Cisco Secure VPN Exam Certification Guide - Cisco Press (.pdf)

498 Appendix A: Answers to the “Do I Know This Already?” Quizzes and Q&A Sections

53. What steps should you take before you begin the task of configuring IPSec on a Cisco device?

The five preconfiguration steps are as follows:

Step 1 Establish an IKE policy.

Step 2 Establish an IPSec policy.

Step 3 Examine the current configuration.

Step 4 Test the network before IPSec.

Step 5 Permit IPSec ports and protocols.

54. What are the five steps of the IPSec process?

The five steps of the IPSec process are as follows:

Step 1 Interesting traffic triggers IPSec process.

Step 2 Authenticate peers and establish IKE SAs (IKE Phase 1).

Step 3 Establish IPSec SAs (IKE Phase 2).

Step 4 Allow secured communications.

Step 5 Terminate VPN.

55. What is the difference between the deny keyword in a crypto ACL and the deny keyword in an access ACL?

In an access ACL, the deny keyword tells the network device to drop the packet. In a crypto ACL, the deny keyword tells the network device to pass the traffic in the clear without the benefit of IPSec security.
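As an added worked example (not from the book, and not a Cisco-supplied configuration), the following Cisco IOS fragment shows the five preconfiguration steps from question 53 and the crypto ACL versus access ACL distinction from question 55 on a hypothetical router. The outside address 203.0.113.1, the peer 203.0.113.2, the networks 10.1.1.0/24 and 10.2.2.0/24, the host 10.2.2.50, the names VPN-TS and VPN-MAP, and the key placeholder are all constructed for illustration.

```cisco
! --- Step 1: establish an IKE policy (ISAKMP, IKE Phase 1) ---
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
! Pre-shared key for the remote peer (REPLACE-WITH-REAL-KEY is a placeholder,
! 203.0.113.2 is a constructed peer address)
crypto isakmp key REPLACE-WITH-REAL-KEY address 203.0.113.2
!
! --- Step 2: establish an IPSec policy (transform set used for IKE Phase 2) ---
crypto ipsec transform-set VPN-TS esp-3des esp-sha-hmac
 mode tunnel
!
! --- Steps 3 and 4 are done at the CLI before the crypto map is applied, e.g. ---
!   show running-config
!   show crypto isakmp policy
!   ping 10.2.2.1 source 10.1.1.1      (prove plain IP reachability first)
!
! --- Crypto ACL: defines the "interesting traffic" that triggers the IPSec process ---
! permit = protect with IPSec; deny = send in the clear (the packet is NOT dropped).
! The deny line exempts traffic to the constructed host 10.2.2.50 from encryption.
access-list 110 deny   ip 10.1.1.0 0.0.0.255 host 10.2.2.50
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Crypto map ties the peer, the transform set and the crypto ACL together
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set VPN-TS
 match address 110
!
! --- Step 5: permit IPSec ports and protocols on the outside interface ACL ---
! ISAKMP is UDP 500, ESP is IP protocol 50, AH is IP protocol 51.
access-list 120 permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
access-list 120 permit esp host 203.0.113.2 host 203.0.113.1
access-list 120 permit ahp host 203.0.113.2 host 203.0.113.1
! Older IOS releases re-check the decrypted packet against the inbound ACL,
! so the inner tunnel traffic is permitted explicitly as well.
access-list 120 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
! Access ACL semantics: deny here means DROP (contrast with the crypto ACL above).
access-list 120 deny   ip any any log
!
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 ip access-group 120 in
 crypto map VPN-MAP
```

The deny in access-list 110 is the security-relevant line: packets from 10.1.1.0/24 to 10.2.2.50 leave the interface unencrypted, so every deny in a crypto ACL should be reviewed as a deliberate cleartext exemption and mirrored on the peer's crypto ACL. The deny in access-list 120 does the opposite job and discards the packet. `show crypto ipsec sa` lists the per-SA encrypt and decrypt counters that confirm which flows are actually being protected.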

Chapter 3—Do I Know This Already?

1. What models are available in the Cisco VPN 3000 Concentrator Series?

Five models are available in the Cisco VPN 3000 Concentrator Series: VPN 3005, VPN 3015, VPN 3030, VPN 3060, and VPN 3080.

2. What is the maximum number of simultaneous sessions that can be supported on the Cisco VPN 3015 Concentrator?

The Cisco VPN 3015 Concentrator supports up to 100 simultaneous sessions.

3. What is the maximum number of simultaneous sessions that can be supported on the Cisco VPN 3080 Concentrator?

The Cisco VPN 3080 Concentrator supports up to 10,000 simultaneous sessions.

4. On a Cisco VPN 3005 Concentrator, what does a blinking green system LED indicate?

On a Cisco VPN 3005 Concentrator, a blinking green system LED indicates that the system is in a shutdown (halted) state and is ready to be powered off.

5. What is the maximum encryption throughput rate for the VPN 3000 series?

The VPN 3000 series of concentrators can sustain a maximum encryption throughput of 100 Mbps.

6. What tunneling protocols do Cisco VPN 3000 Concentrators support?

The Cisco VPN 3000 Concentrators support the following tunneling protocols: Internet Protocol Security (IPSec), Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), L2TP/IPSec, and Network Address Translation (NAT) Transparent IPSec.

7. How do VPN concentrators reduce communications expenses?

VPN concentrators reduce communications expenses by allowing remote users to connect to the corporate network through the Internet by dialing into local ISP connections rather than by using expensive long-distance or 800 numbers. Digital subscriber line (DSL) or cable modem users can also use broadband connections with VPN concentrators to gain security for their high-speed data circuits.

8. What other authentication capability exists if standard authentication servers are not available?

When authentication servers are not available, the VPN concentrators have the ability to authenticate users from an internal database.

9. What routing protocols do the Cisco VPN 3000 Concentrators support?

The Cisco VPN 3000 Concentrators support Routing Information Protocol 1 (RIP1), RIP2, and Open Shortest Path First (OSPF). In addition to these dynamic routing protocols, the concentrators also support static routing.

10. What protocol permits multichassis redundancy and failover?

The Virtual Router Redundancy Protocol (VRRP) permits multichassis redundancy and failover support.

11. List some of the methods that can be used to interface with the embedded Cisco VPN Manager software on VPN concentrators.

You can access the Cisco VPN Manager through the console port, Telnet, SSH, HTTP, and Secure HTTP.

12. What four options are available under the Configuration menu of the VPN Manager?

The four options on the Configuration menu are Interfaces, System, User Management, and Policy Management.

13. What mechanism is used by Cisco VPN Clients to monitor firewall activity between the client and the concentrator?

The Cisco VPN Clients use the Are You There (AYT) mechanism to monitor firewall activity.

14. What optional feature on the Cisco VPN 3002 Hardware Client allows you to connect Ethernet devices to the client?

The Cisco VPN 3002 Hardware Client can be configured with an optional 8-port Ethernet switch.

15. During large-scale implementations, how can VPN 3000 Concentrators be configured to simplify client configuration?

Cisco VPN 3000 Concentrators can push the client policies and configurations to the clients upon initial login to the system.

16. Which of Cisco’s client offerings has no limitations with regard to the types of client operating systems it can support?

The Cisco VPN 3002 Hardware Client works with every type of client operating system, as long as the system speaks TCP/IP.

17. What two operating modes can a Cisco VPN 3002 Hardware Client be configured to support?

The Cisco VPN 3002 Hardware Client can be configured to support either Client mode or Network Extension mode.

18. What operating systems does the Cisco VPN Client support?

The Cisco VPN Client supports the full range of Microsoft Windows operating systems, including Windows 95, 98, Me, NT 4.0, 2000, and XP. The Cisco VPN Client also supports Linux (Intel), Solaris (UltraSparc-32bit), and MAC OS X 10.1.

Chapter 3—Q&A

1. How do VPN concentrators reduce communications expenses?

VPN concentrators reduce communications expenses by allowing remote users to connect to the corporate network through the Internet by dialing into local ISP connections rather than by using expensive long-distance or 800 numbers. Digital subscriber line (DSL) or cable modem users can also use broadband connections with VPN concentrators to gain security for their high-speed data circuits.

2. What are two of the standard authentication servers that Cisco VPN 3000 Concentrators can use for authentication?

These concentrators can work with existing RADIUS, TACACS+, NT Domain, internal authentication, digital certificates, or Security Dynamics servers, which are also known as RSA Security International (SDI) servers. You could choose any two of these for the correct answer.

3. What other authentication capability exists if standard authentication servers are not available?

When authentication servers are not available, the VPN concentrators have the ability to authenticate users from an internal database.

4. With respect to firewalls, where can you install Cisco VPN 3000 Concentrators?

These powerful concentrators can be installed in front of, behind, or in parallel with existing firewalls, or even in the DMZ when the firewall provides one.

5. What routing protocols do the Cisco VPN 3000 Concentrators support?

The Cisco VPN Concentrators support RIP1, RIP2, and OSPF. In addition to these dynamic routing protocols, the concentrators also support static routing.

6. During large-scale implementations, how can Cisco VPN 3000 Concentrators be configured to simplify client configuration?

Cisco VPN 3000 Concentrators can push the client policies and configurations to the clients upon initial login to the system.

7. What is the maximum encryption throughput rate for the VPN 3000 Concentrator Series?

The Cisco VPN 3000 Concentrator Series can sustain a maximum encryption throughput of 100 Mbps.

8. What hardware device is required to achieve maximum encryption throughput on the Cisco VPN 3000 Concentrators?

When Cisco VPN 3000 Concentrators use Scalable Encryption Processors (SEPs), they can attain maximum encryption throughput.

9. What element on SEPs permits them to be so fast and flexible?

SEPs are designed around digital signal processors (DSPs), which are programmable, high-speed processors.

10. Why are Cisco VPN Concentrators so good at supporting VPN communications?

These VPN concentrators were purposely designed to provide only VPN support. They do not perform any other major network functions. Additionally, Scalable Encryption Processor (SEP) modules can be installed in most models to perform encryption routines, providing further support for VPN processes.

11. What tunneling protocols do Cisco VPN 3000 Concentrators support?

The Cisco VPN 3000 Concentrators support the following tunneling protocols: Internet Protocol Security (IPSec), Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), L2TP/IPSec, and Network Address Translation (NAT) Transparent IPSec.

12. In addition to RIP and OSPF, what other routing capabilities do Cisco VPN Concentrators have?

Cisco VPN Concentrators also support static routes, automatic endpoint discovery, Network Address Translation (NAT), and classless interdomain routing (CIDR).

13. What encryption and authentication protocols do Cisco VPN 3000 Concentrators support?

Cisco VPN 3000 Concentrators support IPSec Encapsulating Security Payload (ESP) using DES/3DES (56/168-bit) with MD5 or SHA, or MPPE using 40/128-bit RC4.

14. What protocol permits multichassis redundancy and failover?

The Virtual Router Redundancy Protocol (VRRP) permits multichassis redundancy and failover support.

15. What hardware items can be made redundant on Cisco VPN 3000 Concentrators?

Cisco VPN 3000 Concentrators support redundant fans and can have redundant SEP modules and power supplies.

16. What are some of the methods that can be used to interface with the embedded Cisco VPN Manager software on VPN concentrators?

You can access the Cisco VPN Manager through the console port, Telnet, SSH, HTTP, and Secure HTTP.

17. What are the most secure forms of authentication that can be used with Cisco VPN 3000 Series Concentrators?

Digital certificates and tokens are the most secure form of authentication that can be used with Cisco VPN 3000 Series Concentrators.

18. What mechanism is used by Cisco VPN Clients to monitor firewall activity between the client and the concentrator?

The Cisco VPN Clients use the Are You There (AYT) mechanism to monitor firewall activity.

19. What is the rated mean time between failure (MTBF) for Cisco VPN 3000 Concentrators?

Cisco VPN 3000 Concentrators have an MTBF of 200,000 hours.

20. You have installed two Cisco VPN 3000 Concentrators in parallel on your network. Both devices have redundant power supplies, fans, and SEPs. You need to ensure 99.9% uptime. How can you achieve this rate of fault tolerance?

Configure both VPN concentrators into the same VRRP group, permitting one of the devices to become the active unit and the other to take a role as a hot standby concentrator.

21. During the initial configuration of the VPN concentrators, what management interface must you use?

You must use the command-line interface (CLI) to configure initial network settings on the concentrator.

22. What do you need to do to activate configuration changes to Cisco VPN Concentrators that are made through the Cisco VPN Manager?

Configuration changes are stored within the memory of the VPN concentrator and take effect immediately.

23. What four options are available under the Configuration menu of the VPN Manager?

The four available options on the Configuration menu are Interfaces, System, User Management, and Policy Management.

24. What is the hierarchical order of property inheritance on Cisco VPN Concentrators?

The Base Group is the root element in the property inheritance hierarchy. Next come specific groups, which inherit default properties from the Base Group. After specific groups come users, who inherit default properties from specific groups or from the Base Group if the user has not been assigned to a specific group.

25. What options are available on the Administration menu of the Cisco VPN Manager?

The options available from the Administration menu are Administer Sessions, Software Update, System Reboot, Ping, Monitoring Refresh, Access Rights, File Management, and Certificate Management.

26. What options are available on the Monitoring menu of the Cisco VPN Manager?

The options available from the Monitoring menu are Routing Table, Filterable Event Log, System Status, Sessions, and Statistics.

27. Where in the Cisco VPN Manager could you go to view the current IP address for the private interface on a Cisco VPN 3000 Concentrator?

To view the current IP settings for all Cisco VPN 3000 Concentrator interfaces, click the Interfaces option from the Configuration menu of the Cisco VPN Manager.

28. What models are available in the Cisco VPN 3000 Concentrator Series?

Five models are available in the Cisco VPN 3000 Concentrator Series: VPN 3005, VPN 3015, VPN 3030, VPN 3060, and VPN 3080.

29. Which of the Cisco VPN 3000 Series Concentrators is a fixed configuration that is not upgradeable?

The Cisco VPN 3005 Concentrator is a fixed configuration that is not upgradeable.

30. How can purchasers of a Cisco VPN 3000 Series Concentrator obtain a license for the Cisco VPN Client?

The Cisco VPN Client configured for unlimited installations is shipped with every Cisco VPN 3000 Series Concentrator sold. Additionally, customers with access to Cisco.com can download upgrades from the CCO website without cost.

31. What is the maximum number of simultaneous sessions that can be supported on the Cisco VPN 3005 Concentrator?

The Cisco VPN 3005 Concentrator supports up to 100 simultaneous sessions.

32. What is the maximum number of simultaneous sessions that can be supported on the Cisco VPN 3015 Concentrator?

The Cisco VPN 3015 Concentrator supports up to 100 simultaneous sessions.

33. What is the maximum number of simultaneous sessions that can be supported on the Cisco VPN 3030 Concentrator?

The Cisco VPN 3030 Concentrator supports up to 1500 simultaneous sessions.

34. What is the maximum number of simultaneous sessions that can be supported on the Cisco VPN 3060 Concentrator?

The Cisco VPN 3060 Concentrator supports up to 5000 simultaneous sessions.

35. What is the maximum number of simultaneous sessions that can be supported on the Cisco VPN 3080 Concentrator?

The Cisco VPN 3080 Concentrator supports up to 10,000 simultaneous sessions.

36. Which of the Cisco VPN 3000 Series Concentrators is only available in a fully redundant configuration?

The Cisco VPN 3080 Concentrator is the only model in the series that is available solely in a fully redundant configuration.

37. On a Cisco VPN 3005 Concentrator, what does a blinking green system LED indicate?

On a Cisco VPN 3005 Concentrator, a blinking green system LED indicates that the system is in a shutdown (halted) state and is ready to be powered off.

38. On a Cisco VPN 3000 Concentrator, what does a blinking amber system LED indicate?

On any of the Cisco VPN 3000 Concentrators, a blinking amber system LED indicates that the system has crashed and halted.

39. What does a blinking green Ethernet link status LED indicate on a Cisco VPN Concentrator?

A blinking green Ethernet link status LED indicates that the interface is connected to the network and configured, but the interface has been disabled.

40. What does an amber SEP status LED indicate?

An amber SEP status LED indicates that the module failed during operation.

41. Which of Cisco’s client offerings has no limitations with regard to the types of client operating systems it can support?

The Cisco VPN 3002 Hardware Client works with every type of client operating system, as long as the system speaks TCP/IP.

42. What optional feature on the Cisco VPN 3002 Hardware Client allows you to connect Ethernet devices to the client?

The Cisco VPN 3002 Hardware Client can be configured with an optional 8-port Ethernet switch.

43. What two operating modes can a Cisco VPN 3002 Hardware Client be configured to support?

The Cisco VPN 3002 Hardware Client can be configured to support either Client mode or Network Extension mode.

44. What operating systems does the Cisco VPN Client support?

The Cisco VPN Client supports the full range of Microsoft Windows operating systems, including Windows 95, 98, Me, NT 4.0, 2000, and XP. The Cisco VPN Client also supports Linux (Intel), Solaris (UltraSparc-32bit), and MAC OS X 10.1.

Chapter 4—Do I Know This Already?

1. What methods can you use for user authentication on the Cisco VPN 3000 Series Concentrators?

You can configure the VPN concentrators to use RADIUS, NT Domain, Security Dynamics International (SDI), and internal user authentication.

2. What methods can you use for device authentication between VPN peers?

You can accomplish device authentication between VPN peers by using either preshared keys or digital certificates.

3. What are the three types of preshared keys?

Preshared keys can be unique, group, or wildcard.

4. What is a unique preshared key?

A unique preshared key is one that is associated with a specific IP address.

5. When you boot up a Cisco VPN 3000 Concentrator with the default factory configuration, what happens?

The default factory configuration causes the VPN concentrator to boot up into Quick Configuration mode.

6. What information do you need to supply in the command-line interface (CLI) portion of Quick Configuration?

The CLI portion of the Quick Configuration requests system time, date, and time zone as well as the private interface IP address, subnet mask, speed, and duplex mode.

7. Which interface do you need to configure using the browser-based VPN Manager?

You need to configure the Public interface with the VPN Manager. If you have other interfaces, you also need to configure those. The Private interface was configured using the CLI portion of Quick Configuration.

8. What is the default administrator name and password for VPN concentrators?

The default VPN concentrator administrator name and password is admin/admin.

9. How do you get your web browser to connect to the VPN concentrator’s Manager application?

To connect to the VPN Manager, enter the IP address of the concentrator’s Private interface in the Address box of the browser.

10. What is the default administrator name and password for the GUI VPN Manager?

The administrator name and password are the same for the CLI and the GUI systems: admin/admin.

11. What are the three major sections of the VPN Manager system?

The three major sections of the VPN Manager system are Configuration, Administration, and Monitoring.

12. What hot keys are available in the standard toolbar of the VPN Manager?

The standard hot keys are Main, Help, Support, Logout, Configuration, Administration, and Monitoring.

13. From where do users inherit attributes on the VPN concentrator?

VPN concentrator users inherit their attributes from their groups. If a user is not a member of a group, the user inherits attributes from the Base Group.

14. How many groups can a user belong to in the VPN concentrator’s internal database?

A VPN concentrator user can belong to only one group.

15. What is an external group in the VPN Manager system?

An external group is a group from an external authentication server such as RADIUS or NT Domain.

16. When reviewing the list of attributes for a group, what does it mean when an attribute’s Inherit? box is checked?

Checking the Inherit? box for an attribute means that the attribute is always inherited from the Base Group.

17. What are the nine subcategories under the Configuration | System option in the VPN Manager’s table of contents?

The Configuration | System subcategories are Servers, Address Management, Tunneling Protocols, IP Routing, Management Protocols, Events, General, Client Update, and Load Balancing Cisco VPN Clients.

18. Where would you configure information for Network Time Protocol (NTP) and Dynamic Host Configuration Protocol (DHCP) servers within the VPN Manager?

NTP, DHCP, and other servers are configured in the Configuration | System | Servers section of the VPN Manager.

19. What tunneling protocol can you configure on the VPN concentrator to support the Microsoft Windows 2000 VPN Client?

L2TP over IPSec is the protocol required to support Microsoft Windows 2000 VPN clients. This option is available on the VPN concentrators.

20. What dynamic routing protocols are available on the VPN 3000 Concentrators?

The Cisco VPN 3000 Concentrators support RIP and OSPF routing protocols. RIP is configured on the interface.

21. What Microsoft Windows operating systems can support the Cisco VPN Client?

The Cisco VPN Client can operate on Microsoft Windows 95, 98, 98 SE, Me, NT, 2000, and XP operating systems.

22. How do you start the Cisco VPN Client on a Windows system?

From the Windows Desktop, choose Start, Programs, Cisco Systems VPN Client, VPN Dialer.