CCNA4E_CH6_STUDY_GUIDE_KEY

CCNA EXPLORATION
ACCESSING THE WAN
Study Guide
Chapter 6: Teleworker Services

6.0.1 What is meant by Teleworking?
It is a broad term referring to conducting work by connecting to a workplace from a remote location, with the assistance of telecommunications.

How is efficient Teleworking made possible?
Because of broadband Internet connections, virtual private networks (VPN), and more advanced technologies, including Voice over IP (VoIP) and videoconferencing.

6.1.1 What are the organizational, social, & environmental benefits of Teleworking?
Organizational benefits:
- Continuity of operations
- Increased responsiveness
- Secure, reliable, and manageable access to information
- Cost-effective integration of data, voice, video, and applications
- Increased employee productivity, satisfaction, and retention
Social benefits:
- Increased employment opportunities for marginalized groups
- Less travel and commuter-related stress
Environmental benefits:
- Reduced carbon footprints, both for individual workers and organizations

6.1.2 What are three remote connection technologies available to organizations for supporting teleworker services?
Traditional private WAN Layer 2 technologies, including Frame Relay, ATM, and leased lines, provide many remote connection solutions. The security of these connections depends on the service provider.
IPsec Virtual Private Networks (VPNs) offer flexible and scalable connectivity. Site-to-site connections can provide a secure, fast, and reliable remote connection to teleworkers. This is the most common option for teleworkers, combined with remote access over broadband, to establish a secure VPN over the public Internet. (A less reliable means of connectivity using the Internet is a dialup connection.)

What does the term broadband refer to?
To advanced communications systems capable of providing high-speed transmission of services, such as data, voice, and video, over the Internet and other networks.

What components are needed for telecommuting?
- Home Office Components - The required home office components are a laptop or desktop computer, broadband access (cable or DSL), and a VPN router or VPN client software installed on the computer. Additional components might include a wireless access point. When traveling, teleworkers need an Internet connection and a VPN client to connect to the corporate network over any available dialup, network, or broadband connection.
- Corporate Components - Corporate components are VPN-capable routers, VPN concentrators, multifunction security appliances, authentication, and central management devices for resilient aggregation and termination of the VPN connections.

CCNA EXP 4
CH.6 Teleworker Services
APRIL 2009

What is Quality of Service (QoS)?
QoS refers to the capability of a network to provide better service to selected network traffic, as required by voice and video applications.

6.2.1 What are the main connection methods used by home and small business users (Teleworkers) to connect to an ISP to access the Internet?
Dialup access - An inexpensive option that uses any phone line and a modem. To connect to the ISP, a user calls the ISP access phone number. Dialup is the slowest connection option, and is typically used by mobile workers in areas where higher speed connection options are not available.
DSL - Typically more expensive than dialup, but provides a faster connection. DSL also uses telephone lines, but unlike dialup access, DSL provides a continuous connection to the Internet. DSL uses a special high-speed modem that separates the DSL signal from the telephone signal and provides an Ethernet connection to a host computer or LAN.
Cable modem - Offered by cable television service providers. The Internet signal is carried on the same coaxial cable that delivers cable television. A special cable modem separates the Internet signal from the other signals carried on the cable and provides an Ethernet connection to a host computer or LAN.
Satellite - Offered by satellite service providers. The computer connects through Ethernet to a satellite modem that transmits radio signals to the nearest point of presence (POP) within the satellite network.

6.2.2 Describe accessing the Internet through a cable network by teleworkers.
The cable system uses a coaxial cable that carries radio frequency (RF) signals across the network.

What is a drop cable?
Generally, a cable that connects a network device to a physical medium. A type of AUI.

What are some of the advanced telecommunications services offered by Cable operators?
High-speed Internet access, digital cable television, and residential telephone service.

How do they deploy these services?
Cable operators typically deploy hybrid fiber-coaxial (HFC) networks to enable high-speed transmission of data to cable modems located in a SOHO.

What are some of the major components of a cable system?
Antenna site, transportation system, headend, trunk cable, amplifier, distribution cable/feeder, subscriber drop cable.

What is frequency?
The rate at which current (or voltage) cycles occur, computed as the number of "waves" per second.

What is wavelength?
The speed of propagation of the electromagnetic signal divided by its frequency in cycles per second.

What portion of the electromagnetic spectrum do radio waves, generally called RF, constitute?
Between approximately 1 kilohertz (kHz) through 1 terahertz.

Describe the frequency scope used by a cable network.
Downstream - The direction of an RF signal transmission (TV channels and data) from the source (headend) to the destination (subscribers). Transmission from source to destination is called the forward path. Downstream frequencies are in the range of 50 to 860 megahertz (MHz).
Upstream - The direction of the RF signal transmission from subscribers to the headend, or the return or reverse path. Upstream frequencies are in the range of 5 to 42 MHz.

What is DOCSIS?
The Data-over-Cable Service Interface Specification (DOCSIS) is an international standard developed by CableLabs, a nonprofit research and development consortium for cable-related technologies. DOCSIS defines the communications and operation support interface requirements for a data-over-cable system, and permits the addition of high-speed data transfer to an existing CATV system.

How do cable operators employ DOCSIS?
To provide Internet access over their existing hybrid fiber-coaxial (HFC) infrastructure.

Describe how DOCSIS specifies the OSI Layer 1 and Layer 2 requirements.
Physical layer - For data signals that the cable operator can use, DOCSIS specifies the channel widths (bandwidths of each channel) as 200 kHz, 400 kHz, 800 kHz, 1.6 MHz, 3.2 MHz, and 6.4 MHz. DOCSIS also specifies modulation techniques (the way to use the RF signal to convey digital data).
MAC layer - Defines a deterministic access method, time-division multiple access (TDMA) or synchronous code division multiple access method (S-CDMA).

What is CDMA?
Code division multiple access (CDMA) employs spread-spectrum technology and a special coding scheme in which each transmitter is assigned a specific code.

What is S-CDMA?
A proprietary version of CDMA developed by Terayon Corporation for data transmission across coaxial cable networks. S-CDMA scatters digital data up and down a wide frequency band and allows multiple subscribers connected to the network to transmit and receive concurrently. S-CDMA is secure and extremely resistant to noise.

Recap the features of DOCSIS.
- DOCSIS is a standard for certification of cable equipment vendor devices (cable modem and cable modem termination system).
- DOCSIS specifies the physical and MAC layers.
- DOCSIS defines RF interface requirements for a data-over-cable system.
- Cable equipment vendors must pass certification conducted by CableLabs.
- Euro-DOCSIS is a variation adapted for use in Europe.

What are the two types of equipment required to send digital modem signals upstream and downstream on a cable system?
- Cable modem termination system (CMTS) at the headend of the cable operator
- Cable modem (CM) on the subscriber end

What is a CMTS?
A component that exchanges digital signals with cable modems on a cable network. A headend CMTS communicates with CMs that are located in subscriber homes. The headend is actually a router with databases for providing Internet services to cable subscribers.

What is a CM?
A cable modem that enables you to receive data at high speeds. Typically it attaches to a standard 10BASE-T Ethernet card in the computer.

Describe how data is sent over cable.
A headend CMTS communicates with CMs located in subscriber homes. The architecture is relatively simple, using a mixed optical-coaxial network in which optical fiber replaces the lower bandwidth coaxial. A web of fiber trunk cables connects the headend to the nodes where optical-to-RF signal conversion takes place. The fiber carries the same broadband content for Internet connections, telephone service, and streaming video as the coaxial cable carries. Coaxial feeder cables originate from the node that carries RF signals to the subscribers.

Discuss access speed on a modern HFC network.
Typically 500 to 2,000 active data subscribers are connected to a cable network segment, all sharing the upstream and downstream bandwidth. The actual bandwidth for Internet service over a CATV line can be up to 27 Mb/s on the download path to the subscriber and about 2.5 Mb/s of bandwidth on the upload path. Based on the cable network architecture, cable operator provisioning practices, and traffic load, an individual subscriber can typically get an access speed of between 256 kb/s and 6 Mb/s.

How do cable operators handle congestion?
They can add additional bandwidth for data services by allocating an additional TV channel for high-speed data.
They can reduce the number of subscribers served by each network segment. To reduce the number of subscribers, the cable operator further subdivides the network by laying the fiber-optic connections closer and deeper into the neighborhoods.

6.2.3 What is DSL?
Digital Subscriber Line: a means of providing high-speed connections over installed copper wires.

What are the two basic types of DSL technologies?
Asymmetric (ADSL) and Symmetric (SDSL). ADSL provides higher downstream bandwidth to the user than upload bandwidth. SDSL provides the same capacity in both directions.

Describe how DSL is deployed.
Service providers deploy DSL connections in the last step of a local telephone network, called the local loop or last mile. The connection is set up between a pair of modems on either end of a copper wire that extends between the customer premises equipment (CPE) and the DSL access multiplexer (DSLAM). A DSLAM is the device located at the central office (CO) of the provider and concentrates connections from multiple DSL subscribers.

The two key components are the DSL transceiver and the DSLAM. Describe them.
Transceiver - Connects the computer of the teleworker to the DSL. Usually the transceiver is a DSL modem connected to the computer using a USB or Ethernet cable. Newer DSL transceivers can be built into small routers with multiple 10/100 switch ports suitable for home office use.
DSLAM - Located at the CO of the carrier, the DSLAM combines individual DSL connections from users into one high-capacity link to an ISP, and thereby, to the Internet.

What is the major advantage DSL has over cable?
DSL is not a shared medium. Each user has a separate direct connection to the DSLAM. Adding users does not impede performance, unless the DSLAM Internet connection to the ISP, or the Internet, becomes saturated.

What is the major advantage of ADSL?
The ability to provide data services along with POTS voice services.

How is this deployed?
When the service provider puts analog voice and ADSL on the same wire, the provider splits the POTS channel from the ADSL modem using filters or splitters. This setup guarantees uninterrupted regular phone service even if ADSL fails. When filters or splitters are in place, the user can use the phone line and the ADSL connection simultaneously without adverse effects on either service.

What are the two ways to separate ADSL from voice at the customer premises?
Using a microfilter or using a splitter.

Describe a microfilter.
A microfilter is a passive low-pass filter with two ends. One end connects to the telephone, and the other end connects to the telephone wall jack. This solution eliminates the need for a technician to visit the premises and allows the user to use any jack in the house for voice or ADSL service.

Describe a splitter.
POTS splitters separate the DSL traffic from the POTS traffic. The POTS splitter is a passive device. In the event of a power failure, the voice traffic still travels to the voice switch in the CO of the carrier. Splitters are located at the CO and, in some deployments, at the customer premises. At the CO, the POTS splitter separates the voice traffic, destined for POTS connections, and the data traffic destined for the DSLAM.

Describe a NID.
Network Interface Device: the actual device where the local loop terminates on the customer premises at the demarcation point.

What is the advantage(s) of using a microfilter vs. a splitter?
Splitters incur additional labor and technical support, so most home installations today use microfilters. Using microfilters also has the advantage of providing wider connectivity through the residence. Since the POTS splitter separates the ADSL and voice signals at the NID, there is usually only one ADSL outlet available in the house.

6.2.4 Describe 802.11 networking standards.
Data travels from place to place on radio waves. What makes 802.11 networking relatively easy to deploy is that it uses the unlicensed radio spectrum to send and receive data. Most radio and TV transmissions are government regulated and require a license to use.

What are the benefits of Wi-Fi?
- not having to use or install wired network connections
- mobility
- increased flexibility
- productivity to the teleworker

What is a hotspot?
The area covered by one or more interconnected access points. By overlapping access points, hotspots can cover many square miles.

What are some of the types of Broadband Wireless Access?
- Municipal Wi-Fi
- WiMAX
- Satellite Internet
Describe a typical home deployment.
A typical home deployment uses a single wireless router. This deployment uses the hub-and-spoke model. If the single wireless router fails, all connectivity is lost.

Describe a wireless network that uses a mesh topology.
A mesh is a series of access points (radio transmitters) as shown in the figure. Each access point is in range and can communicate with at least two other access points. The mesh blankets its area with radio signals. Signals travel from access point to access point through this cloud.

What is the advantage of mesh vs. single router deployment?
Mesh installation is easier and can be less expensive because there are fewer wires. Deployment over a large urban area is faster. From an operational point of view, it is more reliable. If a node fails, others in the mesh compensate for it.

Describe WiMAX.
WiMAX (Worldwide Interoperability for Microwave Access) is a telecommunications technology aimed at providing wireless data over long distances in a variety of ways, from point-to-point links to full mobile cellular type access. WiMAX operates at higher speeds, over greater distances, and for a greater number of users than Wi-Fi.

What are the two main components of a WiMAX network?
- A tower that is similar in concept to a cellular telephone tower. A single WiMAX tower can provide coverage to an area as large as 3,000 square miles, or almost 7,500 square kilometers.
- A WiMAX receiver that is similar in size and shape to a PCMCIA card, or built into a laptop or other wireless device.

How does the tower connect to the Internet?
A WiMAX tower station connects directly to the Internet using a high-bandwidth connection (for example, a T3 line). A tower can also connect to other WiMAX towers using line-of-sight microwave links.

Where are satellite Internet services used?
In locations where land-based Internet access is not available, or for temporary installations that are continually on the move. Internet access using satellites is available worldwide, including for vessels at sea, airplanes in flight, and vehicles moving on land.

Describe the three ways to connect to the Internet using satellites.
One-way multicast satellite Internet systems are used for IP multicast-based data, audio, and video distribution. Even though most IP protocols require two-way communication, Internet content, including web pages, can be "pushed" by one-way satellite-based Internet services to local storage at end-user sites. Full interactivity is not possible.
One-way terrestrial return satellite Internet systems use traditional dialup access to send outbound data through a modem and receive downloads from the satellite.
Two-way satellite Internet sends data from remote sites via satellite to a hub, which then sends the data to the Internet. The satellite dish at each location needs precise positioning to avoid interference with other satellites.

In two-way connections what is the most important factor?
The antenna has to have a clear view toward the equator, where most orbiting satellites are stationed. Trees and heavy rains can affect reception of the signals.

Describe IP multicasting technology as used by two-way satellite Internet.
IP multicasting technology allows one satellite to serve up to 5,000 communication channels simultaneously. IP multicast sends data from one point to many points at the same time by sending data in a compressed format. Compression reduces the size of the data and the bandwidth.

Wireless networking complies with a range of standards that routers and receivers use to communicate with each other. What is the most common standard?
The IEEE 802.11 wireless local area network (WLAN) standard, which addresses the 5 GHz and 2.4 GHz public (unlicensed) spectrum bands.

Why are the terms 802.11 and Wi-Fi not really interchangeable?
Wi-Fi is an industry-driven interoperability certification based on a subset of 802.11.

What is the Wi-Fi Alliance?
Organization that offers certification for interoperability between vendors of 802.11 products. It helps to market WLAN technology interoperability between vendors. Certification includes all three 802.11 RF technologies and WPA.

Describe the most popular access approaches to connectivity used by teleworkers.
IEEE 802.11b – IEEE WLAN standard for 11 Mbps at 2.4 GHz
IEEE 802.11g – IEEE WLAN standard for 54 Mbps at 2.4 GHz

Describe 802.11n.
The latest standard is a proposed amendment that builds on the previous 802.11 standards by adding multiple-input multiple-output (MIMO).

Describe 802.16 (or WiMAX).
This standard allows transmissions up to 70 Mb/s, and has a range of up to 30 miles (50 km). It can operate in licensed or unlicensed bands of the spectrum from 2 to 6 GHz.

6.3.1 Describe VPNs.
Virtual Private Networks - enable organizations to create private networks over the public Internet infrastructure that maintain confidentiality and security.

Describe their basic deployment.
Organizations use VPNs to provide a virtual WAN infrastructure that connects branch offices, home offices, business partner sites, and remote telecommuters to all or portions of their corporate network. To remain private, the traffic is encrypted. Instead of using a dedicated Layer 2 connection, such as a leased line, a VPN uses virtual connections that are routed through the Internet.

What are some of the benefits of VPNs?
- Fast
- Mobile
- Secure
- Dependable
- Scalable
- Little additional cost after initial setup

How can they be both virtual & private?
Virtual: Information within a private network is transported over a public network.
Private: The traffic is encrypted to keep the data confidential.

6.3.2 What are the types of VPNs?
Site-to-site & remote access.

Describe site-to-site VPNs.
Site-to-site VPNs connect entire networks to each other. In a site-to-site VPN, hosts send and receive TCP/IP traffic through a VPN gateway, which could be a router, PIX firewall appliance, or an Adaptive Security Appliance (ASA). The VPN gateway is responsible for encapsulating and encrypting outbound traffic for all of the traffic from a particular site and sending it through a VPN tunnel over the Internet to a peer VPN gateway at the target site. On receipt, the peer VPN gateway strips the headers, decrypts the content, and relays the packet toward the target host inside its private network.
When are remote access VPNs used?
By mobile users and telecommuters. Most teleworkers now have access to the Internet from their homes and can establish remote VPNs using broadband connections. Similarly, a mobile worker can make a local call to a local ISP to access the corporation through the Internet.

Describe remote access VPNs.
In a remote-access VPN, each host typically has VPN client software. Whenever the host tries to send any traffic, the VPN client software encapsulates and encrypts that traffic before sending it over the Internet to the VPN gateway at the edge of the target network. On receipt, the VPN gateway handles the data in the same way as it would handle data from a site-to-site VPN.

Remote access VPNs can be terminated at the central site using the same type of equipment as site-to-site VPNs with the addition of what other equipment?
You can use a VPN concentrator to terminate a VPN.

6.3.3 How do VPNs ensure confidentiality and security?
VPNs use cryptographic tunneling protocols to provide protection against packet sniffing, sender authentication, and message integrity.

What are the components required to establish a VPN?
- An existing network with servers and workstations
- A connection to the Internet
- VPN gateways, such as routers, firewalls, VPN concentrators, and ASAs, that act as endpoints to establish, manage, and control VPN connections
- Appropriate software to create and manage VPN tunnels

Describe encapsulating or encrypting the data within a VPN.
Encapsulation is also referred to as tunneling, because encapsulation transmits data transparently from network to network through a shared network infrastructure.
Encryption codes data into a different format using a secret key. Decryption decodes encrypted data into the original unencrypted format.

6.3.4 Describe the three characteristics of secure VPNs.
Data Confidentiality - Protects data from eavesdroppers (spoofing).
Data Integrity - Guarantees that no tampering or alterations occur.
Authentication - Ensures that only authorized senders and devices enter the network.

6.3.5 Describe tunneling.
It allows the use of public networks like the Internet to carry data for users as though the users had access to a private network. Tunneling encapsulates an entire packet within another packet and sends the new, composite packet over a network.

What are the three classes of protocols that tunneling uses?
Carrier protocol - The protocol over which the information is traveling (Frame Relay, ATM, MPLS).
Encapsulating protocol - The protocol that is wrapped around the original data (GRE, IPSec, L2F, PPTP, L2TP).
Passenger protocol - The protocol over which the original data was being carried (IPX, AppleTalk, IPv4, IPv6).
Describe GRE.
Generic Route Encapsulation (GRE) is a tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to Cisco routers at remote points over an IP internetwork.

6.3.6 Describe encryption.
For encryption to work, both the sender and the receiver must know the rules used to transform the original message into its coded form. VPN encryption rules include an algorithm and a key. An algorithm is a mathematical function that combines a message, text, digits, or all three with a key. The output is an unreadable cipher string. Decryption is extremely difficult or impossible without the correct key.

Describe some of the more common encryption algorithms and the length of keys used.
Data Encryption Standard (DES) algorithm - Developed by IBM, DES uses a 56-bit key, ensuring high-performance encryption. DES is a symmetric key cryptosystem. Symmetric and asymmetric keys are explained below.
Triple DES (3DES) algorithm - A newer variant of DES that encrypts with one key, decrypts with another different key, and then encrypts one final time with another key. 3DES provides significantly more strength to the encryption process.
Advanced Encryption Standard (AES) - The National Institute of Standards and Technology (NIST) adopted AES to replace the existing DES encryption in cryptographic devices. AES provides stronger security than DES and is computationally more efficient than 3DES. AES offers three different key lengths: 128, 192, and 256-bit keys.
Rivest, Shamir, and Adleman (RSA) - An asymmetrical key cryptosystem. The keys use a bit length of 512, 768, 1024, or larger.

Describe Symmetric Encryption.
Shared secret key cryptography
- Encryption & decryption use the same key
- Typically used to encrypt the content of a message
- Examples: DES, 3DES, AES

What is the main disadvantage of symmetric encryption?
The question is, how do the encrypting and decrypting devices both have the shared secret key? You could use e-mail, courier, or overnight express to send the shared secret keys to the administrators of the devices.

How can you overcome the above disadvantage?
Another easier and more secure method is asymmetric encryption.

Describe Asymmetric Encryption.
Public key cryptography
- Encryption & decryption use different keys
- Typically used in digital certification & key management
- Example: RSA

Describe a hash.
A hash, also called a message digest, is a number generated from a string of text. The hash is smaller than the text itself. It is generated using a formula in such a way that it is extremely unlikely that some other text will produce the same hash value.

How does a hash work?
The original sender generates a hash of the message and sends it with the message itself. The recipient decrypts the message and the hash, produces another hash from the received message, and compares the two hashes. If they are the same, the recipient can be reasonably sure the integrity of the message has not been affected.

What is HMAC?
A keyed-hash message authentication code (HMAC) is a data integrity algorithm that guarantees the integrity of the message.

What are the two parameters of a HMAC?
A message input and a secret key known only to the message originator and intended receivers.

Describe how a HMAC works.
The message sender uses a HMAC function to produce a value (the message authentication code), formed by condensing the secret key and the message input. The message authentication code is sent along with the message. The receiver computes the message authentication code on the received message using the same key and HMAC function as the sender used, and compares the result computed with the received message authentication code. If the two values match, the message has been correctly received and the receiver is assured that the sender is a member of the community of users that share the key.

Describe two common HMAC algorithms.
Message Digest 5 (MD5) - Uses a 128-bit shared secret key. The variable length message and 128-bit shared secret key are combined and run through the HMAC-MD5 hash algorithm. The output is a 128-bit hash. The hash is appended to the original message and forwarded to the remote end.
Secure Hash Algorithm 1 (SHA-1) - Uses a 160-bit secret key. The variable length message and the 160-bit shared secret key are combined and run through the HMAC-SHA-1 hash algorithm. The output is a 160-bit hash. The hash is appended to the original message and forwarded to the remote end.
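The sender/receiver exchange described in the hash and HMAC answers above, worked through in Python as an added example (not part of the study guide). It shows why the plain hash of the "How does a hash work?" answer only detects accidental corruption, while the keyed HMAC-MD5 / HMAC-SHA-1 of the later answers also detects deliberate modification in transit; the key and messages are constructed sample values.

```python
"""Plain digest vs. keyed HMAC for message integrity (HMAC-MD5 and HMAC-SHA-1).

Added example illustrating the study guide's hash and HMAC answers; the key and
message below are constructed sample values, not taken from the guide.
"""
import hashlib
import hmac

# Constructed 160-bit shared secret, the key size the guide gives for HMAC-SHA-1.
SHARED_KEY = bytes.fromhex("0b" * 20)
MESSAGE = b"PAYROLL: transfer 100 to account 42"


def plain_digest(message: bytes, algo: str = "sha1") -> bytes:
    """Unkeyed message digest: the 'hash' of the first answer (no secret involved)."""
    return hashlib.new(algo, message).digest()


def mac(key: bytes, message: bytes, algo: str = "sha1") -> bytes:
    """HMAC over the message under the shared key.
    algo 'md5' yields a 128-bit tag, 'sha1' a 160-bit tag, as the guide describes."""
    return hmac.new(key, message, algo).digest()


def sender(key: bytes, message: bytes, algo: str = "sha1") -> tuple:
    """Sender side: compute the MAC and send it along with the message."""
    return message, mac(key, message, algo)


def receiver_accepts(key: bytes, message: bytes, tag: bytes, algo: str = "sha1") -> bool:
    """Receiver side: recompute the MAC with the same key and function, then compare.
    compare_digest is a constant-time comparison, so the check itself does not
    leak how many leading bytes of the tag were correct."""
    return hmac.compare_digest(mac(key, message, algo), tag)


def verify_plain_hash(message: bytes, digest: bytes) -> bool:
    """The unkeyed check from the 'How does a hash work?' answer."""
    return hmac.compare_digest(plain_digest(message), digest)


def modified_in_transit(message: bytes, tag: bytes) -> tuple:
    """Constructed transit error for the demonstration: the amount field changes
    while the original tag is forwarded unchanged."""
    return message.replace(b"100", b"900"), tag


def unkeyed_check_is_fooled(message: bytes) -> bool:
    """Why the hash needs a key: whoever can alter the message can also recompute
    the unkeyed digest for the altered text, so the receiver's comparison passes.
    Returns True when the altered (message, digest) pair is accepted."""
    altered, _ = modified_in_transit(message, b"")
    return verify_plain_hash(altered, plain_digest(altered))


def keyed_check_detects_edit(key: bytes, message: bytes, algo: str = "sha1") -> bool:
    """With HMAC the tag cannot be recomputed without the key, so an altered
    message fails verification. Returns True when the edit is detected."""
    altered, old_tag = modified_in_transit(*sender(key, message, algo))
    return not receiver_accepts(key, altered, old_tag, algo)


if __name__ == "__main__":
    msg, tag = sender(SHARED_KEY, MESSAGE)
    print("HMAC-MD5 tag bits :", len(mac(SHARED_KEY, MESSAGE, "md5")) * 8)
    print("HMAC-SHA-1 tag bits:", len(tag) * 8)
    print("genuine message accepted  :", receiver_accepts(SHARED_KEY, msg, tag))
    print("plain hash fooled by edit :", unkeyed_check_is_fooled(MESSAGE))
    print("HMAC detects the same edit:", keyed_check_detects_edit(SHARED_KEY, MESSAGE))
```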
What are two peer authentication methods used by VPNs?
Pre-shared key (PSK) - A secret key that is shared between the two parties using a secure channel before it needs to be used. PSKs use symmetric key cryptographic algorithms. A PSK is entered into each peer manually and is used to authenticate the peer. At each end, the PSK is combined with other information to form the authentication key.
RSA signature - Uses the exchange of digital certificates to authenticate the peers. The local device derives a hash and encrypts it with its private key. The encrypted hash (digital signature) is attached to the message and forwarded to the remote end. At the remote end, the encrypted hash is decrypted using the public key of the local end. If the decrypted hash matches the recomputed hash, the signature is genuine.

6.3.7 Describe IPSec.
IPsec is a protocol suite for securing IP communications which provides encryption, integrity, and authentication. IPsec spells out the messaging necessary to secure VPN communications, but relies on existing algorithms.

Describe the two main IPsec framework protocols.
Authentication Header (AH) - Use when confidentiality is not required or permitted. AH provides data authentication and integrity for IP packets passed between two systems. It verifies that any message passed from R1 to R2 has not been modified during transit. It also verifies that the origin of the data was either R1 or R2. AH does not provide data confidentiality (encryption) of packets. Used alone, the AH protocol provides weak protection. Consequently, it is used with the ESP protocol to provide data encryption and tamper-aware security features.
Encapsulating Security Payload (ESP) - Provides confidentiality and authentication by encrypting the IP packet. IP packet encryption conceals the data and the identities of the source and destination. ESP authenticates the inner IP packet and ESP header. Authentication provides data origin authentication and data integrity. Although both encryption and authentication are optional in ESP, at a minimum, one of them must be selected.

What are some of the standard algorithms that IPSec uses?
DES - Encrypts and decrypts packet data.
3DES - Provides significant encryption strength over 56-bit DES.
AES - Provides stronger encryption, depending on the key length used, and faster throughput.
MD5 - Authenticates packet data, using a 128-bit shared secret key.
SHA-1 - Authenticates packet data, using a 160-bit shared secret key.
DH - Allows two parties to establish a shared secret key used by encryption and hash algorithms, for example, DES and MD5, over an insecure communications channel.

When configuring IPSec, what are the four IPsec framework squares that are to be filled?
- When configuring an IPsec gateway to provide security services, first choose an IPsec protocol. The choices are ESP or ESP with AH.
- The second square is an encryption algorithm if IPsec is implemented with ESP. Choose the encryption algorithm that is appropriate for the desired level of security: DES, 3DES, or AES.
- The third square is authentication. Choose an authentication algorithm to provide data integrity: MD5 or SHA.
- The last square is the Diffie-Hellman (DH) algorithm group which establishes the sharing of key information between peers. Choose which group to use, DH1 or DH2.