Hello,

Below is a list of questions I need some input on for exam purposes. Thanks!

DMVPN


* If the question doesn't say anything, should we configure the DMVPN tunnel interface to have an MTU of 1400?

* If the question doesn't say anything about the mode, either transport or tunnel, do we leave it at the default?

* When specifying the VPN endpoints with the crypto isakmp key WORD address x.x.x.x command, if not specified, it would not matter whether we use the IP of the serial interface or the loopback as the endpoint address, right?

* If the hub is being NATed, is it OK and good for exam purposes to use transport mode?

EZVPN


* What is the difference between configuring the address pool on the group policy and on the tunnel group?

* I found a note that said: "Keep in mind that an EZVPN client requires DH group 2 for 3DES and DH group 5 for AES-256." --> This is actually done on the EZVPN server and not the client, right?

IPS


* Just configured rate limiting using the IPS on fa0/0 of a router in the inbound direction. This works fine. For the Pre-Block and Post-Block ACLs, what are these used for?

* If we want the IPS to block the NSLOOKUP and NETSTAT commands from running on a Linux or Windows machine, would these two work?

NSLOOKUP

STRING UDP engine
Service Port 53
Direction TO service
regex [Nn][Ss][Ll][Oo][Oo][Kk][Uu][Pp]

NETSTAT

STRING TCP engine
Service Port 15
Direction TO service
regex [Ss][Uu]" "[Nn][Ee][Tt][Ss][Tt][Aa][Tt]

Also, what is the "su" used for? I have seen this many times...


* If the question says: configure a custom signature to alert when R5 telnets to R6 and issues the command cisco: Is it OK to create 2 different signatures, one that catches the word cisco on the Telnet connection and another that catches the TCP connection on port 23 from R5 to R6, and once these 2 are created, merge them together in a signature with the META engine?

NBAR


* If the question just says to match root.exe on HTTP, do we configure the regex string like "root.exe" or "[Rr][Oo][Oo][Tt]\.[Ee][Xx][Ee]"?

* If I use this class map and whatever is on the ACL named NBAR generates traffic, either Kazaa, Morpheus or Grokster, it would work, right? Or do I have to use match-any, as the FastTrack protocol contains 3 types of traffic?



class-map match-all P2P
 match access-group name NBAR
 match protocol fasttrack

GENERAL


* For ACL configuration, if the question doesn't say to be specific, what is the recommended way: create host-specific ACLs or do the any any eq # ?

BGP


* If the question says: Configure BGP between R1 and R4 to make sure they peer. The question doesn't say anything about authentication, and R1 is on the inside and R4 on the outside. I would just need to configure an ACL on the outside to allow R4 to connect to R1 on TCP 179. The connection from R1 to R4 should be allowed, as there are no ACLs on the inside, and the return traffic should be permitted too.

* Also, what is the IPS signature # that we need to remember in case BGP traffic with authentication passes through an inline IPS?

Routing updates


* Is it safe to use the clear ip route * command after we make some kind of change to a router, like ZBF or CoPP, to make sure routing is not disturbed by what we configured and that the router learns the routes again?

Marking


* The question says: modify the IP precedence field for packets arriving from VLAN46 to an IP precedence of immediate (2). The solution shows an ACL applied to a route map with the immediate precedence set there, and then the route map applied to the interface. However, the solution I came up with was this one. Would this one work the same way?

Extended IP access list VLAN46
    10 permit ip 46.46.46.0 0.0.0.255 any (147 matches)

class-map match-all PRECEDENCE
 match access-group name VLAN46

policy-map MARKING
 class PRECEDENCE
  set precedence 2

interface FastEthernet0/0
 ip address 46.46.46.4 255.255.255.0
 duplex auto
 speed auto
 service-policy input MARKING
end


* What is the difference between "match dscp 5" and "match ip dscp 5"?

Posture Validation


* When enabling posture validation on the ACS, is this correct as first steps? When generating the self-signed certificate, do we use any info in the self-signed certificate fields if not specified?


* System Configuration -> Global Authentication Setup -> Check marks:
  * CHAPv2
  * Allow Posture Validation

Is EAP-TLS needed?

DHCP snooping


* If we are asked to configure DHCP snooping on a switch and trust a port where a DHCP server is, can we, as part of the steps, go ahead and configure this command? "no ip dhcp snooping information option"

Yusof's Lab


* On Yusof's lab 1, question 5.3, to use NAP for MAC-based authentication: the answer says that if no MAC is used then assign to the default group. The answer shows "If a MAC address is not defined or there is no matched mapping:" and then the default group. My ACS, which is running 4.1, does not have this option, so what I did is add a second rule and leave the MAC address field blank. Would this be counted as a wildcard MAC address if it is different from the other 2 selected?


---------------------------------------------------------------------
Allan Castro CCNP-Security | HP AIS certified
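Added example (not part of the original post, and not Cisco's or IPexpert's code): the root.exe question and the NSLOOKUP/NETSTAT signatures both hinge on how a string-match engine reads a regex when it has no case-insensitive option. The script below runs the post's candidate patterns over constructed sample payloads (the HTTP requests and the "mixed"/"wildcard" strings are invented here) with Python's re module standing in for the signature engine, so you can see that an unescaped "." matches any character and that the [Xx] character-class form is what buys case-insensitivity. The helper case_insensitive_classes() generalises the hand-written pattern from the post: it expands any literal into that class form and escapes the non-letters.

```python
import re

# Constructed sample payloads (assumed, not taken from the original post):
# the kind of text an HTTP URL match or a Telnet/TCP string match would see.
SAMPLES = {
    "lower":     "GET /scripts/root.exe?/c+dir HTTP/1.0",
    "upper":     "GET /scripts/ROOT.EXE?/c+dir HTTP/1.0",
    "mixed":     "GET /scripts/RoOt.ExE HTTP/1.0",
    "wildcard":  "GET /scripts/rootXexe HTTP/1.0",  # no real dot in the name
    "unrelated": "GET /index.html HTTP/1.0",
}

# The two candidate patterns from the post plus the minimal escaped form.
PATTERNS = {
    "literal": r"root.exe",                        # '.' here means "any character"
    "escaped": r"root\.exe",                       # literal dot, but case-sensitive
    "classes": r"[Rr][Oo][Oo][Tt]\.[Ee][Xx][Ee]",  # literal dot, case-insensitive
}


def matches(pattern, payload):
    """True if the regex fires anywhere in the payload. No flags are used,
    mirroring a signature engine that has no case-insensitive switch."""
    return re.search(pattern, payload) is not None


def hits(pattern_name):
    """Names of the samples a given pattern fires on, in SAMPLES order."""
    pattern = PATTERNS[pattern_name]
    return [name for name, text in SAMPLES.items() if matches(pattern, text)]


def case_insensitive_classes(literal):
    """Expand a literal string into the [Xx] character-class form used when
    an engine cannot be told to ignore case. Non-letters are regex-escaped,
    so '.' stays a literal dot instead of becoming a wildcard."""
    out = []
    for ch in literal:
        if ch.isalpha():
            out.append("[%s%s]" % (ch.upper(), ch.lower()))
        else:
            out.append(re.escape(ch))
    return "".join(out)


if __name__ == "__main__":
    for name in PATTERNS:
        print("%-8s %-32s -> %s" % (name, PATTERNS[name], ", ".join(hits(name))))
    print("nslookup ->", case_insensitive_classes("nslookup"))
```

The "literal" pattern is the one to watch: it misses the upper- and mixed-case requests entirely and fires on "rootXexe", which is a false positive on one side and evasion on the other. The class form matches all three case variants and nothing else, and case_insensitive_classes("nslookup") reproduces the NSLOOKUP regex from the post exactly.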


_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com
