Tony,
If you don't add the RSA keys it will create generic keys and you may not have control over what it adds. For instance, when you start working with certificates in Lab 4 and on without predefining the RSA keys, you can't, for instance, use different keys for authentication versus encryption like you can when you use "usage-keys". I personally just think it is a good habit to get into, but it is not required, as you have already pointed out.

2. It depends on the question. I think generally you are safe not to. I don't always include the gt 1024. But it is a good security practice.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

From: [email protected] [mailto:[email protected]] On Behalf Of Tony Molica
Sent: Thursday, September 30, 2010 6:32 PM
To: [email protected]
Subject: [OSL | CCIE_Security] CCIE Sec 2a step 2.3 crypto command on R4

Hi Scott,

Great job on your video labs - much appreciated.

Quick Q. On R4 you did a "crypto key generate rsa module......." command just before the "domain name ipexpert.com" command. When I turn on http secure-server on a router, I usually don't do those extra steps and it works. I just type "ip http secure-server" and it's up. There's probably a reason you took those extra commands. Would you mind explaining why? Sorry if that was a dumb question. I don't mean to do it, but it would be nice to know.

Also - generally speaking, if I'm permitting a TCP-based protocol like BGP, I would use "permit tcp any host ... eq 179". I usually don't add the "permit tcp any gt 1024 any eq 179". Now in reality, if I did it my old habit way, is it really possible I could get it wrong? As you know, source TCP ports are the higher-numbered ones, and I don't see a TCP connection using anything lower than 1024 for source with a dest port of 179. Again, I apologize if this is an obvious q for you. The most important q is whether I would in fact get it wrong on my CCIE lab if I used the good ole "permit tcp any host ... eq 179". That would in fact work.

Again, great job on the videos.

Thanks,
Tony Molica
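The two habits discussed in this thread (predefining RSA keys with "usage-keys" before enabling the HTTPS server, and restricting the peer's source port on the BGP ACL) as an added Cisco IOS configuration example; this is not from the thread or from the IPexpert workbook, and the hostnames, addresses, key labels, modulus size and interface name are assumptions.

```cisco
! Assumed topology: this router is R4 (10.0.0.4); its BGP peer is R5 (10.0.0.5).
hostname R4
ip domain-name ipexpert.com
!
! Option A: what you get implicitly when "ip http secure-server" has to create
! keys for you - one general-purpose pair used for both signing and encryption.
crypto key generate rsa general-keys label R4-GENERAL modulus 2048
!
! Option B: "usage-keys" creates two pairs under one label, one for signature
! (authentication) and one for encryption, so a trustpoint can use them
! separately and each can be rolled on its own later in the certificate labs.
crypto key generate rsa usage-keys label R4-USAGE modulus 2048
!
crypto pki trustpoint IPEXPERT-CA
 rsakeypair R4-USAGE
!
ip http secure-server
!
! ACL comparison for the BGP session with R5, applied inbound on R4.
! Loose form from the question: any source port is accepted.
ip access-list extended BGP-LOOSE
 remark peer may arrive from any source port
 permit tcp host 10.0.0.5 host 10.0.0.4 eq 179
!
! Tighter form: the peer must open the session from an ephemeral port (> 1024),
! which is what a normal BGP speaker does.
ip access-list extended BGP-TIGHT
 remark R5 opens the session to R4's port 179
 permit tcp host 10.0.0.5 gt 1024 host 10.0.0.4 eq 179
 remark caveat: if R4 opens the session, R5 replies from 179 to R4's ephemeral port
 permit tcp host 10.0.0.5 eq 179 host 10.0.0.4 gt 1024 established
!
interface GigabitEthernet0/0
 ip access-group BGP-TIGHT in
```

The second line in BGP-TIGHT is the part the "gt 1024" habit tends to miss: either side can initiate the TCP session, so an ACL that only models the peer as the initiator will silently break the session whenever the local router wins the connection race.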
