
[CCNA]

List the Layers of OSI Model?


Application Layer, Presentation Layer, Session Layer, Transport Layer, Network Layer, Data Link Layer,
Physical Layer.

What are the Functions of Transport, Network and Data Link Layer?
Transport layer
1. It segments and reassembles data from upper-layer applications and combines it into the same data stream.
2. It provides end-to-end data transport services.
3. It establishes a logical connection between the sending host and the destination host on an internetwork.
4. It ensures data integrity at the Transport layer by maintaining flow control.

Network layer
1. The Network layer (layer 3) manages device addressing.
2. It tracks the location of devices on the network.
3. It determines the best way to move data between devices that are not locally attached.
4. Routers function at the Network layer to provide routing services within an internetwork.

Data link layer


1. The Data Link layer is responsible for the physical transmission of the data.
2. It handles error notification and flow control.
3. The Data Link layer ensures that messages are delivered to the proper device on a LAN using MAC addresses.
4. It translates messages from the Network layer into bits for the Physical layer to transmit.
5. The Data Link layer formats the message into a data frame and adds a customized header containing the
hardware destination and source address.

Which Layer is responsible for Reliable connection?


Transport Layer

What are the different protocols that work at each of the layers of the OSI Model?
Physical Layer
ISDN (Integrated Services Digital Network), ADSL (Asymmetric Digital Subscriber Line), Universal Serial Bus,
Bluetooth, Controller Area Network, Ethernet.

Data Link layer


Spanning Tree Protocol, VLAN Trunking Protocol, Dynamic Trunking Protocol, HDLC, PPP, Frame Relay, Token
Ring.
Network Layer
ICMP, IGMP, IPV4, IPV6, IPSEC, OSPF, EIGRP, RIP, BGP.

Transport Layer
TCP, UDP, GRE.

Session Layer
NFS (Network File System).

Presentation Layer
Data encryption/decryption, Data compression, Data Conversion Protocols

Application Layer
DNS, DHCP, FTP, HTTP, NTP, SNMP, SMTP, TELNET, TFTP, SSH.

What is a port number and give some examples?


TCP & UDP must use port numbers to communicate with upper layers because these are what keep track of
different conversations crossing the network simultaneously.

PROTOCOL    PORT NUMBER(S)
FTP         20, 21
TELNET      23
SMTP        25
DNS         53
DHCP        67 (DHCP Server), 68 (DHCP Client)
TFTP        69
HTTP        80
POP3        110
NTP         123
IMAP4       143
SNMP        161
BGP         179
HTTPS       443
RIP         520

What is the Range of Port Numbers?
Well Known Ports - 0 to 1023
Registered Ports - 1024 to 49151
Open Ports - 49152 to 65535

What is a Protocol Number and give some examples?


In IPV4 There is a Field called Protocol to identify the Next Level Protocol. In IPV6 this Field is called "Next
Header" Field.

PROTOCOL    PROTOCOL NUMBER
ICMP        1
IGMP        2
IPV4        4
TCP         6
EGP         8
IGP         9
UDP         17
IPV6        41
GRE         47
EIGRP       88
OSPF        89
VRRP        112

Define Unicast, Multicast and Broadcast?


Broadcast is the term used to describe communication where a piece of information is sent to all nodes on
the network.
Multicast is the term used to describe communication where a piece of information is sent from a single
source and transmitted to many devices but not all devices.
Unicast is the term used to describe communication where a piece of information is sent to a single
destination host.

What is the difference between Half-duplex and Full-duplex?


Half Duplex - Data can flow in both directions, but not simultaneously; at any one time data can flow in only
one direction. Example - Hub.
Full Duplex - Data can flow in both directions simultaneously. Example - Switch.

What is the MAC format?


It is a 12-hex-digit, 48-bit (6-byte) hardware address written in hexadecimal format.
It consists of two parts -
The first 24 bits, the OUI (Organizationally Unique Identifier), are assigned by IEEE.
The last 24 bits are the manufacturer-assigned code.

What is a Frame?
The Data Link layer formats the message into pieces, each called a data frame, and adds a customized header
containing the hardware source and destination address.

What is TCP/IP Model?


TCP/IP is a four-layer standard model.
The four layers of TCP/IP model are Application layer, Transport layer, Internet layer, Network access layer

What are the protocols that are included by each layer of TCP/IP model?

Layer of TCP/IP model    Protocols
Application Layer        DNS, DHCP, FTP, TFTP, SMTP, HTTP, Telnet, SSH
Transport Layer          TCP, UDP
Internet Layer           IP, ICMP, IGMP
Network Access Layer     Ethernet, Token Ring, FDDI, X.25, Frame Relay, ARP, RARP

What is ARP?
Address Resolution Protocol (ARP) is a network protocol, which is used to map a network layer protocol
address (IP Address) to a data link layer hardware address (MAC Address). ARP basically resolves IP address to
the corresponding MAC address.

ARP works at which layer and Why?


ARP works at data link layer (Layer 2). ARP is implemented by the network protocol driver and its packets are
encapsulated by Ethernet headers and transmitted.

Explain the use of ARP?


If a host in an Ethernet network wants to communicate with another host, it can communicate only if it knows
the MAC address of the other host. ARP is used to get the MAC address of a host from its IP address.

What is an ARP Table (cache)?


ARP maintains a table that contains the mappings between IP address and MAC address. This Table is called
ARP Table.

What is the Source & Destination IP address in ARP Request and ARP Reply packet?
ARP Request
Source - MAC address of the host which transmitted the ARP Request packet (sender's MAC address).
Destination - FF:FF:FF:FF:FF:FF (broadcast).

ARP Reply
Source - MAC address of the host replying to the ARP Request.
Destination - MAC address of the host which generated the ARP Request packet.

What is the Size of an ARP Request and ARP Reply packet?


The size of an ARP request or ARP reply packet is 28 bytes.

How can we differentiate between an ARP Request packet and an ARP Reply packet?
We can differentiate ARP request packet from an ARP reply packet using the 'operation' field in the ARP
packet. For ARP Request it is 1 and for ARP Reply it is 2.

What is Proxy ARP?


Proxy ARP is the process in which one system responds to the ARP request for another system.
Example - Host A sends an ARP request to resolve the IP address of Host B. Instead of Host B, Host C
responds to this ARP request.

What is Gratuitous ARP? Why it is used?


When a host sends an ARP request to resolve its own IP address, it is called Gratuitous ARP. In the ARP
request packet, the source IP address and destination IP address are both filled with the host's own source IP
address. The destination MAC address is the broadcast address (FF:FF:FF:FF:FF:FF).
Gratuitous ARP is used by the host after it is assigned an IP address by a DHCP server to check whether another
host in the network already has the same IP address. If the host does not get an ARP reply for the gratuitous
ARP request, it means no other host is configured with the same IP address. If the host gets an ARP reply,
it means another host is also configured with the same IP address.
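The following is an added example, not part of the original CCNA notes. It packs and parses the 28-byte Ethernet/IPv4 ARP packet described above, reads the operation field (1 = request, 2 = reply), flags a gratuitous request (sender IP equal to target IP) and, from the defender's side, lists IP addresses that more than one MAC has claimed, which is the duplicate the gratuitous probe is looking for. Every MAC and IP address in it is constructed.

```python
"""Build, parse and classify 28-byte Ethernet/IPv4 ARP packets.

Added example (not from the original page). Addresses and traffic below are constructed.
"""
import struct
from ipaddress import IPv4Address

ARP_REQUEST = 1          # operation field value for a request
ARP_REPLY = 2            # operation field value for a reply

# Ethernet (hardware type 1) / IPv4 (protocol type 0x0800) ARP body:
# htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4) = 28 bytes
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)   # 28


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Pack one ARP packet; sha/spa = sender MAC/IP, tha/tpa = target MAC/IP."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       mac_to_bytes(sha), IPv4Address(spa).packed,
                       mac_to_bytes(tha), IPv4Address(tpa).packed)


def parse_arp(pkt: bytes) -> dict:
    if len(pkt) != ARP_LEN:
        raise ValueError(f"expected {ARP_LEN}-byte ARP packet, got {len(pkt)}")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"oper": oper,
            "sha": bytes_to_mac(sha), "spa": str(IPv4Address(spa)),
            "tha": bytes_to_mac(tha), "tpa": str(IPv4Address(tpa))}


def classify(arp: dict) -> str:
    """'request', 'reply' or 'gratuitous' (a request whose sender IP equals its target IP)."""
    if arp["oper"] == ARP_REQUEST:
        return "gratuitous" if arp["spa"] == arp["tpa"] else "request"
    if arp["oper"] == ARP_REPLY:
        return "reply"
    return "unknown"


def find_ip_conflicts(packets) -> dict:
    """Defender's view of the duplicate-address check: map each sender IP to every MAC
    that claimed it. An IP claimed by more than one MAC is exactly what a host's
    gratuitous ARP probe is trying to discover."""
    claims = {}
    for pkt in packets:
        arp = parse_arp(pkt)
        claims.setdefault(arp["spa"], set()).add(arp["sha"])
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}


# Constructed sample traffic (not a real capture)
SAMPLE = [
    build_arp(ARP_REQUEST, "00:11:22:33:44:55", "192.168.1.10",
              "00:00:00:00:00:00", "192.168.1.1"),          # who has .1?
    build_arp(ARP_REPLY, "aa:bb:cc:dd:ee:01", "192.168.1.1",
              "00:11:22:33:44:55", "192.168.1.10"),         # .1 is at aa:bb:...
    build_arp(ARP_REQUEST, "00:11:22:33:44:55", "192.168.1.10",
              "00:00:00:00:00:00", "192.168.1.10"),         # gratuitous probe for own IP
    build_arp(ARP_REPLY, "de:ad:be:ef:00:01", "192.168.1.10",
              "00:11:22:33:44:55", "192.168.1.10"),         # another MAC answers for .10
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        a = parse_arp(pkt)
        print(f"{classify(a):10} {a['sha']} {a['spa']} -> {a['tha']} {a['tpa']}")
    print("IP addresses claimed by more than one MAC:", find_ip_conflicts(SAMPLE))
```

The target MAC of a request is left as all zeros inside the ARP body; the FF:FF:FF:FF:FF:FF broadcast the notes mention is the destination of the Ethernet frame that carries it.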

What is Reverse ARP?


Reverse ARP is used to obtain Device's IP address when its MAC address is already Known.

What is Inverse ARP?


Inverse ARP dynamically maps local DLCIs to remote IP addresses when Frame Relay is configured.

IP Addressing Interview Questions and Answers

What is an IP address and its format?


An IP address is a software address assigned to each machine on an IP network. It specifies the location of
a device on the network. It allows hosts on one network to communicate with a host on a different network.
It is 32 bits of information. These 32 bits are divided into four sections referred to as octets or bytes. Each
octet contains 1 byte (8 bits).
An IP address can be depicted using one of three methods:
1. Dotted-decimal, example - 172.16.30.56
2. Binary - 10101100.00010000.00011110.00111000
3. Hexadecimal - AC.10.1E.38

What are the different Classes of IP address and give the range of each class?
There are five classes of IP addresses:-
Class A - 1 to 127 (127 cannot be used as it is Loopback Address)
Class B - 128 to 191
Class C - 192 to 223
Class D - 224 to 239 (MULTICAST ADDRESSES)
Class E - 240 to 255 (RESEARCH & DEVELOPMENT)

Class A address 127.0.0.0 to 127.255.255.255 are reserved for loopback addresses.

What are Private addresses and Give range of Private Addresses?


These addresses can be used only on a private network. They cannot be routed through the Internet. Private IP
addresses are designed for security and they also save valuable IP address space.
Class A - 10.0.0.0 to 10.255.255.255
Class B - 172.16.0.0 to 172.31.255.255
Class C - 192.168.0.0 to 192.168.255.255

What is subnet mask?


A subnet mask is a 32-bit value that allows the recipient of IP packets to distinguish the network ID portion of
the IP address from the host ID portion of the IP address.
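As an added example covering the three IP address questions above (it is not code from the original notes), the functions below convert the notes' own address 172.16.30.56 between dotted-decimal, binary and hexadecimal, report its class using the first-octet ranges listed above, test for the three private ranges, and use a subnet mask to separate the network ID from the host ID. Sample addresses are constructed.

```python
"""IPv4 address notation, address class, private ranges and subnet-mask split.

Added example (not from the original page); sample addresses are constructed.
"""


def octets(ip: str) -> list:
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"bad dotted-decimal address: {ip!r}")
    return [int(p) for p in parts]


def to_binary(ip: str) -> str:
    """172.16.30.56 -> 10101100.00010000.00011110.00111000"""
    return ".".join(f"{o:08b}" for o in octets(ip))


def to_hex(ip: str) -> str:
    """172.16.30.56 -> AC.10.1E.38"""
    return ".".join(f"{o:02X}" for o in octets(ip))


def ip_class(ip: str) -> str:
    """Classful range of the first octet, as listed in the notes."""
    first = octets(ip)[0]
    if first == 127:
        return "A (loopback)"
    if 1 <= first <= 126:
        return "A"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    if 224 <= first <= 239:
        return "D (multicast)"
    if first >= 240:
        return "E (reserved)"
    return "reserved (0.0.0.0/8)"


def is_private(ip: str) -> bool:
    """RFC 1918 ranges: 10/8, 172.16/12, 192.168/16."""
    a, b, _, _ = octets(ip)
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def ip_to_int(ip: str) -> int:
    return int.from_bytes(bytes(octets(ip)), "big")


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_length(mask: str) -> int:
    """Count the 1-bits of a subnet mask and reject non-contiguous masks like 255.0.255.0."""
    m = ip_to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones


def split(ip: str, mask: str) -> dict:
    """Use the mask to separate the network ID (AND) from the host ID (AND-NOT)."""
    a, m = ip_to_int(ip), ip_to_int(mask)
    host_bits = ~m & 0xFFFFFFFF
    return {"prefix": prefix_length(mask),
            "network": int_to_ip(a & m),
            "host": int_to_ip(a & host_bits),
            "broadcast": int_to_ip(a | host_bits)}


if __name__ == "__main__":
    ip = "172.16.30.56"            # the notes' own example address
    print(to_binary(ip), to_hex(ip), ip_class(ip), is_private(ip))
    print(split(ip, "255.255.255.0"))
```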

ICMP Interview Questions and Answers

What is the Internet Control Message Protocol?


ICMP is basically a management protocol and messaging service provider for IP. It can provide Hosts with
information about network problems.

ICMP works at which layer?


It works at Network Layer.

Which two fields in the ICMP header are used to identify the intent of an ICMP message?
Type and Code.

What are various ICMP messages?


1. Destination Unreachable.
2. Buffer Full.
3. Hops/Time Exceeded.
4. Ping.
5. Traceroute.
How does Traceroute work?
1. First, Traceroute creates a UDP packet from the source to the destination with a TTL value of 1.
2. The packet reaches the first router, where the router decrements the value of TTL by 1, making the packet's TTL
value 0, because of which the packet gets dropped.
3. As the packet gets dropped, the router sends an ICMP message [Hop/Time Exceeded] back to the source.
4. This is how Traceroute comes to know the first router's address and the time taken for the round trip.
5. It sends two more packets in the same way to get the average round-trip time. The first round trip takes longer
than the other two due to the delay in ARP finding the physical address; the address stays in the ARP cache
during the second and the third time and hence the process speeds up.
6. These steps take place again and again until the destination has been reached. The only change is that
the TTL is incremented by 1 each time the UDP packet is sent to the next router/host.
7. Once the destination is reached, a Time Exceeded ICMP message is NOT sent back this time because the
destination has already been reached.
8. But the UDP packet used by Traceroute specifies a destination port number that is not usually used for
UDP. So, when the destination verifies the headers of the UDP packet, the packet gets dropped because of
the improper port being used, and an ICMP message [Destination Unreachable] is sent back to the source.
9. When Traceroute encounters this message, it understands that the destination is reached. Also, the
destination is reached 3 times to get the average round-trip time.
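The procedure above, as an added example that is not part of the original notes: a small simulation of a path of routers in which each probe carries a TTL, every router decrements it and answers with ICMP Time Exceeded (type 11, code 0) when it reaches zero, and the destination answers with ICMP Port Unreachable (type 3, code 3) because nothing listens on the probed UDP port. One router in the constructed path never replies, which is what produces the * columns in real output; the hop addresses are constructed.

```python
"""Simulated traceroute: UDP probes with increasing TTL, ICMP Time Exceeded from each
router, ICMP Port Unreachable from the destination.

Added example (not from the original page). Hop addresses are constructed.
"""

TIME_EXCEEDED = (11, 0)       # ICMP type 11 / code 0: TTL exceeded in transit
PORT_UNREACHABLE = (3, 3)     # ICMP type 3 / code 3: UDP port not in use
TRACEROUTE_BASE_PORT = 33434  # the high UDP port traceroute probes by default


class Hop:
    def __init__(self, ip, replies=True, udp_ports=()):
        self.ip = ip
        self.replies = replies        # a hop that filters/rate-limits ICMP shows up as '*'
        self.udp_ports = set(udp_ports)


def send_probe(path, ttl, dst_port):
    """Forward one UDP probe along path (routers..., destination).

    Returns (icmp_type_code, replying_ip), or None when the responsible hop stays silent."""
    routers, dest = path[:-1], path[-1]
    for router in routers:
        ttl -= 1                                  # every router decrements TTL
        if ttl == 0:                              # ...and drops the packet at zero
            return (TIME_EXCEEDED, router.ip) if router.replies else None
    # Packet arrived at the destination with TTL >= 1, so no Time Exceeded here.
    if dst_port in dest.udp_ports:
        return None                               # a listener consumes it: no ICMP at all
    return (PORT_UNREACHABLE, dest.ip) if dest.replies else None


def traceroute(path, max_hops=30, nprobes=3, dst_port=TRACEROUTE_BASE_PORT):
    """Return one row per TTL: (ttl, [replying ip or None, one entry per probe])."""
    rows = []
    for ttl in range(1, max_hops + 1):
        replies = [send_probe(path, ttl, dst_port) for _ in range(nprobes)]
        rows.append((ttl, [r[1] if r else None for r in replies]))
        if any(r and r[0] == PORT_UNREACHABLE for r in replies):
            break                                 # destination reached: stop
    return rows


def render(rows):
    """Format rows like the traceroute tool: TTL, then one column per probe."""
    return "\n".join(f"{ttl:2d}  " + "  ".join(ip or "*" for ip in ips) for ttl, ips in rows)


# Constructed path: three routers (the second never answers) and then the target host
PATH = [Hop("10.0.0.1"), Hop("10.0.1.1", replies=False), Hop("10.0.2.1"), Hop("203.0.113.7")]

if __name__ == "__main__":
    print(render(traceroute(PATH)))
```

If the probed port happens to be open on the destination, no Port Unreachable comes back and the trace runs on to max_hops, which is why the tool deliberately uses a port that is normally unused.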

Why there are three columns in traceroute results?


Three probes (the count can be changed with the -q flag) are sent at each TTL setting, and a line is printed
showing the TTL, the address of the gateway and the round-trip time of each probe (so three values, or three *
where no reply was received).

Which ICMP message confirms the traceroute is completed?


Destination Unreachable Message

IP Header Interview Questions and Answers

What is the importance of the identification field in the IP packet?


This is used to identify each fragmented packet so that destination device can rearrange the whole
communication in order.

Which device can reassemble the packet?


This is done only by the ultimate destination of the IP message.

What is IP datagram?
The term IP datagram describes a unit of IP data. Each IP datagram has a set of fields arranged in order.
An IP datagram has the following fields: Version, Header Length, Type of Service, Total Length, Checksum, Flags,
Protocol, Time to Live, Identification, Source IP Address and Destination IP Address, Padding, Options and Payload.

What is MTU (Maximum Transmission Unit)?
The maximum transmission unit (MTU) of an interface tells Cisco IOS the largest IP packet that can be
forwarded out on that interface.

What is Fragmentation ?
Fragmentation is the process of breaking IP packets into smaller pieces (fragments). Fragmentation is
required when the datagram is larger than the MTU. Each fragment then becomes a datagram in itself and is
transmitted independently from the source. These datagrams are reassembled by the destination.

How the packet is reassembled?


1. When a host receives an IP fragment, it stores this fragment in a reassembly buffer based on its fragment
offset field.
2. Once all the fragments of the original IP datagram are received, the datagram is processed.
3. On receiving the first fragment, a reassembly timer is started.
4. If this reassembly timer expires before all the fragments are received, then the datagram is discarded.

What is the importance of DF, MF flag?


Don't Fragment bit
If the DF bit is set, fragmentation is not allowed.
When a router needs to forward a packet larger than the outgoing interface's MTU, the router either
fragments the packet or discards it. If the IP header's Don't Fragment (DF) bit is set, fragmentation is
not allowed and the router discards the packet. If the DF bit is not set, fragmentation is allowed and
the router can perform Layer 3 fragmentation on the packet.

More fragments bit


If the MF bit is set to 1, it means more fragments are coming. If it is set to 0, this is the last fragment.
All fragments that belong to an IP datagram have the More Fragments bit set except for the final fragment.
The final fragment does not have the More Fragments bit set, indicating that it is the last fragment. This is
how the end host comes to know that it has collected all the fragments of the IP datagram.
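The fragmentation, reassembly, DF and MF behaviour described in the questions above, as one added example (not code from the original notes): a datagram too large for the outgoing MTU is cut into pieces whose offsets are multiples of 8 bytes, MF is set on every piece but the last, a DF-marked oversize datagram is discarded instead, and the receiver reassembles by offset, accepts fragments in any order, and drops an incomplete datagram when its reassembly timer expires. The payload, MTU and timestamps are constructed.

```python
"""IP fragmentation (DF/MF flags, fragment offset) and reassembly with a timer.

Added example (not from the original page). Payload, MTU and timings are constructed.
"""
from dataclasses import dataclass

IP_HEADER_LEN = 20            # header without options


@dataclass
class Fragment:
    ident: int                # Identification field: same for all pieces of one datagram
    df: bool                  # Don't Fragment
    mf: bool                  # More Fragments
    offset: int               # Fragment Offset, in 8-byte units
    payload: bytes


def fragment(ident: int, payload: bytes, mtu: int, df: bool = False) -> list:
    """Split a datagram so that header + piece fits the outgoing MTU.

    Raises if DF is set and the datagram does not fit: a router discards such a packet."""
    if IP_HEADER_LEN + len(payload) <= mtu:
        return [Fragment(ident, df, False, 0, payload)]       # no fragmentation needed
    if df:
        raise ValueError(f"DF set and {len(payload)} bytes exceed MTU {mtu}: discard")
    chunk = (mtu - IP_HEADER_LEN) // 8 * 8     # all but the last piece carry multiples of 8
    frags = []
    for start in range(0, len(payload), chunk):
        piece = payload[start:start + chunk]
        more = start + chunk < len(payload)      # MF=1 unless this is the final piece
        frags.append(Fragment(ident, False, more, start // 8, piece))
    return frags


class Reassembler:
    """Reassembly buffers keyed by Identification, each with a reassembly timer."""

    def __init__(self, timeout: float = 30.0):
        self.timeout = timeout
        self.buffers = {}     # ident -> {"started": t, "parts": {offset: bytes}, "total": int|None}

    def receive(self, frag: Fragment, now: float):
        """Store a fragment; return the full payload once every byte is present, else None."""
        buf = self.buffers.setdefault(frag.ident, {"started": now, "parts": {}, "total": None})
        buf["parts"][frag.offset] = frag.payload
        if not frag.mf:                                  # the last piece reveals the total size
            buf["total"] = frag.offset * 8 + len(frag.payload)
        if buf["total"] is None:
            return None
        data, covered = bytearray(buf["total"]), 0
        for off, part in buf["parts"].items():
            data[off * 8:off * 8 + len(part)] = part
            covered += len(part)
        if covered != buf["total"]:
            return None                                  # holes remain: keep waiting
        del self.buffers[frag.ident]
        return bytes(data)

    def expire(self, now: float) -> list:
        """Discard datagrams whose reassembly timer ran out; return their identifiers."""
        dead = [i for i, b in self.buffers.items() if now - b["started"] >= self.timeout]
        for i in dead:
            del self.buffers[i]
        return dead


PAYLOAD = bytes(range(256)) * 10      # constructed 2560-byte datagram payload

if __name__ == "__main__":
    frags = fragment(ident=0x1234, payload=PAYLOAD, mtu=576)
    for f in frags:
        print(f"id={f.ident:#06x} MF={int(f.mf)} offset={f.offset:3d} ({f.offset * 8:4d} B) len={len(f.payload)}")
    r = Reassembler()
    for f in reversed(frags):                 # arrive out of order: the offset puts them right
        out = r.receive(f, now=0.0)
    print("reassembled OK:", out == PAYLOAD)
```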

What is the purpose of fragment offset?


It is used to define the Size of each Fragmented Packet.

What is the importance of TTL value?


It defines how long a packet can travel in the network. It is the number of hops that the IP datagram will go
through before being discarded. At every hop the TTL value is decremented by 1. When this field becomes zero,
the datagram is discarded. This behavior helps prevent routing loops. The typical value for a TTL field is 32 or
64.

What does the protocol field determine in the IP packet?


The Protocol field is an 8-bit field that identifies the next level protocol. It Indicates to which upper-layer
protocol this datagram should be delivered.
Example - TCP, UDP.
TCP Interview Questions and Answers (Transmission Control Protocol)

What is TCP?
Transmission Control Protocol is a connection-oriented protocol. This means that before any data transfer can
take place, certain parameters have to be negotiated in order to establish the connection.

Explain TCP Three Way Handshake process?

For a reliable connection the transmitting device first establishes a connection-oriented (reliable) session with
its peer system, which is called the three-way handshake. Data is then transferred. When the data transfer is
finished, the connection is terminated and the virtual circuit is torn down.
1. In the first part of the three-way handshake, the source sends a TCP SYN segment with initial sequence
number X, indicating the desire to open the connection.
2. In the second part, when the destination receives the TCP SYN, it acknowledges it with ACK (X+1) as well as its
own SYN Y (it informs the source what sequence number it will start its data with and use in further messages).
This response is called SYN/ACK.
3. In the third part, the source sends an ACK (ACK = Y+1) segment to the destination indicating that the connection
is set up. Data transfer can then begin.

During this 3 way Handshake, Devices are negotiating parameters like Window Size etc.

What does Window Size indicate?


It is 16-bit Window field which indicates the number of bytes a sender will send before receiving an
acknowledgment from the receiver.

What is the purpose of RST bit?


When the connection is not allowed by the destination, the connection is reset.

What are TCP Flags?


TCP Flags are used to influence the Flow of Data across a TCP Connection.
1. PUSH (PSH) - It pushes the buffered data to the receiver's application. If data is to be sent on an immediate
basis, we push it.
2. Reset (RST) - It resets the connection.
3. Finish (FIN) - It finishes the session. It means no more data from the sender.
4. Urgent (URG) - It is used to set the priority, to tell the receiver that this data is important.
5. Acknowledgement (ACK) - All packets after the SYN packet sent by the client should have this flag set. ACK=10
means the host has received bytes 0 through 9 and is expecting byte 10 next.
6. Synchronize (SYN) - It initiates a connection. It synchronizes the sequence number.
What is the difference between PUSH and URG flag?
The PSH flag in the TCP header informs the receiving host that the data should be pushed up to the receiving
application immediately. The URG flag is used to inform a receiving station that certain data within a segment
is urgent and should be prioritized.

What is the importance of Sequence Number and Acknowledgement Number?


Sequence Number is a 32-bit field which indicates the amount of data that is sent during a TCP session. By
Sequence Number sender can be assured that the receiver received the data because the receiver uses this
sequence number as the acknowledgment number in the next segment it sends to acknowledge the received
data. When the TCP session starts, the initial sequence number can be any number in the range 0–
4,294,967,295.
Acknowledgment number is used to acknowledge the received data and is equal to the received sequence
number plus 1.
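The three-way handshake, the RST behaviour, the flag bits and the sequence/acknowledgement arithmetic from the TCP questions above, as one added example (not code from the original notes): two simulated endpoints exchange SYN (seq X), SYN/ACK (seq Y, ack X+1) and ACK (seq X+1, ack Y+1), a data segment is acknowledged with the next expected byte number, and a SYN sent to an endpoint that is not listening is answered with a reset. The flag bit values are the real TCP header bits; X, Y and the payload are constructed.

```python
"""TCP flags, three-way handshake and seq/ack bookkeeping, simulated in pure Python.

Added example (not from the original page). Initial sequence numbers are constructed.
"""
from dataclasses import dataclass

# Flag bit positions in the TCP header's flags byte
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
_NAMES = [(URG, "URG"), (ACK, "ACK"), (PSH, "PSH"), (RST, "RST"), (SYN, "SYN"), (FIN, "FIN")]


def flag_names(flags: int) -> str:
    return "|".join(name for bit, name in _NAMES if flags & bit) or "none"


@dataclass
class Segment:
    seq: int
    ack: int
    flags: int
    payload: bytes = b""


class TcpEndpoint:
    """Minimal connection state machine: CLOSED/LISTEN -> SYN_SENT/SYN_RECEIVED -> ESTABLISHED."""

    def __init__(self, isn: int):
        self.state = "CLOSED"
        self.snd_nxt = isn          # next sequence number we will send
        self.rcv_nxt = None         # next sequence number we expect (the value we ACK with)

    def listen(self):
        self.state = "LISTEN"

    def connect(self) -> Segment:
        """Step 1: send SYN carrying our initial sequence number X."""
        seg = Segment(self.snd_nxt, 0, SYN)
        self.snd_nxt += 1           # the SYN itself consumes one sequence number
        self.state = "SYN_SENT"
        return seg

    def send_data(self, data: bytes) -> Segment:
        assert self.state == "ESTABLISHED"
        seg = Segment(self.snd_nxt, self.rcv_nxt, PSH | ACK, data)
        self.snd_nxt += len(data)
        return seg

    def receive(self, seg: Segment):
        """Process one incoming segment; return the segment sent in response, or None."""
        if self.state == "LISTEN" and seg.flags == SYN:
            # Step 2: acknowledge X+1 and send our own initial sequence number Y
            self.rcv_nxt = seg.seq + 1
            reply = Segment(self.snd_nxt, self.rcv_nxt, SYN | ACK)
            self.snd_nxt += 1
            self.state = "SYN_RECEIVED"
            return reply
        if self.state == "SYN_SENT" and seg.flags == SYN | ACK:
            if seg.ack != self.snd_nxt:             # peer did not acknowledge X+1
                return Segment(seg.ack, 0, RST)
            # Step 3: ACK Y+1; the connection is up on our side
            self.rcv_nxt = seg.seq + 1
            self.state = "ESTABLISHED"
            return Segment(self.snd_nxt, self.rcv_nxt, ACK)
        if self.state == "SYN_RECEIVED" and seg.flags & ACK and seg.ack == self.snd_nxt:
            self.state = "ESTABLISHED"
            return None
        if self.state == "ESTABLISHED" and seg.flags & ACK and seg.seq == self.rcv_nxt:
            self.rcv_nxt += len(seg.payload)         # ACK = last byte received + 1
            return Segment(self.snd_nxt, self.rcv_nxt, ACK) if seg.payload else None
        # Anything else (e.g. a SYN to a port that is not listening) is refused with a reset
        return Segment(0, seg.seq + len(seg.payload) + (1 if seg.flags & SYN else 0), RST | ACK)


def handshake(client: TcpEndpoint, server: TcpEndpoint) -> list:
    """Run the three-way handshake and return the three segments in order."""
    syn = client.connect()
    synack = server.receive(syn)
    ack = client.receive(synack)
    server.receive(ack)
    return [syn, synack, ack]


if __name__ == "__main__":
    c, s = TcpEndpoint(isn=1000), TcpEndpoint(isn=5000)   # X = 1000, Y = 5000 (constructed)
    s.listen()
    for seg in handshake(c, s):
        print(f"{flag_names(seg.flags):8} seq={seg.seq} ack={seg.ack}")
    data = c.send_data(b"0123456789")
    print("server acks", s.receive(data).ack, "after 10 data bytes")
```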

ACL Interview Questions and Answers

What is ACL?
Access Control List is a packet filtering method that filters the IP packets based on source and destination
address. It is a set of rules and conditions that permit or deny IP packets to exercise control over network
traffic.

What are different Types of ACL?


There are two main types of Access lists:-
1.Standard Access List.
2.Extended Access List.

Explain Standard Access List?


Standard Access List examines only the source IP address in an IP packet to permit or deny that packet. It
cannot match other fields in the IP packet. A Standard Access List can be created using the access-list numbers
1-99 or the expanded range 1300-1999. A Standard Access List must be applied close to the destination. As we
are filtering based only on the source address, if we put the standard access-list close to the source host or
network then nothing would be forwarded from the source.

Example:-
R1(config)# access-list 10 deny host 192.168.1.1
R1(config)# int fa0/0
R1(config-if)# ip access-group 10 in

Explain Extended Access List?


Extended Access List filters the network traffic based on the Source IP address, Destination IP address, the
Protocol field at the Network layer and the port number field at the Transport layer. Extended Access Lists range
from 100 to 199, or 2000-2699 in the expanded range. An Extended Access List should be placed as close to the
source as possible. Since an extended access list filters traffic based on specific addresses (Source IP,
Destination IP) and protocols, we don't want our traffic to traverse the entire network just to be denied,
wasting bandwidth.

Example:-
R1(config)# access-list 110 deny tcp any host 192.168.1.1 eq 23
R1(config)# int fa0/0
R1(config-if)# ip access-group 110 in

Explain Named ACL and its advantages over Number ACL?


It is just another way of creating Standard and Extended ACLs. In a Named ACL, names are given to identify the
access-list.
It has the following advantage over a Numbered ACL - in a Named ACL we can give a sequence number, which means
we can insert a new statement in the middle of the ACL.
Example:-
R1(config)# ip access-list extended CCNA
R1(config-ext-nacl)# 15 permit tcp host 10.1.1.1 host 20.1.1.1 eq 23
R1(config-ext-nacl)# exit
This will insert the above statement at line 15.
R1(config)# int fa0/0
R1(config-if)# ip access-group CCNA in

What is Wildcard Mask?


A wildcard mask is used with an ACL to specify an individual host, a network, or a range of networks. Whenever a
zero is present, it indicates that the octet in the address must match the corresponding reference exactly.
Whenever a 255 is present, it indicates that the octet need not be evaluated.
The wildcard mask is the complete opposite of the subnet mask.
Example:- For /24
Subnet Mask - 255.255.255.0
Wildcard Mask - 0.0.0.255

How to permit or deny specific Host in ACL?


1. Using the wildcard mask "0.0.0.0"
Example:- 192.168.1.1 0.0.0.0
2. Using the keyword "host"
Example:- host 192.168.1.1

In which directions we can apply an Access List?


We can apply an access list in two directions:-
IN - ip access-group 10 in
OUT - ip access-group 10 out

Difference between Inbound Access-list and Outbound Access-list?


When an access-list is applied to inbound packets on an interface, those packets are first processed through the
ACL and then routed. Any packets that are denied won't be routed. When an access-list is applied to outbound
packets on an interface, those packets are first routed to the outbound interface and then processed through the ACL.

Difference between #sh access-list command and #sh run access-list command?
#sh access-list shows number of Hit Counts.
#sh run access-list does not show number of Hit Counts.

How many Access Lists can be applied to an interface on a Cisco router?


We can assign only one access list per interface per protocol per direction which means that when creating an
IP access lists, we can have only one inbound access list and one outbound access list per interface. Multiple
access lists are permitted per interface, but they must be for a different protocol.

How Access Lists are processed?


Access lists are processed in sequential, logical order, evaluating packets from the top down, one statement at
a time. As soon as a match is made, the permit or deny option is applied, and the packet is not evaluated
against any more access list statements. Because of this, the order of the statements within any access list is
significant. There is an implicit “deny” at the end of each access list which means that if a packet doesn’t match
the condition on any of the lines in the access list, the packet will be discarded.

What is at the end of each Access List?


At the end of each access list, there is an implicit deny statement denying any packet for which the match has
not been found in the access list.
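The ACL questions above (wildcard masks, the host keyword, standard versus extended matching, named-ACL sequence numbers, top-down processing, the implicit deny and the hit counts that show access-list reports) as one added example, not code from the original notes. It evaluates constructed packets against lists that mirror the notes' access-list 10 and 110 examples; the packets and addresses are constructed, and "ip" as the protocol stands for the match-everything protocol keyword.

```python
"""Cisco-style access-list evaluation: wildcard masks, top-down first match, implicit deny,
hit counters and sequence-numbered insertion.

Added example (not from the original page). Addresses and packets are constructed.
"""
from dataclasses import dataclass
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")     # "any" == reference 0.0.0.0 with every bit ignored


def ip_to_int(ip: str) -> int:
    return int.from_bytes(bytes(int(o) for o in ip.split(".")), "big")


def host(ip: str) -> tuple:
    """The 'host' keyword is shorthand for wildcard 0.0.0.0 (every bit must match)."""
    return (ip, "0.0.0.0")


def subnet_to_wildcard(mask: str) -> str:
    """Wildcard mask is the bitwise inverse of the subnet mask: 255.255.255.0 -> 0.0.0.255"""
    return ".".join(str(255 - int(o)) for o in mask.split("."))


def wildcard_match(addr: str, ref: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard means 'must match', a 1 bit means 'don't care'."""
    differing = ip_to_int(addr) ^ ip_to_int(ref)
    return differing & ~ip_to_int(wildcard) & 0xFFFFFFFF == 0


@dataclass
class Entry:
    seq: int
    action: str                       # "permit" or "deny"
    src: tuple                        # (reference, wildcard)
    proto: str = "ip"                 # extended only; "ip" matches every protocol
    dst: tuple = ANY                  # extended only
    dst_port: Optional[int] = None    # extended only ("eq <port>")
    hits: int = 0


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dst_port: Optional[int] = None


class AccessList:
    def __init__(self, name: str, extended: bool = False):
        self.name, self.extended, self.entries = name, extended, []

    def add(self, entry: Entry):
        """Entries stay ordered by sequence number, so adding seq 15 later lands between 10 and 20."""
        self.entries = sorted(self.entries + [entry], key=lambda e: e.seq)

    def evaluate(self, pkt: Packet) -> str:
        """Top-down, first match wins; if nothing matches, the implicit deny at the end applies."""
        for e in self.entries:
            if not wildcard_match(pkt.src, *e.src):
                continue
            if self.extended:
                if e.proto != "ip" and e.proto != pkt.proto:
                    continue
                if not wildcard_match(pkt.dst, *e.dst):
                    continue
                if e.dst_port is not None and e.dst_port != pkt.dst_port:
                    continue
            e.hits += 1                   # what 'show access-list' reports as matches
            return e.action
        return "deny"

    def show(self) -> dict:
        return {e.seq: f"{e.action} ({e.hits} matches)" for e in self.entries}


# Constructed lists mirroring the notes' examples
STANDARD_10 = AccessList("10")
STANDARD_10.add(Entry(10, "deny", host("192.168.1.1")))
STANDARD_10.add(Entry(20, "permit", ("192.168.1.0", subnet_to_wildcard("255.255.255.0"))))

EXTENDED_110 = AccessList("110", extended=True)
EXTENDED_110.add(Entry(10, "deny", ANY, "tcp", host("192.168.1.1"), 23))   # no telnet to .1
EXTENDED_110.add(Entry(20, "permit", ANY))                                  # permit ip any any

if __name__ == "__main__":
    for p in (Packet("192.168.1.1", "10.0.0.9"), Packet("192.168.1.50", "10.0.0.9"),
              Packet("192.168.2.5", "10.0.0.9")):
        print("ACL 10 ", p.src, "->", STANDARD_10.evaluate(p))
    for p in (Packet("10.1.1.1", "192.168.1.1", "tcp", 23), Packet("10.1.1.1", "192.168.1.1", "tcp", 80)):
        print("ACL 110", p.proto, p.dst_port, "->", EXTENDED_110.evaluate(p))
    print(STANDARD_10.show())
```

An empty list denies everything, which is the "at least one permit statement" point from the Key Information below: with no entries the loop never matches and the implicit deny is all that is left.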

Key Information

- Any access list applied to an interface without an access list being created will not filter traffic.
- Access lists only filter traffic that is going through the router. They will not filter traffic that
originated from the router.
- If we remove one line from an access list, the entire access list will be removed.
- Every access list should have at least one permit statement, or it will deny all traffic.

NAT Interview Questions and Answers (Network Address Translation)

What is NAT?
Network Address Translation translates the private addresses into public addresses before packets are routed
to public network. It allows a network device such as Router to translate addresses between the private and
public network.

What are the Situations where NAT is required?


1. When we need to connect to the internet and our hosts don't have globally unique IP addresses.
2. When we want to hide internal IP addresses from outside for security purposes.
3. When a company is going to merge with another company that uses the same address space.

What are the advantages of Nat?


1.It conserves legally registered IP addresses.
2.It prevents address overlapping.
3.Provides security by hiding internal (private) IP addresses.
4.Eliminates address renumbering as a network evolves.

What are different types of NAT?


There are mainly three types of NAT:-
1.Static NAT
2.Dynamic NAT
3.Port Address Translation (Overloading)

What is Static NAT?


Static NAT allows for a one-to-one mapping; that is, it translates one private IP address to one public IP address.
R1(config)# ip nat inside source static 10.1.1.1 15.36.2.1
R1(config)# int fa0/0
R1(config-if)# ip nat inside (It identifies this interface as inside interface)
R1(config)# int fa0/1
R1(config-if)# ip nat outside (It identifies this interface as outside interface)

In ip nat inside source command we can see that the command is referencing the inside interface as source or
starting point of the translation.

What is Dynamic NAT?


It maps an unregistered IP address to a registered IP address out of a pool of registered IP addresses.
R1(config)# ip nat pool CCNA 190.1.1.5 190.1.1.254 netmask 255.255.255.0
R1(config)# ip nat inside source list 10 pool CCNA
R1(config)# int fa0/0
R1(config-if)# ip nat inside (It identifies this interface as inside interface)
R1(config)# int fa0/1
R1(config-if)# ip nat outside (It identifies this interface as outside interface)
R1(config)# access-list 10 permit 192.168.1.0 0.0.0.255 (To specify which unregistered addresses need to be translated)

What is Port Address Translation (Overloading)?


It maps multiple unregistered IP addresses to a single registered IP address using different port numbers. PAT
allows thousands of users to connect to the internet using only one public address.
R1(config)# ip nat pool CCNA 190.1.1.5 190.1.1.254 netmask 255.255.255.0
R1(config)# ip nat inside source list 10 pool CCNA overload
R1(config)# int fa0/0
R1(config-if)# ip nat inside (It identifies this interface as inside interface)
R1(config)# int fa0/1
R1(config-if)# ip nat outside (It identifies this interface as outside interface)
R1(config)# access-list 10 permit 192.168.1.0 0.0.0.255 (To specify which unregistered addresses need to be translated)

What are Inside Local, Inside Global, Outside Local, Outside Global address?
Inside local address is an IP address of Host before translation.
Inside Global address is the public IP address of Host after translation.
Outside Local address is the address of router interface connected to ISP.
Outside Global address is the address of outside destination (ultimate destination).
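The three NAT types configured above, as one added example that is not code from the original notes: a simulated router keeps a static table, a dynamic pool that leases one public address per inside host (and fails when the pool is empty), and a PAT table that shares one public address by port, plus the reverse lookup needed for returning packets. The addresses mirror the notes' configuration examples; the sequential port allocation for PAT is a simplification of what a real router does.

```python
"""Static NAT, dynamic NAT from a pool, and PAT (overload) translation tables.

Added example (not from the original page). Addresses mirror the notes' configuration
examples; PAT port allocation is a simplification (real routers try to keep the source port).
"""
from ipaddress import IPv4Address, IPv4Network


class NatRouter:
    def __init__(self):
        self.static = {}            # inside local -> inside global (one-to-one, configured)
        self.pool = []              # free inside-global addresses (dynamic NAT)
        self.dynamic = {}           # inside local -> leased inside global
        self.inside_list = None     # which inside locals may be translated (the access-list)
        self.overload_ip = None     # single inside global shared by PAT
        self.pat = {}               # (inside local, local port) -> (inside global, global port)
        self.next_pat_port = 1024

    # --- configuration, named after the IOS commands in the notes ---
    def ip_nat_inside_source_static(self, local: str, glob: str):
        self.static[local] = glob

    def ip_nat_pool(self, first: str, last: str):
        self.pool = [str(IPv4Address(i))
                     for i in range(int(IPv4Address(first)), int(IPv4Address(last)) + 1)]

    def access_list_permit(self, network: str):
        self.inside_list = IPv4Network(network)          # e.g. "192.168.1.0/24"

    def overload(self, glob: str):
        self.overload_ip = glob

    # --- forwarding ---
    def translate(self, src_ip: str, src_port: int):
        """Outbound packet: return (inside global, port), or None if it cannot be translated."""
        if src_ip in self.static:
            return (self.static[src_ip], src_port)        # static: port untouched
        if self.inside_list is None or IPv4Address(src_ip) not in self.inside_list:
            return None                                   # not permitted by the list: not translated
        if self.overload_ip:                              # PAT: one public IP, many ports
            key = (src_ip, src_port)
            if key not in self.pat:
                self.pat[key] = (self.overload_ip, self.next_pat_port)
                self.next_pat_port += 1
            return self.pat[key]
        if src_ip not in self.dynamic:                    # dynamic: lease a pool address
            if not self.pool:
                return None                               # pool exhausted: translation fails
            self.dynamic[src_ip] = self.pool.pop(0)
        return (self.dynamic[src_ip], src_port)

    def untranslate(self, dst_ip: str, dst_port: int):
        """Inbound reply: map (inside global, port) back to (inside local, port)."""
        for (local, lport), (glob, gport) in self.pat.items():
            if (glob, gport) == (dst_ip, dst_port):
                return (local, lport)
        for local, glob in list(self.static.items()) + list(self.dynamic.items()):
            if glob == dst_ip:
                return (local, dst_port)
        return None


def demo_static():
    r = NatRouter()
    r.ip_nat_inside_source_static("10.1.1.1", "15.36.2.1")
    return r.translate("10.1.1.1", 40000)


def demo_dynamic(pool_size: int = 250):
    r = NatRouter()
    r.ip_nat_pool("190.1.1.5", str(IPv4Address("190.1.1.5") + pool_size - 1))
    r.access_list_permit("192.168.1.0/24")
    return r, [r.translate(f"192.168.1.{h}", 5000) for h in (10, 11)]


def demo_pat():
    r = NatRouter()
    r.ip_nat_pool("190.1.1.5", "190.1.1.254")
    r.access_list_permit("192.168.1.0/24")
    r.overload("190.1.1.5")
    return r, [r.translate(f"192.168.1.{h}", 5000) for h in (10, 11)]


if __name__ == "__main__":
    print("static :", demo_static())
    print("dynamic:", demo_dynamic()[1])
    r, leases = demo_pat()
    print("PAT    :", leases, "reply to 190.1.1.5:1025 ->", r.untranslate("190.1.1.5", 1025))
```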

Routing Basic Interview Questions and Answers

What is Routing?
The function of Routing is to Route packets between networks that are not locally attached.

What is a Router?
A Router is a networking device that performs routing that is it routes packets between devices that are on
different networks.
Router is a Layer 3 device.

What are the different types of memory in router?


RAM - Running configuration file (running-config) is stored in RAM.
NVRAM - Startup configuration file (startup-config) is stored in NVRAM.
Flash Memory - IOS is stored in flash memory.
ROM - Instructions for POST, the bootstrap program and the Mini-IOS are stored in ROM.

What are the possible locations of IOS image?


FLASH and TFTP Server.

What is ROM Monitor?


If the Bootstrap program is not able to find a valid IOS image, it will act as ROM Monitor.
ROM Monitor is capable of performing certain configuration task such as:-
1.Recovering a lost password
2.Changing the configuration register value etc.
3.Downloading IOS image using TFTP

What are the different modes in Router?


1. User Mode  >
2. Privilege Mode  #
3. Global Configuration Mode  (config)#
Each mode has access to a different set of IOS commands.

What is the command to enter PRIVILEGE mode from USER mode?


> enable

What is the command to enter Global Configuration mode from PRIVILEGE Mode?
# configure terminal

What is the command to Reboot a Router?


# reload

What is the command to backup IOS to TFTP server?


# copy flash tftp

What is the command to copy running-config to startup config?


# copy running-config startup-config

What is the command to display the current running configuration?


# show running-config

Define static routing?


In Static routing routes are manually configured on the router by a network administrator.
Static routing has the following Advantages -
1.There is no overhead on the router CPU.
2.There is no bandwidth usage between routers.
3.It is secure as the administrator can choose to allow routing access to certain networks only.
Static routing has the following Disadvantages -
1.The administrator must really understand the internetwork and how each router is connected in order to
configure routes correctly.
2.It is not feasible in large networks because maintaining it is a full-time job.

What is Default Route?


A default route specifies a path that the router should take if the destination is unknown. All the IP datagrams
with unknown destination address are sent to the default route.

What is a Dynamic Routing?


In Dynamic routing, routes are learned by using a routing protocol. Routing protocols will learn about routes
from other neighboring routers running the same routing protocol. Example - OSPF, EIGRP, RIP.

What is a Routed Protocol?


A Routed Protocol carries data from one network to another network. Routed Protocol carries user traffic
such as file transfers, web traffic, e-mails etc.
Example:- IP (Internet Protocol), IPX (Internetwork Packet Exchange) and AppleTalk.
What is Routing Protocol?
Routing Protocols learn the routes and provide the best routes from one network to another network.
Example - RIP (Routing Information Protocol) , EIGRP (Enhanced Interior Gateway Routing Protocol) and OSPF
(Open Shortest Path First).

What is IGP?
An Interior Gateway Protocol refers to a routing protocol that handles routing within a single autonomous
system. Example - RIP, IGRP, EIGRP, and OSPF.

What is EGP?
An Exterior Gateway Protocol refers to a routing protocol that handles routing between different Autonomous
Systems (AS). Example:- Border Gateway Protocol (BGP).

What is an Autonomous System?


An Autonomous System (AS) is a group of networks under a single administrative control.

What is Administrative Distance (AD)?


Administrative Distance is the trustworthiness of a routing protocol. Routers use the AD value to select the best
path when there are two or more different routes to the same destination learned through two different
routing protocols.

What are the Range of AD values?


0 to 255, where 0 is the best and 255 is the worst.

Routing Protocol      Administrative Distance Value
Directly Connected    0
Static route          1
EIGRP                 90
OSPF                  110
RIP                   120
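An added example, not code from the original notes, of how the AD values above are used together with the route metric and the default route from the routing questions: candidate routes for the same prefix are compared first by AD and then by metric, and a lookup picks the most specific installed prefix, falling back to 0.0.0.0/0. Prefixes, metrics and next hops are constructed.

```python
"""Route selection: administrative distance between protocols, metric within a protocol,
then longest-prefix lookup with a default route.

Added example (not from the original page). Prefixes and next hops are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Default administrative distances from the table in the notes
AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}


@dataclass
class Route:
    prefix: IPv4Network
    source: str
    metric: int          # hop count for RIP, cost for OSPF, composite metric for EIGRP
    next_hop: str


class RoutingTable:
    def __init__(self):
        self.candidates = []       # everything learned, before best-path selection

    def learn(self, prefix: str, source: str, metric: int, next_hop: str):
        self.candidates.append(Route(IPv4Network(prefix), source, metric, next_hop))

    def installed(self) -> dict:
        """One route per prefix: lowest AD wins; ties are broken by lowest metric."""
        best = {}
        for r in self.candidates:
            cur = best.get(r.prefix)
            if cur is None or (AD[r.source], r.metric) < (AD[cur.source], cur.metric):
                best[r.prefix] = r
        return best

    def lookup(self, dst: str):
        """Longest matching prefix; 0.0.0.0/0 (the default route) matches everything last."""
        addr = IPv4Address(dst)
        matches = [r for p, r in self.installed().items() if addr in p]
        return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def build_sample_table() -> RoutingTable:
    t = RoutingTable()
    t.learn("10.0.0.0/24", "rip", 2, "10.1.1.2")      # 2 hops via RIP (AD 120)
    t.learn("10.0.0.0/24", "ospf", 30, "10.1.2.2")    # OSPF cost 30: AD 110 beats RIP
    t.learn("10.0.0.0/24", "ospf", 10, "10.1.3.2")    # same protocol, better cost: wins
    t.learn("10.0.0.0/16", "static", 0, "10.1.4.2")   # less specific; used for other /16 hosts
    t.learn("0.0.0.0/0", "static", 0, "203.0.113.1")  # default route for unknown destinations
    return t


def next_hop_for(table: RoutingTable, dst: str):
    r = table.lookup(dst)
    return r.next_hop if r else None


if __name__ == "__main__":
    t = build_sample_table()
    for prefix, r in t.installed().items():
        print(f"{str(prefix):15} via {r.source:6} AD={AD[r.source]:3} metric={r.metric:3} -> {r.next_hop}")
    for dst in ("10.0.0.7", "10.0.5.7", "8.8.8.8"):
        print(dst, "->", next_hop_for(t, dst))
```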

What is Distance-Vector Routing Protocol?


Distance vector routing protocols use the distance or hops as metric to find paths to destinations.
Example:- Routing Information Protocol (RIP), Interior Gateway Routing Protocol (IGRP)

What is Link-State Routing Protocol?

Each router running a link-state routing protocol originates information about the router, its directly
connected links, and the state of those links. This information is sent to all the routers in the network as
multicast messages.
Link-state routing always tries to maintain the full network topology, updating itself incrementally only when
the network topology changes. Example:- Open Shortest Path First (OSPF)

What is Hybrid Routing Protocol?


A Hybrid Routing protocol takes the advantages of both Distance Vector and Link State Routing protocols.
1.It sends traditional Distance Vector updates.
2.It has Link State characteristics also which means it synchronizes routing tables between neighbors at
startup, and then it sends specific updates when network topology changes.
Example:- Enhanced Interior Gateway Routing Protocol (EIGRP)

What is a Route metric?


Routing Protocol uses Route Metric value to find the best path when there are two or more different routes to
the same destination.
Different routing protocols use Route Metric to compute the distance to destination.
RIP - Hop Count, OSPF - Cost, EIGRP - Bandwidth, Delay, Reliability, Load, MTU.

What is Hop Count?


Hop count is the number of routers from the source through which data must pass to reach the destination
network.

What is Bandwidth, Delay, Reliability, Load ?


1.Bandwidth - It is the data capacity of a link in Kbps.
2.Delay - It is the time a packet takes to reach the destination.
3.Reliability - The path with the least amount of errors or downtime.
4.Load - It is the amount of utilization of a path.
5.MTU - Maximum transmission unit (MTU) defines the maximum Layer 3 packet that can be sent over a
medium.

What is Cost?
Cost is inversely proportional to the bandwidth of the link.

What is CDP?
Cisco Discovery Protocol is a CISCO proprietary protocol to help administrators in collecting information about
both locally attached and remote devices.

RIP Interview Questions and Answers

What is RIP?
RIP is a Distance-Vector Routing protocol. It is a Classful routing protocol (Classful routing protocols do not
send subnet mask information with their routing updates). It does not support VLSM (Variable Length Subnet
Masking). RIP uses Hop count as its metric to determine the best path to a remote network and it supports a
maximum hop count of 15. Any router farther than 15 hops away is considered unreachable. It sends its
complete routing table out of all active interfaces every 30 seconds.

What are the four timers in RIP?
Route update timer 30 seconds - It is the time interval between periodic routing updates in which the router
sends a complete copy of its routing table out to all neighbors.
Route invalid timer 180 seconds - It is the time interval before a router determines that a route has become
invalid. A route becomes invalid if the router hasn't heard any updates about it for that period.
Hold down timer 180 seconds - It is the amount of time during which routing information is suppressed.
Routes enter the holddown state when an update packet is received that indicates the route is
unreachable. This continues either until an update packet is received with a better metric or until the
holddown timer expires.
Route flush timer 240 seconds - It is the time between a route becoming invalid and its removal from the
routing table. Before it's removed from the table, the router notifies its neighbors of that invalid route. The
value of the route invalid timer must be less than that of the route flush timer.

What is the difference between RIPV1 & RIPV2?

RIPV1                                          RIPV2
RIPV1 is a classful protocol.                  RIPV2 is a classless protocol.
RIPV1 uses broadcasts for updates.             RIPV2 uses multicasts for updates.
RIPV1 broadcasts updates every 30 seconds.     RIPV2 supports triggered updates (when a change occurs).
RIPV1 does not support VLSM.                   RIPV2 supports VLSM.
RIPV1 does not support authentication.         RIPV2 supports authentication.

Explain Load-Balancing in RIP?


RIP can perform load balancing over up to six equal-cost paths.

Explain Split Horizon?


The Split Horizon feature prevents a route learned on one interface from being advertised back out of that
same interface.

What is route poisoning?


With route poisoning, when a distance vector routing protocol notices that a route is no longer valid, the route
is advertised with an infinite metric, signifying that the route is bad. In RIP, a metric of 16 is used to signify
infinity.

How do you stop RIP updates from propagating out an interface on a router?
Sometimes we don't want RIP updates to propagate across the network, wasting valuable bandwidth. For this
purpose, we can use the passive-interface command to stop RIP updates from propagating out an interface.
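Split horizon, route poisoning and passive interfaces (the three questions above) all shape what a router puts into the update it sends out each interface. The Python below is an added example, not code from the page or from any vendor: it builds one round of RIP updates from a routing table and shows the receiving side applying the "plus one hop, 16 means unreachable" rule. The routing table, interface names and prefixes are constructed.

```python
"""RIP update generation with split horizon, route poisoning and passive
interfaces, plus the receiving side.

Added example (not code from the original page). The routing table,
interface names and prefixes are constructed sample data.
"""
import copy

RIP_INFINITY = 16  # metric that means "unreachable" in RIP


def build_updates(routes, interfaces, passive=()):
    """Return {interface: [(prefix, metric), ...]} for one update round.

    routes: dicts with keys prefix, metric, learned_on (None when directly
            connected) and valid (False once the route has timed out).
    Split horizon: a route is never advertised back out the interface it
    was learned on. Route poisoning: an invalid route is advertised with
    metric 16 so neighbors drop it. A passive interface sends no updates.
    """
    updates = {}
    for ifname in interfaces:
        if ifname in passive:
            continue  # passive-interface: listen, never send
        entries = []
        for r in routes:
            if r["learned_on"] == ifname:
                continue  # split horizon
            metric = r["metric"] if r["valid"] else RIP_INFINITY
            entries.append((r["prefix"], min(metric, RIP_INFINITY)))
        updates[ifname] = entries
    return updates


def receive_update(routes, ifname, entries):
    """Apply an update heard on ifname and return the (modified) table.

    The receiver adds one hop to each advertised metric. A result of 16
    or more is a poisoned route: it is never installed, and if it comes
    from the neighbor we learned the route from, the route becomes invalid.
    """
    by_prefix = {r["prefix"]: r for r in routes}
    for prefix, advertised in entries:
        metric = min(advertised + 1, RIP_INFINITY)
        current = by_prefix.get(prefix)
        if current is None:
            if metric < RIP_INFINITY:
                routes.append({"prefix": prefix, "metric": metric,
                               "learned_on": ifname, "valid": True})
        elif current["learned_on"] == ifname:
            # Same neighbor: always accept its view, including the poison.
            current["metric"] = metric
            current["valid"] = metric < RIP_INFINITY
        elif metric < RIP_INFINITY and (metric < current["metric"]
                                         or not current["valid"]):
            current.update(metric=metric, learned_on=ifname, valid=True)
    return routes


# Constructed routing table of one router with three interfaces.
SAMPLE_ROUTES = [
    {"prefix": "10.0.0.0/8", "metric": 1, "learned_on": None, "valid": True},
    {"prefix": "172.16.0.0/16", "metric": 2, "learned_on": "Fa0/0", "valid": True},
    {"prefix": "192.168.5.0/24", "metric": 4, "learned_on": "Fa0/1", "valid": False},
]
SAMPLE_INTERFACES = ["Fa0/0", "Fa0/1", "Fa0/2"]


def sample_round():
    """Updates sent by the sample router with Fa0/2 configured passive."""
    return build_updates(copy.deepcopy(SAMPLE_ROUTES), SAMPLE_INTERFACES,
                         passive=("Fa0/2",))


if __name__ == "__main__":
    for ifname, entries in sample_round().items():
        print(ifname, entries)
```

In the sample round, 172.16.0.0/16 is missing from the Fa0/0 update (split horizon), 192.168.5.0/24 goes out Fa0/0 with metric 16 (poisoned), and Fa0/2 gets nothing at all (passive).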

Which port number and protocol RIP use?


RIP uses UDP (user datagram protocol) port number 520.

What is the administrative distance of RIP?
RIP has an administrative distance of 120.

What is the multicast address of RIP?


224.0.0.9

How do we configure RIP?


Router(config)# router rip
Router(config-router)# network 192.168.1.0
Router(config-router)# version 2 (to convert it into RIPV2)

What is the difference between RIPng and RIP?


RIPng is for IPv6 and RIP is for IPv4

EIGRP Interview Questions and Answers

Explain EIGRP Routing Protocol?


Enhanced Interior Gateway Routing Protocol (EIGRP) is an enhanced distance vector routing protocol
which uses the Diffusing Update Algorithm (DUAL) to calculate the shortest path. It is also considered a Hybrid
Routing Protocol because it has characteristics of both Distance Vector and Link State Routing Protocols.
EIGRP supports classless routing and VLSM, route summarization, incremental updates, load balancing and
other features.

What are the requirements for neighborship in EIGRP?


The following fields in a hello packet must match for routers to become neighbors -
1.Autonomous System number.
2.K-values.
3.Authentication.
4.Primary address should be used.
5.If static neighbors are used, they must be defined on both sides.

What tables does EIGRP routers maintain?


EIGRP router stores routing and topology information in three tables:
1. Neighbor table - Stores information about EIGRP neighbors.
2. Topology table - Stores routing information which is learned from neighbor routers.
3. Routing table - Stores the best paths to all networks.

Why no auto-summary command is used in EIGRP?


By default, EIGRP behaves like a classful routing protocol, which means it does not advertise the subnet mask
information along with the routing information. The no auto-summary command ensures that EIGRP sends the
subnet mask information along with the routing information.

What metric does EIGRP use?
EIGRP calculates its metric by using Bandwidth, Load, Delay, Reliability and MTU.

What are the EIGRP Hello and Hold timer?


Hello Time - The router will send a hello to its neighbor every 5 seconds (Hello time).
Hold Time - If a router does not receive a hello for 15 seconds (Hold time), then it will assume that the link is down
and it will drop the neighborship.

What are the default values EIGRP Hello and Hold timer?
Hello Time - 5 seconds
Hold Time - 15 seconds

What is Successor?
Successor is the best path to reach to a destination in the topology table.

What is Feasible successor?


Feasible successor is the second best path to reach a destination after Successor. It acts as backup for the
Successor.

What is Feasible distance?


Feasible distance is the distance (metric) to reach destination network.

What is Advertised Distance/Reported Distance?


Advertised distance is the distance (Metric) of a neighbor router to destination network. This is the metric of a
destination network as reported by a neighbor.

What Authentication does EIGRP supports?


EIGRP supports only MD5 authentication.

Give the Formula EIGRP uses to calculate Metric?


((10^7/least bandwidth of link) + cumulative delay)*256
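The metric formula above, together with the Successor / Feasible Successor / Feasible Distance / Advertised Distance definitions that precede it, is easiest to follow on numbers. The Python below is an added example, not code from the page: it computes the composite metric with the default K values (K1 = K3 = 1), with bandwidth in Kbps and delay in tens of microseconds (the units IOS uses), and then applies the feasibility condition (a backup neighbor's reported distance must be strictly less than the feasible distance) to pick the successor and any feasible successors. The neighbors and link parameters are constructed.

```python
"""EIGRP composite metric, feasible distance, reported distance and
successor / feasible successor selection.

Added example (not code from the original page). It applies the page's
formula ((10^7 / least bandwidth) + cumulative delay) * 256 with
bandwidth in Kbps and delay in tens of microseconds, the units IOS
uses, and the default K values (K1 = K3 = 1). The neighbors and link
parameters below are constructed.
"""


def eigrp_metric(min_bandwidth_kbps, cumulative_delay_tens_usec):
    """Composite metric with default K values; 10^7 / bw uses integer
    division as IOS does."""
    return (10**7 // min_bandwidth_kbps + cumulative_delay_tens_usec) * 256


def evaluate_paths(paths):
    """For each neighbor compute:
      RD (reported/advertised distance) = the neighbor's own metric to the
          destination, from the bandwidth/delay it reports;
      FD through that neighbor = our metric, i.e. the neighbor's values
          combined with our link to it (min bandwidth, summed delay).
    Returns a list of (neighbor, rd, fd) sorted by fd."""
    evaluated = []
    for p in paths:
        rd = eigrp_metric(p["nbr_min_bw"], p["nbr_delay"])
        fd = eigrp_metric(min(p["nbr_min_bw"], p["link_bw"]),
                          p["nbr_delay"] + p["link_delay"])
        evaluated.append((p["neighbor"], rd, fd))
    return sorted(evaluated, key=lambda e: e[2])


def select_successors(paths):
    """Successor: neighbor with the lowest FD; that FD is the route's
    feasible distance. Feasible successor: any other neighbor whose RD is
    strictly less than the feasible distance (the feasibility condition,
    which guarantees the backup path is loop-free)."""
    evaluated = evaluate_paths(paths)
    successor, _, feasible_distance = evaluated[0]
    feasible_successors = [n for n, rd, _ in evaluated[1:] if rd < feasible_distance]
    return {
        "successor": successor,
        "feasible_distance": feasible_distance,
        "feasible_successors": feasible_successors,
        "reported_distance": {n: rd for n, rd, _ in evaluated},
    }


# Constructed topology: three neighbors advertising the same destination.
SAMPLE_PATHS = [
    # R2 reaches the destination over a 10 Mbps segment; our link to R2 is Fast Ethernet.
    {"neighbor": "R2", "nbr_min_bw": 10000, "nbr_delay": 100, "link_bw": 100000, "link_delay": 10},
    # R3 reaches it over a T1 (1544 Kbps): large RD, fails the feasibility condition.
    {"neighbor": "R3", "nbr_min_bw": 1544, "nbr_delay": 2000, "link_bw": 100000, "link_delay": 10},
    # R4 has a cheap path itself, but our link to R4 is only 10 Mbps.
    {"neighbor": "R4", "nbr_min_bw": 100000, "nbr_delay": 200, "link_bw": 10000, "link_delay": 100},
]

if __name__ == "__main__":
    print(select_successors(SAMPLE_PATHS))
```

R4 is the interesting case: its own distance (RD 76800) is smaller than the successor's feasible distance (284160), so it qualifies as a feasible successor even though the path through it is more expensive for us, and DUAL can switch to it without a recomputation if R2 fails.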

What is the Different Administrative Distance that EIGRP use?


1.Internal - 90
2.External - 170
3.Summary - 5

What multicast address does EIGRP use?


EIGRP routers use the multicast address of 224.0.0.10

How we configure EIGRP?


Router(config)# router eigrp 100
Router(config-router)# network 172.16.1.0 0.0.0.255
Router(config-router)# network 10.16.1.0 0.0.0.255
Router(config-router)# no auto-summary

Give some commands to troubleshoot EIGRP?


#show ip route - It shows full Routing Table.
#show ip route eigrp - It shows only EIGRP routes (routes learned through EIGRP protocol) in the routing
table.
#show ip eigrp neighbors - It shows EIGRP Neighbor Table.
#show ip eigrp topology - It shows EIGRP Topology Table.

OSPF Interview Questions and Answers (Open Shortest Path First)

What is OSPF Routing protocol?


Open Shortest Path First is an open standard Link State routing protocol which uses the Dijkstra
algorithm to first construct the shortest paths and then populates the routing table with the
resulting best paths.

Mention some characteristics of OSPF?


1.OSPF is a classless routing protocol that supports VLSM and CIDR.
2.It allows for creation of areas and autonomous systems.
3.OSPF uses cost as its metric, which is computed based on the bandwidth of the link.
4.It has no hop-count limit.
5.OSPF supports both IPV4 & IPV6.
6.OSPF routes have an administrative distance of 110.

What is the need for dividing the autonomous system into various areas?
We divide the autonomous system into various areas to keep route updates to a minimum, to conserve
resources and to keep problems from propagating throughout the network.

What is the benefit of dividing the entire network into areas?


The following are benefits of dividing the entire network into areas -
1.Decrease routing overhead.
2.Speed up convergence.
3.Confine network instability to single areas of the network.

What is Backbone Area?


While configuring multi-area OSPF, one area must be called area 0, referred to as the backbone area. All other
areas must connect to the backbone area as inter-area traffic is sent through the backbone area.

Explain Area Border Router(ABR)?


It is the router that connects other areas to the backbone area within an autonomous system. An ABR can have
its interfaces in more than one area.

What is Autonomous System Border Router (ASBR)?
It is the router that connects different Autonomous Systems.

What is OSPF Router ID?


The Router ID is used to identify the router. The highest IP address of the router's loopback interfaces is chosen as the
Router ID. If no loopback is present, then the highest IP address of the router's physical interfaces will be chosen
as the Router ID.

What Parameters must match for two routers to become neighbors?


The following parameters must be the same on both routers in order for routers to become neighbors:-
1.Subnet
2.Area id
3.Hello and Dead interval time
4.Authentication

How OSPF DR & BDR is elected?


• The router with the highest priority becomes the DR and router with second highest priority becomes the
BDR. If there is a tie in priority, router with the highest Router ID will become DR.
• By default priority on Cisco routers is 1. We can manually change it.
• If the Router priority is set to 0 (Zero), that router will not participate in DR/BDR election.
• DR election process is not preemptive. If a router with a higher priority is added to the network, it will not
become DR until we clear the OSPF process and the DR/BDR election takes place again.
Command to change the priority on an interface
router(config)# interface fa0/0
router(config-if)# ip ospf priority 100
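The Router ID rule and the DR/BDR election rules above (highest priority, then highest Router ID, priority 0 excluded, no preemption) can be checked with the following Python model. It is an added example, not code from the page or from IOS; the router names, addresses and priorities are constructed.

```python
"""OSPF Router ID selection and DR/BDR election on a multi-access segment.

Added example (not code from the original page). Router ID: highest
loopback address, else highest physical-interface address. DR: highest
priority, ties broken by highest Router ID; priority 0 never takes part;
the election is not preemptive, so an existing DR/BDR keeps its role
until the OSPF process is cleared. Router names, addresses and
priorities below are constructed.
"""
import ipaddress


def as_int(addr):
    return int(ipaddress.IPv4Address(addr))


def router_id(loopbacks, physicals):
    """Pick the Router ID from the candidate interface addresses."""
    pool = loopbacks if loopbacks else physicals
    if not pool:
        raise ValueError("no IP address available to derive a Router ID")
    return max(pool, key=as_int)


def elect_dr_bdr(routers, current=(None, None)):
    """routers: {name: {"rid": str, "priority": int}} for one segment.
    current: (dr, bdr) still in effect, or (None, None) after a clear.
    Returns (dr, bdr); either may be None if too few routers take part."""
    eligible = {name for name, r in routers.items() if r["priority"] > 0}
    # Highest priority first, then highest Router ID.
    ranked = sorted(eligible,
                    key=lambda n: (routers[n]["priority"], as_int(routers[n]["rid"])),
                    reverse=True)
    cur_dr, cur_bdr = current
    if cur_dr in eligible:
        dr = cur_dr                                  # non-preemptive: DR stays
    elif cur_bdr in eligible:
        dr = cur_bdr                                 # DR lost: BDR is promoted
    else:
        dr = ranked[0] if ranked else None           # fresh election
    if cur_bdr in eligible and cur_bdr != dr:
        bdr = cur_bdr
    else:
        bdr = next((n for n in ranked if n != dr), None)
    return dr, bdr


# Constructed segment: R1, R2 at default priority 1, R3 excluded with priority 0.
SEGMENT = {
    "R1": {"rid": router_id(["1.1.1.1"], ["10.0.0.1"]), "priority": 1},
    "R2": {"rid": router_id(["2.2.2.2"], ["10.0.0.2"]), "priority": 1},
    "R3": {"rid": router_id([], ["10.0.0.3"]), "priority": 0},
}


def scenario():
    """Initial election, a higher-priority router joining, then a clear."""
    first = elect_dr_bdr(SEGMENT)
    joined = dict(SEGMENT, R4={"rid": "4.4.4.4", "priority": 100})
    after_join = elect_dr_bdr(joined, current=first)      # unchanged
    after_clear = elect_dr_bdr(joined)                    # R4 now wins
    return first, after_join, after_clear


if __name__ == "__main__":
    print(scenario())
```

The scenario reproduces the page's non-preemption statement: R4 arrives with priority 100 but R2 stays DR until the process is cleared and a fresh election runs.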

Why DR and BDR are elected in OSPF?


All OSPF routers will form adjacencies with the DR and BDR. If link-state changes, the update will be sent only
to the DR, which then forwards it to all other routers. This greatly reduces the flooding of LSAs therefore
conserving the bandwidth.

Explain the various OSPF states?


OSPF routers need to go through several states before establishing a neighbor relationship:-
1.Down - No Hello packets have been received on the interface.
2.Attempt - In the Attempt state neighbors must be configured manually. It applies only to nonbroadcast multi-
access (NBMA) networks.
3.Init state - The router has received a Hello message from the other OSPF router.
4.2way state - The neighbor has received the Hello message and replied with a Hello message of its own.
Bidirectional communication has been established. In a broadcast network the DR-BDR election can occur after this
point.
5.Exstart state – DR & BDR establish adjacencies with each router in the network. The master-slave election
takes place (the master will send its DBD first).
6.Exchange state – Routing information is exchanged using DBD (Database Descriptor) packets and Link-State
Request (LSR) packets. Link-State Update packets may also be sent.
7.Loading state – LSRs (Link State Requests) are sent to neighbors for every network it doesn't know about.
The neighbor replies with LSUs (Link State Updates) which contain information about the requested networks.
After the requested information has been received, the other neighbor goes through the same process.
8.Full state - All neighbor routers have synchronized databases and adjacencies have been established.

Explain OSPF LSA, LSU and LSR?


The LSAs (Link-State Advertisements) are used by OSPF routers to exchange routing and topology
information. When two neighbors decide to exchange routes, they send each other a list of all LSAs in their
respective topology database. Each router then checks its topology database and sends a Link State Request
(LSR) message requesting all LSAs that were not found in its topology table. The other router responds with a
Link State Update (LSU) that contains all LSAs requested by the neighbor.

What are the steps required to change Neighborship into adjacency?


1.Two-way communication (using Hello Protocol)
2.Database Synchronization which means exchange of Database Description (DD) packets, Link State Request
(LSR) packets, Link State Update (LSU) packets.
3.After Database synchronization is complete, the two routers are considered adjacent.

Explain OSPF timers?


Hello interval - This defines how often OSPF router will send the hello packet to other OSPF router.
Dead interval - This defines how long a router will wait for hello packets before it declares the neighbor dead.

What is the default Hello Interval?


The default Hello Interval for OSPF is 10 seconds.

What is the default Dead Interval?


The Dead Interval is four times the Hello Interval. By default it is 40 seconds.

What multicast address does OSPF use?


OSPF uses the multicast addresses 224.0.0.5 & 224.0.0.6.

Tables maintained by OSPF?


A router participating in the OSPF routing protocol maintains three OSPF tables:-
1.Neighbor table - Stores information about OSPF neighbors.
command to see # sh ip ospf neighbor
2.Topology table - Stores the topology structure of a network (the link-state database).
command to see # sh ip ospf database
3.Routing table - Stores the best routes to all known networks.
command to see # sh ip route ospf

What are different OSPF LSA types ?


1. Router LSA (Type1) - Each router generates a Type 1 LSA that lists its active interfaces, IP addresses,
neighbors and the cost. LSA Type 1 is flooded only within an area.
2. Network LSA (Type2) - Type 2 LSA is sent out by the designated router (DR) and lists all the routers on the
segment it is adjacent to. Type 2 LSAs are flooded only within an area. It contains the information about DRs.
3. Summary LSA (Type3) - Type 3 LSAs are generated by Area Border Routers (ABRs) to advertise networks
from one area to the rest of the areas in the Autonomous System. It contains the information about inter-area
routes.
4. Summary ASBR LSA (Type4) - It is generated by the ABR and contains routes to ASBRs.
5. External LSA (Type5) - External LSAs are generated by ASBRs and contain routes to networks that are
external to the current AS.
6. Not-So-Stubby Area LSA (Type7) - Stub areas do not allow Type 5 LSAs. A Not So Stubby Area (NSSA) allows
advertisement of Type 5 LSAs as Type 7 LSAs. A Type 7 LSA is generated by an ASBR inside a Not So Stubby Area
(NSSA) to describe routes redistributed into the NSSA.

How do we configure OSPF Routing Protocol?


router(config)# router ospf 10
router(config-router)# network 12.1.1.0 0.0.0.255 area 0
router(config-router)# network 23.1.0.0 0.0.255.255 area 1
router(config-router)# exit
• The router ospf 10 command enables the OSPF process. Here “10” indicates the OSPF process ID and can be
different on neighbor routers. The process ID allows multiple OSPF processes to run on the same router.
• Second command configures 12.1.1.0/24 network in area 0.
• Third command configures 23.1.0.0/16 network in area 1.

Switching Interview Questions and Answers

What is Switching?
The function of Switching is to Switch data packets between devices on the same network.

What is Switch?
A Switch is a device which is used to connect multiple devices inside Local Area Network (LAN). Unlike hubs,
switches examine each packet and process it accordingly rather than simply repeating the signal to all ports.
Switches operate at Layer Two (Data Link Layer) of the OSI model.

What is the difference between a HUB, Switch & Router?


Hub is designed to connect hosts to each other with no understanding of what it is transferring. When a Hub
receives a packet of data from a connected device, it broadcasts that data packet to all other ports regardless
of destination port. HUB operates at Layer 1 (Physical Layer).
Switch also connects hosts to each other like a hub. Switch differs from a hub in the way it handles packets.
When a switch receives a packet, it determines what hosts the packet is intended for and sends it to that hosts
only. It does not broadcast the packet to all the hosts as a hub does which means bandwidth is not shared
and makes the network more efficient. Switch operates at Layer 2 (Data Link Layer).
Router is different from a switch or hub since its function is to route data packets to other networks, instead
of just the local network. Routers operate at Layer 3 (Network Layer).

What are the functions of a Switch?
The Switch performs three major functions:-
1.Address learning.
2.Packet forwarding/filtering.
3.Loop avoidance by Spanning Tree Protocol.

What is Sub Interface?


To support ISL or 802.1Q routing on a Fast Ethernet interface, the router’s interface is divided into logical
interfaces—one for each VLAN. These are called subinterfaces.

What is a Broadcast Domain and a Collision Domain?


Broadcast Domain - Broadcast is a type of communication where the sending device sends a single copy of
data and that copy of data is delivered to every other device in the network segment. A Broadcast
Domain consists of all the devices that will receive every broadcast packet originating from any device within
the network segment. All ports on a hub or a switch are by default in the same broadcast domain. All ports
on a router are in different broadcast domains and routers don't forward broadcasts.
Collision Domain - is a network scenario where one particular device sends a packet on a network segment
forcing every other device on that same segment to pay attention to it. At the same time, if a different device
tries to transmit simultaneously, it will lead to a collision after which both devices must retransmit, one at a
time. This situation is common in a hub environment, because each port on a hub is in the same collision
domain. By contrast, each port on a bridge, a switch or a router is in a separate collision domain.

Compare HUB and Switch with respect to broadcast and collision domain?
In a hub there is one collision domain and one broadcast domain.
In a switch there are multiple collision domains and one broadcast domain.

What is a MAC address Table and how a Switch will build a MAC table?
To switch frames between LAN ports efficiently, the switch maintains an address table called the MAC address
Table or CAM Table (Content Addressable Memory Table). When the switch receives a frame, the source MAC
address is learned and recorded in the CAM table along with the port of arrival, VLAN and time stamp. The
switch dynamically builds the MAC address table by using the source MAC address of the frames received.
This table is then used by the switch to determine where to forward traffic on a LAN.

How Switch Learns Mac Address?


When a frame reaches a port of a switch, the switch reads the MAC address of the source device from the
Ethernet frame and compares it to its MAC address table (also known as the CAM (Content Addressable Memory)
table). If the switch does not find a corresponding entry in the MAC address table, the switch adds the address
to the table with the port number on which the Ethernet frame was received.
If the MAC address is already available in the MAC address table, the switch compares the incoming port with
the port already available in the MAC table. If the port numbers are different, the switch updates the MAC
address table with the new port number.

How does Switch performs Forwarding function?


When a Layer2 Ethernet frame reaches a port on the Switch, it not only reads the source MAC address of the
Ethernet frame as a part of learning function, but also reads the destination MAC address as a part of
forwarding function. The destination MAC address is important to determine the port which the destination
device is connected to.
If the destination MAC address is found in the MAC address table, the switch forwards the Ethernet frame
out the port recorded for that MAC address.

Explain Flooding?
If the destination MAC address is not found in the MAC address table, the switch forwards the frame out all of
its ports except the port on which the frame was received. This is known as flooding.
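The learning, forwarding, filtering and flooding behaviour described in the last four questions is small enough to model end to end. The Python below is an added example, not code from the page: a switch object keeps a CAM table of (port, last-seen time) per source MAC, updates the port when a host moves, forwards known unicasts to one port, drops a frame whose destination sits on the ingress port, floods unknown unicasts and broadcasts, and ages out stale entries. The port names, MAC addresses and the 300-second aging default are constructed sample values.

```python
"""Layer 2 switch: MAC address learning, forwarding, filtering and flooding.

Added example (not code from the original page). The port names and MAC
addresses are constructed. The CAM table records the arrival port and a
timestamp for every source MAC seen, as the page describes; aging is
included so stale entries disappear.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Switch:
    ports: list
    max_age: int = 300                              # seconds (assumed default)
    cam: dict = field(default_factory=dict)         # mac -> (port, last_seen)

    def handle_frame(self, ingress, src_mac, dst_mac, now=0):
        """Learn src_mac on ingress, then return the list of egress ports."""
        src, dst = src_mac.lower(), dst_mac.lower()
        # Learning: records a new host, or moves a known host to its new port,
        # and refreshes the timestamp either way.
        self.cam[src] = (ingress, now)
        # Forwarding decision.
        if dst == BROADCAST or dst not in self.cam:
            # Broadcast or unknown unicast: flood out every port except ingress.
            return [p for p in self.ports if p != ingress]
        egress, _ = self.cam[dst]
        if egress == ingress:
            return []   # filtering: destination is on the same segment as the source
        return [egress]

    def age_out(self, now):
        """Drop entries not refreshed within max_age seconds; return them."""
        stale = [m for m, (_, seen) in self.cam.items() if now - seen > self.max_age]
        for m in stale:
            del self.cam[m]
        return stale

    def port_of(self, mac):
        entry = self.cam.get(mac.lower())
        return entry[0] if entry else None


def demo():
    """Constructed sequence of frames exercising each switching function."""
    sw = Switch(ports=["Fa0/1", "Fa0/2", "Fa0/3"])
    log = []
    # Unknown destination: flooded.
    log.append(sw.handle_frame("Fa0/1", "00:aa:00:00:00:01", "00:aa:00:00:00:02", now=0))
    # Reply: both MACs now known, forwarded to exactly one port.
    log.append(sw.handle_frame("Fa0/2", "00:aa:00:00:00:02", "00:aa:00:00:00:01", now=1))
    # Host 02 moves to Fa0/3: its entry is updated with the new port.
    log.append(sw.handle_frame("Fa0/3", "00:aa:00:00:00:02", "00:aa:00:00:00:01", now=2))
    log.append(sw.handle_frame("Fa0/1", "00:aa:00:00:00:01", "00:aa:00:00:00:02", now=3))
    # Two hosts behind a hub on Fa0/3: a frame between them is filtered.
    log.append(sw.handle_frame("Fa0/3", "00:aa:00:00:00:04", "00:aa:00:00:00:02", now=4))
    return sw, log


if __name__ == "__main__":
    sw, log = demo()
    print(log)
    print(sw.cam)
```

The timestamp is what lets the switch forget hosts that went quiet; without it a moved or removed host would keep its old entry until overwritten by a new frame.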

VLAN Interview Questions and Answers

What is a VLAN and how it will reduce the broadcast traffic?


A VLAN is a logical grouping of network users and resources connected to administratively defined ports on a
switch. A VLAN divides the Broadcast Domain, so the frames that are broadcast onto the network are only
switched between the ports logically grouped within the same VLAN.

What is the difference between an access port and a trunk port?


Access port - Access Port belongs to and carries the traffic of only one VLAN. Anything arriving on an access
port is simply assumed to belong to the VLAN assigned to the port. Any device attached to an access link is
unaware of a VLAN membership as switches remove any VLAN information from the frame before it’s
forwarded out to an access-link device. Access-link devices can’t communicate with devices outside their VLAN
unless the packet is routed.
Trunk Ports - A Trunk Port can carry the traffic of multiple VLANs, from 1 to 4094 VLANs at a time. Normally a
trunk link is used to connect switches to other switches or to routers. Trunk ports support tagged and
untagged traffic simultaneously.

What is Frame Tagging and different types of Frame Tagging?


Frame tagging method uniquely assigns a VLan ID to each frame. It is used to identify the VLAN that the Frame
belongs to.
There are mainly two types of Frame Tagging Method:-
1.Inter-Switch Link (ISL)
2.802.1Q
These are also known as Frame Encapsulation Protocols.

Explain difference between 802.1Q and ISL ?


802.1Q - It is an open standard created by the Institute of Electrical and Electronics Engineers (IEEE). To
identify which VLAN a frame belongs to, a field is inserted into the frame's header. It is a lightweight
protocol and adds only 4 bytes to the frame's header.
ISL (Inter-Switch Link) - This protocol is Cisco proprietary which means, unlike 802.1Q, it can be used only
between Cisco switches. ISL works by adding a Header (26 Bytes) and Trailer (4 Bytes) around the original Ethernet
Frame.

What is a Native VLAN and What type of traffic will go through Native VLAN?
The Trunk port is assigned a default VLAN ID for a VLAN that all untagged traffic will travel on. This VLAN is
called the Native VLAN and is always VLAN 1 by default (but can be changed to any VLAN number). Similarly,
any untagged or tagged traffic with an unassigned VLAN ID is assumed to belong to the Native VLAN.
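The 4-byte 802.1Q tag and the native VLAN rule above can both be shown on real frame bytes. The Python below is an added example, not code from the page: it inserts a tag (TPID 0x8100 plus a 16-bit TCI carrying the 3-bit priority, 1-bit DEI and 12-bit VLAN ID) after the source MAC, and parses frames back, mapping untagged frames and tags whose VID is 0 to the native VLAN. The sample frame bytes are constructed.

```python
"""Building and parsing 802.1Q-tagged Ethernet frames, with untagged
frames mapped to the native VLAN.

Added example (not code from the original page). The Ethernet frame
bytes are constructed; the tag layout is the IEEE 802.1Q one: a 4-byte
tag (TPID 0x8100 + 16-bit TCI holding 3-bit PCP, 1-bit DEI, 12-bit VID)
inserted after the source MAC.
"""
import struct

TPID_8021Q = 0x8100


def tag_frame(frame, vlan_id, pcp=0):
    """Insert a 4-byte 802.1Q tag. VID 0 means 'priority tagged only'."""
    if not 0 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 0..4094")
    if not 0 <= pcp <= 7:
        raise ValueError("PCP must be 0..7")
    tci = (pcp << 13) | vlan_id          # DEI bit (bit 12) left clear
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame, native_vlan=1):
    """Return (vlan_id, was_tagged, untagged_frame).

    An untagged frame, or a tag whose VID is 0 (no VLAN assigned), is
    treated as belonging to the trunk's native VLAN, as the page states.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return native_vlan, False, frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    vid = tci & 0x0FFF
    untagged = frame[:12] + frame[16:]   # strip the tag: what an access port sees
    return (vid if vid != 0 else native_vlan), True, untagged


# Constructed ARP-shaped frame: broadcast dst, sample src, EtherType 0x0806.
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
                + bytes.fromhex("0806") + bytes.fromhex("00010800"))

if __name__ == "__main__":
    tagged = tag_frame(SAMPLE_FRAME, 10)
    print(tagged.hex())
    print(parse_frame(tagged), parse_frame(SAMPLE_FRAME))
```

Because parse_frame assigns every untagged frame to native_vlan, the value configured with switchport trunk native vlan decides which VLAN such frames land in on each trunk; both ends of a trunk must agree on it.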

What is Inter-Vlan Routing?


VLANs divide broadcast domains in a LAN environment, so by default only hosts that are members of the
same VLAN can communicate. Whenever hosts in one VLAN need to communicate with hosts in another
VLAN, the traffic must be routed between them. This is known as Inter-VLAN routing.
This can be done by two methods - Router-on-a-Stick & Switch Virtual Interfaces (SVI)

Give the commands to create VLAN?


Switch(config)# vlan 10
Switch(config-vlan)# name sales
Switch(config-vlan)# exit

How can we add an interface to a VLAN?


Switch(config)# interface fastethernet0/0
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10

How to configure trunk link?


Switch(config)# interface fa0/24
Switch(config-if)# switchport trunk encapsulation <dot1q/isl>
Switch(config-if)# switchport mode trunk

How can we change Native Vlan?


Switch(config)# interface fa0/0
Switch(config-if)# switchport trunk native vlan 100

Which command is used to see trunk interfaces?


Switch# show interface trunk

Which command is used to see all VLANs information?


Switch# show vlan

VTP Interview Questions and Answers (VLAN Trunking Protocol)

What is VTP?
VTP (VLAN Trunking Protocol) is a Cisco proprietary protocol used by Cisco switches to exchange VLAN
information. VTP is used to synchronize VLAN information (Example:-VLAN ID or VLAN Name) with switches
inside the same VTP domain.

What are different VTP modes?
VTP Server mode - By default every switch is in server mode. A switch in VTP Server Mode can create and delete
VLANs and will propagate VLAN changes.
VTP Client mode - A switch in VTP client mode cannot create or delete VLANs. VLAN Trunking Protocol (VTP)
client mode switches listen to VTP advertisements from other switches and modify their VLAN configurations
accordingly. It listens and forwards updates.
VTP Transparent mode - A switch in VTP Transparent mode does not share its VLAN database but it forwards
received VTP advertisements. We can create and delete VLANs on a VTP transparent switch but these changes
are not sent to other switches.

What are the requirements to exchange VTP messages between two switches?
1.Switch should be configured as either a VTP server or VTP client.
2.VTP domain name must be same on both switches.
3.VTP versions must match.
4.Link between the switches should be a trunk link.

What is VTP Pruning ?


VLAN Trunking Protocol (VTP) pruning is a feature in Cisco switches which stops traffic for a VLAN from
being sent down trunk links where it is not needed. Broadcast frames, multicast frames or
unicast frames for which the destination MAC address is unknown are forwarded over a trunk link only if the
switch on the receiving end of the trunk link has ports in the source VLAN. This avoids unnecessary flooding.
VLAN 1 can never be pruned because it's an administrative VLAN.

DTP Interview Questions and Answers (Dynamic Trunking Protocol)

Explain Dynamic Trunking Protocol (DTP) ?


Dynamic Trunking Protocol (DTP) is a Cisco proprietary trunking protocol used for negotiating trunking on a
link between two Cisco Switches. Dynamic Trunking Protocol (DTP) can also be used for negotiating the
encapsulation type of either 802.1q or Cisco ISL (Inter-Switch Link).

Explain dynamic desirable & dynamic auto?


Dynamic Desirable - It initiates negotiation. A switch port configured in DTP dynamic desirable mode will
actively try to convert the link to a trunk link if the port on the other side is capable of forming a trunk.
Dynamic Auto - It does not initiate negotiation but can respond to negotiation. A switch port configured as DTP
dynamic auto can form a trunk link if the switch interface on the other side is configured to form a trunk
and negotiates it using DTP.

STP Interview Questions and Answers (Spanning Tree Protocol)


What is STP and Redundant Links?
Spanning Tree Protocol (STP) is a protocol which prevents layer 2 loops. STP enables switches to become
aware of each other so that they can negotiate a Loop-Free path through network.
In practical Scenario, Redundant links are created to avoid complete network failure in an event of failure of
one link.

How STP works?


STP chooses a reference point (Root Bridge) in the network and calculates all the redundant paths to that
reference point. Then it picks one path on which to forward frames and blocks the other redundant paths. When
blocking happens, loops are prevented.

What are the different port states?


1.Disabled - A port in the disabled state does not participate in the STP.
2.Blocking - A blocked port does not forward frames. It only listens to BPDUs. The purpose of the blocking
state is to prevent the use of looped paths.
3.Listening - A port in listening state prepares to forward data frames without populating the MAC address
table. The port also sends and listens to BPDUs to make sure no loops occur on the network.
4.Learning - A port in learning state populates the MAC address table but doesn’t forward data frames. The
port still sends and receives BPDUs as before.
5.Forwarding - The port now can send and receive data frames, collect MAC addresses in its address table,
send and receive BPDUs. The port is now a fully functioning switch port within the spanning-tree topology.

What are STP Timers and Explain different types of STP Timers?
STP uses three timers to make sure that a network converges properly before a bridging loop can form.
Hello timer - The time interval between Configuration BPDUs sent by the root bridge. It is 2 seconds by
default.
Forward Delay timer - The time interval that a switch port spends in both the Listening and Learning states.
The default value is 15 seconds.
Max (Maximum) Age timer - Maximum length of time a BPDU can be stored without receiving an update. It
can also be defined as the time interval for which a switch stores a BPDU before discarding it. It is 20 seconds by
default.

Explain types of STP Port Roles?


Root port - The root port is always the link directly connected to the root bridge, or the shortest path to the
root bridge. It is always on Non-Root Bridge.
Designated port - A designated port is one that has been determined as having the best (lowest) cost. A
designated port will be marked as a forwarding port. It can be on both Root Bridge & Non Root Bridge. All
ports of Root Bridge are Designated Port.
Forwarding port - A forwarding port forwards frames.
Blocked port - A blocked port is the port that is used to prevent loops. It only listens to BPDUs. Any port other
than the Root port & Designated port is a Blocked Port.

What is BPDU?
All the switches exchange information to select the Root Bridge as well as for configuration of the network. This is
done through Bridge Protocol Data Units (BPDUs). Each switch compares the parameters in the BPDU that it
sends to one neighbor with the one that it receives from another neighbor.

What is the destination MAC address used by Bridge Protocol Data Units (BPDUs)?
Bridge Protocol Data Unit (BPDU) frames are sent to the multicast destination MAC address
01:80:c2:00:00:00.

What are Types of BPDU?


Two types of BPDU exist:-
Configuration BPDU - Used for Spanning-Tree Computation.
Topology Change Notification (TCN) BPDU - Used to announce changes in the Network Topology.

How Root bridge is elected?


The bridge ID is used to elect the root bridge in the STP domain. This ID is 8 bytes long and includes both the
priority and the MAC address of the device.
The switch with the lowest Bridge ID is elected as the Root Bridge, which means the switch with the lowest priority
becomes the Root Bridge; if two or more switches have the same priority, then the switch with the lowest MAC address
becomes the Root Bridge.

What is Path Cost or Spanning Tree Path Cost value?


The Spanning Tree Cost Value is inversely proportional to the bandwidth of the link and therefore a path with
a low cost value is preferred over a path with a high cost value.
Link Bandwidth     Cost Value
10 Gbps            2
1 Gbps             4
100 Mbps           19
10 Mbps            100

What is Root Port?


Once the Root Switch is elected, every other Switch in the network must select a single port on itself to reach
the Root Switch. The port with the lowest root path cost (lowest cumulative cost to reach root switch) is
elected as the root port and is placed in the forwarding state. Root Bridge will never have a Root Port.

What is Extended System ID?


The Extended System ID is utilized by spanning-tree to include the VLAN ID information inside 16-bit STP
Bridge Priority value. Extended System ID is the least significant 12-bits in 16-bit STP Bridge Priority value.
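The Root Bridge election, the Path Cost table, the Root Port rule and the Extended System ID layout from the four questions above fit together in one computation. The Python below is an added example, not code from the page: it builds the 8-byte bridge ID (16-bit priority field whose low 12 bits carry the VLAN, then the 48-bit MAC), elects the root by lowest bridge ID, and runs a shortest-path computation over the page's port costs to find each switch's root path cost and the neighbor on its root port. The switches, MACs and links are constructed.

```python
"""STP bridge ID with extended system ID, root bridge election and root
port selection by cumulative path cost.

Added example (not code from the original page). Bridge ID = 16-bit
priority field (4-bit configurable priority in steps of 4096, then the
12-bit extended system ID carrying the VLAN) followed by the 48-bit MAC;
lowest bridge ID wins. Port costs are the page's table. The switches,
MACs and links below are constructed.
"""
import heapq

PORT_COST = {10000: 2, 1000: 4, 100: 19, 10: 100}   # link Mbps -> cost


def bridge_id(priority, vlan, mac):
    """Return the 64-bit bridge ID as an integer."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 up to 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN must be 1..4094")
    priority_field = priority | vlan               # ext system ID = low 12 bits
    return (priority_field << 48) | int(mac.replace(":", ""), 16)


def elect_root(switches, vlan):
    """switches: {name: (priority, mac)} -> name with the lowest bridge ID."""
    return min(switches, key=lambda n: bridge_id(switches[n][0], vlan, switches[n][1]))


def root_ports(switches, links, vlan):
    """Return (root, {switch: (root_path_cost, neighbor_on_root_port)}).

    links: (switch_a, switch_b, mbps). Cost accumulates as a BPDU is
    received on each port along the path; ties on cost are broken by the
    lowest sender bridge ID. The root itself has cost 0 and no root port.
    """
    root = elect_root(switches, vlan)
    bid = {n: bridge_id(p, vlan, m) for n, (p, m) in switches.items()}
    adj = {}
    for a, b, mbps in links:
        adj.setdefault(a, []).append((b, PORT_COST[mbps]))
        adj.setdefault(b, []).append((a, PORT_COST[mbps]))
    best = {root: (0, -1, None)}                     # (cost, sender bid, via)
    heap = [(0, -1, root)]
    while heap:
        cost, sender, node = heapq.heappop(heap)
        if (cost, sender) > best[node][:2]:
            continue                                  # stale heap entry
        for nbr, c in adj.get(node, []):
            cand = (cost + c, bid[node], node)
            if nbr not in best or cand[:2] < best[nbr][:2]:
                best[nbr] = cand
                heapq.heappush(heap, (cand[0], cand[1], nbr))
    return root, {n: (cost, via) for n, (cost, _, via) in best.items()}


# Constructed topology: S3 has the lowest priority and becomes root.
SWITCHES = {
    "S1": (32768, "00:00:00:00:00:0a"),
    "S2": (32768, "00:00:00:00:00:0b"),
    "S3": (4096, "00:00:00:00:00:0c"),
}
LINKS = [("S1", "S2", 1000), ("S2", "S3", 1000), ("S1", "S3", 100)]

if __name__ == "__main__":
    print(root_ports(SWITCHES, LINKS, vlan=10))
```

S1 has a direct Fast Ethernet link to the root (cost 19) but selects the two-hop Gigabit path through S2 (4 + 4 = 8) as its root port, which is why the direct link ends up blocked.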

DHCP Interview Questions and Answers (Dynamic Host Configuration Protocol)


What is DHCP?
Dynamic Host Configuration Protocol (DHCP) assigns IP addresses to hosts dynamically. It allows easier
administration and works well in small as well as very large network environments. All types of hardware can
be used as a DHCP server including a Cisco router.

What information a DHCP server can provide to a host?


DHCP server can provide following information -
IP address
Subnet mask
Default gateway
Domain Name Server
WINS information

How DHCP Works?


DHCP works on DORA Process (DISCOVER - OFFER - REQUEST - ACKNOWLEDGEMENT).

1.When a Client needs an IP configuration, it tries to locate a DHCP server by sending a broadcast called
a DHCP DISCOVER. This message will have a Destination IP of 255.255.255.255 and Destination MAC of
ff:ff:ff:ff:ff:ff.
[Source IP - 0.0.0.0 , Destination IP - 255.255.255.255, Source Mac - Mac address of Host, Destination Mac -
FF:FF:FF:FF:FF:FF]
————————————————
2.On Receiving DHCP Discover, Server sends a DHCP OFFER message to the client. The DHCPOFFER is a
proposed configuration that may include IP address, DNS server address, and lease time. This message will be
unicast and have the destination mac address of DHCP client's mac address. The source mac address will be
that of the DHCP server.
[S.Mac - Mac address of Server , D.Mac - Mac address of Host]
————————————————
3.If the Client finds the Offer agreeable, it sends DHCP REQUEST Message requesting those particular IP
parameters. This message will be a Broadcast message.
[Source Mac - Mac address of Host, Destination Mac - FF:FF:FF:FF:FF:FF]
————————————————
4.The Server on receiving the DHCP REQUEST makes the configuration official by sending a unicast DHCP
ACK acknowledgment.
[Source Mac - Mac address of Server, Destination Mac - Mac address of Host]

What is the reason for getting APIPA address?


With APIPA, DHCP clients can automatically self-configure an IP address and subnet mask when a DHCP server
is not available. When a DHCP client boots up, it first looks for a DHCP server in order to obtain an IP address
and subnet mask.
A client uses the self-configured IP address until a DHCP server becomes available. The APIPA service also
checks regularly for the presence of a DHCP server. If it detects a DHCP server on the network, APIPA stops
and the DHCP server replaces the APIPA networking addresses with dynamically assigned addresses.

What is the range of APIPA address?
The IP address range is 169.254.0.1 through 169.254.255.254. The client also configures itself with a default
Class B subnet mask of 255.255.0.0.
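The DORA exchange and the APIPA fallback, as an added Python model (not from the original Q&A): each message carries the source/destination IP and MAC given above, and a client that receives no OFFER self-assigns a 169.254.0.0/16 address. The server, client, pool and lease values are constructed; the APIPA host part is derived from the MAC only to keep the run deterministic.

```python
from dataclasses import dataclass, field
import hashlib
import ipaddress

BROADCAST_IP = "255.255.255.255"
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
APIPA_NET = ipaddress.ip_network("169.254.0.0/16")

@dataclass
class DhcpMessage:
    kind: str            # DISCOVER, OFFER, REQUEST, ACK or NAK
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    xid: int             # transaction ID tying the four messages together
    options: dict = field(default_factory=dict)

class DhcpServer:
    def __init__(self, ip, mac, pool, mask, gateway, dns, lease_seconds):
        self.ip, self.mac = ip, mac
        self.pool = list(pool)            # free addresses (constructed)
        self.leases = {}                  # client MAC -> leased IP
        self.params = {"subnet_mask": mask, "router": gateway, "dns": dns,
                       "lease_time": lease_seconds}

    def handle(self, msg):
        if msg.kind == "DISCOVER":
            ip = self.leases.get(msg.src_mac) or (self.pool[0] if self.pool else None)
            if ip is None:
                return None               # pool exhausted: the server stays silent
            # OFFER is unicast to the client's MAC; the proposed address is 'your_ip'
            return DhcpMessage("OFFER", self.mac, msg.src_mac, self.ip, ip, msg.xid,
                               {"your_ip": ip, "server_id": self.ip, **self.params})
        if msg.kind == "REQUEST":
            if msg.options.get("server_id") != self.ip:
                return None               # the client accepted another server's offer
            ip = msg.options["requested_ip"]
            if ip not in self.pool and self.leases.get(msg.src_mac) != ip:
                # requested address is neither free nor this client's: NAK it
                return DhcpMessage("NAK", self.mac, msg.src_mac, self.ip, BROADCAST_IP, msg.xid)
            if ip in self.pool:
                self.pool.remove(ip)
            self.leases[msg.src_mac] = ip
            return DhcpMessage("ACK", self.mac, msg.src_mac, self.ip, ip, msg.xid,
                               {"your_ip": ip, "server_id": self.ip, **self.params})
        return None

class DhcpClient:
    def __init__(self, mac, xid):
        self.mac, self.xid = mac, xid
        self.ip = self.mask = None
        self.state = "INIT"

    def discover(self):
        self.state = "SELECTING"
        return DhcpMessage("DISCOVER", self.mac, BROADCAST_MAC, "0.0.0.0", BROADCAST_IP, self.xid)

    def request(self, offer):
        self.state = "REQUESTING"   # REQUEST is broadcast so every server learns which offer won
        return DhcpMessage("REQUEST", self.mac, BROADCAST_MAC, "0.0.0.0", BROADCAST_IP, self.xid,
                           {"requested_ip": offer.options["your_ip"],
                            "server_id": offer.options["server_id"]})

    def bind(self, ack):
        self.ip, self.mask, self.state = ack.options["your_ip"], ack.options["subnet_mask"], "BOUND"

    def apipa(self):
        # No server answered: self-assign 169.254.0.1 .. 169.254.255.254 with a /16 mask.
        # Real clients pick the host part at random and ARP-probe it; hashing the MAC
        # here only keeps the example deterministic.
        host = int(hashlib.sha256(self.mac.encode()).hexdigest(), 16) % 65534 + 1
        self.ip = str(APIPA_NET.network_address + host)
        self.mask, self.state = "255.255.0.0", "APIPA"

def run_dora(client, servers):
    """Drive one exchange; returns the messages as seen on the wire, in order."""
    discover = client.discover()
    wire = [discover]
    offers = [o for s in servers if (o := s.handle(discover)) is not None]  # broadcast reaches all
    wire.extend(offers)
    if not offers:
        client.apipa()
        return wire
    request = client.request(offers[0])          # the client takes the first offer received
    wire.append(request)
    for s in servers:
        reply = s.handle(request)
        if reply is not None:
            wire.append(reply)
            if reply.kind == "ACK":
                client.bind(reply)
    return wire

if __name__ == "__main__":
    server = DhcpServer("192.168.1.1", "02:00:00:00:00:01", ["192.168.1.10", "192.168.1.11"],
                        "255.255.255.0", "192.168.1.1", "192.168.1.53", 86400)
    host = DhcpClient("02:00:00:00:00:aa", xid=0x3903F326)
    for m in run_dora(host, [server]):
        print(f"{m.kind:8} {m.src_ip:>15} -> {m.dst_ip:<15} {m.src_mac} -> {m.dst_mac}")
    print("client bound to", host.ip, host.mask)
```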

What is the purpose of relay agent?


A DHCP relay agent is any host that forwards DHCP packets between clients and servers if server is not on the
same physical subnet. Relay agents are used to forward requests and replies between clients and servers
when they are not on the same physical subnet.
DHCP relay agent can be configured using the ip helper-address command.

What is DHCP decline message?


It is sent by the client to the server indicating that the network address is already in use (already assigned to another device).

What is DHCPNAK message?


If the server is unable to satisfy the DHCPREQUEST message (for example, the requested network address has already been
allocated), the server should send a DHCPNAK message to the client. It can also be sent if the client's notion of its network
address is incorrect (the client has moved to a new subnet) or the client's lease has expired.

SNMP Interview Questions and Answers (Simple Network Management Protocol)

What is SNMP?
The Simple Network Management Protocol (SNMP) enables a network device to share information about itself
and its activities. It uses the User Datagram Protocol (UDP) as the transport protocol for passing data between
managers and agents.

What are the Components of SNMP?


A complete SNMP system consists of the following parts:-
SNMP Manager - A network management system that uses SNMP to poll and receive data from any number of
network devices. The SNMP manager usually is an application that runs in a central location.
SNMP Agent - A process that runs on the network device being monitored. All types of data are gathered by
the device itself and stored in a local database. The agent can then respond to SNMP polls and queries with
information from the database, and it can send unsolicited alerts or “traps” to an SNMP manager.

Which Ports are used in SNMP?


SNMP uses the UDP port 161 for sending and receiving requests, and port 162 for receiving traps from
managed devices.

Explain MIB?
MIB is a hierarchical Database Structure for information on the device. Example - Serial numbers are in a
specific location, NIC Statistics etc.
What are different SNMP versions?
There are different versions of SNMP - SNMP V1, SNMP V2c, and SNMP V3.
SNMP version 1 - It is the oldest flavor. It is easy to set up – it only requires a plaintext community string.
SNMP version 2c - It is identical to Version 1, except that it adds support for 64-bit counters.
SNMP version 3 - It keeps the 64-bit counters of version 2c and adds security. SNMP version 3 adds both Encryption and
Authentication, which can be used together or separately.

CCNP Interview Questions and Answers

EIGRP Interview Questions and Answers CCNP

What is EIGRP?
Enhanced Interior Gateway Routing Protocol (EIGRP) is an enhanced distance vector routing protocol which
uses the Diffusing Update Algorithm (DUAL) to calculate the shortest path. It is also considered a Hybrid
Routing Protocol because it has characteristics of both Distance Vector and Link State Routing Protocols.
EIGRP supports classless routing and VLSM, route summarization, incremental updates, load balancing and
other features.

What are the requirements for neighborship in EIGRP?


The following fields in a hello packet must match for routers to become neighbors:-
1.Autonomous System number.
2.K-values.
3.Authentication.
4.Primary address should be used.
5.If a static neighborship is used, it must be defined on both sides.

What are the metric of EIGRP protocol & its default values?
1.Bandwidth (K1=1)
2.Load (K2=0)
3.Delay (K3=1)
4.Reliability (K4=0)
5.Maximum Transmission Unit (K5=0)
By default, EIGRP only uses bandwidth (K1) and delay (K3) to calculate metric.

Give the formula by which EIGRP calculates metric?


Metric = 256 * [(10^7 / lowest-bandwidth) + cumulative-delay]
The lowest bandwidth is the lowest-bandwidth link in the route, using a unit of kilobits per second.
The cumulative-delay value used in the formula is the sum of all the delay values for all links in the route, with
a unit of tens of microseconds.

What are the four basic components of EIGRP?


The four basic components of EIGRP are -
1. The Protocol Dependent Module - It supports IP, IPv6, IPX, AppleTalk.
2. The Reliable Transport Protocol - RTP is used in EIGRP for detecting packet loss and to ensure ordered
delivery of the packets.
3. The Neighbor Discovery and Recovery Module - Hello messages are used for Neighbor Discovery and
Recovery.
4. The Diffusing Update Algorithm - It is an algorithm used by EIGRP for selecting lowest cost loop free path
for each possible destination.

What are the different packet types used by EIGRP?


The packet types used by EIGRP are:-
1. Hello - Neighborship is discovered and maintained by Hello Packets.
2. Acknowledgment - ACK packets are used to acknowledge the receipt of update, query and reply packets.
Acknowledgment packets are Unicast.
3. Update - EIGRP uses Update messages to send Routing information to neighbors. Update packets can be
sent to a single neighbor using unicast or to a group of neighbors using multicast.
4. Query - Query packets are used when EIGRP router has lost path (Successor) to a certain network and does
not have any backup paths (Feasible Successor). Router sends query packets to its neighbors asking them if
they have information about this particular network. Query packets are multicast.
5. Reply - Reply packets are used in response to the query packets. Reply packets are unicast to the originator
of the query.

What is Reliable Transport Protocol?


EIGRP uses RTP (Reliable Transport Protocol) to deliver EIGRP packets between neighbors in a reliable and
ordered way. If an RTP-enabled packet gets lost in transit, it will be sent again (resent).

What packets are RTP enabled?


1.Update Packet.
2.Query Packet.
3.Reply Packet.

Explain what will happen if the packet is not acknowledged?


If a packet is not acknowledged, EIGRP will retransmit the packet to the non responding neighbor as a unicast.
No other traffic is sent to this neighbor until it responds. After 16 unacknowledged re-transmissions, the
neighbor is removed from the neighbor table.

Explain EIGRP Router ID?


In EIGRP, duplicate RIDs do not prevent routers from becoming neighbors, and two EIGRP routers with the
same router ID will still form a neighbor relationship. The only time the value of the EIGRP RID matters is when
injecting external (redistributed) routes into EIGRP. In this case, the routers injecting the external routes
should have unique RIDs to avoid confusion.
To manually configure the router ID
R1(config)# router eigrp 10
R1(config-router)# eigrp router-id 1.1.1.1

Explain Unequal Cost Load Balancing in EIGRP?


By default, EIGRP will automatically load-balance across equal-metric routes. EIGRP also supports load-
balancing across routes with an unequal metric. Unequal cost load balancing in EIGRP is the concept by which
load sharing can take place on paths that do not have equal metrics. In EIGRP, variance is used for
Unequal cost load balancing. Variance is specified as an integer in the range of 1 through 128. The router then
multiplies the variance by the successor route’s FD (metric of the best route to reach that subnet). Any
Feasible Successor route whose metric is less than or equal to the product of the variance and the successor's
FD is considered an equal route and can be placed into the routing table for load sharing.
Router(config)# router eigrp 100
Router(config-router)# variance 2
In this case the variance is 2.

Explain Split Horizon?


The Split Horizon feature prevents a route learned on one interface from being advertised back out of that
same interface. It is used to prevent loop in EIGRP.

Explain Null Zero?


It is a loop avoidance mechanism: an entry stored in the routing table only in the case of summarization (auto & manual).
It terminates or flushes unwanted packets; any traffic that goes towards null0 is dropped by EIGRP.

What is Active State and Passive State?


Routes for which the successor route fails and no feasible successor route exists move to the active state,
forcing EIGRP to send out query packets and reconverge.
A route is in the passive state when the router has a successor route and no failure has yet occurred. A stable
EIGRP network will have all routes in the Passive state.

Explain Stuck in Active?


When, for a certain prefix, the successor route fails and no feasible successor route exists, the router begins a
process of finding any loop-free alternative route to reach that prefix by sending Query messages to all of its
neighbors requesting a path to the lost prefix. If the neighbor routers do not have information about the lost
prefix, they forward the query message to further routers. Within a large network, particularly when
routers exist several router hops away, the number of Queries might not only be large, but there also might
be a string of routers that all must wait on multiple Reply messages before they can, in turn, issue a Reply. To
deal with this problem, Cisco IOS first sets a limit on how long it should take to receive all such
replies. This timer is called the active timer and is set to 3 minutes by default. Routes for which a router does
not receive a Reply within the active timer are considered to be Stuck-in-Active (SIA) routes. The router sends an
SIA-Query (Stuck-in-Active Query) EIGRP message to each neighbor that has yet to send back a Reply. The
purpose of the message is either to get an SIA-Reply back, indicating that the neighbor really is still waiting for
replies to its own queries (meaning the neighbor is alive and still working, so there is no need to kill the
neighborship), or to get nothing in reply, meaning the neighbor was not able to reply, so the action of failing the
neighborship is reasonable.

What is Graceful Shutdown and GoodBye message in EIGRP?


When an EIGRP process is shut down, router sends out “goodbye” messages to its neighbors. The neighbors
can then immediately begin recalculating paths to all the destinations that went through that shutdown
router without having to wait for the hold timer to expire.

How Passive Interface command works in EIGRP?


With EIGRP running on a network, the passive-interface command stops sending outgoing hello packets,
hence the router cannot form any neighbor relationship via the passive interface. This behavior stops both
outgoing and incoming routing updates. However, EIGRP still advertises the connected subnets if matched
with an EIGRP network command.
# router eigrp 1
# passive-interface fastethernet0/0
Command to see list of passive-interfaces
# show ip protocols

How can we change Hello and Hold time in EIGRP?


# interface Fa0/0
# ip hello-interval eigrp 100 3
# ip hold-time eigrp 100 12
These commands will make hello interval 3 seconds and hold time 12 seconds.

# show ip eigrp interfaces detail (To verify)

What is the Feasibility Condition in EIGRP?


For any route to be a feasible successor it has to fulfill feasibility condition which is as follows:-
Advertised distance of Feasible successor should be less than Feasible distance of Successor
AD of feasible successor < FD of successor.
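The metric formula, the feasibility condition and variance-based unequal cost load balancing worked through in an added Python example (not from the original Q&A). The router names and the per-hop bandwidth/delay values are constructed.

```python
def eigrp_metric(min_bandwidth_kbps, total_delay_tens_us,
                 k1=1, k2=0, k3=1, k4=0, k5=0, reliability=255, load=1):
    """EIGRP composite metric. With the default K-values (K1=K3=1, K2=K4=K5=0) it
    reduces to the formula above: 256 * (10^7 / lowest-bandwidth + cumulative-delay).
    Bandwidth is in kbit/s and delay in tens of microseconds, as in the formula."""
    bw = 10**7 // min_bandwidth_kbps            # integer division, as IOS does it
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * total_delay_tens_us
    if k5 != 0:                                  # reliability term only when K5 is set
        metric = metric * k5 // (reliability + k4)
    return 256 * metric

def path_metric(links):
    """links: list of (bandwidth_kbps, delay_tens_us) per hop. The metric uses the
    lowest bandwidth on the path and the sum of all delays."""
    return eigrp_metric(min(bw for bw, _ in links), sum(d for _, d in links))

def select_routes(candidates, variance=1):
    """candidates: neighbor -> (advertised_distance, metric_via_neighbor).
    Returns (successor, feasible_distance, feasible_successors, installed_routes)."""
    successor = min(candidates, key=lambda n: candidates[n][1])
    fd = candidates[successor][1]
    # Feasibility condition: the neighbor's advertised distance must be strictly
    # lower than our FD, which guarantees the neighbor is not routing through us.
    feasible = [n for n in candidates if n != successor and candidates[n][0] < fd]
    # Variance: a feasible successor whose metric <= variance * FD is installed too.
    installed = [successor] + [n for n in feasible if candidates[n][1] <= variance * fd]
    return successor, fd, feasible, installed

# Constructed topology seen from R1 for one destination: each neighbor's own path
# to it (remote hops) and R1's link to that neighbor (local hop).
REMOTE = {
    "R2": [(10_000, 100)],             # 10 Mbps Ethernet, 1000 us delay
    "R3": [(1_544, 2_000)],            # T1, 20000 us delay
    "R4": [(100_000, 200)],            # 100 Mbps, 2000 us delay
}
LOCAL = {"R2": (100_000, 10), "R3": (100_000, 10), "R4": (10_000, 100)}

def r1_candidates():
    """Advertised distance = neighbor's own metric; via = metric including R1's link."""
    return {n: (path_metric(REMOTE[n]), path_metric([LOCAL[n]] + REMOTE[n])) for n in REMOTE}

if __name__ == "__main__":
    for v in (1, 2):
        print(f"variance {v}:", select_routes(r1_candidates(), variance=v))
```

With variance 1 only the successor R2 is installed; R4 passes the feasibility condition and is added with variance 2, while R3 (a T1 path whose advertised distance exceeds the FD) is never a feasible successor.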

What is the Multicast IP address used by EIGRP?


EIGRP uses the multicast address 224.0.0.10

OSPF Interview Questions and Answers [CCNP]

What is OSPF Routing Protocol?


Open Shortest Path First is an Open Standard Link State routing protocol which works by using the Dijkstra
algorithm to initially construct the shortest paths and follows that by populating the routing table with the
resulting best paths.
What are the steps required to change Neighborship into adjacency?
1.Two-way communication (using Hello Protocol).
2.Database Synchronization which means exchange of Database Description (DD) packets, Link State Request
(LSR) packets, Link State Update (LSU) packets.
After Database synchronization is complete, the two routers are considered adjacent.

Explain LSA (Link-State Advertisement), LSU (Link State Update) and LSR (Link State Request)?
The LSAs (Link-State Advertisements) are used by OSPF routers to exchange routing and topology
information. When two neighbors decide to exchange routes, they send each other a list of all LSAs in their
respective topology database. Each router then checks its topology database and sends a Link State Request
(LSR) message requesting all LSAs that were not found in its topology table. The other router responds with a
Link State Update (LSU) that contains all LSAs requested by the neighbor.

Explain OSPF Router ID?


The Router ID is used to identify the router. The highest IP address of the router's loopback interfaces is chosen as the
Router ID; if no loopback is present, then the highest IP address of the router's physical interfaces will be chosen
as the Router ID. OSPF prevents neighborships between routers with duplicate RIDs. All OSPF RIDs in a domain
should be unique. The OSPF Router ID should not be changed after the OSPF process is started and the OSPF
neighborships are established. If you change the OSPF router ID, you need to either reload the IOS or use the
"clear ip ospf process" command (restart the OSPF process) for the changed RID to take effect.
To manually configure the router ID
R1(config)# router ospf 5
R1(config-router)# router-id 5.5.5.5

Can we use OSPF without backbone area?


Yes, but then only intra-area communication is possible. Inter-area communication is not possible without the
backbone area.

What is the difference between an OSPF neighbor and an adjacent neighbor?


LSAs are exchanged only among adjacent routers not among neighbor routers.

What are different neighbour states in OSPF ?


OSPF routers go through several states before establishing a neighbor relationship -
1. Down - No Hello packets have been received on the interface.
2. Attempt - In the Attempt state neighbors must be configured manually. It applies only to nonbroadcast multi-
access (NBMA) networks.
3. Init - The router has received a Hello message from the other OSPF router.
4. 2way - The neighbor has received the Hello message and replied with a Hello message of its own.
Bidirectional communication has been established. On a broadcast network the DR-BDR election can occur after this
point.
5. Exstart - DR & BDR establish adjacencies with each router in the network. The master-slave election takes
place (the master sends its DBD first).
6. Exchange - Routing information is exchanged using DBD (Database Descriptor) packets; Link-State Request
(LSR) and Link-State Update packets may also be sent.
7. Loading - LSRs (Link State Requests) are sent to neighbors for every network the router doesn't know about. The
neighbor replies with LSUs (Link State Updates) which contain information about the requested networks.
After all the requested information has been received, the other neighbor goes through the same process.
8. Full - All neighbor routers have synchronized databases and adjacencies have been established.

Explain different OSPF LSA Types?


1. Router LSA (Type1) - Each router generates a Type 1 LSA that lists its active interfaces, IP addresses,
neighbors and the cost. LSA Type 1 is flooded only within an area.
2. Network LSA (Type2) - A Type 2 LSA is sent out by the designated router (DR) and lists all the routers on the
segment it is adjacent to. Type 2 LSAs are flooded only within an area.
3. Summary LSA (Type3) - Type 3 LSAs are generated by Area Border Routers (ABRs) to advertise networks
from one area to the rest of the areas in the Autonomous System.
4. Summary ASBR LSA (Type4) - Generated by the ABR. It contains routes to ASBRs.
5. External LSA (Type5) - External LSAs are generated by ASBRs and contain routes to networks that are
external to the current Autonomous System.
6. Not-So-Stubby Area LSA (Type7) - Stub areas do not allow Type 5 LSAs. A Not So Stubby Area (NSSA) allows
advertisement of Type 5 LSAs as Type 7 LSAs. A Type 7 LSA is generated by an ASBR inside a Not So Stubby Area
(NSSA) to describe routes redistributed into the NSSA.

Why master slave needs to be elected between two neighbour interface?


Master sends its DBD (Database Description) First.

Explain different OSPF Network types ?


1.Broadcast
2.Non-Broadcast (NBMA)
3.Point-to-Point
4.Point-to-multipoint
5.Point-to-multipoint non-broadcast

What is the requirement of doing summarization?


1. Reduces the amount of information stored in routing tables.
2. Allocates an existing pool of addresses more economically.
3. Lessens the load on router processor and memory resources.
4. Less number of update messages.
5. Less bandwidth.

How routes are selected in OSPF according to preference?


Intra-Area routes (O) > Inter-Area routes (O IA) > External Type-1 (E1) > External Type-2 (E2) > NSSA Type-1 (N1) >
NSSA Type-2 (N2).

What is Route Redistribution?


Route redistribution is the process of taking routes learned via one routing protocol and injecting those routes
into another routing protocol domain.
For example two companies might merge, one company is using Enhanced Interior Gateway Routing Protocol
(EIGRP) and the other is using Open Shortest Path First (OSPF). Route redistribution allows exchanging of
routes between the two routing domains with a minimal amount of configuration and with little disruption to
the existing networks.

What is the default redistribution OSPF cost ?


Redistribution into OSPF uses the following defaults:-
1. When taking from BGP, use a default metric of 1.
2. When taking from another OSPF process, take the source route’s metric.
3. When taking from all other sources, use a default metric of 20.

What is the difference between Type-1 (E1) & Type-2 (E2) redistribution?
Type-2 is the default route type for routes learned via redistribution. The key with E2 routes is that the cost of
these routes reflects only the redistributed cost. E2 = only redistributed cost.
Type-1 redistributed routes reflect the cost to reach the ASBR + the redistributed cost. E1 = cost to reach ASBR +
redistributed cost.

Explain OSPF Virtual Link?


OSPF requires the use of a backbone area (area 0) with each area connecting to area 0 through an ABR.
However in some cases, regular area might not have a convenient point of connection to the backbone area.
In this case, OSPF uses virtual link to connect that regular area to backbone area virtually. An OSPF virtual link
allows two ABRs that connect to the same non-backbone area to form a neighbor relationship through that
non-backbone area, even when separated by many other routers and subnets. This virtual link acts like a
virtual point-to-point connection between the two routers, with that link inside area 0. The routers form a
neighbor relationship, inside area 0, and flood LSAs over that link.

Explain OSPF Stub Area and different types of Stub Areas?


Stub Area
Sometimes we need to control the advertisement of external routes into an area. This area is called Stub area.
Stub areas are not capable of importing routes external to OSPF. Type 4 & Type 5 LSAs are filtered from Stub
areas and a default route is injected into that area by the ABR in place of external routes. To make an area stub we
have to give the # area 1 stub command on all routers of that area.
Three restrictions apply to OSPF stub areas
1.No virtual links are allowed in stub area.
2.Stub area cannot be a backbone area.
3.No Autonomous System Boundary Routers are allowed.

Totally Stubby Area


Like stub areas, totally stubby areas do not receive type 4 or 5 LSAs from their ABRs. However, they also do
not receive type 3 LSAs. It only allows advertisement of internal routes in that area.
To make area totally stubby area we have to give # area 1 stub no-summary command on ABR.

Not-So-Stubby Areas
The motivation behind NSSA is to allow OSPF stub areas to carry external routes. External routes are imported
into OSPF NSSA as Type 7 LSA by ASBR. Type 7 LSA cannot go into area 0 so it is converted back into Type 5
LSA by ABR and injected into area 0.
To make area Not-So-Stubby Area we have to give # area 1 NSSA command on all routers of that area.

Totally NSSA
Along with Type 4 & Type 5 LSA, Type 3 LSA will also be filtered in Totally NSSA.
To make area Totally Not-So-Stubby Area we have to give # area 1 nssa no-summary command on ABR of that
area.

How do I change the reference bandwidth in OSPF?


We can change the reference bandwidth using the auto-cost reference-bandwidth command under
router ospf. By default, the reference bandwidth is 100 Mbps.

How does OSPF calculate its metric or cost?


OSPF uses Cost as its metric. The formula to calculate the OSPF cost is reference bandwidth divided by
interface bandwidth. For example, in the case of Ethernet, it is 100 Mbps / 10 Mbps = 10.
If # ip ospf cost _ command is used on the interface, it overrides this formulated cost.
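Added Python example (not from the original Q&A) covering the cost formula with the default and a raised reference bandwidth, the E1/E2 cost rule, and the route-type preference order given above. The candidate routes and their costs are constructed.

```python
DEFAULT_REFERENCE_BW_MBPS = 100

def ospf_cost(interface_bw_mbps, reference_bw_mbps=DEFAULT_REFERENCE_BW_MBPS):
    """Interface cost = reference bandwidth / interface bandwidth, truncated to an
    integer and never below 1 (an 'ip ospf cost' on the interface would override it)."""
    return max(1, reference_bw_mbps // interface_bw_mbps)

def interface_costs(speeds_mbps, reference_bw_mbps=DEFAULT_REFERENCE_BW_MBPS):
    return {s: ospf_cost(s, reference_bw_mbps) for s in speeds_mbps}

# Route-type preference from the answer above (lower rank wins regardless of cost).
ROUTE_RANK = {"O": 0, "O IA": 1, "E1": 2, "E2": 3, "N1": 4, "N2": 5}

def effective_cost(route):
    """E1/N1: cost to the ASBR + redistributed cost. E2/N2: redistributed cost only.
    O / O IA routes carry their full path cost in 'metric'."""
    if route["type"] in ("E1", "N1"):
        return route["cost_to_asbr"] + route["metric"]
    return route["metric"]

def best_route(routes):
    """Prefer route type first, then effective cost; among equal E2/N2 routes the one
    with the cheaper path to its ASBR wins (the usual forward-metric tie-break)."""
    return min(routes, key=lambda r: (ROUTE_RANK[r["type"]], effective_cost(r),
                                      r.get("cost_to_asbr", 0)))

if __name__ == "__main__":
    # With the default reference bandwidth, 100 Mbps, 1 Gbps and 10 Gbps all cost 1,
    # so SPF cannot tell them apart; raising it to 10000 restores the distinction.
    print(interface_costs([10, 100, 1_000, 10_000]))
    print(interface_costs([10, 100, 1_000, 10_000], reference_bw_mbps=10_000))
    candidates = [
        {"type": "E2", "metric": 20, "cost_to_asbr": 30},
        {"type": "E2", "metric": 20, "cost_to_asbr": 12},
        {"type": "E1", "metric": 20, "cost_to_asbr": 50},
    ]
    print(best_route(candidates))
```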

Explain OSPF Authentication?


These are the three different types of authentication supported by OSPF to secure routing updates.
1.Null Authentication - also called Type 0. It means no authentication information is included in the packet
header. It is the default.
2.Plain Text Authentication - also called Type 1. It uses simple clear-text passwords.
3.MD5 Authentication - also called Type 2. It uses MD5 cryptographic passwords.

Plain Text Authentication


Step1 - To configure plain text authentication, first we have to enable authentication. Authentication can be
enabled either under area or for specific interface.
To enable authentication for area
Router(config)# router ospf 100
Router(config-router)# network 192.168.1.0 0.0.0.255 area 0
Router(config-router)# area 0 authentication
This will enable authentication for all the interfaces of the router in area 0.
OR
If we don't want to enable authentication for an area, we can enable it for a specific interface. This is useful if
different interfaces that belong to the same area need to use different authentication methods.
Router(config)# interface fa0/1
Router(config-if)# ip ospf authentication

Step2 - Next, We have to configure authentication key on the interface


Router(config)# interface fa0/1
Router(config-if)# ip ospf authentication-key Cisco123
Here Cisco123 is the password value.
MD5 Authentication
Step1 - To configure MD5 authentication, first we have to enable authentication.
Router(config)# router ospf 1
Router(config-router)# network 192.168.1.0 0.0.0.255 area 0
Router(config-router)# area 0 authentication message-digest
OR
Router(config)# interface fa0/1
Router(config-if)# ip ospf authentication message-digest
Step2 - Next, We have to configure authentication key on the interface
Router(config)# interface fa0/1
Router(config-if)# ip ospf message-digest-key 10 md5 Cisco123
Here Cisco123 is the password value and 10 is the Key ID (number). It doesn’t matter which key ID you choose
but it has to be the same on both ends.
Authentication passwords do not have to be the same throughout an area. However, they must be same
between neighbors.
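What the router does with the key ID and password above, as an added Python example (not the original's configuration): the RFC 2328 Appendix D construction, in which MD5 is computed over the packet plus the zero-padded key, the digest is appended after the packet, and the key itself never goes on the wire. The Hello body, router ID and sequence number are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct

# OSPFv2 header without the 8-byte authentication field:
# version, type, packet length, router ID, area ID, checksum, AuType
OSPF_HEADER = struct.Struct("!BBHIIHH")
AUTH_FIELD = struct.Struct("!HBBI")      # reserved, Key ID, Auth Data Len, sequence number
AUTYPE_MD5 = 2                           # "Type 2" in the answer above
HELLO = 1
DIGEST_LEN = 16

def pad_key(key: bytes) -> bytes:
    """Keys shorter than 16 bytes are zero-padded to 16 bytes before hashing."""
    if len(key) > 16:
        raise ValueError("OSPF MD5 keys are at most 16 bytes")
    return key.ljust(16, b"\x00")

def sign_packet(pkt_type, body, router_id, area_id, key_id, key, seq):
    """Build an OSPF packet protected with AuType 2. The checksum field stays 0, the
    authentication field carries Key ID / length / sequence number, and the digest is
    MD5(packet || padded key), appended after the packet (not counted in its length)."""
    length = OSPF_HEADER.size + AUTH_FIELD.size + len(body)
    header = OSPF_HEADER.pack(2, pkt_type, length, int(ipaddress.IPv4Address(router_id)),
                              int(ipaddress.IPv4Address(area_id)), 0, AUTYPE_MD5)
    packet = header + AUTH_FIELD.pack(0, key_id, DIGEST_LEN, seq) + body
    return packet + hashlib.md5(packet + pad_key(key)).digest()

def verify_packet(wire, keys, last_seq):
    """keys: Key ID -> secret configured on this interface; last_seq: highest sequence
    number already accepted from the neighbour. Returns (ok, reason, seq)."""
    if len(wire) < OSPF_HEADER.size + AUTH_FIELD.size + DIGEST_LEN:
        return False, "packet too short", None
    _, _, length, _, _, _, autype = OSPF_HEADER.unpack_from(wire)
    if autype != AUTYPE_MD5:
        return False, "AuType is not cryptographic (2)", None
    _, key_id, auth_len, seq = AUTH_FIELD.unpack_from(wire, OSPF_HEADER.size)
    if auth_len != DIGEST_LEN or len(wire) != length + DIGEST_LEN:
        return False, "bad authentication length", seq
    key = keys.get(key_id)
    if key is None:                      # this is why the Key ID must match on both ends
        return False, f"no key configured for Key ID {key_id}", seq
    if seq < last_seq:
        return False, "sequence number went backwards (possible replay)", seq
    packet, received = wire[:length], wire[length:]
    expected = hashlib.md5(packet + pad_key(key)).digest()
    if not hmac.compare_digest(expected, received):
        return False, "digest mismatch (wrong key or altered packet)", seq
    return True, "ok", seq

if __name__ == "__main__":
    # Constructed Hello body (20 zero bytes) from router 1.1.1.1 in area 0, Key ID 10.
    wire = sign_packet(HELLO, b"\x00" * 20, "1.1.1.1", "0.0.0.0", 10, b"Cisco123", seq=1000)
    print(verify_packet(wire, {10: b"Cisco123"}, last_seq=0))
    print(verify_packet(wire, {10: b"WrongKey"}, last_seq=0))
```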

Which command enables OSPF for IPv6 on a router?


# ipv6 router ospf process-id

What is the link-state retransmit interval, and what is the command to set it?
OSPF must send acknowledgment of each newly received link-state advertisement (LSA). LSAs are
retransmitted until they are acknowledged. The link-state retransmit interval defines the time between
retransmissions. We can use the command ip ospf retransmit-interval to set the retransmit interval. The
default value is 5 seconds.

When routes are redistributed between OSPF processes, are all shortest path first algorithm (SPF) metrics
preserved or is the default metric value used?
The SPF metrics are preserved. The redistribution between them is like redistribution between any two IP
routing processes.

How do I stop individual interfaces from developing adjacencies in an OSPF network?


To stop routers from becoming OSPF neighbors on a particular interface, issue the passive-interface
command for that interface.

When I have two type 5 link-state advertisements (LSAs) for the same external network in the OSPF database,
which path should be installed in the routing table?
When you have two type 5 LSAs for the same external network in the OSPF database, prefer the external LSA
that has the shortest path to the Autonomous System Boundary Router (ASBR) and install that into the IP
routing table. Use the show ip ospf border-routers command to check the cost to the ASBR.

Should I use the same process number while configuring OSPF on multiple routers within the same network?
OSPF, unlike Border Gateway Protocol (BGP) or Enhanced Interior Gateway Routing Protocol (EIGRP) does not
check the process number (or autonomous system number) when adjacencies are formed between
neighboring routers and routing information is exchanged.

Can we have OSPF run over a GRE tunnel?
Yes, we can have OSPF run over a GRE tunnel.

BGP Interview Questions and Answers

Explain Border Gateway Protocol (BGP) ?


Border Gateway Protocol advertises, learns and chooses the best paths inside the global Internet. When two
ISPs connect, they typically use BGP to exchange routing information. Enterprises also sometimes use BGP to
exchange routing information with ISPs, allowing the Enterprise routers to learn Internet routes. When we
have multiple Internet connections and we want to influence some packets to take one path and some
packets to take another, we use BGP.

Can Routers on different subnet become BGP neighbors?


BGP does not require neighbors to be attached to the same subnet. Instead, BGP routers use a TCP
connection between the routers to pass BGP messages allowing neighboring routers to be on the same or
different subnet.

What TCP port number BGP use for connection?


BGP uses TCP port 179 for the connection.

Difference between eBGP and iBGP neighbor?


In iBGP, neighborship is formed between routers within the same AS (autonomous system), whereas in eBGP,
neighborship is formed between routers in different ASes.

What Administrative Distance BGP uses for iBGP & eBGP ?


AD for iBGP = 200, AD for eBGP = 20.

Explain Loop prevention mechanism in BGP?


BGP uses two mechanisms to prevent loops:-
1. When a router learns routes from an iBGP peer, that router does not advertise the same routes to another
iBGP peer.
2. By using AS_PATH - When advertising to an eBGP peer, a BGP router adds its own ASN to the AS_PATH. If a
BGP router receives an update and the route advertisement lists an AS_PATH with its own ASN, the router
ignores that route.
Note - A BGP router does not add its ASN when advertising to an iBGP peer.

Do we need to follow 3 way handshake process to establish BGP communication?


Yes

What is the difference between hard reset and soft reset in BGP?
In case of a hard reset the local router brings down the neighborship, brings down the underlying TCP
connection, and all the BGP table entries learned from that neighbor are removed. The # clear ip bgp * command is
used for a hard reset.
In case of a soft reset, the router does not bring down the BGP neighborship or the underlying TCP connection.
However, the local router resends outgoing Updates and reprocesses incoming Updates, adjusting the BGP
table based on the current configuration. The # clear ip bgp * soft command is used for a soft reset.

What are different BGP Message Types?


1. Open - It is Used to establish a neighbor relationship and exchange parameters, including autonomous
system number and authentication values.
2. Keepalive - It is sent periodically to maintain the neighbor relationship. If a Keepalive message is not
received within the negotiated Hold timer, then the BGP neighborship is torn down.
3. Update - It exchanges Path Attributes and the associated prefix/length (NLRI) that use those attributes.
4. Notification - It is Used to report BGP error. It results in a reset of neighbor relationship.

Explain various states of BGP?


1. Idle - The BGP process is either administratively down or waiting for the next retry attempt.
2. Connect - The BGP process is waiting for the TCP connection to be completed. If it is successful, it will
continue to the OpenSent state. In case it fails, it will continue to the Active state.
3. Active - BGP will try another TCP three-way handshake to establish a connection with the remote BGP
neighbor. If it is successful, it will move to the OpenSent state.
4. Opensent - The TCP connection exists, and a BGP Open message has been sent to the peer, but the
matching Open message has not yet been received from the other router.
5. Openconfirm - An Open message has been both sent to and received from the other router.
Next step is to receive a BGP Keepalive message (to confirm that all neighbor-related parameters match) or a
BGP Notification message (to learn that there is some mismatch in neighbor parameters).
6. Established - All neighbor parameters matched, the neighbor relationship has been established and the
peers can now exchange Update messages

Explain BGP Path Attributes?


BGP supports a wide variety of Path Attributes. BGP uses these path attributes to examine the competing BGP
paths (routes) in the BGP table and choose the best path (route).
1. Next Hop - It lists the next-hop IP address used to reach a prefix. If there is no route to reach the Next
Hop, the router cannot use this path.
2. Weight - It is a numeric value set by a router when receiving updates to influence the route for a prefix. It is
not advertised to any BGP peers. Bigger is preferred.
3. Local Preference - It is a numeric value set and communicated within a single AS for the purpose of
choosing the best route for all routers in that AS to reach a certain network. Bigger is preferred.
4. Locally injected routes - Locally injected routes (routes injected using the network command) are better than
iBGP/eBGP learned routes.
5. AS Path - It is the length of the AS Path (the number of ASNs in it). Shorter is preferred.
6. Origin - I is preferred over E, and E over ?. It states how the route was injected into BGP: I (IGP), E (EGP) or ?
(incomplete information).
7. Multi-Exit Discriminator (MED) - Allows an AS to tell a neighboring AS the best path to forward packets
into the first AS. Smaller is preferred.
8. Neighbor type - eBGP is preferred over iBGP.
9. IGP metric - The route with the nearest IGP neighbor (lowest IGP metric) is preferred.
10. eBGP route - The oldest (longest known) eBGP route is preferred.
11. Neighbor Router ID - Lowest is preferred.
12. Neighbor IP address - Lowest is preferred.
Trick to Remember - N WLLA OMNI
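The selection order above, as an added example that is not part of the original page: a small best-path function that ranks candidate paths attribute by attribute in the N WLLA OMNI order and also reports which attribute decided the outcome, which is what you want when explaining a surprising selection. All prefixes, addresses, ASNs and neighbour IDs are constructed sample values; the MED comparison is simplified (see the comment).

```python
# Added example, not from the original page: BGP best-path selection that
# applies the attribute order listed above (N WLLA OMNI) to a set of
# candidate paths. All prefixes, addresses and ASNs are constructed samples.
from dataclasses import dataclass, field
from typing import List, Optional

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # IGP better than EGP better than incomplete


@dataclass
class BgpPath:
    prefix: str
    next_hop: str
    next_hop_reachable: bool            # step 1: unresolvable next hop -> path unusable
    weight: int = 0                     # step 2: Cisco-local, bigger preferred
    local_pref: int = 100               # step 3: bigger preferred
    locally_injected: bool = False      # step 4: 'network' command routes preferred
    as_path: List[int] = field(default_factory=list)  # step 5: shorter preferred
    origin: str = "i"                   # step 6: i over e over ?
    med: int = 0                        # step 7: smaller preferred
    ebgp: bool = True                   # step 8: eBGP over iBGP
    igp_metric: int = 0                 # step 9: smaller preferred
    age: int = 0                        # step 10: oldest eBGP path preferred (seconds known)
    neighbor_rid: str = "0.0.0.0"       # step 11: lowest preferred
    neighbor_ip: str = "0.0.0.0"        # step 12: lowest preferred


STEP_NAMES = ["weight", "local_pref", "locally_injected", "as_path_length", "origin",
              "med", "neighbor_type", "igp_metric", "ebgp_age", "neighbor_rid", "neighbor_ip"]


def _ip_key(ip: str):
    return tuple(int(octet) for octet in ip.split("."))


def sort_key(p: BgpPath):
    # Python sorts ascending, so "bigger is preferred" attributes are negated.
    # Simplification (assumption of this example): MED is compared across all
    # candidates; real BGP compares MED only between paths from the same neighbouring AS.
    return (
        -p.weight,
        -p.local_pref,
        0 if p.locally_injected else 1,
        len(p.as_path),
        ORIGIN_RANK[p.origin],
        p.med,
        0 if p.ebgp else 1,
        p.igp_metric,
        -p.age if p.ebgp else 0,
        _ip_key(p.neighbor_rid),
        _ip_key(p.neighbor_ip),
    )


def best_path(paths: List[BgpPath]) -> Optional[BgpPath]:
    """Return the path the router would install, or None when no candidate has a reachable next hop."""
    usable = [p for p in paths if p.next_hop_reachable]
    return min(usable, key=sort_key) if usable else None


def deciding_attribute(paths: List[BgpPath]) -> Optional[str]:
    """Name the first attribute that separated the winner from the runner-up."""
    ranked = sorted((p for p in paths if p.next_hop_reachable), key=sort_key)
    if len(ranked) < 2:
        return None
    for name, a, b in zip(STEP_NAMES, sort_key(ranked[0]), sort_key(ranked[1])):
        if a != b:
            return name
    return None


def sample_table() -> List[BgpPath]:
    # Constructed BGP table for 10.0.0.0/24 with three candidate paths.
    return [
        BgpPath("10.0.0.0/24", "192.0.2.1", True, as_path=[65001, 65002],
                neighbor_rid="2.2.2.2", neighbor_ip="192.0.2.1"),
        BgpPath("10.0.0.0/24", "192.0.2.5", True, local_pref=200, as_path=[65003],
                neighbor_rid="1.1.1.1", neighbor_ip="192.0.2.5"),
        # Highest weight, but its next hop cannot be resolved, so it is never considered.
        BgpPath("10.0.0.0/24", "198.51.100.9", False, weight=500, as_path=[65004],
                neighbor_rid="3.3.3.3", neighbor_ip="198.51.100.9"),
    ]


if __name__ == "__main__":
    table = sample_table()
    chosen = best_path(table)
    print(f"best path via {chosen.next_hop}, decided by {deciding_attribute(table)}")
```

Note that the path with weight 500 never wins: step 1 (next-hop reachability) is a filter, not a tie-breaker, so an unresolvable next hop disqualifies the path no matter how attractive its other attributes are.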

Explain BGP Weight attribute?


The weight attribute is a Cisco proprietary attribute that is used in the path selection process when there is
more than one route to the same destination. A path with the higher weight value is preferred. The default
value for weight is 0. The weight attribute is local to the router and is not propagated to any BGP peers.
The weight attribute is set by a router when receiving updates and influences only that one router's route for a prefix.

Explain BGP Local preference?


Local preference is an indication to the AS about which path has preference to exit the AS in order to reach a
certain network. A path with a higher local preference is preferred. The default value for local preference
is 100 and can be changed manually. Unlike the weight attribute, which is only relevant to the local router, the
local preference attribute is communicated throughout a single AS for the purpose of influencing the choice of
the best path to exit the AS.

Explain BGP MED?


The purpose of MED is to influence how other autonomous systems enter your AS to reach a certain
prefix. BGP MED is an attribute which is not propagated throughout the whole network but only to the adjacent
AS. The lower the MED, the more the path is preferred.

What is Recursive Lookup?


The router looks up the BGP route and the next hop to reach a destination in the remote AS. Then the router
looks up the route to reach that next hop. In this way the router has to perform two lookups to reach a
destination; this process is called recursive lookup.
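The two-step resolution described above, as an added example that is not part of the original page: a longest-prefix-match lookup that is repeated until an entry with an outgoing interface is reached, with a depth limit so that two routes pointing at each other cannot spin forever. The routing table entries, addresses and interface names are constructed sample data.

```python
# Added example, not from the original page: resolving a BGP-learned route
# whose next hop lies in another AS by repeated longest-prefix lookups.
# The routing table below is constructed sample data.
import ipaddress
from typing import List, Optional, Tuple

# (prefix, next hop, outgoing interface); an entry carries either a next hop
# (needs another lookup) or an interface (directly reachable).
Route = Tuple[str, Optional[str], Optional[str]]

SAMPLE_RIB: List[Route] = [
    ("10.20.0.0/16", "203.0.113.2", None),            # learned via eBGP, next hop is the peer in the remote AS
    ("203.0.113.0/30", None, "GigabitEthernet0/1"),    # connected link to that eBGP peer
    ("192.0.2.0/24", None, "GigabitEthernet0/0"),
    ("0.0.0.0/0", "192.0.2.1", None),                  # default route, itself recursive
]


def longest_prefix_match(rib: List[Route], ip: str) -> Optional[Route]:
    addr = ipaddress.ip_address(ip)
    best = None
    for route in rib:
        net = ipaddress.ip_network(route[0])
        if addr in net and (best is None or net.prefixlen > ipaddress.ip_network(best[0]).prefixlen):
            best = route
    return best


def resolve(rib: List[Route], dst: str, max_depth: int = 8):
    """Return (outgoing interface, lookups performed); each lookup is (address looked up, matching prefix).

    Raises ValueError when the chain ends without an interface (unresolvable next hop) or when
    routes point at each other (the depth limit guards against that loop)."""
    lookups = []
    target = dst
    for _ in range(max_depth):
        route = longest_prefix_match(rib, target)
        if route is None:
            raise ValueError(f"no route to {target}")
        prefix, next_hop, iface = route
        lookups.append((target, prefix))
        if iface is not None:
            return iface, lookups
        target = next_hop            # recurse: now look up how to reach the next hop itself
    raise ValueError(f"next hop for {dst} did not resolve within {max_depth} lookups")


if __name__ == "__main__":
    iface, steps = resolve(SAMPLE_RIB, "10.20.5.7")
    for addr, prefix in steps:
        print(f"lookup {addr:>15} -> {prefix}")
    print("forward out", iface)
```

A real router refuses to install a BGP route whose next hop does not resolve (the "next hop reachable" check in the path attributes above); the ValueError here corresponds to that rejection.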

What is route reflector and why it is required?


In BGP, a route learned from an iBGP neighbor will not be advertised to another iBGP neighbor. To overcome
this limitation a route reflector is used. It acts as a route reflector server and makes its iBGP neighbors route
reflector clients, enabling route advertisements between them.

What is the difference between Local Preference and MED?


The Local Preference attribute influences how your own AS exits to reach another AS.
MED influences how other autonomous systems enter your own AS.

What is the command to administratively disable BGP neighborship?


# neighbor neighbor-ip shutdown
# no neighbor neighbor-ip shutdown (to enable it again)

STP Interview Questions and Answers [CCNP]

What is STP & Redundant Links?


Spanning Tree Protocol (STP) is a protocol which prevents layer 2 loops. STP enables switches to become
aware of each other so that they can negotiate a loop-free path through the network. In practice,
redundant links are created so that the failure of one link does not cause a complete network failure.

How STP works?


STP chooses a reference point (Root Bridge) in the network and calculates all the redundant paths to that
reference point. Then it picks one path by which to forward frames and blocks the other redundant paths.

What are the different port states?


1. Disabled - A port in the disabled state does not participate in the STP.
2. Blocking - A blocked port does not forward frames. It only listens to BPDUs. The purpose of the blocking
state is to prevent the use of looped paths.
3. Listening - A port in the listening state prepares to forward data frames without populating the MAC
address table. The port also sends and listens to BPDUs to make sure no loops occur on the network.
4. Learning - A port in learning state populates the MAC address table but doesn’t forward data frames. The
port still sends and receives BPDUs as before.
5. Forwarding - The port now can send and receive data frames, collect MAC addresses in its address table,
send and receive BPDUs. The port is now a fully functioning switch port within the spanning-tree topology.

What is the default time a port takes to transition from the blocking state to the forwarding state?
The default time a port takes to transition from the blocking state to the forwarding state is 50 seconds: 20
seconds for Max Age, 15 seconds for listening, and 15 seconds for learning.

What are STP Timers and Explain different types of STP Timers?
STP uses three timers to make sure that a network converges properly before a bridging loop can form.
1. Hello - The time interval between Configuration BPDUs sent by the root bridge. It is 2 seconds by default.
2. Forward Delay - The time interval that a switch port spends in both the Listening and Learning states. The
default value is 15 seconds.
3. Max Age - The maximum length of time a BPDU can be stored without receiving an update. It can also be defined
as the time interval that a switch stores a BPDU before discarding it. It is 20 seconds by default.

Explain types of STP Port Roles?


1. Root port - The root port is always the link directly connected to the root bridge, or the shortest path to the
root bridge. It is always on Non-Root Bridge.
2. Designated port - A designated port is one that has been determined as having the best (lowest) cost. A
designated port will be marked as a forwarding port. It can be on both Root Bridge & Non Root Bridge. All
ports of Root Bridge are Designated Port.
3. Forwarding port - A forwarding port forwards frames.
4. Blocked port - A blocked port is a port that is used to prevent loops. It only listens to BPDUs. Any port
other than a Root port or a Designated port is a Blocked port.

What is the STP blocking state?
When a switch starts, all ports are in the blocking state to prevent any loop in the network. If there is a better
path to the root bridge, the port remains in the blocked state. Ports in the blocked state cannot send or
receive traffic, but they can receive BPDUs.

What is BPDU?
All the switches exchange information to select Root Bridge as well as for configuration of the network. This is
done through Bridge Protocol Data Unit (BPDU). Each switch compares the parameters in the BPDU that it
sends to one neighbor with the one that it receives from another neighbor.

How often do Bridges send BPDUs on active ports?


The default time that bridges send BPDUs is 2 seconds.

What is the destination MAC address used by Bridge Protocol Data Units (BPDUs)?
Bridge Protocol Data Unit (BPDU) frames are sent to the multicast destination MAC address
01:80:c2:00:00:00.

What are Types of BPDU?


Two types of BPDU exist -
1. Configuration BPDU - Used for Spanning-Tree Computation.
2. Topology Change Notification (TCN) BPDU - Used to announce changes in the Network Topology.

How Root bridge is elected?


The Bridge ID is used to elect the root bridge in the STP domain. This ID is 8 bytes long and includes both the
priority and the MAC address of the device. The switch with the lowest Bridge ID is elected as the Root Bridge,
which means the switch with the lowest priority becomes the Root Bridge; if two or more switches have the same
priority, the switch with the lowest MAC address becomes the Root Bridge.

Explain Root path cost?


Root path cost is the Cumulative Cost of all links to the Root Bridge.

How Root Ports are elected?


Non Root Bridges use Root path cost to determine which port will be the Root port. The port with the lowest
root path cost is elected as the root port and is placed in the forwarding state.

What is the difference between Path cost and Root Path cost?
Path cost is the value assigned to each port. It is added to BPDUs received on that port to calculate the root
path cost. Root path cost is defined as the cumulative cost to reach the root bridge. This value is calculated by
adding the receiving port's path cost to the value contained in the BPDU. It is the root path cost, not the path
cost, that is transmitted in a BPDU.

What is Path Cost or Spanning Tree Path Cost value?


The Spanning Tree Cost Value is inversely proportional to the bandwidth of the link, and therefore a
path with a low cost value is preferred over a path with a high cost value.

Link Bandwidth   Cost Value
10 Gbps          2
1 Gbps           4
100 Mbps         19
10 Mbps          100

What is Root Port?


Once the Root Switch is elected, every other Switch in the network must select a single port on itself to reach
the Root Switch. The single selected port on a Switch with least Path Cost to reach the Root Bridge is called the
Root Port. Root Bridge will never have a Root Port.
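Root bridge election, root path cost, root port selection and the resulting designated/blocked ports from the preceding answers, worked on a small constructed topology as an added example (not code from the original page). Port costs come from the bandwidth table above; the tie-breaker on equal root path cost (the lowest sender bridge ID, the standard 802.1D rule) is an assumption of the example since the page does not discuss ties. Switch names and MAC addresses are constructed.

```python
# Added example, not from the original page: root bridge election, root path
# cost, root port selection and resulting port roles for a small constructed
# topology. Port costs use the 802.1D table shown above; the standard
# tie-breaker on equal cost (lowest sender bridge ID) is assumed.
import heapq
from typing import Dict, List, Tuple

PORT_COST = {10_000: 2, 1_000: 4, 100: 19, 10: 100}     # link bandwidth in Mbps -> path cost

Bridges = Dict[str, Tuple[int, str]]          # name -> (priority, MAC address)
Links = List[Tuple[str, str, int]]            # (bridge A, bridge B, bandwidth in Mbps)


def bridge_id(priority: int, mac: str):
    # Lower bridge ID wins: priority first, then MAC address.
    return (priority, mac.lower())


def elect_root(bridges: Bridges) -> str:
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def root_path_costs(bridges: Bridges, links: Links):
    """Return (root, {bridge: (root path cost, upstream neighbour reached through the root port)})."""
    root = elect_root(bridges)
    adj = {name: [] for name in bridges}
    for a, b, bw in links:
        adj[a].append((b, PORT_COST[bw]))
        adj[b].append((a, PORT_COST[bw]))
    result = {root: (0, None)}                 # the root bridge has cost 0 and no root port
    heap = [(0, bridge_id(*bridges[root]), root)]
    done = set()
    while heap:
        cost, _, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        for nbr, port_cost in adj[node]:
            if nbr == root:
                continue
            # Root path cost = cost carried in the received BPDU + cost of the receiving port.
            candidate = (cost + port_cost, bridge_id(*bridges[node]))
            current = result.get(nbr)
            if current is None or candidate < (current[0], bridge_id(*bridges[current[1]])):
                result[nbr] = (cost + port_cost, node)
                heapq.heappush(heap, (cost + port_cost, bridge_id(*bridges[node]), nbr))
    return root, result


def port_roles(bridges: Bridges, links: Links) -> Dict[Tuple[str, str], str]:
    """Role of each port, keyed by (bridge, neighbour on that segment)."""
    _, rpc = root_path_costs(bridges, links)
    roles = {}
    for a, b, _ in links:
        for me, other in ((a, b), (b, a)):
            if rpc[me][1] == other:
                roles[(me, other)] = "root"
            else:
                # The designated bridge on a segment is the one with the lowest (root path cost, bridge ID);
                # its port forwards, the other end (if it is not a root port) is blocked.
                mine = (rpc[me][0], bridge_id(*bridges[me]))
                theirs = (rpc[other][0], bridge_id(*bridges[other]))
                roles[(me, other)] = "designated" if mine < theirs else "blocked"
    return roles


def sample_topology():
    # Constructed: three switches with default priority, so the lowest MAC wins the election.
    bridges = {"S1": (32768, "0011.2233.0001"),
               "S2": (32768, "0011.2233.0002"),
               "S3": (32768, "0011.2233.0003")}
    links = [("S1", "S2", 1_000), ("S1", "S3", 100), ("S2", "S3", 1_000)]
    return bridges, links


if __name__ == "__main__":
    bridges, links = sample_topology()
    root, rpc = root_path_costs(bridges, links)
    print("root bridge:", root)
    for name, (cost, via) in rpc.items():
        print(f"{name}: root path cost {cost}, root port towards {via}")
    for (me, other), role in port_roles(bridges, links).items():
        print(f"{me} port to {other}: {role}")
```

In the sample, S3 has a direct 100 Mbps link to the root (cost 19) but reaches it more cheaply through S2 (4 + 4 = 8), so S3's root port faces S2 and its port towards S1 is the one that gets blocked; every port on the root bridge comes out designated, as the page states.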

What is Extended System ID?


The Extended System ID is used by spanning-tree to include the VLAN ID inside the 16-bit STP
Bridge Priority value. The Extended System ID is the least significant 12 bits of the 16-bit STP Bridge Priority value.
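To tie together the BPDU facts from the preceding answers (the 01:80:c2:00:00:00 destination, Configuration versus TCN BPDUs, the Bridge ID with its Extended System ID, and what makes one BPDU "superior" to another, which Root Guard, covered further down, reacts to), here is an added parser for 802.1D BPDUs carried in an Ethernet/LLC frame. It is example code, not from the original page; the frames it parses are constructed with the encoder in the same block, and the MAC addresses are made up.

```python
# Added example, not from the original page: a parser for 802.1D
# Configuration and TCN BPDUs inside an Ethernet/LLC frame, showing the
# 01:80:c2:00:00:00 destination, the BPDU type byte, the Extended System ID
# split of the 16-bit priority field, and the "superior BPDU" comparison.
# Frames are constructed with the helper at the bottom.
import struct

STP_MULTICAST = "01:80:c2:00:00:00"
LLC_STP = bytes([0x42, 0x42, 0x03])        # DSAP/SSAP 0x42, unnumbered information


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_bridge_id(raw: bytes) -> dict:
    field, = struct.unpack("!H", raw[:2])
    # Extended System ID: top 4 bits are the priority (multiples of 4096),
    # low 12 bits carry the VLAN ID.
    return {"priority": field & 0xF000, "ext_system_id": field & 0x0FFF, "mac": mac_str(raw[2:8])}


def parse_bpdu_frame(frame: bytes) -> dict:
    if len(frame) < 21:
        raise ValueError("frame too short to hold an LLC header and BPDU")
    dst, src = frame[0:6], frame[6:12]
    if mac_str(dst) != STP_MULTICAST:
        raise ValueError("not addressed to the STP multicast group")
    length, = struct.unpack("!H", frame[12:14])
    if frame[14:17] != LLC_STP:
        raise ValueError("not an STP LLC header")
    body = frame[17:17 + length - len(LLC_STP)]
    proto, version, bpdu_type = struct.unpack("!HBB", body[:4])
    if proto != 0:
        raise ValueError("unknown protocol identifier")
    if bpdu_type == 0x80:                       # TCN BPDU: only 4 bytes, no bridge fields
        return {"type": "TCN", "version": version, "src": mac_str(src)}
    if bpdu_type not in (0x00, 0x02) or len(body) < 35:
        raise ValueError("unsupported or truncated BPDU")
    flags = body[4]
    root_id = parse_bridge_id(body[5:13])
    root_path_cost, = struct.unpack("!I", body[13:17])
    sender = parse_bridge_id(body[17:25])
    port_id, msg_age, max_age, hello, fwd_delay = struct.unpack("!HHHHH", body[25:35])
    return {
        "type": "CONFIG" if bpdu_type == 0x00 else "RST",
        "version": version,
        "src": mac_str(src),
        "topology_change": bool(flags & 0x01),
        "root_id": root_id,
        "root_path_cost": root_path_cost,
        "bridge_id": sender,
        "port_id": port_id,
        # timer fields are carried in units of 1/256 second
        "message_age_s": msg_age / 256, "max_age_s": max_age / 256,
        "hello_time_s": hello / 256, "forward_delay_s": fwd_delay / 256,
    }


def bpdu_rank(b: dict):
    """Lower rank is the better (superior) BPDU: root ID, then root path cost, then sender bridge ID, then port ID."""
    def bid(d):
        return (d["priority"] | d["ext_system_id"], d["mac"])
    return (bid(b["root_id"]), b["root_path_cost"], bid(b["bridge_id"]), b["port_id"])


def is_superior(new: dict, current: dict) -> bool:
    return bpdu_rank(new) < bpdu_rank(current)


def build_config_bpdu_frame(src_mac, root_prio, root_mac, root_path_cost, bridge_prio, bridge_mac,
                            vlan=1, port_id=0x8001, max_age=20, hello=2, fwd_delay=15) -> bytes:
    # Constructed sample frame (an encoder for the format parsed above).
    def bid(prio, mac):
        return struct.pack("!H", (prio & 0xF000) | (vlan & 0x0FFF)) + bytes.fromhex(mac.replace(":", ""))
    body = (struct.pack("!HBBB", 0, 0, 0x00, 0) + bid(root_prio, root_mac) + struct.pack("!I", root_path_cost)
            + bid(bridge_prio, bridge_mac)
            + struct.pack("!HHHHH", port_id, 0, max_age * 256, hello * 256, fwd_delay * 256))
    header = bytes.fromhex(STP_MULTICAST.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return header + struct.pack("!H", len(LLC_STP) + len(body)) + LLC_STP + body


def build_tcn_frame(src_mac) -> bytes:
    body = struct.pack("!HBB", 0, 0, 0x80)
    header = bytes.fromhex(STP_MULTICAST.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return header + struct.pack("!H", len(LLC_STP) + len(body)) + LLC_STP + body
```

A BPDU announcing a root with priority 4096 ranks above one announcing a root with the default 32768, which is exactly the "superior BPDU" situation that Root Guard is designed to hold off.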

Explain Root Guard ?


Root Guard is used to protect the root bridge. Root Guard stops a new switch introduced in the network with a
lower bridge ID from becoming the root bridge. If a port with the Root Guard feature enabled receives a superior
BPDU, it moves the port into a root-inconsistent state (equal to a listening state), thus maintaining the current
Root Bridge. It is enabled at interface level.
switch(config-if)# spanning-tree guard root

What is BPDU Guard ?


When we enable PortFast on a port, we do not expect BPDUs on that port. If a switch is connected by
mistake to a port where PortFast is enabled, a loop can form. An even greater consequence is that the connected
switch has the potential to become the root bridge. The BPDU Guard feature was developed to protect the integrity of
switch ports that have PortFast enabled. If any BPDU (superior to the current root or not) is received on a port
where BPDU Guard is enabled, that port is immediately put into the error-disable state. The port is shut down
in an error condition and must be either manually re-enabled or automatically recovered through the error-
disable timeout function.
BPDU Guard can be enabled at both interface and global level. It is usually enabled on access layer switches.
It affects all VLANs.

Switch(config)# spanning-tree portfast bpduguard default
Switch(config-if)# spanning-tree bpduguard enable

Explain Sudden Loss of BPDUs?


If a switch stops receiving BPDUs, it assumes that the topology must have changed, so blocked ports
can be unblocked again. If the absence of BPDUs is actually a mistake and not a topology change,
bridging loops can easily form.
There are two features that help detect or prevent the unexpected loss of BPDUs:-
1. Loop Guard
2. Unidirectional Link Detection (UDLD)

What is Loop Guard?
Loop Guard keeps track of the BPDU activity on non-designated ports. It does not allow non-designated ports
to become designated ports in case of sudden loss of BPDUs. While BPDUs are received, the port is allowed to
behave normally. When BPDUs go missing, Loop Guard moves the port into the loop-inconsistent state (the port
is effectively blocking at this point to prevent a loop from forming and to keep it in the non-designated role).
When BPDUs are received on the port again, Loop Guard allows the port to move through the normal STP
states and become active.
It can be enabled at both interface and global level. It operates on a per-VLAN basis.
Switch(config)# spanning-tree loopguard default
Switch(config-if)# spanning-tree guard loop

What is BPDU Filter?


STP runs on a switch to prevent loops. However, in special cases when we need to prevent BPDUs from being
sent or processed on one or more switch ports, we can use BPDU filtering to effectively disable STP on those
ports. It prevents the port from sending and receiving BPDUs. It can be enabled at both interface and global level.

Switch(config)# spanning-tree portfast bpdufilter default
Switch(config-if)# spanning-tree bpdufilter { enable | disable }

What is the difference between BPDU Guard and BPDU Filter?


BPDU Guard works aggressively and puts the port in the error-disable state, while BPDU Filter does not shut the
port; it only filters BPDUs. BPDU Guard only acts on received BPDUs, while BPDU Filter prevents both sending
and receiving BPDUs.

If both BPDU Guard and BPDU Filter are enabled on a port, then only BPDU Filter takes effect.
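The four features just described (Root Guard, BPDU Guard, Loop Guard, BPDU Filter) and the precedence rule in the last answer, as an added behavioural model that is not part of the original page. The caller decides whether a BPDU is superior (that comparison is a separate matter); the port class only applies the guard rules and reports the resulting port state, so the difference between "err-disabled", "root-inconsistent" and "loop-inconsistent" becomes explicit. Port names are constructed; the recovery from root-inconsistent is simplified to "the next BPDU is not superior".

```python
# Added example, not from the original page: a model of how Root Guard,
# BPDU Guard, BPDU Filter and Loop Guard change a port's reaction to a
# received BPDU or to the loss of BPDUs, including the precedence of BPDU
# Filter over BPDU Guard stated above. Whether a BPDU is superior is supplied
# by the caller; the port names are constructed.
from dataclasses import dataclass


@dataclass
class StpPort:
    name: str
    role: str = "designated"            # "designated" or "non-designated"
    state: str = "forwarding"           # non-designated ports start in "blocking"
    portfast: bool = False
    bpdu_guard: bool = False
    bpdu_filter: bool = False
    root_guard: bool = False
    loop_guard: bool = False

    def receive_bpdu(self, superior: bool) -> str:
        """Process one received BPDU and return the port state afterwards."""
        if self.bpdu_filter:
            # BPDU Filter silently drops the BPDU and wins over BPDU Guard on the same port.
            return self.state
        if self.bpdu_guard:
            # Any BPDU at all on a BPDU Guard port: err-disable; an operator (or errdisable
            # recovery) has to bring the port back.
            self.state = "err-disabled"
            return self.state
        if self.root_guard and superior:
            # A superior BPDU would make the neighbour the root: hold the port instead.
            self.state = "root-inconsistent"
            return self.state
        if self.state == "root-inconsistent":
            # Simplification: superior BPDUs stopped, so the port returns to its normal role.
            self.state = "forwarding" if self.role == "designated" else "blocking"
        if self.state == "loop-inconsistent":
            # BPDUs are back; Loop Guard lets the port resume STP in its non-designated role.
            self.state = "blocking"
        if self.portfast:
            # An edge (PortFast) port that receives a BPDU loses its edge status.
            self.portfast = False
        return self.state

    def bpdu_timeout(self) -> str:
        """Max Age expired without a BPDU on this port."""
        if self.role == "non-designated":
            if self.loop_guard:
                self.state = "loop-inconsistent"      # stays blocked instead of becoming designated
            else:
                # Without Loop Guard the port assumes the topology changed and
                # moves to forwarding: the bridging-loop risk described above.
                self.role = "designated"
                self.state = "forwarding"
        return self.state

    def re_enable(self) -> str:
        """Manual recovery (shutdown / no shutdown) from the err-disabled state."""
        if self.state == "err-disabled":
            self.state = "forwarding" if self.role == "designated" else "blocking"
        return self.state
```

Reading the two non-designated cases side by side is the point: the unguarded port silently promotes itself to designated and starts forwarding when BPDUs stop, while the Loop Guard port parks itself in loop-inconsistent until BPDUs return.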

RSTP and MST Interview Questions and Answers

What are the Port Roles in RSTP?


1. Root port - It is the port on the switch that has the best root path cost to the root bridge. This is identical to
802.1D.
2. Designated port - The switch port on a network segment that has the best root path cost to the root.
3. Alternate port - A port that has an alternative path to the root, different from the path the root port takes.
This path is less desirable than that of the root port.
4. Backup port - A port that provides a redundant (but less desirable) connection to a segment where
another switch port already connects. If that common segment is lost, the switch might or might not have a
path back to the root.

What are different port states in RSTP?


1. Discarding - Incoming frames are simply dropped; no MAC addresses are learned. This state combines the
802.1D Disabled, Blocking, and Listening states.
2. Learning - Incoming frames are dropped, but MAC addresses are learned.
3. Forwarding - Incoming frames are forwarded according to MAC addresses that have been learned.

Explain RSTP BPDU's?


RSTP distinguishes its BPDUs from 802.1D BPDUs by setting the BPDU version to 2. BPDUs are sent out of
every switch port at hello time intervals, regardless of whether BPDUs are received from the root. When three
BPDUs are missed in a row, that neighbor is presumed to be down and all information related to the port
leading to the neighbor is aged out. Also, some previously unused bits in the Message Type field are used in
RSTP BPDUs.

What is Edge Ports and Point to point Ports?


Edge Port - A port on which end devices connect. PortFast is enabled on this port. As a loop cannot form on this
port, it can be placed immediately in the forwarding state. If a BPDU is received on an edge port, it loses its edge
port status.
Point-to-point Port - These are ports that connect to another switch and become designated ports. Full-duplex
ports are considered point-to-point because only two switches can be present on the link.

Explain RSTP convergence in terms of proposal and agreement?


In RSTP, BPDUs are exchanged back and forth in the form of a proposal and an agreement. One switch
proposes that its port becomes a designated port and if the other switch agrees it replies with an agreement
message.

Explain TCN in RSTP?


In RSTP, the TCN BPDU is not sent to the root bridge; instead the switch on which the change happens itself sends
the TCN BPDU to all other switches. BPDUs with their TCN bit set are sent out on all non-edge designated ports.

What is the command to change mode to RSTP?


Switch(config)# spanning-tree mode rapid-pvst

Explain MST?
Multiple Spanning Tree Protocol maps one or more VLANs to a single STP instance. Multiple instances of STP can
be used, with each instance supporting a different group of VLANs. Instance zero exists by default on a switch. Any
non-mapped VLAN is assigned to instance zero.

What is MST region?


Every switch in an MST region runs MST with compatible parameters. Within the region, all switches must run
the instance of MST that is defined by the following attributes:
1. MST configuration name.
2. MST configuration revision number.
3. MST instance-to-VLAN mapping table.
If two switches have the same set of attributes, they belong to the same MST region.

How do two MST regions communicate?
Two MST regions communicate through the CST (Common Spanning Tree).

Explain M-Record?
In MST, one switch calculates a hash for a particular instance and sends it to the other switch. The other switch
matches the priority in that hash against its own calculated hash, and the root bridge is elected.

Explain MST BPDU's?


The entire MST instance-to-VLAN mapping table is not sent in the BPDUs because the instance mappings must
be configured on each switch. Instead, a digest (a hash code computed over the table) is sent. Switches compare the
received BPDU hash with their own hash.

How revision number in MST works?


The configuration revision number gives us a means of tracking changes to the MST region configuration.
Each time we make changes to the configuration, we should increase the number by one. It is not
incremented automatically.
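The digest carried in MST BPDUs and the (name, revision, digest) triple that defines region membership, from the three preceding answers, as an added example that is not part of the original page. The HMAC-MD5 signature key is the constant defined in IEEE 802.1s for this digest; the region names and VLAN mappings are constructed. On a Cisco switch the value can be compared with the output of show spanning-tree mst configuration digest.

```python
# Added example, not from the original page: the MST configuration digest
# that is carried in MST BPDUs instead of the full instance-to-VLAN table, and
# the (name, revision, digest) triple that decides whether two switches are
# in the same region. The HMAC-MD5 key is the signature key defined in
# IEEE 802.1s; the region names and VLAN mappings are constructed samples.
import hashlib
import hmac
import struct
from typing import Dict, Iterable

MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")   # IEEE 802.1s signature key


def instance_table(mapping: Dict[int, Iterable[int]]) -> bytes:
    """4096 two-octet entries, one per VLAN ID 0..4095; VLANs not mapped stay in instance 0."""
    table = [0] * 4096
    for instance, vlans in mapping.items():
        if not 0 <= instance <= 4094:
            raise ValueError(f"invalid MST instance {instance}")
        for vlan in vlans:
            if not 1 <= vlan <= 4094:
                raise ValueError(f"invalid VLAN {vlan}")
            table[vlan] = instance
    return b"".join(struct.pack("!H", entry) for entry in table)


def config_digest(mapping: Dict[int, Iterable[int]]) -> str:
    """Hex digest a switch would place in its MST BPDUs for this mapping table."""
    return hmac.new(MST_DIGEST_KEY, instance_table(mapping), hashlib.md5).hexdigest().upper()


def region_identity(name: str, revision: int, mapping: Dict[int, Iterable[int]]):
    return (name, revision, config_digest(mapping))


def same_region(a, b) -> bool:
    """Two switches belong to one region only if name, revision and digest all match."""
    return region_identity(*a) == region_identity(*b)


if __name__ == "__main__":
    print("default table digest:", config_digest({}))
    print("campus digest:", config_digest({1: [10, 20], 2: [30]}))
```

The last assertion in the usage below is the operational lesson: bumping the revision number on one switch without doing the same on its peers splits the region even though every VLAN mapping is identical.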

What is the command to change mode to MST?


Switch(config)# spanning-tree mode mst

Router ID Significance in EIGRP, OSPF & BGP

EIGRP
The EIGRP RID is a 32-bit number in dotted decimal format. In EIGRP, duplicate RIDs do not prevent routers
from becoming neighbors; two EIGRP routers with the same router ID will still form a neighbor
relationship. The only time the value of an EIGRP RID matters is when injecting external (redistributed) routes
into EIGRP. In this case, the routers injecting the external routes should have unique RIDs to avoid confusion.
To manually configure the router ID:
R1(config)# router eigrp 10
R1(config-router)# eigrp router-id 1.1.1.1

OSPF
Every OSPF router within the network has a 32-bit router ID that uniquely identifies it to the
other routers on the network. Unlike EIGRP, OSPF prevents neighborships between routers with duplicate
RIDs. All OSPF RIDs in a domain should be unique. The OSPF Router ID should not be changed after the OSPF
process is started and the OSPF neighborships are established. If the OSPF router ID is changed, we need to
either reload the IOS or use the "clear ip ospf process" command (restart the OSPF process) for the changed RID to
take effect.
To manually configure the router ID:
R1(config)# router ospf 5
R1(config-router)# router-id 5.5.5.5

BGP
Like OSPF, BGP also prevents neighborship between routers with the same router ID. The BGP router IDs of the
two routers should not be the same. The Router ID also acts as a tie-breaker for BGP path selection. If all other
attributes (weight, local preference, origin, AS path etc.) before the router ID are equal, then the decision is made based on the
lowest router ID.
To manually configure the router ID:
R1(config)# router bgp 100
R1(config-router)# bgp router-id 9.9.9.9

In all of the above routing protocols the Router ID is determined according to the following general rules -
Step 1. Use the router ID defined with the router-id x.x.x.x router subcommand (eigrp router-id, router-id or bgp router-id as shown above).
Step 2. Otherwise, use the highest IP address of any up loopback interface.
Step 3. Otherwise, use the highest IP address of any up physical interface.

Passive Interface command Behavior in RIP, EIGRP & OSPF

RIP
In RIP the passive-interface command disables sending multicast updates via a specific interface but still allows
listening to incoming updates from other RIP-speaking neighbors.
R1(config)# router rip
R1(config-router)# passive-interface fa0/0
Command to see the list of passive interfaces:
R1# show ip protocols

EIGRP
When an interface is passive, EIGRP stops sending any outgoing hello packets, so the router cannot form any
neighbor relationship via the passive interface. This behavior stops both outgoing and incoming routing updates.
However, EIGRP still advertises the connected subnets if matched with an EIGRP network command.
R1(config)# router eigrp 1
R1(config-router)# passive-interface fa0/0
Command to see the list of passive interfaces:
R1# show ip protocols

OSPF
It works just like it works with EIGRP. When a router configures an interface as passive for OSPF, OSPF stops
sending outgoing hello packets, so the router cannot form any neighbor relationship via the passive interface.
This behavior stops both outgoing and incoming routing updates. However, OSPF still advertises the
connected subnets if matched with an OSPF network command.
R1(config)# router ospf 3
R1(config-router)# passive-interface fa0/0
Command to see the list of passive interfaces:
R1# show ip protocols

List of Protocols which works on TCP and UDP?

TCP: TELNET, HTTP, HTTPS, FTP, SMTP, BGP, POP3, IMAP, NFS.
UDP: DHCP, TFTP, DNS, RIP, SNMP, VOIP.


Comparison of RIP, EIGRP & OSPF ?

Feature                   | RIP                                                          | EIGRP                             | OSPF
Type                      | Distance Vector                                              | Advanced Distance Vector          | Link State
Subnet Mask               | Classful (By Default)                                        | Classful (By Default)             | Classless
Algorithm                 | Bellman-Ford                                                 | Diffusing Update Algorithm (DUAL) | Dijkstra
AD Value                  | 120                                                          | 90                                | 110
Maximum Hops              | 15                                                           | 100 to 255                        | Unlimited
Layer                     | Works on Transport Layer                                     | Works on Network Layer            | Works on Network Layer
Port / Protocol No        | 520                                                          | 88                                | 89
Metric                    | Hop Counts                                                   | K-Values                          | Cost
Multicast Address         | 224.0.0.9                                                    | 224.0.0.10                        | 224.0.0.5, 224.0.0.6
Neighborship Requirements | None                                                         | AS, K-Values, Authentication      | Area ID, Hello Interval, Dead Time, Authentication
Timers                    | Update 30 sec, Hold 180 sec, Invalid 180 sec, Flush 240 sec  | Hello 5 sec, Hold 15 sec          | Hello 10 sec, Dead 40 sec
Authentication            | Version 1 - No Authentication; Version 2 - Plain Text & MD5  | MD5                               | Type 0, Plain Text, MD5

ASA Firewall Interview Questions and Answers [CCIE]

What is a Firewall?
A Firewall is a device that is placed between a trusted and an untrusted network. It denies or permits traffic that
enters or leaves the network based on pre-configured policies. Firewalls protect inside networks from
unauthorized access by users on an outside network. A firewall can also protect inside networks from each
other, for example by keeping a management network separate from a user network.

What is the difference between Gateway and Firewall?


A Gateway joins two networks together and a network firewall protects a network against unauthorized
incoming or outgoing access. Network firewalls may be hardware devices or software programs.

Firewalls works at which Layers?


Firewalls work at layer 3, 4 & 7.

What is the difference between Stateful & Stateless Firewall?


Stateful firewall - A stateful firewall is aware of the connections that pass through it. It adds and maintains
information about users' connections in a state table, referred to as a connection table. It then uses this
connection table to implement the security policies for users' connections. Examples of stateful firewalls are PIX,
ASA and Checkpoint.
Stateless firewall (Packet Filtering) - Stateless firewalls, on the other hand, do not look at the state of
connections but only at the packets themselves.
An example of a packet filtering firewall is the Extended Access Control List on Cisco IOS routers.

What information does Stateful Firewall Maintains?


Stateful firewall maintains following information in its State table:-
1.Source IP address.
2.Destination IP address.
3.IP protocol like TCP, UDP.
4.IP protocol information such as TCP/UDP Port Numbers, TCP Sequence Numbers, and TCP Flags.

What are the security-levels in Cisco ASA?


ASA uses Security levels to determine the Trustworthiness of a network attached to the respective interface.
The security level can be configured between 0 to 100 where higher numbers are more trusted than lower. By
default, the ASA allows traffic from a higher security level to a lower security level only.

How can we allow packets from lower security level to higher security level (Override Security Levels)?
We use ACLs to allow packets from lower security level to higher security level.

Same Security level traffic is allowed or denied in ASA?


By default, same security level traffic is not allowed. To allow it we use the command:-
ASA(config)# same-security-traffic permit inter-interface

What is the security level of Inside and Outside Interface by default?


Security Level of Inside interface by default is 100. Security Level of Outside Interface by default is 0.

What protocols are inspected by ASA?


By default, TCP and UDP are inspected by ASA.

Does ASA inspects ICMP?


No, ASA does not inspect ICMP by default.

Explain DMZ (Demilitarized Zone) Server?


If we need some network resources such as a Web server or FTP server to be available to outside users we
place these resources on a separate network behind the firewall called a demilitarized zone (DMZ). The
firewall allows limited access to the DMZ, but because the DMZ only includes the public servers, an attack
there only affects the servers and does not affect the inside network.

How does a firewall process a packet?


1. When a packet is received on the ingress interface, the ASA checks if it matches an existing entry in the
connection table. If it does, protocol inspection is carried out on that packet.
2. If it does not match an existing connection and the packet is either a TCP SYN packet or a UDP packet, the
packet is subjected to ACL checks. The reason it needs to be a TCP SYN packet is that a SYN packet is the
first packet in the TCP three-way handshake; any other TCP packet that is not part of an existing connection is likely
an attack.
3. If the packet is allowed by the ACLs and is also verified by the translation rules, the packet goes through protocol
inspection.
4. Then the IP header is translated if NAT is used. If the NAT rule specifies an egress interface, the ASA
virtually forwards the packet to this egress interface and then performs a route lookup.
5. If a route is found that specifies the egress interface, the Layer 2 header of the packet is rewritten and
the packet is forwarded out the egress interface.
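The packet path just listed, together with the earlier answers on stateful versus stateless filtering, what the state table holds, the higher-to-lower security level default, and ICMP not being inspected by default, as an added model that is not ASA code and not part of the original page. Interfaces, security levels, addresses, the ACL and the static NAT entry are all constructed; the model tracks only the 5-tuple (no TCP sequence numbers), and its ACL is written against the destination address as it appears on the ingress interface.

```python
# Added example, not from the original page: a simplified model of the ASA
# packet path described above (connection table lookup, TCP-SYN/UDP check
# for new flows, ACL or security-level check, static NAT, route lookup,
# connection creation) and of why return ICMP is dropped when ICMP is not
# inspected. Interfaces, addresses, ACLs and the NAT entry are constructed.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False           # TCP SYN flag, set on the first packet of a handshake


AclEntry = Tuple[str, str, str, Optional[int]]   # (action, proto or "ip", destination network, dport or None)


@dataclass
class Asa:
    interfaces: Dict[str, Tuple[int, str]]              # name -> (security level, connected network)
    acls: Dict[str, List[AclEntry]] = field(default_factory=dict)   # ingress interface -> ordered entries
    static_nat: Dict[str, str] = field(default_factory=dict)        # mapped (public) address -> real address
    conn_table: Set[Tuple[str, str, int, str, int]] = field(default_factory=set)

    def route_lookup(self, ip: str) -> Optional[str]:
        addr = ipaddress.ip_address(ip)
        for name, (_, net) in self.interfaces.items():
            if addr in ipaddress.ip_network(net):
                return name
        return None

    def acl_permits(self, pkt: Packet) -> bool:
        """First matching entry wins; an ACL always ends with an implicit deny."""
        for action, proto, net, port in self.acls[pkt.in_iface]:
            if proto in (pkt.proto, "ip") and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(net) \
                    and port in (None, pkt.dport):
                return action == "permit"
        return False

    def process(self, pkt: Packet) -> Tuple[str, str]:
        """Return (verdict, reason) for one packet arriving on pkt.in_iface."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # 1. Existing connection: skip the ACL and go straight to inspection/forwarding.
        if key in self.conn_table or reverse in self.conn_table:
            return "forward", "matches existing connection"
        # 2. A new flow must start with TCP SYN (or be UDP/ICMP); other TCP segments are dropped.
        if pkt.proto == "tcp" and not pkt.syn:
            return "drop", "TCP segment without SYN and without a connection entry"
        # 3. ACL on the ingress interface, if one is applied there.
        if pkt.in_iface in self.acls and not self.acl_permits(pkt):
            return "drop", f"denied by ACL on {pkt.in_iface}"
        # 4. Translation, then route lookup to find the egress interface.
        real_dst = self.static_nat.get(pkt.dst, pkt.dst)
        egress = self.route_lookup(real_dst)
        if egress is None:
            return "drop", "no route to destination"
        # 5. No ACL on the ingress interface: only higher -> lower security level is allowed.
        if pkt.in_iface not in self.acls and \
                self.interfaces[pkt.in_iface][0] <= self.interfaces[egress][0]:
            return "drop", f"security level of {pkt.in_iface} not higher than {egress}"
        # 6. Record the connection so return traffic matches step 1. ICMP is not
        #    inspected by default, so no entry is created for it and the reply
        #    has to pass the ACL on its own.
        if pkt.proto != "icmp":
            self.conn_table.add((pkt.proto, pkt.src, pkt.sport, real_dst, pkt.dport))
        return "forward", f"new connection out {egress}"


def sample_asa() -> Asa:
    # Constructed three-interface deployment with a web server published from the DMZ.
    return Asa(
        interfaces={"inside": (100, "10.0.0.0/24"), "dmz": (50, "172.16.0.0/24"),
                    "outside": (0, "203.0.113.0/24")},
        acls={"outside": [("permit", "tcp", "203.0.113.80/32", 443)]},
        static_nat={"203.0.113.80": "172.16.0.10"},
    )
```

The ICMP case at the end of the usage below is the one that surprises people: the inside host's echo request leaves, but because no connection entry was created the echo reply arriving on outside is judged on the outside ACL alone and is dropped.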

What are the values for timeout of TCP session, UDP session, ICMP session?
TCP session - 60 minutes
UDP session - 2 minutes
ICMP session - 2 seconds

Explain TCP Flags?


While troubleshooting TCP connections through the ASA, the connection flags shown for each TCP connection
provide information about the state of TCP connections to the ASA.

What is the command to see timeout timers?


# sh run timeout

What is the Difference between ports in ASA 8.4 and ASA 8.2?
In ASA 8.4 all ports are Gig ports and in ASA 8.2 all are Ethernet ports.

What is the command to check connection table?
# sh conn

How ASA works in reference to Traceroute?


ASA does not decrement the TTL value in traceroute because it does not want to give its information to others
for security purpose. It forwards it without decrementing the TTL Value.

What if we apply ACL as global in ASA?


It will be applied on all interfaces towards inbound. Global option is only in ASA 8.4 not in ASA 8.2

What is the difference in ACL on ASA than on Router?


On a router, if we delete one access-control entry the whole ACL is deleted. On an ASA, deleting one access-
control entry does not delete the whole ACL.

Name some concepts that cannot be configured on ASA?


Line VTY cannot be configured on ASA.
Wildcard mask concept is not present in ASA.
Loopback cannot be configured on ASA.

What is the command to capture packets in ASA?


To capture packets from the inside interface:- # capture abc interface inside
To see the capture:- # sh capture abc

What is the command to enable HTTP on ASA?


# http server enable

How to give static route on ASA?


# route outside <Destination IP> <Subnet Mask> < Next Hop>

How to give default route on ASA?


# route outside 0 0 < Next Hop>

What are the different types of ACL in Firewall?


1.Standard ACL
2.Extended ACL
3.Ethertype ACL (Transparent Firewall)
4.Webtype ACL (SSL VPN)

What is Transparent Firewall?


In Transparent Mode, ASA acts as a Layer 2 device like a bridge or switch and forwards Ethernet frames based
on destination MAC-address.

What is the need of Transparent Firewall?


If we want to deploy a new firewall into an existing network it can be a complicated process due to various
issues like IP address reconfiguration, network topology changes, current firewall etc. We can easily insert a
transparent firewall in an existing segment and control traffic between two sides without having to readdress
or reconfigure the devices.

What are the similarities between switch and ASA (in Transparent mode) ?
Both learn which MAC addresses are associated with which interface and store them in a local MAC address
table.

What are the differences between switch and ASA (in Transparent mode) ?
ASA does not flood unknown unicast frames that are not found in the MAC address table.
ASA does not participate in STP.
A switch processes traffic at layer 1 and layer 2, while ASA can process traffic from layer 1 to layer 7.

What are the features that are not supported in Transparent mode?
1.Dynamic Routing.
2.Multicasting.
3.QOS.
4.VPNs like IPSec and WebVPN cannot be terminated.
5.ASA cannot act as DHCP relay agent.

Explain Ether-Type ACL?


In Transparent mode, unlike TCP/IP traffic, for which security levels are used to permit or deny traffic, all non-IP
traffic is denied by default. We create an Ether-Type ACL to allow non-IP traffic. We can control traffic like BPDU,
IPX etc. with an Ether-Type ACL.

What is the command to convert ASA into Transparent mode?


# firewall transparent

What is the command to see mode (routed or transparent)?


# sh firewall

Explain Failover?
Failover is a Cisco proprietary feature. It is used to provide redundancy. It requires two identical ASAs to be
connected to each other through a dedicated failover link. The health of the active interfaces and units is monitored
to determine whether failover should occur.

What are type of Failover?


1.Active/Standby Failover.
2.Active/Active Failover.

What information is exchanged between ASAs over a Failover link?


1.State - Active or standby.
2.Hello Messages.
3.Network Link Status.
4.Mac Addresses.
5.Configuration Replication and Synchronization.

What is the difference between Stateful failover and Stateless failover?


Stateless Failover - When failover occurs all active connections are dropped. Clients need to re-establish
connections when the new active unit takes over.
Stateful Failover - The active unit continually passes per-connection state information to the standby unit.
After a failover occurs, the same connection information is available at the new active unit. Clients are not
required to reconnect to keep the same communication session.

What Information Active unit passes to the standby unit in Stateful Failover?
NAT translation table, TCP connection states, The ARP table, The Layer 2 bridge table (when running in
transparent firewall mode), ICMP connection state etc.

What are the Failover Requirements between two devices?


Hardware Requirements - The two units in a failover configuration must be the same model and should have the
same number and types of interfaces.
Software Requirements - The two units in a failover configuration must be in the same operating modes
(routed or transparent, single or multiple context). They must have the same software version.

Explain Active/Standby Failover?


In Active/Standby Failover, one unit is the active unit which passes traffic. The standby unit does not actively
pass traffic. When Failover occurs, the active unit fails over to the standby unit, which then becomes active.
We can use Active/Standby Failover for ASAs in both single or multiple context mode.

Explain Active/Active Failover?


It is only available for ASAs in multiple context mode. In an Active/Active Failover configuration, both ASAs can
pass network traffic. In Active/Active Failover, we divide the security contexts on the ASA into Failover Groups.
A Failover Group is simply a logical group of one or more security contexts. Each group is assigned to be active
on a specific ASA in the failover pair. When Failover occurs, it occurs at the Failover group level.

What is the command to enable Failover?


# failover

What is the command to see Failover?


# sh failover

Explain Unit Health Monitoring in Failover? How Failover occurs?


The ASA unit determines the health of the other unit by monitoring the failover link. When a unit does not
receive three consecutive hello messages on the failover link, it sends hello messages on each interface,
including the failover interface, to find whether or not the other unit is responsive.
Based upon the response from the other unit it takes following actions:-
1.If the ASA receives a response on the failover interface, then it does not failover.
2.If the ASA does not receive a response on the failover link, but it does receive a response on another
interface, then the unit does not failover. The failover link is marked as failed.
3.If the ASA does not receive a response on any interface, then the standby unit switches to active mode and
classifies the other unit as failed.

How active unit is determined in Active/Standby Failover?


1.If a unit boots and detects another unit already running as active, it becomes the standby unit.
2.If a unit boots and does not detect active unit, it becomes the active unit.
3.If both units boot simultaneously, then the primary unit becomes the active unit, and the secondary
unit becomes the standby unit.

Name some commands replicated to standby unit?


All configuration commands except for mode, firewall, and failover lan unit are replicated to standby unit.
# copy running-config startup-config
# write memory

Name some commands that are not replicated to standby unit?


All forms of the copy command except for # copy running-config startup-config
all forms of the write command except for # write memory

Explain Active/Standby Failover & Active/Active Failover in terms of preemption?


In Active/Standby Failover there is no preemption.
In Active/Active Failover preemption is optional.

Explain Security Context?


We can partition a Single ASA into multiple virtual devices, known as Security Contexts. Each Context acts as
an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are
similar to having multiple standalone devices.

What features are supported in multiple context mode?


Routing tables, Firewall features, IPS, and Management.

What features are not supported in multiple context mode?


VPN and Dynamic Routing Protocols (on the older releases this list describes; later ASA 9.x releases added
support for dynamic routing such as OSPFv2 and EIGRP, and for site-to-site VPN, in multiple context mode).

Explain System area?


When we boot up in multiple mode from the CLI, we are taken into the system area. The system area is used
to create and manage the contexts, configure the physical properties of the interfaces, create VLANs for
trunking, create resource classes to restrict the context system resource usage.

What is the admin context?


When the appliance boots up, one context is automatically created called Admin Context which defaults to
being the administrative context. Any context can be made administrative context. One of the contexts on our
appliance must be the administrative context. An “*” beside a context name indicates that the context is the
administrative context.
How ASA classifies packets?
When a packet enters the ASA, the context that will process it is determined in the following order:-
1.Unique Interfaces - If only one context is associated with the ingress interface, the ASA classifies the packet
into that context.
2.Unique MAC Addresses - If multiple contexts share an interface, then the interface MAC address is used as
classifier. ASA lets us assign a different MAC address in each context to the same shared interface. By default,
shared interfaces do not have unique MAC addresses. We can set the MAC addresses manually or we can
automatically generate MAC addresses by # mac-address auto command.
3.NAT Configuration - If we do not use unique MAC addresses, then the mapped addresses in our NAT
configuration are used to classify packets.

What is the command to switch to multiple context Mode?


# mode multiple
After entering this command the appliance will reboot itself and our current configuration is automatically
backed up to flash in case we want to switch back to single mode. The file is called “old_running.cfg.”

What is the command to switch back to single mode?


# mode single

What are different types of NAT in ASA?


Static NAT - A consistent mapping between a real and mapped IP address. It allows Bidirectional traffic
initiation.
Dynamic NAT - A group of real IP addresses are mapped to a (usually smaller) group of mapped IP addresses
on a first come first served basis. It allows only Unidirectional traffic initiation.
Dynamic Port Address Translation (PAT) - A group of real IP addresses are mapped to a single IP address using
a unique source port of that IP address.
Identity NAT - A real address is statically translated to itself, essentially bypassing NAT.

What is Policy NAT?


Policy NAT allows you to NAT by specifying both the source and destination addresses in an extended access
list. We can also optionally specify the source and destination ports. Regular NAT can only consider the source
addresses, not the destination address.
In Static NAT it is called as Static Policy NAT.
In Dynamic NAT it is called as Dynamic Policy NAT.

Give the order of preference between different types of NAT?


1.Nat exemption.
2.Existing translation in Xlate.
3.Static NAT
- Static Identity NAT
- Static Policy NAT
- Static NAT
- Static PAT
4.Dynamic NAT
- NAT Zero
- Dynamic Policy NAT
- Dynamic NAT
- Dynamic PAT
This is the order of the pre-8.3 NAT syntax (nat 0, static, global/nat). From ASA 8.3 onward NAT is
evaluated in the three sections described in the next question.

What is the difference between Auto NAT & Manual NAT?


Auto NAT (Network Object NAT) - It only considers the source address while performing NAT. So, Auto NAT is
only used for Static or Dynamic NAT. Auto NAT is configured within an object.
Manual NAT (Twice NAT) - Manual NAT considers either only the source address or the source and destination
address while performing NAT. It can be used for almost all types of NAT like NAT exempt, policy NAT etc.
Unlike Auto NAT that is configured within an object, Manual NAT is configured directly from the global
configuration mode.

Give NAT Order in terms of Auto NAT & Manual NAT?


NAT is ordered in 3 sections.
Section 1 – Manual NAT
Section 2 – Auto NAT
Section 3 – Manual Nat After-Auto
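The three-section evaluation order above, together with the Auto NAT versus Manual NAT distinction in the previous question, as an added example that is not part of the original page and is not Cisco code: a first-match model of the ASA 8.3+ NAT table in Python. The rule names, addresses and test packets are constructed for the demo. The section order comes from the page; the ordering used inside section 2 (static before dynamic, objects with fewer real addresses first, then lowest real address, then object name) follows Cisco's documented auto NAT ordering. The demo shows why a broad Manual NAT rule in section 1 wins over a more specific Auto NAT rule, why a /32 static object beats a /24 dynamic object regardless of object name, and why a catch-all rule belongs in section 3.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class NatRule:
    name: str
    section: int                 # 1 = manual, 2 = auto (object NAT), 3 = manual after-auto
    kind: str                    # "static" or "dynamic"
    real: str                    # real (pre-translation) source network
    mapped: str                  # mapped source address/network, or "identity"
    dst: Optional[str] = None    # manual NAT only: destination network that must also match
    line: int = 0                # position of a manual rule within its section


def _section2_key(rule: NatRule):
    """Cisco's auto NAT ordering: static first, fewest real addresses, lowest address, name."""
    net = ip_network(rule.real)
    return (
        0 if rule.kind == "static" else 1,
        net.num_addresses,
        int(net.network_address),
        rule.name,
    )


def order_nat_table(rules: List[NatRule]) -> List[NatRule]:
    """Return the rules in the order the ASA evaluates them."""
    ordered = []
    for section in (1, 2, 3):
        in_section = [r for r in rules if r.section == section]
        if section == 2:
            in_section.sort(key=_section2_key)
        else:
            in_section.sort(key=lambda r: r.line)   # manual NAT keeps configured line order
        ordered.extend(in_section)
    return ordered


def match_nat(rules: List[NatRule], src: str, dst: str) -> Optional[NatRule]:
    """First-match lookup: the first rule whose real source (and, for manual NAT, its
    destination) contains the packet wins, even if a later rule is more specific."""
    s, d = ip_address(src), ip_address(dst)
    for rule in order_nat_table(rules):
        if s not in ip_network(rule.real):
            continue
        if rule.dst is not None and d not in ip_network(rule.dst):
            continue
        return rule
    return None


# Constructed demo table (not a real configuration).
RULES = [
    NatRule("to-partner-identity", 1, "static", "10.1.1.0/24", "identity",
            dst="192.168.0.0/16", line=1),                       # NAT exemption to a partner site
    NatRule("obj-inside-pat", 2, "dynamic", "10.1.1.0/24", "203.0.113.1"),   # PAT for the LAN
    NatRule("obj-webserver", 2, "static", "10.1.1.10/32", "203.0.113.10"),   # static for one host
    NatRule("catch-all-after-auto", 3, "dynamic", "10.0.0.0/8", "203.0.113.2", line=1),
]


def demo() -> dict:
    """Which rule each constructed packet hits."""
    return {
        "web-to-internet": match_nat(RULES, "10.1.1.10", "8.8.8.8").name,
        "web-to-partner": match_nat(RULES, "10.1.1.10", "192.168.5.5").name,
        "host-to-internet": match_nat(RULES, "10.1.1.77", "8.8.8.8").name,
        "other-subnet": match_nat(RULES, "10.9.9.9", "8.8.8.8").name,
    }


if __name__ == "__main__":
    for r in order_nat_table(RULES):
        print(f"section {r.section}: {r.name}")
    for packet, hit in demo().items():
        print(f"{packet}: {hit}")
```

Note that the web server's traffic to the partner network never reaches its /32 static rule: the section 1 identity rule is evaluated first. That is exactly the shadowing a practitioner checks for with # sh nat and a packet-tracer run after editing Manual NAT.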

What are the commands to see NAT Translations?


# sh xlate
# sh nat

What is the command to see both NAT Table and Connection Table?
# sh local-host

VPN Interview Questions and Answers

What is VPN?
Virtual Private Network (VPN) creates a secure network connection over a public network such as the internet.
It allows devices to exchange data through a secure virtual tunnel. It uses a combination of security features
like encryption, authentication, tunneling protocols, and data integrity to provide secure communication
between participating peers.

What is Authentication, Confidentiality & Integrity?


Authentication - Verifies that the packet received is actually from the claimed sender. Pre-shared keys and
digital certificates are the usual methods of authenticating IPsec peers.
Integrity - Ensures that the contents of the packet have not been altered in transit by a man-in-the-middle.
Hashing algorithms, used as keyed HMACs, include MD5 and SHA.
Confidentiality - Encrypts the message content so that data is not disclosed to unauthorized parties.
Encryption algorithms include DES (Data Encryption Standard), 3DES (Triple-DES) and AES (Advanced
Encryption Standard). DES, 3DES and MD5 are considered weak today; new deployments should use AES and
SHA-2.

What is Symmetric and Asymmetric Encryption?


In symmetric encryption, a single key is used both to encrypt and decrypt traffic. It is also referred to as
shared key or shared secret encryption. Symmetric encryption algorithms include DES, 3DES and AES.
In asymmetric encryption a pair of keys is used: a public key, which can be shared freely, and a private key,
which never leaves its owner. Data encrypted with one key of the pair can only be decrypted with the other.
The most common asymmetric algorithm is RSA. Asymmetric operations are slow, so VPNs use them for
authentication and key exchange and then protect the bulk data with symmetric keys.

What is IPSec VPN?


IP Security Protocol VPN means VPN over IP Security. It allows two or more users to communicate in a secure
manner by authenticating and encrypting each IP packet of a communication session. IPsec provides data
confidentiality, data integrity and data authentication between participating peers.

At what layer IPsec works?


IPsec secures IP traffic at the Layer 3 (Network Layer) of the OSI model.

Name a major drawback of IPSec?


IPSec only supports unicast IP traffic.

What is the difference between Transport and Tunnel mode?


Tunnel mode - Protects traffic in network-to-network (site-to-site) scenarios. The entire original IP packet,
header and payload, is encapsulated and protected, and a new outer IP header is added for delivery between
the IPsec gateways.
Transport mode - Protects traffic in host-to-host (end-to-end) scenarios. Only the payload of the original IP
datagram (the upper-layer protocol data) is protected; the original IP header is kept and used for delivery.
Both AH and ESP can operate in either transport mode or tunnel mode.

What are the three main security services that IPSec VPN provides?
IPsec offers the following security services:-
1.Peer Authentication.
2.Data confidentiality.
3.Data integrity.

Define Digital Signatures?


A digital signature is a value computed over a message with the signer's private key and verified by anyone
holding the signer's public key, usually obtained from a certificate. It proves the authenticity of the sender
and the integrity of the message and, because only the holder of the private key could have produced it,
provides non-repudiation. In IKE, RSA signature authentication uses digital signatures over the phase 1
exchange.

What is Authorization?
Authorization is a security mechanism used to determine a user's or client's privileges or access levels for
network resources, including firewalls, routers, switches and application features. Authorization normally
follows authentication: during authorization the system checks an authenticated user's access rules and
either grants or refuses access to the resource.

What is Site to Site and Remote Access VPN?


A site-to-site VPN allows offices in multiple locations to establish secure connections with each other over a
public network such as the Internet.
Remote Access VPN allows Remote users to connect to the Headquarters through a secure tunnel that is
established over the Internet. The remote user is able to access internal, private web pages and perform
various IP-based network tasks.
There are two primary methods of deploying Remote Access VPN:-
1.Remote Access IPsec VPN.
2.Remote Access Secure Sockets Layer (SSL) VPN.

What are the 3 protocols used in IPSec?


1.Authentication Header (AH).
2.Encapsulating Security Payload (ESP).
3.Internet Key Exchange (IKE).

Explain IPsec Protocol Headers?


1.Encapsulating Security Payload (ESP) - It is carried directly inside IP as IP protocol number 50; it has no
TCP/UDP port (when NAT traversal is in use it is instead encapsulated in UDP port 4500). ESP protects the
confidentiality, integrity and authenticity of the data and offers anti-replay protection.
Drawback - ESP does not protect the outer IP header.
2.Authentication Header (AH) - It is carried inside IP as IP protocol number 51, again with no port. AH protects
the integrity and authenticity of the data and offers anti-replay protection. Unlike ESP, AH also protects the
IP header (except the fields that legitimately change in transit, such as TTL), which is why AH cannot pass
through NAT.
Drawback - AH does not provide confidentiality.

How ESP & AH provides anti-replay protection?


Both ESP and AH provide anti-replay protection based on the sequence number in their headers. The sender
starts at 1 and increments the sequence number for every packet sent on the SA. The receiver keeps a sliding
window (at least 32, normally 64 packets wide) anchored at the highest sequence number accepted so far: a
packet with a new highest sequence number advances the window, a packet that falls inside the window and
has not been seen before is accepted even if it arrives out of order, and a packet that is a duplicate or older
than the window is dropped. The window is updated only after the packet's integrity check (ICV) succeeds,
so an attacker cannot advance the window with forged packets. Before the sequence number would wrap,
the SA must be renegotiated (or extended sequence numbers used).
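The receiver-side check described above, as an added example that is not part of the original page and is not Cisco code: a sliding-window anti-replay check in the style of RFC 4303 section 3.4.3, with the ICV verified before the window is touched. The packet format (4-byte sequence number, payload, truncated HMAC-SHA-256 ICV), the key and the packet sequence are constructed for the demo; a 64-packet window is assumed.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"   # constructed for the demo; real keys come from IKE
ICV_LEN = 16                    # HMAC-SHA-256-128 truncation, as RFC 4868 specifies for ESP/AH


class AntiReplayWindow:
    """Sliding-window replay check in the style of RFC 4303 section 3.4.3."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0    # highest sequence number accepted so far (right edge of window)
        self.bitmap = 0     # bit i set  =>  sequence number (highest - i) was received

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if acceptable, False if the packet must be dropped.
        Call only after the packet's ICV has verified."""
        if seq == 0:
            return False                                   # 0 is never used on the wire
        if seq > self.highest:
            shift = seq - self.highest                     # slide the window right
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                                   # older than the window: stale
        if self.bitmap & (1 << offset):
            return False                                   # already received: replay
        self.bitmap |= 1 << offset                         # late but new: accept
        return True


def make_packet(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Sender side: sequence number, payload, then an ICV computed over both."""
    body = seq.to_bytes(4, "big") + payload
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


class Receiver:
    def __init__(self, key: bytes = KEY, window: int = 64):
        self.key = key
        self.window = AntiReplayWindow(window)
        self.accepted = []

    def receive(self, pkt: bytes) -> str:
        body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return "drop:bad-icv"             # authenticate first; never touch the window
        seq = int.from_bytes(body[:4], "big")
        if not self.window.check_and_update(seq):
            return "drop:replay-or-stale"
        self.accepted.append(seq)
        return "accept"


def demo() -> dict:
    """Constructed packet sequence exercising each branch of the check, in order."""
    rx = Receiver()
    return {
        "first": rx.receive(make_packet(1, b"a")),
        "reordered-ok": rx.receive(make_packet(5, b"e")),
        "late-within-window": rx.receive(make_packet(3, b"c")),
        "replay": rx.receive(make_packet(3, b"c")),
        "forged-high-seq": rx.receive(make_packet(999, b"x", key=b"attacker-key")),
        "jump": rx.receive(make_packet(200, b"z")),
        "stale": rx.receive(make_packet(100, b"y")),   # 200 - 100 = 100 >= 64: outside window
        "highest": rx.window.highest,                  # the forged 999 never moved the edge
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The forged packet with sequence number 999 is the case to notice: had the window been advanced before the ICV check, every legitimate packet between 200 and 935 would then have been dropped as stale, a cheap denial of service against the SA.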

What is IKE?
It is a hybrid protocol that implements Oakley and SKEME key exchanges inside the Internet Security
Association and Key Management Protocol (ISAKMP) framework. It defines the mechanism for creating and
exchanging keys. IKE derives authenticated keying material and negotiates SAs that are used for ESP and AH
protocols.

At what protocol does IKE works?


IKE uses UDP port 500. When NAT traversal (NAT-T) is detected, IKE moves to UDP port 4500 and the ESP
packets are then encapsulated in UDP port 4500 as well.

Explain how IKE/ISAKMP Works?


IKE is a two-phase protocol-
Phase 1
IKE phase 1 negotiates the following:-
1.It negotiates the algorithms that protect the phase 1 exchange itself (encryption and hash).
2.It derives keying material from a Diffie-Hellman exchange.
3.Peers authenticate each other using a pre-shared key, RSA encryption (public key) or RSA digital signature.
4.The resulting SA protects the phase 2 negotiation.

There are two modes in IKE phase 1:-


Main mode - Six messages are exchanged in main mode to establish the phase 1 SA; the peer identities are
sent only after the Diffie-Hellman exchange, so they travel encrypted.
Aggressive mode - Faster, as only three messages are exchanged to establish the phase 1 SA, but less secure:
the identities are sent in clear text and, with pre-shared key authentication, the authentication hash is sent
unencrypted, which exposes the PSK to offline dictionary attacks by anyone who captures the exchange.

At the end of phase 1, a bidirectional ISAKMP/IKE SA (phase 1 SA) is established for IKE communication.

Phase 2
IKE phase 2 protects the user data and establishes SA for IPsec.
There is one mode in IKE phase 2:-
Quick mode - In this mode three messages are exchanged to establish the phase 2 IPsec SA.
At the end of phase 2 negotiations, two unidirectional IPsec SAs (Phase 2 SA) are established for user data—
one for sending and another for receiving encrypted data.

Explain the messages exchange between the peers in IKE/ISAKMP?


Phase 1 - Main Mode

MESSAGE 1: Initiator offers one or more policy proposals, each naming an encryption algorithm (AES or 3DES),
a hash algorithm (MD5 or SHA), an authentication method (pre-shared key, RSA signature or RSA encryption),
a Diffie-Hellman group and an SA lifetime.
MESSAGE 2: Responder returns the proposal it accepts (or rejects the exchange).
MESSAGE 3: Initiator sends its Diffie-Hellman public value and a nonce.
MESSAGE 4: Responder sends its Diffie-Hellman public value and a nonce.
MESSAGE 5: Initiator sends its identity and an authentication payload (a hash derived from the pre-shared
key, or a certificate and signature).
MESSAGE 6: Responder sends its identity and authentication payload.
Only the first four messages are exchanged in clear text; messages 5 and 6 are already encrypted with keys
derived from the Diffie-Hellman exchange.

Phase 2 - Quick Mode

MESSAGE 7: Initiator sends Hash, IPsec proposal (transform set), ID (the proxy identities describing the traffic
to be protected) and nonce.
MESSAGE 8: Responder sends Hash, the accepted IPsec proposal, ID and nonce.
MESSAGE 9: Initiator sends a hash confirming the exchange, after which both sides install the IPsec SAs.
All messages in Quick mode are encrypted under the phase 1 SA.

What is Diffie-Hellman?
DH is a public-key cryptography protocol which allows two parties to establish a shared secret over an
insecure communications channel. Diffie-Hellman is used within IKE to establish session keys and is a
component of Oakley.
How Diffie-Hellman works?
Both sides agree on public parameters: a large prime p and a generator g (an IKE "DH group"; for example
group 14 is a 2048-bit MODP group). Each side picks a random private value that never leaves that device
(a on side A, b on side B) and computes its public value, g^a mod p or g^b mod p. Only the public values are
exchanged, in the clear. Side A then computes (g^b)^a mod p and side B computes (g^a)^b mod p; both arrive
at the same shared secret g^ab mod p. An eavesdropper sees only p, g, g^a and g^b, and recovering the secret
from those is the discrete logarithm problem, which is infeasible for properly sized groups. RSA is not
involved: DH is a key agreement, not the encryption of a key. A plain DH exchange does not authenticate the
peers, so IKE authenticates it separately (pre-shared key, RSA signature or certificate); otherwise an active
attacker could run a separate DH exchange with each side and sit in the middle.
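The exchange described above, as an added example that is not part of the original page and is not Cisco code: a Diffie-Hellman agreement in Python over the 2048-bit MODP group that IKE calls group 14 (parameters from RFC 3526, section 3), with the parameter and peer-value checks a careful implementation performs. The party names, nonces and the SHA-256 key derivation are assumptions of the demo; the derivation stands in for IKE's PRF-based SKEYID computation and is not IKE's actual formula.

```python
import hashlib
import secrets

# RFC 3526, section 3: 2048-bit MODP group (IKE Diffie-Hellman group 14), generator 2.
P_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
"""
P = int("".join(P_HEX.split()), 16)
G = 2


def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin test, used to sanity-check group parameters before trusting them."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p: int) -> bool:
    """RFC 3526 groups use safe primes p = 2q + 1, which leaves no small subgroups to exploit."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def is_valid_public(value: int, p: int = P) -> bool:
    """Reject 0, 1 and p-1 (they force a trivial secret) and anything outside the order-q subgroup."""
    if not 1 < value < p - 1:
        return False
    q = (p - 1) // 2
    return pow(value, q, p) == 1


class DHParty:
    """One IKE peer's half of the exchange."""

    def __init__(self, p: int = P, g: int = G):
        self.p, self.g = p, g
        self.private = secrets.randbelow(p - 2) + 1   # x in [1, p-2]; never leaves this peer
        self.public = pow(g, self.private, p)          # g^x mod p; sent in the clear (KE payload)

    def shared_secret(self, peer_public: int) -> int:
        if not is_valid_public(peer_public, self.p):
            raise ValueError("rejecting degenerate or out-of-subgroup peer value")
        return pow(peer_public, self.private, self.p)  # (g^y)^x = g^xy mod p


def derive_key(shared: int, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """Demo stand-in for IKE's PRF-based SKEYID derivation (assumption, not the IKE formula)."""
    size = (P.bit_length() + 7) // 8
    return hashlib.sha256(nonce_i + nonce_r + shared.to_bytes(size, "big")).digest()


def run_exchange():
    """Initiator and responder each derive the same key; only public values and nonces cross the wire."""
    initiator, responder = DHParty(), DHParty()
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    key_i = derive_key(initiator.shared_secret(responder.public), nonce_i, nonce_r)
    key_r = derive_key(responder.shared_secret(initiator.public), nonce_i, nonce_r)
    return key_i, key_r


if __name__ == "__main__":
    print("group parameters sane:", P.bit_length() == 2048 and is_safe_prime(P))
    key_i, key_r = run_exchange()
    print("both sides derived the same key:", key_i == key_r)
```

The subgroup check in is_valid_public is the detail most toy implementations omit: without it a malicious peer can send a value of small order and learn the other side's private exponent modulo that order, which is why IKE implementations validate received KE payloads.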

What are Security Associations?


The SAs define the protocols and algorithms to be applied to sensitive packets and specify the keying material
to be used by the two peers. SAs are unidirectional and are established per security protocol (AH or ESP).

What is Transform set?


A transform set is a combination of IPsec security protocols (ESP and/or AH) and the algorithms to use with
them (for example esp-aes with esp-sha-hmac). During the IPsec SA negotiation (IKE phase 2), the peers
agree to use a particular transform set for protecting a particular data flow.

What are Crypto access lists?


Crypto access lists specify which IP traffic is protected by IPsec and which is not. A "permit" entry selects
traffic to be protected; a "deny" entry (or no match) leaves traffic unprotected. The remote peer's crypto
access list should be the mirror image of the local one, otherwise the phase 2 proxy identities will not match.

What are Crypto map?


Crypto map is used to pull together the various parts used to set up IPsec SAs including:-
1.Which traffic should be protected by IPsec (crypto access list).
2.Where IPsec-protected traffic should be sent (remote IPsec peer).
3.What IPsec SA should be applied to this traffic (transform sets).
Multiple interfaces can share the same crypto map set in case we want to apply the same policy to multiple
interfaces.
If a crypto map set on an interface contains more than one entry, the sequence number ranks the entries: the
lower the seq-num argument, the higher the priority.

How do you check the status of the tunnel’s phase 1 & 2 ?


Use following commands to check the status of tunnel phases:-
Phase 1- show crypto isakmp sa
Phase 2 - show crypto ipsec sa

What is IPsec Virtual Tunnel Interface?


IPSec VTI is the concept of using a dedicated IPsec interface called IPsec Virtual Tunnel Interface for highly
scalable IPsec-based VPNs. IPsec VTI provides a routable interface for terminating IPsec tunnels. VTI also
allows the encrypting of multicast traffic with IPsec.

What is the difference between Static Crypto Maps and Dynamic Crypto Maps?
Static Crypto Maps are used when peers are predetermined. It is basically used in IPSec site to site VPNs.
Dynamic crypto maps are used with networks where the peers are not always predetermined. It is basically
used in IPSEC Remote Access VPNs.
There are two types of IPsec VTI interfaces:
1.Static VTI (SVTI): This can be used for site-to-site IPsec-based VPNs.
2.Dynamic VTI (DVTI): DVTI replaces dynamic crypto maps. It can be used for remote-access VPNs.

What is Cisco Easy VPN?


Remote Access VPN when implemented with IPsec is called Cisco Easy VPN. The Easy VPN is easy to set up,
with minimal configuration required at the remote client site. Cisco Easy VPN allows us to define centralized
security policies at the head-end VPN device (VPN Server) which are then pushed to the remote site VPN
device upon connection.

What is DMVPN?
DMVPN allows IPsec VPN networks to better scale hub-to-spoke and spoke-to-spoke topologies optimizing the
performance and reducing latency for communications between sites.
It offers following benefits:-
1. It Optimizes network performance.
2. It Reduces router configuration on the hub.
3.Support for dynamic routing protocols running over the DMVPN tunnels.
4.Support for multicast traffic from hub to spokes.
5.The capability of establishing direct spoke-to-spoke IPsec tunnels for communication between sites without
having the traffic to go through the hub.

What are the three phases of DMVPN?


Phase 1 - In phase 1 we use NHRP so that spokes can register themselves with the hub. Only Hub uses a
multipoint GRE interface, all spokes will be using regular point-to-point GRE tunnel interfaces which means
that there will be no direct spoke-to-spoke communication, all traffic has to go via hub.
The only advantage of the phase I setup is the fact the hub router’s configuration is much simpler.
Summarization is possible in phase 1.

Phase 2 - In phase 2 all spokes routers also use multipoint GRE tunnels so we do have direct spoke to spoke
tunneling. When a spoke router wants to communicate to another spoke it will send an NHRP resolution
request to the hub to find the NBMA IP address of the other spoke. Summarization is not possible in phase 2.
Full Process
1.Spoke 1 forwards a packet with a next hop which is another spoke (spoke 2). There is no NHRP map entry
for this spoke so an NHRP resolution request is sent to the hub.
2.The request from spoke 1 contains the tunnel IP address of the spoke 2 so the hub relays the request to
spoke 2.
3.Spoke 2 receives the request, adds its own address mapping to it and sends it as an NHRP reply directly to
spoke 1.
4.Spoke 2 then sends its own NHRP resolution request to the hub that relays it to spoke 1.
5.Spoke 1 receives the request from spoke 2 via the hub and replies by adding its own mapping to it and
sending it directly to spoke 2.
Spoke to Spoke tunnel is established.
Phase 3 - In phase 3 the hub is configured with NHRP redirect. When the hub forwards a packet that arrived on
the tunnel interface back out the same tunnel interface (spoke-to-spoke traffic passing through the hub), it
sends an NHRP redirect to the originating spoke telling it that a better path exists. The spoke then sends an
NHRP resolution request for the destination; the request is forwarded through the hub to the destination
spoke, which replies directly to the originating spoke, and a spoke-to-spoke tunnel is built.
NHRP shortcut configured on the spokes installs the resolved path in the CEF table: it changes the next hop
for the remote spoke's networks from the hub's tunnel IP address to the NHRP-resolved tunnel IP address of
the remote spoke. Because the shortcut overrides the routing next hop, the hub can advertise summary routes.
Summarization is possible in phase 3.

Explain Next Hop Resolution Protocol (NHRP)?


NHRP (RFC 2332) is an address-resolution protocol, similar in function to ARP, that maps a tunnel (overlay) IP
address to an NBMA address, that is, the spoke's real public IP address. In DMVPN the hub acts as the Next
Hop Server and maintains the NHRP database of public addresses for each spoke. When a spoke boots up, it
registers its real address with the hub, and later queries the hub for the real addresses of other spokes so
that it can build direct spoke-to-spoke tunnels.

What is GRE?
Generic Routing Encapsulation Protocol is a tunneling protocol developed by Cisco designed to encapsulate IP
unicast, multicast and broadcast packets. It uses IP protocol number 47.

Name a major drawback of both GRE & L2TP?


No encryption.
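The GRE header and the "no encryption" drawback from the two questions above, as an added example that is not part of the original page and is not Cisco code: building and parsing a minimal RFC 2784 GRE header in Python. The inner IPv4 packet is constructed (its IP checksum is left zero) and the tampering scenario is a demo assumption. It shows the IP protocol number 47 on the outer header, the Ethertype-style protocol type field, and why the optional GRE checksum detects corruption but gives no integrity protection against an attacker, which is what running GRE inside IPsec provides.

```python
import struct

GRE_IP_PROTOCOL = 47       # value in the outer IP header's protocol field
ETHERTYPE_IPV4 = 0x0800    # the GRE protocol type field uses Ethertype values
FLAG_CHECKSUM = 0x8000     # C bit (RFC 2784)
FLAGS_KEY_SEQ = 0x3000     # K and S bits are RFC 2890 extensions, not handled here
VERSION_MASK = 0x0007


def gre_checksum(data: bytes) -> int:
    """One's-complement Internet checksum over the GRE header plus payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(payload: bytes, proto: int = ETHERTYPE_IPV4, with_checksum: bool = False) -> bytes:
    """Prepend a GRE header (4 bytes, or 8 with the checksum fields) to an encapsulated packet."""
    flags_ver = FLAG_CHECKSUM if with_checksum else 0
    header = struct.pack("!HH", flags_ver, proto)
    if with_checksum:
        # checksum is computed with the checksum and reserved1 fields zeroed
        csum = gre_checksum(header + b"\x00\x00\x00\x00" + payload)
        header += struct.pack("!HH", csum, 0)
    return header + payload


def parse_gre(packet: bytes) -> dict:
    """Validate the header and return the protocol type and the (clear-text) payload."""
    flags_ver, proto = struct.unpack("!HH", packet[:4])
    if flags_ver & VERSION_MASK:
        raise ValueError("only GRE version 0 (RFC 2784) is handled")
    if flags_ver & FLAGS_KEY_SEQ:
        raise ValueError("key/sequence extensions (RFC 2890) not handled")
    has_csum = bool(flags_ver & FLAG_CHECKSUM)
    offset = 4
    if has_csum:
        offset = 8
        if gre_checksum(packet) != 0:      # checksum of header+payload must verify to zero
            raise ValueError("GRE checksum mismatch")
    return {"protocol_type": proto, "checksum_present": has_csum, "payload": packet[offset:]}


def demo() -> dict:
    """Constructed inner packet: minimal IPv4 header (IP checksum left zero) plus clear-text data."""
    data = b"SECRET DATA"
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(data), 0, 0, 64, 17, 0,
                        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + data
    pkt = build_gre(inner, with_checksum=True)
    parsed = parse_gre(pkt)

    # A bit flip in transit is caught by the checksum...
    corrupted = bytearray(pkt)
    corrupted[-1] ^= 0x01
    try:
        parse_gre(bytes(corrupted))
        corruption_detected = False
    except ValueError:
        corruption_detected = True

    # ...but an attacker who rewrites the payload simply recomputes the checksum.
    forged_inner = inner.replace(b"SECRET DATA", b"EVIL   DATA")
    forged_parsed = parse_gre(build_gre(forged_inner, with_checksum=True))

    return {
        "outer_ip_protocol": GRE_IP_PROTOCOL,
        "protocol_type": parsed["protocol_type"],
        "payload_readable": data in parsed["payload"],          # no confidentiality
        "corruption_detected": corruption_detected,
        "forgery_accepted": forged_parsed["payload"] == forged_inner,   # no integrity
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Anyone on the path sees the inner packet and can rewrite it; that is why GRE over the Internet is normally protected with an IPsec transform set applied to the tunnel (GRE over IPsec, as in DMVPN), which adds the confidentiality and the keyed integrity check GRE itself lacks.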

What is SSL VPN? How it is different from IPsec VPN?


SSL VPN provides remote access connectivity from any internet-enabled device through a standard web
browser and its native SSL/TLS encryption. It does not require any special client software at the remote site.
An IPsec VPN connection is initiated by preinstalled VPN client software, so it requires installation of a
special client; an SSL VPN connection is initiated through a web browser, so no special-purpose VPN client
is needed (the full-tunnel mode described below does use a client, but downloads it on demand).

At which Layer does SSL VPN operates?


SSL/TLS runs on top of TCP and below the application protocol it protects. In OSI terms it is usually placed
at the session/presentation layers, though it is commonly described simply as an Application layer (Layer 7)
protocol. It provides secure communications over the Internet for web browsing, e-mail and other traffic;
HTTPS and Cisco SSL VPN use TCP port 443.

What are different SSL VPN Modes?


SSL VPN can be deployed in one of the following three modes:-
1.Clientless mode - It works at Layer 7, Clientless mode provides secure access to web resources and web-
based content. This mode can be used for accessing most content that you would expect to access in a web
browser such as Internet, databases and online tools. Clientless mode also supports common Internet file
system (CIFS). Clientless mode is limited to web-based content only. It does not provide access to TCP
connections such as SSH or Telnet.

2.Thin client mode - It works at Layer 7 and is also known as port forwarding. Thin client mode provides
remote access to TCP-based services such as Telnet, Secure Shell (SSH), Simple Mail Transfer Protocol (SMTP),
Internet Message Access Protocol (IMAP) and Post Office Protocol (POP3) applications. Thin client is delivered
via a Java applet that is dynamically downloaded from the SSL VPN appliance upon session establishment.
3.Thick client mode - It works at Layer 3 and is also known as tunnel mode or full tunneling client. The thick
client mode provides extensive application support through dynamically downloaded SSL VPN Client software
or the Cisco AnyConnect VPN client software from the VPN server appliance. This mode delivers a lightweight,
centrally configured, and easy-to-support SSL VPN tunneling client that provides full network layer (Layer 3)
access to virtually any application.

Explain SSL Handshake?


1.Client initiates by sending a CLIENT HELLO message which contains the highest SSL/TLS version the client
supports, the cipher suites (combinations of cryptographic algorithms) supported by the client in order of
preference, and a random number.
2.Server sends back a SERVER HELLO message which contains the version number (the server selects the
highest version supported by both sides), the cipher suite selected by the server from the client's list, a
session ID and the server's own random number.
3.Server also sends its certificate, signed by a Certificate Authority, so that the client can authenticate the
server; the certificate carries the server's public key.
4.Server then sends SERVER HELLO DONE, indicating that it has finished its hello messages and is waiting for
the client.
5.Client sends its own certificate if the server requested client authentication (CERTIFICATE REQUEST)
during the server hello flight.
6.Client sends a CLIENT KEY EXCHANGE message. With RSA key exchange the client generates a random
premaster secret and encrypts it with the server's public key taken from the certificate; the server decrypts
it with its private key. Both sides then derive the master secret from the premaster secret and the two
random values, and from it the symmetric session keys used to encrypt and integrity-protect the data.
7.Client sends a CHANGE CIPHER SPEC message informing the server that its following messages will be
encrypted with the session keys.
8.Client sends a FINISHED message, the first message protected with the new keys, containing a hash over all
handshake messages so far.
9.Server also sends CHANGE CIPHER SPEC.
10.Server sends its own FINISHED message; the client verifies it and application data can then flow.
This describes the RSA key exchange of SSL 3.0 and TLS 1.0-1.2. Modern deployments use (EC)DHE cipher
suites for forward secrecy, and TLS 1.3 always uses (EC)DHE, encrypts most of the handshake and completes
it in one round trip.