Networking Interview Questions

August 23, 2017 | Author: Rohan Maini | Category: Ip Address, Routing, Virtual Private Network, I Pv6, Osi Model

Short description: Here are a few interview questions to crack for candidates with 2-4 years of experience, but the level can rise, so do not guara...


1. What is the difference between RIPv1 and RIPv2?
2. What is classful and classless routing?
3. When does a switch VLAN interface show the up/down state?
4. What is STP and how does it work?
5. What is VTP? Which parameters have to match in VTP?
6. PC1 is connected to SW1 and PC2 to SW2, both in the same VLAN; how are the packets sent?
7. How do we use HSRP for redundancy as well as load balancing?
8. How do we configure HSRP?
9. Explain EIGRP.
10. Explain OSPF.
11. Explain the EIGRP process between two routers. The AS number and K values must match and the neighbours must be on the same primary subnet.
12. What is the difference between CAT5 and CAT6 cable?
13. Explain the SVI method. If PCs in different VLANs are connected to an L2 switch, and the L2 switch is connected to an L3 switch, how do we configure communication between the PCs?
14. How do we configure a DHCP helper address, and how does the process work?
15. What is the difference between the native VLAN, management VLAN, default VLAN and private VLAN?
16. What is VTP pruning?
17. Which mode is best when inserting a switch into a VTP domain?
18. What is the inconsistent state, and how do we clear it?
19. Tell me the AD value of every protocol. What is AD?
20. How do we know a port is in the inconsistent state?
21. Explain Loop Guard, BPDU Guard, BPDU Filter and Root Guard.
22. What are PAgP and LACP?
23. Which technologies are used on BMA, NBMA and point-to-point connections in OSPF?
24. Which router calculates the feasible successor route? Explain all the tables in EIGRP.
25. What is the difference between link-state and distance-vector?
26. What is a routing loop, and how do we avoid it?
27. Types of tunnelling.
28. What troubleshooting can we do when the internet is slow?
29. What is a broadcast storm?
30. If two systems have different subnet masks, can they communicate?
31. What is the difference between VTP and DTP?
32. Explain all the layers of the OSI model.
33. How many valid IPs does a network have?
34. When the OSPF database changes, which LSA is involved?
35. What is the inconsistent state on a switch?
36. What is stuck in active, and when does it happen in EIGRP?
37. What is the throughput of the a/b/g/n bands in WLAN?
38. Can two systems connected back to back with different subnet masks communicate?
39. What is an OSPF stub? When do we configure it, and what is its use?
40. What is the difference between standard and extended ACLs? Give the syntax of an extended ACL.
41. What is the wildcard mask of /23? How many hosts do we get in /28?
42. Which parameters does an EIGRP Hello packet contain? The AS number, K values and hold time; the neighbours must also be on the same subnet.
43. Which packets does EIGRP send over RTP? RTP (Reliable Transport Protocol) guarantees ordered delivery of update, query and reply packets; hello and ACK packets are sent unreliably.
44. Which route is placed in active state in the EIGRP process? A route whose successor is lost and which has no feasible successor; if the queries sent for it are not answered it becomes stuck in active.
45. What happens when a route goes stuck in active? If a neighbour does not answer the query within the active timer (3 minutes by default), the neighbour relationship with that router is reset and the route is recalculated.
46. Why is EIGRP called a hybrid protocol? It has features of both distance-vector (routes learned from neighbours, DUAL) and link-state (hello-based neighbour discovery, incremental triggered updates) protocols.
47. What is the behaviour of RIP?
48. When do triggered and periodic updates work?

Can you define protocol?
Can you explain the concept of OSI layers?
Can you explain the different layers in the OSI model?
Can you explain the Application layer in the OSI model?
Can you explain the Presentation layer in the OSI model?
Is it compulsory that compression, encryption and translation functions are used during communication?
Can you explain the Session layer in the OSI model?
What is the concept of simplex, half duplex and full duplex dialogs?
What are the different types of dialogs in the Session layer?
Can you explain the Transport layer in the OSI model?
Can you explain the concept of congestion?
Can you explain the Network layer?
Can you explain the Data Link layer?
Can you explain the Physical layer?
Can you explain what an IP address is?
How do you convert decimal to binary?
How many IP addresses are there in IPv4?
Can you explain the concept of a unicast IP address?
Can you explain the concept of IP multicasting or a multicast IP address?
How many different types of classful subnet networks are present?
What are the IP address ranges for public and private IP addresses?
Why do we need classes and how many different types of class exist?
How are the IP addresses distributed between the different classes?
Can you explain what classful IP addressing is?
Can you explain the concept of subnetting?
What are the advantages of using subnetting?
If the host has the subnet ID, why do we need a subnet mask?
How is the network address calculated from the subnet?
What is the advantage of using a classless addressing scheme over a classful one?
Can you explain the concept of CIDR? Twist: can you explain supernetting?
Can you explain the concept of custom subnetting?
What is the implication of increasing and decreasing subnet bits?
Why do we need to subtract two from the number of hosts?
Can you explain the concept of VLSM?
Can you explain the IP protocol?
Routers
Can you explain the concept of PDU, segments, datagrams, frames and packets?
What are IP datagram fragmentation and MTU?
Can you explain in detail with an example how data fragmentation works?
The larger the IP datagram, the less the overhead: true or false?
What is the minimum MTU size in bytes?
Can you explain how the optimal MTU size is calculated?
How does the IP message finally reassemble?
Can you explain the concept of repeaters, hubs, bridges, switches and routers?
On what layers do routers, switches, bridges and hubs operate?
Can you explain the concept of Layer 3 switches?
What are CSU, DSU and TSU?
What are the basic components of a router?
Can you explain the WAN and LAN interfaces on routers?
What are DB-15, DB-60 and RJ-45 on Cisco routers?
Can you explain the concept of TTL?

What is the concept of ICMP packets?
Which operating system does Cisco have?
Can you explain the concept of NAT?
How is NAT implemented?
Can you explain how NAT actually works?
Why do collisions occur in hubs and repeaters?
Can you explain the concept of a collision domain?
What is the concept of routing tables?
What is the use of route print?
Can you explain in detail what a routing table looks like?
How can you see route tables on the router?
Can you explain the concept of static and dynamic routing?
When do you use static routes and dynamic routes?
How do you configure static routes on a router?
Can you explain static default routes?
What is the advantage of using static default routes?
Why do workstations have route tables?
What is the concept of the gateway of last resort?
Can you explain the concept of a routing protocol?
What activities does a routing protocol perform?
What metrics are used by routing protocols to determine the best path?
Can you explain what interior and exterior routing protocols are?
Can you explain the concept of intradomain and interdomain routing protocols?
Can you explain the concept of internetwork and intranetwork routing protocols?
Which method does a routing protocol use to determine the shortest path?
What is a distance vector routing protocol?
How do routers share information in distance vector routing?
What is the main issue with routing by rumor?
Can you explain the count-to-infinity problem in distance vector?
How is the metric or cost calculated for a distance vector routing protocol?
What is the main issue with the hop count metric?
Can you explain how link-state routing protocols work?
Can you explain the concept of broadcast and multicast?
Can you tell which protocols are distance vector and which are link-state?
What's the difference between distance vector and link-state protocols?
Can you explain the difference between single path and multipath?
Can you explain route summarization?
How are a series of IPs combined into one route in route summarization?
Can you explain the RIP protocol?
How is the route table populated by the RIP protocol?
Can you explain convergence in networks?
Can you explain RIP timers in detail?
Can you explain the routing loop issue in the RIP protocol?
How do we avoid the routing loop issue in RIP?
In RIP, why do we have a hop count of 15?
How do we disable auto-summarization in RIP?
Can you explain IGRP?
How does IGRP work?
How many timers does IGRP have?
How does IGRP calculate the metric?
Can multiple instances of IGRP run on one physical router?
How is load balancing done in IGRP?
What's the command to configure IGRP?
Can you explain EIGRP?
What does the neighbor terminology mean in EIGRP?
What are the different types of packets in EIGRP?
How does the EIGRP protocol update route information to its neighbors?
What is the concept of successor in EIGRP?
What is DUAL in EIGRP?
Can you explain reported distance (RD), feasible distance (FD) and the feasibility condition (FC)?
Can you explain the concept of successor and feasible successor?
Can you explain passive and active route states?
What is SIA or stuck in active?
How do packets and timers in EIGRP work?
What are the different tables used in EIGRP?
Can you explain EIGRP metrics?
Can you explain how EIGRP finds its successor and feasible successor?
Can you explain active and passive routes?
Can you explain OSPF?
How does OSPF populate the route table?
What are the different tables in OSPF?
Can you explain the different areas in OSPF?
Can you explain the different router types in OSPF?
Can you explain the Designated Router and Backup Designated Router?
Can you explain the different router states in OSPF?
Can you explain the different OSPF packet types?
What are the different types of OSPF timers?
How does the SPF algorithm do route determination?
Can you explain autonomous systems?
What are the different types of dynamic protocols?
Can you explain autonomous system numbers in EGP?
What is BGP?
What is the concept of BGP speakers and peers?
What are EBGP and IBGP?
What is the RIB?
Can you explain the concept of BGP confederations?
What are BGP path attributes?
What is the concept of NLRI?
How are routing neighbors discovered in BGP?
Can you explain how BGP does the decision process?
What is the concept of redistribution?
Can you explain the concept of one-way redistribution and mutual redistribution?
How does metric translation take place when redistributing routes?
Firewall
Can you define what a firewall is?
What are the different types of firewalls?
Can you explain packet filtering firewalls?
Can you explain circuit level gateways?
Can you explain stateful inspection?
What is an application gateway?
Is NAT a firewall?
Are personal firewalls actually firewalls?
Can you explain the concept of a demilitarized zone?
What is the meaning of bastion host?
What are the different types of firewall architectures?
Can you explain dual-homed architecture?
Can you explain screened host architecture?
Can you explain screened subnet architecture?
What is the use of the perimeter area?
What is IP spoofing and how can it be prevented?
VPN
Can you explain the difference between trusted and untrusted networks?
Can you define in short what a VPN is?
What are the different types of VPN?
What requirements should a VPN fulfill?
How many ways are there to implement a VPN architecture?
What are the different authentication mechanisms in VPNs?

Can you explain the basics of encryption in VPNs?
What's the difference between symmetric and asymmetric cryptosystems?
What are the different symmetric algorithms?
What are the disadvantages of symmetric algorithms?
What are the different asymmetric algorithms?
Can you explain the different components of PKI?
What is a digital certificate?
Can you explain tunneling?
What is the concept of HA and FA in VPN tunneling?
Can you explain a VPN tunneled packet in detail?
Can you explain voluntary and compulsory tunnels?
Can you explain static and dynamic tunnels?
Can you explain encapsulating, carrier and passenger protocols?
On which layer do L2F, PPTP and L2TP operate?
Can you explain the PPP protocol?
Can you explain the PPP link process step by step?
Can you explain the PPP packet format?
How does PPP use LCP for link control?
Can you explain PPTP (Point-to-Point Tunneling Protocol)?
What is GRE in PPTP?
How does PPTP encapsulate data?
Can you explain CHAP?
Can you explain PAP?
What does PPTP use for encryption and authentication?
What is the L2F protocol?
Can you explain the broader steps of how L2F establishes the tunnel?
Can you explain how the L2F data tunneling process works?
How do we do encryption and authentication in L2F?
Can you explain L2TP?
Can you define LAC and LNS?
How does L2TP work?
How do we do encryption and authentication in L2TP?
Can you explain what IPsec is?
Can you give an overview of the various components of IPsec?
In IPsec, what are the SAD, SPD and SAs?
Can you explain in a generic manner the IPsec packet?
Can you describe the Authentication Header (AH) protocol?
What is ESP (Encapsulating Security Payload)?
What are transport and tunnel mode?
Can you explain IKE (Internet Key Exchange)?
Can you explain the IKE phases?
Can you explain the IKE modes?
Can you explain transport and tunnel mode in detail with datagram packets?
Protocols and other questions
What is the NetBIOS protocol?
Can you explain what the use of the IGMP protocol is?
What are the different types of hosts in multicasting?
Can you explain ping and tracert?
How do you continuously ping an IP address?
How does tracert actually work?
What is the use of the RTP and RTCP protocols?
Can you explain RTP in detail?
Can you explain RTP multiplexing in detail?
Can you explain the format of RTP and RTCP packets?
Can you explain RSVP?
Can you explain in detail how RSVP actually works?
Can you explain RPC (Remote Procedure Calls)?
Can you explain RPC and client-server architecture?
Can you explain the TCP/IP protocol?

Can you explain the architecture of the TCP/IP protocol?
Can you explain the TCP header in detail?
Can you explain the IP protocol?
Can you explain the concept of CDMA?
Can you explain the concept of DHCP?
How does DHCP work?
How can we configure DHCP?
What is DNS?
How do we control USB through a network?
What is the difference between Windows 2000 and Windows 2003?
What is the difference between a domain and a workgroup?

Part 1
1- Define network. Communication, resource sharing and media (when multiple hosts share their resources with each other, or when multiple devices connect with each other for resource sharing).
2- Types of communication in IPv4? Unicast, multicast and broadcast.
3- Types of communication in IPv6? Unicast, multicast and anycast.
4- Types of resource sharing? Intranet, extranet and internet.
5- What is a collision? When two signals hit each other on the medium, a collision occurs.
6- Which type of transmission does bus topology support? Half duplex.
7- What is the difference between half duplex and full duplex? In half duplex only one side can transmit at a time; in full duplex both sides can transmit at the same time.
8- Which way of communication does bus topology use? Broadcast.
9- If there are only two hosts on a bus topology, can a collision occur? Yes: if the ends are not terminated the signal is reflected back and can collide.
10- Is a hub star topology or bus topology? Physically star, but logically it works like a bus.
11- What is the difference between bus topology and a hub? A hub is a centralized device; a bus is decentralized (hosts hang off a shared cable).
12- Is a hub an intelligent device? No; it does not look at the frame header.
12- Which protocol does a switch use to fill its MAC table? None: the switch learns the source MAC address of every frame it receives and records it against the ingress port. ARP (Address Resolution Protocol) is what hosts use to map an IP address to a MAC address.
13- What is CAM? Content Addressable Memory, another name for the MAC address table.
14- Which type of communication does a switch do? For an unknown destination MAC it floods (broadcasts) the frame; once the address is learned it forwards as unicast.
15- If the line is down and the protocol is also down, which layer has the problem? Physical, Layer 1.
16- If the line is up but the protocol is down, which layer should be troubleshot? Data link, Layer 2.
17- On what basis do switches take decisions? MAC address.
18- How does ARP bring the MAC address for a switch? Through broadcast.
19- How many collision domains are in a switch? Equal to the number of ports.
20- How many broadcast domains are in a switch? One (one per VLAN).
Part 3
21- What is OSI? Open Systems Interconnection; it was the first name of the 7-layer model.
22- What is the default (maximum) size of an Ethernet frame? 1518 bytes.
23- Which layers are called the upper layers? a) Application, layer 7 b) Presentation, layer 6 c) Session, layer 5.
24- How many reserved ports? 0-1023.
25- Which decision is called socket based? IP plus port (IP at layer 3 and port at layer 4).
26- How many types of data? Voice, video, text.
27- What are segmentation and fragmentation? Dividing data into pieces is segmentation (layer 4); dividing a segment into smaller pieces to fit the MTU is fragmentation (layer 3).
28- Which layer is called the error detection layer? Data link layer.
29- What is FCS? Frame Check Sequence: the CRC (Cyclic Redundancy Check) value computed over the frame and checked by the switch.
30- What are encapsulation and de-encapsulation? Adding headers while sending is encapsulation; removing them while receiving is de-encapsulation.
Part 4
31- What is BIA? Burned-In Address, another name for the MAC address.
32- What is the size of a MAC address? 48 bits.
33- Why is the MAC address called the physical address? Because it is burned into the hardware and is not normally changed.
34- Who controls MAC address uniqueness and how? The IEEE (Institute of Electrical and Electronics Engineers). The 48-bit address is divided in two parts: the first 24 bits are the OUI (Organizationally Unique Identifier) assigned to the vendor, and the other 24 bits are the device code assigned by the vendor.
35- How can we see the MAC address from the DOS prompt? ipconfig /all
36- Why is the IP address called the logical address? Because it is assigned by software and can be changed.
37- What is the size of an IPv4 address? 32 bits.
38- What is the syntax of IPv4? Dotted decimal.
39- How many types of IPs? Three types: 1- public 2- private 3- special.
40- What are the ranges of private IPs? Class A: 10.0.0.0 - 10.255.255.255; Class B: 172.16.0.0 - 172.31.255.255; Class C: 192.168.0.0 - 192.168.255.255.

Part 5
41- When do we use the loopback IP? For a self test of the TCP/IP stack and hardware.
42- When a host cannot get an address (IP conflict or no DHCP answer), which IP is assigned automatically and what is it called? 169.254.x.x, APIPA (Automatic Private IP Addressing).
43- What are the minimum and maximum request timers? Minimum = 180 sec, maximum = 300 sec.
44- Which organization manages IPs? IANA (Internet Assigned Numbers Authority).
45- Which classes are assignable? A, B and C.
46- How many portions does an IP have? Two portions: network and host.
47- Do we subnet the IP? No, we subnet the network ID.
48- What is subnetting? Subnetting is a tool to reduce the wastage of IP addresses.
49- What is CIDR? Classless Inter-Domain Routing, another name for supernetting.
50- What is the difference between FLSM and VLSM? In FLSM the subnet mask of all subnets is the same; in VLSM it varies.

Part 6
51- What is the subnet mask of /27? 255.255.255.224: the last octet is 224 (128+64+32), three bits borrowed from the host portion. (248, i.e. 128+64+32+16+8, would be a /29.)
52- What is the prefix length of a 224 mask in VLSM? 27 (3 bits borrowed from the host portion: 128+64+32 = 224; 24+3 = 27).
53- How many valid IPs are in a /21 summary route? 2046 (2048 addresses minus the network and broadcast addresses).
54- In which protocol do you manually enable route summarization? OSPF.
55- In which protocols is supernetting (auto-summary) enabled by default? RIPv2 and EIGRP.
56- What is the size of the interface identifier in IPv6? 64 bits (EUI-64, built from the 48-bit MAC address).
57- What is the address size of IPv6? 128 bits = 16 bytes.
58- How many fillers can we put in one IPv6 address? One (:: is the filler).
59- Which number system is used in IPv6? Hexadecimal.
60- What are the qualities of IPv6? a) Faster router processing because the header is a fixed 40 bytes with 8 fields (the IPv4 header is variable length with 13 fields) b) no fragmentation by routers c) no header checksum.
Part 7
63- What is the 64-bit MAC address called in IPv6? EUI-64 (Extended Unique Identifier): 16 bits (FFFE) are inserted into the 48-bit MAC, so it is called EUI-64.
64- What is the loopback IP in IPv6? ::1
65- Which command do we use for ping in IPv6? ping6 <destination> (on Linux, ping6 -I <source> <destination> to choose the source).
66- How many types of router?

Two types: i) modular ii) non-modular.
67- When do we use a router? For communication between different networks.
68- What work does a router do? 1- path selection and 2- packet switching (forwarding).
69- Which cable is called V.35? Serial connectivity cable.
70- How many types of Ethernet? 4 types: i) Ethernet ii) Fast Ethernet iii) Gigabit iv) 10 Gigabit.
71- Which cable is called rollover? The console access cable.
72- Which cable do we connect to DB-9? Rollover cable.
73- How many ways to access a router? 3 ways: i) Telnet (IP) ii) AUX (modem) iii) console (cable).
74- What is IOS? Internetwork Operating System, the router's operating system.
75- From which IOS version can 182 users access the router through telnet? From version 12.2 onward.
76- Which mode is called privileged mode? The second mode (privileged EXEC).
77- When do we use interface mode? For interface-specific commands.
78- In which mode do we give the debug command? Privileged mode / live view (2nd mode).
79- Which command do we give in privileged mode to come back to user EXEC mode? disable
80- Which mode can we not skip when we come back from interface mode? The 2nd mode cannot be skipped.
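The subnetting questions of Parts 5 and 6 above (and Q41 in the first list) are the kind an interviewer expects you to work out on paper: wildcard mask of /23, hosts in /28, summarizing eight /24s into a /21, the IPv6 EUI-64 interface identifier. The following is an added Python example, not code from the page, that does those calculations with the standard library; the sample networks and MAC address are constructed for the demonstration.

```python
import ipaddress


def prefix_to_masks(prefix: int) -> tuple[str, str, int]:
    """Return (subnet mask, wildcard mask, usable host count) for an IPv4 prefix."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    mask_int = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    mask = str(ipaddress.IPv4Address(mask_int))
    # A Cisco wildcard mask is the bitwise inverse of the subnet mask.
    wildcard = str(ipaddress.IPv4Address(mask_int ^ 0xFFFFFFFF))
    host_bits = 32 - prefix
    if host_bits >= 2:
        usable = 2 ** host_bits - 2  # minus the network and broadcast addresses
    elif host_bits == 1:
        usable = 2  # /31 point-to-point links (RFC 3021) use both addresses
    else:
        usable = 1  # a /32 host route
    return mask, wildcard, usable


def summarize(networks: list[str]) -> list[str]:
    """Collapse contiguous networks into the fewest exact summary routes."""
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def covering_summary(networks: list[str]) -> str:
    """Shortest single prefix covering every given network. Like a manual
    summary-address, it may advertise more space than the networks actually use."""
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]
    lowest = min(n.network_address for n in nets)
    highest = max(n.broadcast_address for n in nets)
    for plen in range(32, -1, -1):
        candidate = ipaddress.ip_network(f"{lowest}/{plen}", strict=False)
        if highest in candidate:
            return str(candidate)
    raise AssertionError("unreachable: /0 covers everything")


def eui64_link_local(mac: str) -> str:
    """Build the fe80::/64 link-local address from a 48-bit MAC with modified EUI-64:
    insert ff:fe in the middle and flip the universal/local (U/L) bit."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("MAC address must have six octets")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # flip the U/L bit (bit 1 of the first octet)
    return str(ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + bytes(eui)))


if __name__ == "__main__":
    for plen in (23, 27, 28, 21):
        print(f"/{plen}:", prefix_to_masks(plen))
    # Constructed sample: eight consecutive /24s that summarize exactly to one /21.
    blocks = [f"192.168.{i}.0/24" for i in range(8)]
    print(summarize(blocks))
    # Constructed sample: two non-adjacent /24s; the covering /22 also includes .1 and .2.
    print(covering_summary(["10.1.0.0/24", "10.1.3.0/24"]))
    print(eui64_link_local("00:1a:2b:3c:4d:5e"))
```

The distinction between summarize and covering_summary is the one that matters operationally: the first only merges networks that form an exact supernet, while the second is what you get when you type a summary-address by hand and it can attract traffic for prefixes you do not actually own.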

Part 8
81- What does "interface 0/0" mean? Slot (card) number / port number on that card.
82- What does it mean when the router reports the command as written? The command completed.
83- Which key sequence do we give if the router IOS is stuck? Ctrl+Shift+6, then x.
84- Which command do we give to see the routing table? show ip route
85- What does synchronization mean? The routers are ready to communicate with each other.
86- What does routing mean? Best path selection.
87- What is the difference between static and dynamic routing? In static routing we manually add the routes to other networks; in dynamic routing we advertise our own networks and learn the others from neighbours.

88- Which type of routing did you do in CCNA? Traditional routing.
89- How many parts does ping have? Two parts: echo request and echo reply.
90- When do we use a default route? When there are multiple destinations and a single gateway.
91- What is the difference between routing and routed protocols? i) A routing protocol is used for best path selection ii) a routed protocol (such as IP) carries the source and destination information.
92- What is the difference between IGP and EGP? An IGP (Interior Gateway Protocol) runs within one autonomous system; an EGP (Exterior Gateway Protocol) runs between autonomous systems. EIGRP (Enhanced Interior Gateway Routing Protocol) is an IGP.
93- Why do we use the debug command? For a live view.
94- Which command do we give for a live view on remote-site routers? terminal monitor
95- Which protocol was part of CCNA before? IGRP.
Part 9
96- What is a protocol? A set of rules.
97- What is the difference between RIP and RIPv2? RIPv1: broadcast updates, no authentication, supports FLSM only (classful). RIPv2: multicast updates (224.0.0.9), authentication, supports VLSM (classless).
98- Which protocols are link state? OSPF and IS-IS.
99- Which dynamic routing type has the drawback that a single link going down makes it remove entries from its routing table and reconverge slowly? Distance vector.
100- What is a metric? The formula for path selection.
101- On what basis does distance vector choose the best path? Hop count.
102- What is the name of the distance vector algorithm? Bellman-Ford.
103- Why do we use the filter option? When we specifically want to block one router's update from reaching other routers.
104- What is load balancing? When data is divided across different paths.
105- How many maximum paths can you give in RIP on the latest IOS? Up to 16 equal-cost paths (maximum-paths; the default is 4).
106- Define a classful protocol. A protocol that advertises its networks without the subnet mask.
107- How many hop counts can RIP or RIPv2 send updates for? 15 hops; 16 means unreachable.
108- What is triggered RIP and from which IOS version does it start? As soon as a link goes down the route is removed from the routing table and the update is sent immediately, without waiting for the periodic timer. Version 12.4.
109- Which protocols do periodic updates? Distance vector.
110- What is the difference between simple authentication and MD5? With MD5 a keyed hash of the update is sent and the key itself never crosses the wire; simple authentication sends the password in clear text.

Part 11
111- What is the name of the OSPF algorithm? Dijkstra, or SPF (shortest path first).
112- What is the default size of hello packets in OSPF? 50 bytes.
113- What is the default hello time in OSPF? 10 sec.
114- How many tables are in the OSPF protocol? Three: 1- neighbor 2- topology 3- routing.
115- When does OSPF advertise its routing table? When it has discovered neighbors with the help of hello packets.
116- Which table finds the best path? Routing table.
117- Which updates are called incremental updates? Change-based updates.
118- What are partial updates? Updates for any change in the network.
119- After how long does OSPF exchange its topology table? Every 30 min.
120- What is the refresher? The 30-minute topology table (LSA) refresh interval in OSPF is called the refresher.
122- What is the formula for the OSPF metric? Cost = 10^8 / bandwidth in bps.
Part 12
123- On what basis does OSPF take decisions? Link cost.
124- What is the default cost of a serial interface in OSPF? 64.
126- How many types of OSPF configuration? Two: a) single area b) multi area.
127- What is the hold-down (dead) time formula of OSPF? Hello interval × 4 = 40 seconds.
128- What is the default bandwidth of a T1 link? 1544 kbps.
129- If the bandwidth increases, what happens? The interface cost decreases.
130- What is the command to change the serial cost? ip ospf cost <value>
131- When the DR communicates with the BDR, which multicast IP does it use? 224.0.0.6 (AllDRouters).
132- What are the drawbacks of the OSPF protocol? i) complexity beyond a single area ii) high hardware requirements iii) troubleshooting.
133- Which protocol comes under the hybrid dynamic type? EIGRP (Enhanced Interior Gateway Routing Protocol).
134- Which protocol works only on Cisco routers? EIGRP (Enhanced Interior Gateway Routing Protocol), a Cisco proprietary protocol.
135- What is the size of hello packets in the EIGRP protocol? 50 bytes.
136- How long is the hold-down time of the EIGRP protocol? 15 seconds.
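The OSPF cost formula and T1 questions above, and the EIGRP metric, hold time and successor/feasible successor questions that follow in Parts 12 and 13 (also asked as RD/FD/FC in the EIGRP question list earlier), are easier to remember once you have computed them. Here is an added Python example, not from the page, that reproduces the Cisco OSPF cost, the classic EIGRP composite metric, and the DUAL feasibility condition; the topology table entry fed to dual_select is constructed for the demonstration.

```python
def ospf_cost(interface_bps: int, reference_bps: int = 100_000_000) -> int:
    """Cisco OSPF interface cost = reference bandwidth / interface bandwidth (integer
    division, minimum 1). The default reference is 10^8 bps, so every link of 100 Mbps
    or faster gets cost 1 unless auto-cost reference-bandwidth is raised."""
    return max(1, reference_bps // interface_bps)


def eigrp_metric(min_bandwidth_kbps: int, total_delay_us: int,
                 k1: int = 1, k2: int = 0, k3: int = 1, k4: int = 0, k5: int = 0,
                 load: int = 1, reliability: int = 255) -> int:
    """Classic (32-bit) EIGRP composite metric. With the default K values only the
    lowest bandwidth along the path and the sum of the interface delays count."""
    bw = 10_000_000 // min_bandwidth_kbps      # scaled inverse bandwidth
    delay = total_delay_us // 10               # delay counted in tens of microseconds
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5 != 0:                                # reliability term only when K5 is set
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def eigrp_hold_time(hello_seconds: int) -> int:
    """Default hold time is three times the hello interval (5 s hello -> 15 s)."""
    return 3 * hello_seconds


def dual_select(candidates):
    """Apply the feasibility condition to the paths one router knows to a destination.

    candidates: list of (neighbour, reported_distance, cost_to_neighbour).
    Returns (successor, feasible_distance, feasible_successors). A neighbour is a
    feasible successor only if its reported distance is strictly below the feasible
    distance; that is what guarantees its path does not loop back through us."""
    totals = {n: rd + cost for n, rd, cost in candidates}
    successor = min(totals, key=totals.get)
    fd = totals[successor]
    feasible = [n for n, rd, _ in candidates if n != successor and rd < fd]
    return successor, fd, feasible


if __name__ == "__main__":
    print("T1 OSPF cost:", ospf_cost(1_544_000))
    print("T1 EIGRP metric:", eigrp_metric(1544, 20_000))
    print("EIGRP hold time:", eigrp_hold_time(5))
    # Constructed topology table: three neighbours advertising the same prefix.
    paths = [("R2", 10, 5), ("R3", 12, 10), ("R4", 20, 2)]
    print(dual_select(paths))
```

Note what dual_select shows for R3 and R4: both have the same total distance (22), but only R3 qualifies as a feasible successor, because R4's reported distance (20) is not below the feasible distance (15). Losing the successor with only R4 available is exactly the situation that puts the route into active and, if a query goes unanswered, into stuck-in-active.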

137- What is the hold-down time formula of the EIGRP protocol? Hello interval × 3 = 15 seconds.
138- After how long does the EIGRP protocol advertise its routing table? It sends hellos every 5 seconds; routing updates are sent only when a change occurs.
139- Which multicast IP does the EIGRP protocol use? 224.0.0.10
140- Which protocol is called the rapid protocol? EIGRP.
141- What is the name of the EIGRP algorithm? DUAL (Diffusing Update Algorithm).
142- How many hop counts are there by default and to how much can you increase them in EIGRP? 100 by default, and a maximum of 255.
143- What are the internal and external AD of the EIGRP protocol? Internal = 90 and external = 170.
144- What is the name of the best path in the EIGRP protocol? Successor.
145- What is the name of the second-best path in EIGRP? Feasible successor.
Part 13
146- After how long are keepalive (hello) messages exchanged in EIGRP? 5 seconds.
147- Which type of updates does the EIGRP protocol do? Incremental updates (change based).
148- What is the drawback of the EIGRP protocol? It can be configured only on Cisco routers.
149- What is the metric of the EIGRP protocol? i) bandwidth ii) load iii) delay iv) reliability (the MTU, Maximum Transmission Unit, is carried but not used in the calculation).
150- Which 2 options of the EIGRP metric parameters are enabled by default? i) bandwidth ii) delay.
151- Which protocol can do load balancing on unequal-cost paths as well? EIGRP.
152- 1350 belongs to which type of access list? Standard access list (1300-1999).
153- 1900 belongs to which type of access list? Standard access list.
154- 2500 belongs to which type of access list? Extended access list (2000-2699).
155- What is the difference between a named and an extended ACL? In a named access list we can edit individual entries and refer to the list by name.
156- When do we use a standard access list? When we filter on the source only, with no destination.
157- When do we use an extended access list? When we filter on source and destination (and protocol or port).
158- What is the default behaviour of an access list? Deny (the implicit deny at the end).
159- On which interface do we apply an access list? As close to the source as possible for an extended ACL, as close to the destination as possible for a standard ACL.
160- Is a wildcard mask always an odd or an even value? Odd: the last non-zero octet of a contiguous wildcard mask is 2^n - 1 (1, 3, 7, ... 255).
Part 14
161- Instead of a wildcard mask, what can you write after the IP?

host (and any in place of an IP plus wildcard).
162- In which access list types can you not do editing? Numbered standard and extended.
163- In a port-based access list, which keyword do you give instead of ip? tcp (Transmission Control Protocol) or udp.
164- What does eq mean? Equal to.
165- Which reserved port number does telnet use? 23.
166- Which reserved port number does HTTP use? 80.
167- How many types of NAT? i) static NAT ii) dynamic NAT iii) PAT (Port Address Translation).
168- What is overload? Another name for PAT (Port Address Translation).
170- Which 2 protocols are in WAN technology? i) HDLC (High-Level Data Link Control) ii) PPP (Point-to-Point Protocol).
171- How many types of ends in WAN? i) DTE (Data Terminal Equipment) ii) DCE (Data Communication Equipment).
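The access-list questions in Parts 13 and 14 (wildcard masks, host and any, eq, the implicit deny, and why entry order matters) come together in the following added Python example, which is not code from the page: a small evaluator for IOS-style extended ACL entries. ACL_101 and the packets are constructed for the demonstration; ports must be numeric (no telnet or www keywords).

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # 'any' is shorthand for this pair


def _wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def parse_ace(line: str) -> dict:
    """Parse one extended-ACL entry in IOS syntax, e.g.
    'permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.5 eq 80'."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action: {action}")

    def take_addr(toks):
        if toks[0] == "any":
            return ANY, toks[1:]
        if toks[0] == "host":          # 'host X' is shorthand for 'X 0.0.0.0'
            return (toks[1], "0.0.0.0"), toks[2:]
        return (toks[0], toks[1]), toks[2:]

    src, rest = take_addr(rest)
    dst, rest = take_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def evaluate(acl: list, packet: dict) -> str:
    """First matching entry wins; a packet that matches no entry is denied."""
    for ace in acl:
        if ace["proto"] != "ip" and ace["proto"] != packet["proto"]:
            continue
        if not _wildcard_match(packet["src"], *ace["src"]):
            continue
        if not _wildcard_match(packet["dst"], *ace["dst"]):
            continue
        if ace["dport"] is not None and packet.get("dport") != ace["dport"]:
            continue
        return ace["action"]
    return "deny"  # the implicit 'deny ip any any' at the end of every ACL


# Constructed sample ACL (not from the page): web to the server, no telnet to it,
# everything else from the LAN allowed.
ACL_101 = [parse_ace(line) for line in (
    "permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.5 eq 80",
    "deny tcp any host 10.0.0.5 eq 23",
    "permit ip 192.168.1.0 0.0.0.255 any",
)]


if __name__ == "__main__":
    samples = [
        {"proto": "tcp", "src": "192.168.1.10", "dst": "10.0.0.5", "dport": 80},
        {"proto": "tcp", "src": "192.168.1.10", "dst": "10.0.0.5", "dport": 23},
        {"proto": "tcp", "src": "172.16.0.1", "dst": "10.0.0.5", "dport": 80},
        {"proto": "udp", "src": "192.168.1.10", "dst": "10.0.0.5", "dport": 53},
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(ACL_101, pkt))
```

Swap the second and third entries of ACL_101 and the telnet packet from 192.168.1.10 is permitted, because the broad permit ip matches first; that ordering mistake, plus forgetting that the implicit deny at the end blocks everything you did not list (including routing-protocol hellos on a transit interface), is what the standard-versus-extended placement question is really testing.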

Types of Network Tunnels
If all you want to do is run a tunnel using Windows, you can ignore this page. It's for people who want to learn more about tunnels.
Overview
Each of the tunnel types we support is described in a section of its own below. The types we support are:
MPPE/PPTP (Microsoft VPN) - Windows, UNIX/Linux, and Mac clients.
CIPE - Linux clients and Windows (2000 & NT) clients
OpenVPN - UNIX/Linux clients
SSL-wrapped PPP - Linux clients (other UNIX clients?)
GRE and IP/IP - Linux clients, Cisco routers
IPSec, tunnel mode - Windows (2000 & NT) and UNIX/Linux clients
IPSec/PPTP - Windows (2000 & NT) and UNIX/Linux clients
IPSec/L2TP - Windows (2000 & NT) and UNIX/Linux clients
Because the software comes with Windows, the most common tunnel type is MPPE/PPTP (Microsoft VPN). MPPE/PPTP tunnels also are very easy to configure and use. In the past, MPPE/PPTP tunnels from Windows clients have had marginal performance, but performance is no longer much of an issue with Windows 2000 and Windows XP.
CIPE, OpenVPN, and SSL-wrapped PPP tunnels are primarily for clients in the UNIX family. CIPE and OpenVPN sport particularly good performance.
VPNs (Virtual Private Networks)
Our most common use of tunnels is for purposes other than VPNs. However, the tunnel technologies we make use of were originally developed for VPNs, so we take a brief look at VPNs. To make part of a VPN, a tunnel does three basic things:

It provides a virtual link.
It provides data encryption - it transmits the data in a secret code.
It provides remote end authentication - it guarantees who is doing the sending and receiving.
Tying together several virtual links makes a virtual network. Encryption and authentication make the virtual network a private network, a VPN.
Some tunnels bundle all three aspects into a single technology suite and make tunnels that are inherently encrypted and authenticated. Others have two components, one to establish a basic virtual link and another to provide private communication across it.
MPPE/PPTP (Microsoft VPN)
MPPE/PPTP is Microsoft Point-to-Point Encryption on tunnels using Microsoft's Point-to-Point Tunnel Protocol. Authentication uses Microsoft's version 2 enhanced CHAP, MS-CHAPv2.
MPPE comes in both 40-bit and 128-bit versions. (There's a 56-bit version as well, but we've never seen it.) Windows 95 and Windows 98 clients normally use 40-bit encryption. They can be upgraded to 128-bit, but the upgrade can be hard to find. More recent Windows versions normally use 128-bit encryption, known as Microsoft Strong Encryption. Note that MPPE derives its RC4 keys from the user's password hash and MS-CHAPv2 has since been shown to be cryptographically weak, so a PPTP tunnel is best treated as a virtual link rather than as strong protection for the data inside it.
MPPE/PPTP client software is available for other systems, including an open source PPTP client for Linux, FreeBSD and NetBSD, and a commercial PPTP client for Macs called "DigiTunnel" from Gracion, Inc.
As of Jan 2003, Gracion's compatibility list still says (incorrectly) that their software is not compatible with UNIX/Linux server software. The incompatibility was resolved more than six months ago and requires only a minor configuration change that can be made at either the UNIX/Linux end or the Mac end.
While MPPE/PPTP tunnels are a reasonable, easy-to-use solution for Windows clients and Mac clients, we do not recommend MPPE/PPTP tunnels for Linux/UNIX users unless they need compatibility with Windows-based tunnel servers. Otherwise, the effort needed to get MPPE/PPTP installed and running on a Linux/UNIX platform is better spent on a better tunnel technology, such as CIPE or OpenVPN (see below).
MPPE/PPTP performance depends a great deal on the client system. With Windows clients more recent than Windows 98, performance is good but not excellent. Data transfer rates run at about 80% to 85% of the speed of the underlying connection.
MPPE/PPTP performance with Windows 95 and Windows 98 clients is not nearly as good, particularly in the download direction. Until recently there was often a problem just getting an MPPE/PPTP tunnel from Windows 95/98 clients established at all. However we've found a way to eliminate this problem.
CIPE (Cryptographic IP Encapsulation)
CIPE is a type of tunnel developed specifically for Linux. It has superior performance, with measured data transfer rates consistently within one or two percent of the rates for the same transfers done without using a tunnel.
CIPE also has stronger encryption than MPPE/PPTP, and it supports public/private keypairs for authentication. Overall it is an excellent choice for people actually building VPNs, and its performance makes it a good choice for people whose use of a tunnel is just to obtain a static IP.
CIPE has been ported to Windows NT and Windows 2000, but we have no experience yet with non-Linux clients.
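The encapsulation the interview questions ask about ("What is GRE in PPTP? How does PPTP encapsulate data?") and the MPPE/PPTP section above meet in the PPTP data channel: a PPP frame inside the enhanced GRE header of RFC 2637. The following is an added Python example, not code from this page or from NetHeaven, that builds and parses that header; the call ID, sequence numbers and sample PPP frame are constructed. Notice that nothing in the header protects anything: the PPP payload travels in the clear unless MPPE was negotiated on top, which is the separate "private communication" component the text describes.

```python
import struct
from typing import Optional

GRE_PROTO_PPP = 0x880B   # protocol type for PPP inside enhanced GRE (RFC 2637)
FLAG_K = 0x20            # key field present (always set: payload length + call ID)
FLAG_S = 0x10            # sequence number present (set on data packets)
FLAG_A = 0x80            # acknowledgment number present (lives in the second byte)
VERSION = 0x01           # enhanced GRE version


def build_pptp_gre(ppp_frame: bytes, call_id: int,
                   seq: Optional[int] = None, ack: Optional[int] = None) -> bytes:
    """Wrap a PPP frame in the enhanced GRE header PPTP uses on its data channel."""
    flags0 = FLAG_K | (FLAG_S if seq is not None else 0)
    flags1 = VERSION | (FLAG_A if ack is not None else 0)
    header = struct.pack("!BBHHH", flags0, flags1, GRE_PROTO_PPP, len(ppp_frame), call_id)
    if seq is not None:
        header += struct.pack("!I", seq)
    if ack is not None:
        header += struct.pack("!I", ack)
    return header + ppp_frame


def parse_pptp_gre(packet: bytes) -> dict:
    """Inverse of build_pptp_gre; rejects anything that is not enhanced GRE carrying PPP."""
    if len(packet) < 8:
        raise ValueError("short GRE header")
    flags0, flags1, proto, length, call_id = struct.unpack("!BBHHH", packet[:8])
    if proto != GRE_PROTO_PPP or (flags1 & 0x07) != VERSION or not flags0 & FLAG_K:
        raise ValueError("not a PPTP enhanced-GRE packet")
    offset, seq, ack = 8, None, None
    if flags0 & FLAG_S:
        if len(packet) < offset + 4:
            raise ValueError("truncated sequence number")
        seq = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags1 & FLAG_A:
        if len(packet) < offset + 4:
            raise ValueError("truncated acknowledgment number")
        ack = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    payload = packet[offset:offset + length]
    if len(payload) != length:
        raise ValueError("payload length does not match header")
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": payload}


def ppp_protocol(ppp_frame: bytes) -> int:
    """PPP protocol number of the inner frame: 0x0021 is plain IPv4, 0x00FD is
    MPPE-compressed/encrypted data. Anything other than 0x00FD is readable on the wire."""
    return struct.unpack("!H", ppp_frame[:2])[0]


if __name__ == "__main__":
    # Constructed sample: an IPv4 datagram header inside PPP, no MPPE negotiated.
    ppp = b"\x00\x21" + b"\x45\x00\x00\x14" + bytes(16)
    pkt = build_pptp_gre(ppp, call_id=0x1234, seq=7, ack=3)
    print(pkt.hex())
    print(parse_pptp_gre(pkt))
    print(hex(ppp_protocol(ppp)))
```

The sequence and acknowledgment numbers are PPTP's own sliding-window flow control on top of GRE, which is one of the layering interactions the CIPE section below blames for MPPE/PPTP's lower throughput; CIPE and OpenVPN avoid them by carrying their packets in plain UDP.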

Part of CIPE's performance comes from its use of UDP as the underlying transport protocol. This avoids several types of subtle interactions that can come from multiple TCP layers, each retransmitting and backing off in reaction to the other. These interactions are part of what keeps MPPE/PPTP performance 15% to 20% below that of the underlying connection. CIPE tunnels also are very robust, often staying up for weeks at a time if the tunnel user's non-virtual (carrier) IP address isn't changed.

CIPE must be configured into the Linux kernel, usually as a module. Adding it is easy for anyone familiar with building kernels, and at least two distributions, RedHat 7.x/8.x and Mandrake 8.x/9.x, come with CIPE.

The CIPE that comes with RedHat is version 1.4, which uses fixed keys for authentication. A newer version 1.5 supports authentication using a utility (pkcipe) for public-key exchange. We run version 1.5 and support pkcipe key exchange, but we also support version 1.4 tunnel clients and fixed keys.

More information on CIPE can be found at the CIPE website and the CIPE for Windows NT/2000 website.

OpenVPN

OpenVPN is a relatively new multi-platform tunnel type with excellent performance. OpenVPN runs on Linux, Solaris, OpenBSD, FreeBSD, NetBSD, and Mac OS X. A Windows version is under development.

Like CIPE, OpenVPN uses UDP for the underlying transport protocol and has performance almost equal to that of the underlying connection. OpenVPN also includes optional compression, and with compression enabled OpenVPN tunnels can be even faster than the underlying connection, although any speed gain from compression depends a great deal on the type of data being transferred. (Compressing before encrypting has a cost of its own: the compressed size reveals something about the plaintext, later attacks on compressed VPN traffic exploited exactly that, and the OpenVPN project now advises against enabling compression.)

Unlike CIPE, OpenVPN itself does not need to be configured into the kernel. The daemon runs in user space. However, it does require support in the kernel for the TUN/TAP driver.
This is normally included with Linux distributions based on release 2.4 kernels (for example, RedHat 7.1 and later) and is easily added to the release 2.2 kernels of older Linux distributions.

OpenVPN is proving to be a very robust tunnel technology, especially in the face of frequent dynamic-IP changes. Our demonstration tunnel between NetHeaven in the eastern US (upstate NY) and a small web server in Auckland, New Zealand uses OpenVPN.

More information on OpenVPN is available at the OpenVPN website.

SSL-wrapped PPP

These tunnels are based on the open source UNIX stunnel and pppd programs. These make tunnels with good performance that are easy to use with a wrapper script we provide.

Although our own experience with these tunnels is only with Linux, they should run equally well on any recent UNIX. Virtually all Linux/UNIX distributions include more or less the same PPP daemon and have PPP support in the kernel. Some Linux distributions include stunnel. If not included, both PPP and stunnel are available on the net in both tarball and RPM formats.

The way SSL is used for these tunnels is similar to the way SSL is used for secure web access in that only servers need certificates. However, tunnel clients do need SSL libraries. The SSL we use and recommend is OpenSSL, which is open source and readily available. It is included with some Linux distributions.

Note what that split implies. The SSL handshake authenticates the server to the client only, so the client must actually verify the server's certificate against a trusted CA or a known fingerprint (stunnel does not verify unless told to), and authentication of the client rests on PPP's own PAP or CHAP exchange inside the encrypted channel.

Whereas MPPE/PPTP first uses PPTP to set up a network-capable tunnel without encryption and then uses MPPE to add encryption, SSL-wrapped PPP tunnels first set up an encrypted channel with stunnel and then use pppd to add network capability.

SSL-wrapped PPP tunnels have performance approaching but not quite matching that of CIPE and OpenVPN. In general they are robust and are up weeks at a time, but we have seen one noisy cable connection over which SSL-wrapped PPP could not keep a tunnel up but both CIPE and OpenVPN could.

GRE (Generic Routing Encapsulation) and IP/IP

GRE and IP/IP are unencrypted tunnels. They provide virtual connections and static-IP assignment without hiding the communication. For connecting a server to the internet there is little point to encrypting the tunnel anyway, so these can be attractive alternatives due to their simplicity. However, IP/IP tunnels do not provide any authentication, and GRE tunnels provide only weak authentication: GRE's optional Key field travels in cleartext and merely identifies the tunnel, so it stops nobody who can read or guess it, and anyone who can spoof the carrier source address can inject packets into either kind of tunnel.

IP/IP tunneling is very simple-minded tunneling. The IP payload packet becomes the entire data payload for an IP tunnel carrier packet. Because the payload can be only IP packets, this kind of tunnel can carry only IP traffic.

Because internet traffic is all IP traffic, this limitation is of no significance for tunneling internet traffic. However, people who want to tunnel other protocols (mostly IPX) need a more general tunnel protocol. GRE is essentially a packaging protocol, intended to be able to package any protocol's packets into generic data packages that can be carried by any other protocol.

GRE is a foundation protocol for other tunnel protocols. For example, MPPE/PPTP uses GRE to form the actual tunnel. Although GRE has generic tunneling capability, its most common use is for tunnels that carry IP and are carried by IP, and the term "GRE" is often meant to be shorthand for this kind of tunnel. It's this IP-in-GRE-in-IP kind of tunnel that we mean when we say we support "GRE" tunnels.
Due to their lack of good authentication, GRE and IP/IP tunnels generally are not very suitable for our users' tunnel uses. However, we do support them, and we have considerable experience with GRE tunnels for our own use. They have excellent performance. When good encryption and authentication are needed, IPSec can provide them.

IPSec (IP Security)

IPSec is a developing Internet standard. It has two modes: tunnel mode, in which it provides its own tunnels, and transport mode, in which it provides encryption and authentication on tunnels created some other way (or on real network links).

IPSec is the probable long-term direction for tunnels and secure data transmission in general due to its (intended) interoperability and its evolution toward an Internet standard. However, that interoperability is so far still hit-or-miss, mostly miss.

IPSec communication has access controls as well as encryption and authentication. Whereas a normal network connection will transmit anything it's asked to, an IPSec tunnel will only transmit what its configuration specifies. (In IPSec terms this is the security policy database: selectors on addresses, protocol and ports decide which packets are protected, which bypass IPSec and which are discarded.) This makes it considerably more complex to use than other types of tunnels.

IPSec comes with Windows 2000 and is available as free open source for Linux (as FreeSWAN) and for BSD UNIXes (as KAME). These should all interoperate, but the world isn't quite there yet. We are using Linux FreeSWAN and have had it working with a Windows 2000 client, but we don't regard the combination as robust.

Linux IPSec involves changes in the kernel's IP stack and must be built into the kernel. Linux users who build their own kernels will find adding IPSec easy. Those who are not comfortable compiling their own kernels should master that before considering IPSec or should wait for kernel distributions including IPSec.

FreeSWAN IPSec authentication/encryption can use SSL (that is, X.509 certificates of the kind SSL uses), RSA public/private key pairs, or static PSK (Pre-Shared Keys). We support all three. We use IPSec in-house, and for our own use we prefer SSL. When using SSL with IPSec, both ends of the tunnel must have certificates. We can provide our users with certificates suitable for this use. (Users with OpenSSL also can learn to generate their own private-use certificates.)

IPSec tunnels can be any of several types. The three most commonly mentioned are IPSec tunnel mode, IPSec/PPTP and IPSec/L2TP; each is described below, followed by IPSec/GRE.

IPSec tunnel mode tunnels have lower overhead and higher performance compared to running IPSec on tunnels created some other way. However, they are usable only for IP. If a connection that can carry IPX is required, some other form of tunnel is needed. (We do not provide any support for use of IPX. It is mentioned here because we are discussing technologies.)

The Windows 2000 implementation of IPSec requires that both ends' carrier IP addresses be known in advance. This makes Microsoft's implementation of tunnel-mode IPSec unusable (or at least not easily usable[*]) for tunnels to give static IPs to clients that don't have them. Linux clients do not need a fixed carrier address in their tunnel configuration, so this type of tunnel can be used to give them a static IP. However, we have found this use troublesome, and we recommend using CIPE or OpenVPN instead.

IPSec/PPTP tunnels use the same Microsoft PPTP tunnel protocol as MPPE/PPTP tunnels but with IPSec encryption. Windows 2000 includes support for PPTP. Older Windows versions support PPTP but not IPSec, so they cannot use this type of tunnel.
Open source PPTP client software for Linux is available on the net. It is easy to build and does not require any kernel modifications, but IPSec does need to be built into the kernel.

IPSec/L2TP tunnels use L2TP (Layer 2 Tunneling Protocol) to establish the tunnel and then run IPSec encryption on it. L2TP is very similar to PPTP but has a multi-vendor origin. Windows 2000 includes L2TP, but older Windows versions do not. An open source L2TP implementation is available on the net for Linux and BSD UNIX, is simple to build, and requires no kernel modification. However, Linux and BSD do need IPSec built into the kernel.

L2TP/IPSec isn't a tunnel type, but it is a different way of using L2TP and IPSec together that has become common and is described in RFC 3193. It's not relevant to this page, but we've added this paragraph to stop people from saying our IPSec/L2TP description is wrong. In RFC 3193 the IPSec security association (normally transport mode) protects the L2TP/UDP packets themselves; in our IPSec/L2TP tunnels the order is reversed and IPSec runs across the link that L2TP has established. The RFC 3193 use is analogous to using a conduit to run wires through a hazardous area, with the internet being the hazard zone, an ordinary IPSec tunnel being the conduit, and L2TP tunnels being the otherwise unprotected wires.

IPSec/GRE tunnels layer IPSec directly onto plain GRE tunnels as mentioned above under GRE and IP/IP tunnels.

IPSec can be layered onto any kind of tunnel, just as it can be used over physical network connections. However, in most cases there isn't much point to running IPSec over a tunnel that's already encrypted and authenticated.

Other

There are other types of tunnels as well. We are still looking into some of them and may support them in the future, especially if there are requests. We began supporting OpenVPN because a prospective user asked for it.
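The packet layouts described above under GRE and IP/IP and under IPSec tunnel and transport mode, as an added example in Python. This is not NetHeaven's code nor part of any of the tunnel implementations discussed. It builds an IP/IP carrier, an IP-in-GRE-in-IP carrier with and without a GRE key, an ESP tunnel-mode packet and an ESP transport-mode packet over GRE around one constructed inner IPv4/UDP datagram, reads the GRE key back out of the carrier to show that it travels in cleartext, and compares the bytes each carrier adds. The addresses (RFC 5737 documentation ranges), ports, SPIs and key value are made-up constants; the ESP framing uses the field sizes of AES-GCM (8-byte IV, 16-byte ICV, 4-byte alignment) but does no encryption, so the IV, ciphertext and ICV are placeholder bytes.

```python
"""Added example: encapsulation layouts for IP/IP, GRE and ESP carriers.

Not NetHeaven's code.  Inner packet, carrier addresses, SPIs and the GRE key
are constructed values; ESP fields are sized as for AES-GCM but nothing is
encrypted, so ciphertext, IV and ICV are placeholders.
"""
import struct

PROTO_IPIP, PROTO_UDP, PROTO_GRE, PROTO_ESP = 4, 17, 47, 50   # IANA protocol numbers
CARRIER_SRC, CARRIER_DST = "198.51.100.7", "203.0.113.9"      # constructed carrier addresses
ESP_IV, ESP_ICV, ESP_ALIGN = 8, 16, 4   # RFC 4106 AES-GCM: 8-byte IV, 16-byte ICV, 4-byte alignment


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, as used for the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    addrs = [bytes(int(o) for o in a.split(".")) for a in (src, dst)]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      64, proto, 0, addrs[0], addrs[1])
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def gre_header(proto_type: int = 0x0800, key=None) -> bytes:
    """GRE header (RFC 2784); the optional Key field (RFC 2890) sets the K bit."""
    hdr = struct.pack("!HH", 0x2000 if key is not None else 0, proto_type)
    return hdr + (struct.pack("!I", key) if key is not None else b"")


def inner_packet() -> bytes:
    """Constructed inner IPv4/UDP datagram 10.0.0.2 -> 10.0.0.1 (40 bytes)."""
    data = b"hello tunnel"
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(data), 0) + data
    return ipv4_header("10.0.0.2", "10.0.0.1", PROTO_UDP, len(udp)) + udp


def ipip(inner: bytes) -> bytes:
    """IP/IP: the inner packet is the entire payload of the carrier packet."""
    return ipv4_header(CARRIER_SRC, CARRIER_DST, PROTO_IPIP, len(inner)) + inner


def gre(inner: bytes, key=None) -> bytes:
    """IP-in-GRE-in-IP, the kind of tunnel the text calls a GRE tunnel."""
    body = gre_header(0x0800, key) + inner
    return ipv4_header(CARRIER_SRC, CARRIER_DST, PROTO_GRE, len(body)) + body


def esp(payload: bytes, next_header: int, spi: int, seq: int) -> bytes:
    """ESP framing per RFC 4303: SPI, sequence, IV, payload + padding + pad
    length + next header, then ICV.  Zero bytes stand in for IV and ICV."""
    pad_len = -(len(payload) + 2) % ESP_ALIGN
    body = payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq) + b"\x00" * ESP_IV + body + b"\x00" * ESP_ICV


def esp_tunnel(inner: bytes) -> bytes:
    """IPsec tunnel mode: ESP wraps the whole inner IP packet (next header 4)."""
    body = esp(inner, PROTO_IPIP, 0x1000, 1)
    return ipv4_header(CARRIER_SRC, CARRIER_DST, PROTO_ESP, len(body)) + body


def esp_transport_over_gre(inner: bytes, key=None) -> bytes:
    """IPsec transport mode on a GRE tunnel: ESP protects the GRE payload
    (next header 47), so the GRE header rides inside ESP as extra bytes."""
    body = esp(gre_header(0x0800, key) + inner, PROTO_GRE, 0x1001, 1)
    return ipv4_header(CARRIER_SRC, CARRIER_DST, PROTO_ESP, len(body)) + body


def parse_gre_carrier(packet: bytes) -> dict:
    """Read GRE fields straight off the wire.  Nothing is encrypted, so the
    Key field is visible to anyone on the path: it identifies the tunnel but
    authenticates nothing."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != PROTO_GRE:
        raise ValueError("carrier protocol is not GRE")
    flags, proto_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    off = ihl + 4
    if flags & 0x8000:            # C bit: checksum + reserved present
        off += 4
    key = None
    if flags & 0x2000:            # K bit: key present
        key = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    if flags & 0x1000:            # S bit: sequence number present
        off += 4
    return {"proto_type": proto_type, "key": key, "inner": packet[off:]}


def overhead(inner: bytes) -> dict:
    """Bytes each carrier adds on top of the inner packet."""
    return {
        "ipip": len(ipip(inner)) - len(inner),
        "gre": len(gre(inner)) - len(inner),
        "gre_keyed": len(gre(inner, 0xDEADBEEF)) - len(inner),
        "esp_tunnel": len(esp_tunnel(inner)) - len(inner),
        "esp_transport_over_gre": len(esp_transport_over_gre(inner)) - len(inner),
    }


if __name__ == "__main__":
    pkt = inner_packet()
    for name, extra in overhead(pkt).items():
        print("%-24s +%d bytes" % (name, extra))
    print("GRE key on the wire: 0x%08x" % parse_gre_carrier(gre(pkt, 0xDEADBEEF))["key"])
```

Run as a script it prints the overhead table. For this 40-byte inner packet, tunnel mode comes out 4 bytes lighter than transport mode over GRE (56 against 60 bytes added) and 8 bytes lighter when the GRE tunnel carries a key; the difference is exactly the GRE header that tunnel mode does not need, which is the overhead point made above. The key parsed back from the GRE carrier is the value that was put in, with no secret involved, which is why the text counts GRE's authentication as weak.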
