Please help me clarify this:
1) VLAN hopping attack --> In order to mitigate this attack we would configure the switchport to be an access port (switchport mode access). It also says, by reading the documentation, that UNUSED ports should be assigned to another VLAN other than 1. So for this mitigation I need to configure the port in question to be an access port, and ALL other ports that are unused I would need to configure in another VLAN other than 1. Is this correct?

2) IP Source Guard --> We have strict and loose mode. What kind of wording can we identify when they are asking us to configure strict (ip verify unicast reverse-path) or loose mode (ip verify unicast source reachable-via any)?

3) FPM --> In my notes I have that we need to be careful when applying the policy to the interface using FPM as it could crash the device. In what situation could this happen and what sort of things do we need to be aware of? When doing FPM it is a matter of breaking down the parts of the question, Layer 3 and Layer 4 for example in the Yusuf lab book, Lab 1 question 8.3. The first class-map is of type access-control, which matches port 23 and the destination IP; here we are detailing the IP and service to be used (Layer 3 and 4). The second class-map is of type STACK, in which we define what protocol the service runs on, which is TCP. I think that once you have the class-maps done the policy-maps are easy and applying it to the control-plane is easier. Please comment, and what is the difference between class-maps of type access-control and STACK?

4) MQC match-any & match-all --> When using either option I want to make sure my understanding is correct. If we use match-any then it means that under the class-map it can match ANY of the options we have configured; it can match 1, 2 or all at once and it would still work? Using match-all means that it MUST match all the rules we have configured, else it would not apply. Is this correct?

5) control-plane host --> We would apply a policy configured on this if we needed to allow/drop etc. any management traffic or routing protocols, correct?

6) control-plane --> We would apply a policy configured on this if we needed to police specific traffic or set a queue-threshold, for example?

7) Important HEX codes --> Any other ones that we need to know besides the following? ARP: 0x806, IP: 0x800, IPX: 0x8137, STP: 0x4242, IPV6: 0x86DD, STP LSAP: 0xAAAA

8) DHCP snooping --> When is it necessary to use the command in the switch: no ip dhcp snooping information option

9) ACL configuration --> If the question does NOT say to be specific when configuring ACLs to open traffic for, let's say, TCP 23, 49, 22 etc., can we do a permit tcp any any eq 23 etc. etc.?

10) On the Yusof practice labs, LAB 2 question 2.4 it says: Your solution must have CBAC inspection applied to any one interface only. I am unclear as to what this means?

Strategy: What I am thinking of doing when I start the lab is drawing on a piece of paper the # of routers, ASAs, and switches one below the other and writing next to it important things to note, for example: router1 --> ZBF, CoPP; Asa1 --> nat-control, cut-through proxy (http); switch1 --> VLAN access map (v 51). Things that I could easily forget, but having it on paper makes it easier while facing a new task where traffic will be going through any other device. What do you think? Thanks!
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
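The difference between the two FPM class-map types asked about in question 3, and the match-any/match-all semantics from question 4, modelled as a small packet classifier. This is an added Python example, not from the post or from Cisco: the "stack" step only establishes how headers are layered (IP carrying TCP) so field offsets are known, and the "access-control" step matches field values at those offsets; the packets and addresses are constructed, not captured.

```python
import struct
from ipaddress import IPv4Address

# Constructed packets (not captures): minimal IPv4 header + first 4 bytes of L4 header.
def ipv4_packet(proto, dst_ip, dst_port):
    src = IPv4Address("192.0.2.10").packed          # constructed source address
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                      src, IPv4Address(dst_ip).packed)
    return hdr + struct.pack("!HH", 40000, dst_port)   # src port, dst port

# "stack" class-map: describes protocol layering (IP -> TCP), not traffic to act on.
# It tells the later field matches where the TCP header begins.
def stack_ip_tcp(pkt):
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:                                   # IP protocol field must be TCP
        return None
    return {"ip": pkt[:ihl], "tcp": pkt[ihl:]}

# "access-control" class-map: matches concrete field values once the stack is known.
def field_dst_ip(layers, ip):
    return IPv4Address(layers["ip"][16:20]) == IPv4Address(ip)

def field_tcp_dport(layers, port):
    return struct.unpack("!H", layers["tcp"][2:4])[0] == port

def classify(pkt, rules, match_all=True):
    """match-all: every rule must hit; match-any: a single hit is enough."""
    layers = stack_ip_tcp(pkt)
    if layers is None:                                # wrong stack, no field match possible
        return False
    hits = [rule(layers) for rule in rules]
    return all(hits) if match_all else any(hits)

# Telnet (TCP/23) to one host, as in the Layer 3 + Layer 4 breakdown described above.
TELNET_TO_HOST = [lambda l: field_dst_ip(l, "10.1.1.1"),
                  lambda l: field_tcp_dport(l, 23)]
```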
