I'll try to answer some of these questions right now.

1. Only the port in question would need to be configured to another VLAN, let's say 99. The rest of the ports do not need to be changed.

2.a. IP Source Guard is on SWITCHES, and Reverse Path Forwarding is for routers. The loose and strict modes are in RPF and NOT in IP Source Guard. The question is usually very clear about what it wants, e.g. (again, not breaking an NDA)... check reverse path on the same interface the traffic was received, so that is STRICT mode, i.e. RX and not ANY. Also, maybe the question would say to use the new method of RPF and not the legacy method; then it would mean to use ip verify unicast source ............... and not ip verify reverse-path (legacy).

2.b. IP Source Guard is related to switches; it checks the IP address and MAC address of the host connected to it.

3. Later, or maybe someone else can better explain.

4. Correct.

6. Control-plane is used for policing traffic..... queue-threshold is a feature of control-plane host.

On Thu, Mar 15, 2012 at 5:31 PM, Castro, Allan <[email protected]> wrote:
> Please help me clarify this:
>
> 1) VLAN hopping attack --> In order to mitigate this attack we would configure the switchport to be an access port (switchport mode access). It also says by reading the documentation that UNUSED ports should be assigned to another VLAN other than 1. So for this mitigation I need to configure the port in question to be an access port, and ALL other ports that are unused I would need to configure in another VLAN other than 1. Is this correct?
>
> 2) IP Source Guard --> We have strict and loose mode. What kind of wording can we identify when they are asking us to configure strict (ip verify unicast reverse-path) or loose mode (ip verify unicast source reachable-via any)?
>
> 3) FPM --> In my notes I have that we need to be careful when applying the policy to the interface using FPM as it could crash the device. In what situation could this happen and what sort of things do we need to be aware of?
>
> When doing FPM it is a matter of breaking down the parts of the question. Layer 3 and Layer 4, for example, on Yusuf lab book, Lab 1 question 8.3.
>
> First class-map is of type access-control which matches port 23 and destination IP, which is where we detail the IP and service to be used (Layer 3 and 4).
>
> Second class-map is of type STACK in which we define what protocol the service runs on, which is TCP. I think that once you have the class-maps done the policy-maps are easy and applying it to the control-plane is easier. Please comment, and what is the difference between class-maps type access-control and STACK?
>
> 4) MQC match-any & match-all --> When using either option I want to make sure my understanding is correct. If we use match-any then it means that under the class-map it can match ANY of the options we have configured; it can match 1, 2 or all at once and it would still work? Using match-all it means that it MUST match all the rules we have configured, else it would not apply. Is this correct?
>
> 5) control-plane host --> We would apply a policy configured on this if we needed to allow/drop etc. any management traffic or routing protocols, correct?
>
> 6) control-plane --> We would apply a policy configured on this if we needed to police specific traffic or set a queue-threshold, for example?
>
> 7) Important HEX codes --> Any other ones that we need to know besides the following?
>
> ARP: 0x806  IP: 0x800  IPX: 0x8137  STP: 0x4242  IPv6: 0x86DD  STP LSAP: 0xAAAA
>
> 8) DHCP snooping --> When is it necessary to use the command in the switch: no ip dhcp snooping information option
>
> 9) ACL configuration --> If the question does NOT say to be specific when configuring ACLs to open traffic for, let's say, TCP 23, 49, 22 etc., can we do a permit tcp any any eq 23 etc. etc.?
>
> 10) On the Yusof practice labs, LAB 2 question 2.4 it says: Your solution must have CBAC inspection applied to any one interface only. I am unclear as to what this means?
>
> Strategy: What I am thinking of doing when I start the lab is drawing on a piece of paper the # of routers, ASAs, and switches one below the other and writing next to it important things to note, for example:
>
> router1 --> ZBF, CoPP
> Asa1 --> nat-control, cut-through proxy (http)
> switch1 --> Vlan access map (v 51)
>
> Things that I could easily forget, but having it on paper makes it easier while facing a new task that traffic will be going through any other device. What do you think?
>
> Thanks!
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
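As an added example (not from the thread or from Cisco), the strict (rx) vs loose (any) uRPF distinction in point 2.a modelled in Python against a constructed FIB. Interface names, prefixes, the Null0 entry and the allow-default handling are assumptions made for the example, not anything stated in the thread.

```python
import ipaddress

# Constructed FIB for the example: prefix -> outgoing interface.
# None models a route to Null0 (a black-holed prefix).
FIB = {
    "0.0.0.0/0": "Gi0/0",     # default route towards the ISP
    "10.1.0.0/16": "Gi0/1",   # internal LAN
    "10.1.5.0/24": "Gi0/2",   # more specific subnet behind another interface
    "192.0.2.0/24": None,     # Null0: discard route
}

def lookup(src):
    """Longest-prefix match; returns (network, interface) or None if no route."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, intf in FIB.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, intf)
    return best

def urpf_passes(src, ingress, mode="rx", allow_default=False):
    """Model of 'ip verify unicast source reachable-via {rx|any} [allow-default]'.

    rx  (strict): the best route back to the source must exit via the ingress interface.
    any (loose):  any non-Null0 route back to the source is enough.
    The default route is only considered when allow-default is set (assumption
    modelled after the keyword's documented purpose).
    """
    match = lookup(src)
    if match is None:
        return False               # no route to the source: drop in both modes
    net, intf = match
    if net.prefixlen == 0 and not allow_default:
        return False               # default route is ignored unless allow-default
    if intf is None:
        return False               # route points to Null0: drop in both modes
    if mode == "any":
        return True                # loose: a real route exists, accept
    return intf == ingress         # strict: route must point back out the ingress interface
```

The asymmetric case (source 10.1.5.7 arriving on Gi0/1) is the one that passes loose mode but fails strict mode, which is the difference the question wording hinges on.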
