Internet. The remote user is able to access internal, private web pages and perform various IP-based network tasks. There are two primary methods of deploying Remote Access VPN: 1.Remote Access IPsec VPN. 2.Remote Access Secure Sockets Layer (SSL) VPN.

What are the 3 protocols used in IPSec?
1.Authentication Header (AH). 2.Encapsulating Security Payload (ESP). 3.Internet Key Exchange (IKE).
Explain IPsec Protocol Headers?
1.Encapsulating Security Payload (ESP) - It is an IP-based protocol which uses IP protocol number 50 for communication between IPsec peers. ESP is used to protect the confidentiality, integrity and authenticity of the data and offers anti-replay protection. Drawback - ESP does not provide protection to the outer IP header. 2.Authentication Header (AH) - It is also an IP-based protocol, using IP protocol number 51 for communication between IPsec peers. AH is used to protect the integrity and authenticity of the data and offers anti-replay protection. Unlike ESP, AH provides protection to the IP header also. Drawback - AH does not provide confidentiality protection.

How do ESP & AH provide anti-replay protection?
Both ESP and AH protocols provide anti-replay protection based on sequence numbers. The sender increments the sequence number after each transmission, and the receiver checks the sequence number and rejects the packet if it is out of sequence.

What is IKE?
It is a hybrid protocol that implements the Oakley and SKEME key exchanges inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. It defines the mechanism for creating and exchanging keys. IKE derives authenticated keying material and negotiates SAs that are used for the ESP and AH protocols.

At what protocol does IKE work?
IKE uses UDP port 500.

Explain how IKE/ISAKMP works?
IKE is a two-phase protocol:
Phase 1 - IKE phase 1 negotiates the following: 1.It protects the phase 1 communication itself (using crypto and hash algorithms). 2.It generates the session key using Diffie-Hellman groups. 3.Peers authenticate each other using pre-shared keys, public key encryption, or digital signatures. 4.It also protects the negotiation of phase 2 communication. There are two modes in IKE phase 1: Main mode - A total of six messages are exchanged in main mode for establishing the phase 1 SA. Aggressive mode - It is faster than main mode as only three messages are exchanged in this mode to establish the phase 1 SA. It is faster but less secure. At the end of phase 1, a bidirectional ISAKMP/IKE SA (phase 1 SA) is established for IKE communication.
Phase 2 - IKE phase 2 protects the user data and establishes the SA for IPsec. There is one mode in IKE phase 2: Quick mode - In this mode three messages are exchanged to establish the phase 2 IPsec SA. At the end of phase 2 negotiations, two unidirectional IPsec SAs (phase 2 SAs) are established for user data, one for sending and another for receiving encrypted data.

Explain the message exchange between the peers in IKE/ISAKMP?
Phase 1 - Main Mode
MESSAGE 1: Initiator offers a policy proposal which includes encryption, authentication and hashing algorithms (like AES or 3DES, PSK or PKI, MD5 or RSA). MESSAGE 2: Responder presents policy acceptance (or not). MESSAGE 3: Initiator sends the Diffie-Hellman key and nonce. MESSAGE 4: Responder sends the Diffie-Hellman key and nonce. MESSAGE 5: Initiator sends ID, pre-shared key or certificate exchange for authentication. MESSAGE 6: Responder sends ID, pre-shared key or certificate exchange for authentication. Only the first four messages are exchanged in clear text. After that all messages are encrypted.
Phase 2 - Quick Mode
MESSAGE 7: Initiator sends Hash, IPSec Proposal, ID, nonce. MESSAGE 8: Responder sends Hash, IPSec Proposal, ID, nonce. MESSAGE 9: Initiator sends signature, hash, ID. All messages in Quick mode are encrypted.

What is Diffie-Hellman?
DH is a public-key cryptography protocol which allows two parties to establish a shared secret over an insecure communications channel. Diffie-Hellman is used within IKE to establish session keys and is a component of Oakley.
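Returning to the anti-replay check that ESP and AH perform (described under the IPsec protocol headers above): "rejects the packet if it is out of sequence" is implemented as a sliding window over recently seen sequence numbers, because IP can legitimately reorder packets. The following is an added example, not code from the original page or from any IPsec stack, of that window in the style of RFC 4303, run over a constructed arrival order. It also shows the one ordering rule that matters for safety: the window is only advanced after the integrity check succeeds.

```python
# Added example (not from the original page): the sliding anti-replay window that
# an ESP/AH receiver keeps per SA (RFC 4303 style), with a constructed arrival order.


class ReplayWindow:
    """Tracks received sequence numbers for one inbound SA."""

    def __init__(self, size=64):
        self.size = size     # window width in sequence numbers
        self.top = 0         # highest sequence number accepted so far
        self.bitmap = 0      # bit i set => sequence number (top - i) was accepted

    def check(self, seq):
        """Pre-check before integrity verification: is this seq acceptable?"""
        if seq == 0:                          # ESP/AH sequence numbers start at 1
            return False
        if seq > self.top:
            return True                       # newer than anything seen: fine
        offset = self.top - seq
        if offset >= self.size:
            return False                      # too old: fell off the window
        return not (self.bitmap >> offset) & 1   # inside window: reject duplicates

    def update(self, seq):
        """Record seq; call only after the ICV has been verified."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, seq, icv_ok):
        """Full receive path: window pre-check, then integrity check, then update.
        The window must not advance on packets that fail the ICV; otherwise a forged
        high sequence number would push legitimate in-flight packets out as 'too old'."""
        if not self.check(seq):
            return False
        if not icv_ok:
            return False
        self.update(seq)
        return True


def simulate(size=4):
    """Constructed arrival order (seq, icv_ok): out-of-order delivery, a replay,
    a forged high sequence number and a packet that aged out of the window.
    Returns the per-packet accept decisions and the final window top."""
    arrivals = [(1, True), (3, True), (2, True), (3, True),
                (10, False), (5, True), (1, True), (4, True)]
    w = ReplayWindow(size)
    results = [w.receive(seq, ok) for seq, ok in arrivals]
    return results, w.top


if __name__ == "__main__":
    accepted, top = simulate()
    print("accepted:", accepted, "window top:", top)
```

With a window of 4 the replayed 3 and the stale 1 are rejected, the reordered 2 and 4 are accepted, and the unauthenticated 10 leaves the window untouched so that 5 and 4 still fit.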
How does Diffie-Hellman work?
Each side has a private key, which is never passed, and a Diffie-Hellman key (a public key used for encryption). When both sides want to do a key exchange they send their public key to each other. For example, Side A gets the public key of Side B, then using RSA it creates a shared key which can only be opened on Side B with Side B's private key. So, even if somebody intercepts the shared key he will not be able to reverse engineer it, as only the private key of Side B will be able to open it.

What are Security Associations?
The SAs define the protocols and algorithms to be applied to sensitive packets and specify the keying material to be used by the two peers. SAs are unidirectional and are established per security protocol (AH or ESP).

What is a Transform set?
An IKE transform set is a combination of security protocols and algorithms. During the IPsec SA negotiation, the peers agree to use a particular transform set for protecting a particular data flow.

What are Crypto access lists?
Crypto access lists specify which IP traffic is protected by crypto and which traffic is not protected by crypto. To protect IP traffic the "permit" keyword is used in an access list. If the traffic is not to be protected then the "deny" keyword is used in the access list.

What are Crypto maps?
A crypto map is used to pull together the various parts used to set up IPsec SAs, including: 1.Which traffic should be protected by IPsec (crypto access list). 2.Where IPsec-protected traffic should be sent (remote IPsec peer). 3.What IPsec SA should be applied to this traffic (transform sets). Multiple interfaces can share the same crypto map set in case we want to apply the same policy to multiple interfaces. If more than one crypto map entry is created for a given interface, the sequence number of each map entry ranks the entries: the lower the seq-num argument, the higher the priority.
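The description above gives the intuition; the arithmetic that IKE actually performs in phase 1 is modular exponentiation in an agreed group, and the value each peer sends (the "Diffie-Hellman key" in messages 3 and 4) is g^private mod p. The following is an added example, not code from the original page or from any IKE implementation, that runs the exchange with the classic textbook parameters (p=23, g=5) and with a toy 255-bit prime; the prime, the nonce handling and the single-SHA-256 key derivation are simplifications for illustration, not an IKE group or IKE's PRF construction.

```python
# Added example (not from the original page): the Diffie-Hellman computation that
# IKE uses, shown with the classic textbook numbers (p=23, g=5) and with a toy
# 255-bit group. Real IKE uses standardised groups (e.g. DH group 14, 2048-bit MODP).
import hashlib
import secrets

TOY_P = 2**255 - 19       # a prime, used here only as a toy modulus (not an IKE group)
TOY_G = 2


def dh_public(p, g, priv):
    """Public value g^priv mod p; priv never leaves the host."""
    return pow(g, priv, p)


def peer_value_ok(p, pub):
    """Reject 0, 1 and p-1: a peer sending these forces a predictable shared secret."""
    return 1 < pub < p - 1


def dh_shared(p, priv, peer_pub):
    """Shared secret peer_pub^priv mod p; identical on both sides."""
    if not peer_value_ok(p, peer_pub):
        raise ValueError("peer public value out of range")
    return pow(peer_pub, priv, p)


def session_key(shared, nonce_i, nonce_r):
    """Derive keying material from the shared secret and both nonces. IKE runs its
    PRF over these inputs; a single SHA-256 is a simplification for illustration."""
    s = shared.to_bytes((shared.bit_length() + 7) // 8, "big")
    return hashlib.sha256(s + nonce_i + nonce_r).hexdigest()


def run_exchange(p=TOY_P, g=TOY_G):
    """Both peers pick private values, swap public values and nonces, and derive
    the same key; returns True when the two derived keys match."""
    a = secrets.randbelow(p - 2) + 1           # initiator private value, kept local
    b = secrets.randbelow(p - 2) + 1           # responder private value, kept local
    pub_a, pub_b = dh_public(p, g, a), dh_public(p, g, b)      # sent over the wire
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    key_a = session_key(dh_shared(p, a, pub_b), nonce_i, nonce_r)
    key_b = session_key(dh_shared(p, b, pub_a), nonce_i, nonce_r)
    return key_a == key_b


if __name__ == "__main__":
    # Textbook walk-through: A=5^6 mod 23 = 8, B=5^15 mod 23 = 19, shared secret 2.
    print(dh_public(23, 5, 6), dh_public(23, 5, 15), dh_shared(23, 6, 19), dh_shared(23, 15, 8))
    print("toy exchange agrees:", run_exchange())
```

An eavesdropper who sees p, g, pub_a and pub_b still has to solve the discrete logarithm to recover either private value, which is what makes the exchanged values safe to send in the clear during main mode messages 3 and 4.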
How do you check the status of the tunnel's phase 1 & 2?
Use the following commands to check the status of the tunnel phases: Phase 1 - show crypto isakmp sa. Phase 2 - show crypto ipsec sa.
What is IPsec Virtual Tunnel Interface?
IPsec VTI is the concept of using a dedicated IPsec interface, called the IPsec Virtual Tunnel Interface, for highly scalable IPsec-based VPNs. IPsec VTI provides a routable interface for terminating IPsec tunnels. VTI also allows the encryption of multicast traffic with IPsec. There are two types of IPsec VTI interfaces: 1.Static VTI (SVTI): This can be used for site-to-site IPsec-based VPNs. 2.Dynamic VTI (DVTI): DVTI replaces dynamic crypto maps. It can be used for remote-access VPNs.

What is the difference between Static Crypto Maps and Dynamic Crypto Maps?
Static Crypto Maps are used when peers are predetermined. They are basically used in IPSec site-to-site VPNs. Dynamic crypto maps are used with networks where the peers are not always predetermined. They are basically used in IPSEC Remote Access VPNs.

What is Cisco Easy VPN?
Remote Access VPN when implemented with IPsec is called Cisco Easy VPN. Easy VPN is easy to set up, with minimal configuration required at the remote client site. Cisco Easy VPN allows us to define centralized security policies at the head-end VPN device (VPN Server) which are then pushed to the remote site VPN device upon connection.

What is DMVPN?
DMVPN allows IPsec VPN networks to better scale hub-to-spoke and spoke-to-spoke topologies, optimizing the performance and reducing latency for communications between sites. It offers the following benefits: 1.It optimizes network performance. 2.It reduces router configuration on the hub. 3.Support for dynamic routing protocols running over the DMVPN tunnels. 4.Support for multicast traffic from hub to spokes. 5.The capability of establishing direct spoke-to-spoke IPsec tunnels for communication between sites without having the traffic go through the hub.

What are the three phases of DMVPN?
Phase 1 - In phase 1 we use NHRP so that spokes can register themselves with the hub. Only the hub uses a multipoint GRE interface; all spokes use regular point-to-point GRE tunnel interfaces, which means that there is no direct spoke-to-spoke communication, all traffic has to go via the hub. The only advantage of the phase 1 setup is the fact that the hub router's configuration is much simpler. Summarization is possible in phase 1. Phase 2 - In phase 2 all spoke routers also use multipoint GRE tunnels, so we do have direct spoke-to-spoke tunneling. When a spoke router wants to communicate with another spoke it sends an NHRP resolution request to the hub to find the NBMA IP address of the other spoke. Summarization is not possible in phase 2.
Full Process 1.Spoke 1 forwards a packet with a next hop which is another spoke (spoke 2). There is no NHRP map entry for this spoke so an NHRP resolution request is sent to the hub. 2.The request from spoke 1 contains the tunnel IP address of the spoke 2 so the hub relays the request to spoke 2. 3.Spoke 2 receives the request, adds its own address mapping to it and sends it as an NHRP reply directly to spoke 1. 4.Spoke 2 then sends its own NHRP resolution request to the hub that relays it to spoke 1. 5.Spoke 1 receives the request from spoke 2 via the hub and replies by adding its own mapping to it and sending it directly to spoke 2. Spoke to Spoke tunnel is established.
Phase 3 - In phase 3 an NHRP redirect configured on the hub tells the initiator spoke to look for a better path to the destination spoke. On receiving the NHRP redirect message the spokes communicate with each other over the hub and they get their NHRP replies for the NHRP Resolution Requests that they sent out. NHRP shortcut configured on the spoke updates the CEF table. It basically changes the next-hop value for a remote spoke from the initial hub tunnel IP address to the NHRP-resolved tunnel IP address of the remote spoke. Summarization is possible in phase 3.

Explain Next Hop Resolution Protocol (NHRP)?
It is a Layer 2 protocol which is used to map a tunnel IP address to an NBMA address. It functions similarly to ARP. The hub maintains an NHRP database of the public addresses for each spoke. When a spoke boots up, it registers its real address with the hub and queries the NHRP database for the real addresses of other spokes so that they can build direct tunnels.

What is GRE?
Generic Routing Encapsulation Protocol is a tunneling protocol developed by Cisco designed to encapsulate IP unicast, multicast and broadcast packets. It uses IP protocol number 47.

Name a major drawback of both GRE & L2TP?
No encryption.
What is SSL VPN? How is it different from IPsec VPN?
SSL VPN provides remote access connectivity from any internet-enabled device through a standard web browser and its native SSL encryption. It does not require any special client software at a remote site. In IPsec VPN the connection is initiated using preinstalled VPN client software, so it requires installation of special client software. In SSL VPN the connection is initiated through a web browser, so it does not require any special-purpose VPN client software; only a web browser is required.

At which layer does SSL VPN operate?
SSL is an Application layer (Layer 7) cryptographic protocol that provides secure communications over the Internet for web browsing, e-mail and other traffic. It uses TCP port 443.

What are the different SSL VPN modes?
SSL VPN can be deployed in one of the following three modes: 1.Clientless mode - It works at Layer 7. Clientless mode provides secure access to web resources and web-based content. This mode can be used for accessing most content that you would expect to access in a web browser, such as the Internet, databases and online tools. Clientless mode also supports Common Internet File System (CIFS). Clientless mode is limited to web-based content only. It does not provide access to TCP connections such as SSH or Telnet. 2.Thin client mode - It works at Layer 7 and is also known as port forwarding. Thin client mode provides remote access to TCP-based services such as Telnet, Secure Shell (SSH), Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP) and Post Office Protocol (POP3) applications. The thin client is delivered via a Java applet that is dynamically downloaded from the SSL VPN appliance upon session establishment. 3.Thick client mode - It works at Layer 3 and is also known as tunnel mode or full tunneling client. The thick client mode provides extensive application support through dynamically downloaded SSL VPN Client software or the Cisco AnyConnect VPN client software from the VPN server appliance. This mode delivers a lightweight, centrally configured, and easy-to-support SSL VPN tunneling client that provides full network layer (Layer 3) access to virtually any application.

Explain SSL Handshake?
1.The client initiates by sending a CLIENT HELLO message which contains the SSL versions that the client supports, in what order the client prefers the versions, the cipher suites (cryptographic algorithms) supported by the client, and a random number. 2.The server sends back a SERVER HELLO message which contains the version number (the server selects the SSL version that is supported by both the server and the client), the cipher suite (the server selects the best cipher suite that is supported by both of them), a session ID, and random data. 3.The server also sends its PKI certificate for authenticating itself, signed and verified by a Certificate Authority, along with the public key for encryption. 4.The server then sends Server Hello Done, indicating that the server has finished sending its hello messages and is waiting for a response from the client. 5.The client sends its certificate if the server has also requested client authentication in the server hello message. 6.The client sends a Client Key Exchange message after calculating the premaster secret with the help of the random values of both the server and the client. This message is sent encrypted with the server's public key which was shared through the hello message. The server decrypts the premaster secret with its private key. Now both client and server perform a series of steps to generate session keys (symmetric) which will be used for encryption and decryption of data exchanged during the SSL session and also to verify its integrity. 7.The client sends a CHANGE CIPHER SUITE message informing the server that future messages will be encrypted using the session key. 8.The client sends a CLIENT FINISH (DONE) message indicating that the client is done. 9.The server also sends a CHANGE CIPHER SUITE message. 10.The client also sends a CLIENT FINISH (DONE) message.