With regards
Kings
CCNA,CCSP,CCNP,CCIP,CCIE 35914 (Security)

On Mon, Oct 29, 2012 at 11:32 PM, Castro, Allan <[email protected]> wrote:

> Hello,
>
> Below is a list of questions I need some input on for exam purposes.
> Thanks!
>
> *DMVPN*
>
> · If the question doesn’t say anything, should we configure
> the dmvpn tunnel interface to have an mtu of 1400?
>
     Always have the following configured under the tunnel interface:

     ip mtu 1400
     bandwidth 1000
     delay 1000
     ip tcp adjust-mss 1360


>
> · If the question doesn’t say anything about the mode, either
> transport or tunnel, do we leave it to the default?
>
   Use transport mode. I see all Cisco docs using it; it is recommended
and is critical when NAT is sitting between hub and spoke.


>
> · When specifying the vpn endpoints on the crypto isakmp key
> WORD address x.x.x.x command, if not specified it would not matter if we use
> the endpoint address of the ip of the serial interface or loopback, right?
>

They will mention which interface should act as the source for the tunnel
interface; based on that, configure the isakmp key.


>
> · If the HUB is being natted, is it ok and good for the exam
> purpose to use Transport mode?
>
Yes, you need to use Transport mode.


>
> *EZVPN*
>
> · What is the difference of configuring the address pool on
> the group policy or the tunnel group?
>
Group policy takes preference over tunnel group, if I remember correctly.


>
> · I found a note that said: "Keep in mind that an EZVPN
> client requires DH group 2 for 3des and DH group 5 for AES-256." --> This is
> actually done on the EZVPN server and not the client, right?
>

I guess that will be mentioned in the task; if it is not mentioned, use this.
It has always worked for me.

Hash - sha or md5
Group - 2
encryption - 3des


>
> *IPS*
>
> · Just configured rate limiting using the IPS to fa0/0 of a
> router in the inbound direction. This works fine. For the Pre-Block and
> Post-Block ACL, what are the uses of these?
>
The pre-block and post-block ACEs are placed before and after the IPS ACEs.


>
> · If we want the IPS to block NSLOOKUP and NETSTAT commands
> from running on a linux or windows machine, can these two work?
>
> NSLOOKUP
>
> STRING UDP engine
> Service Port 53
> Direction TO service
> regex [Nn][Ss][Ll][Oo][Oo][Kk][Uu][Pp]
>
> NETSTAT
>
> STRING TCP engine
> Service Port 15
> Direction TO service
> regex [Ss][Uu]" "[Nn][Ee][Tt][Ss][Tt][Aa][Tt]
>
> also, what is the "su" used for? I have seen this many times...
>
> · if the question says: configure a custom based signature to
> alert when r5 telnets to r6 and issues the command cisco: Is it ok to
> create 2 different signatures? One that catches the word cisco on the
> telnet connection and another signature that catches the TCP
> connection on port 23 from r5 to r6. Once these 2 are created, then merge
> them together on a signature with the META engine?
>
> *NBAR*
>
> · If the question just says to match *root.exe* on http, do
> we configure the regex string like “root.exe” or
> “[Rr][Oo][Oo][Tt]\.[Ee][Xx][Ee]”?
>
Both should work unless they ask to check for case sensitive.


>
> · If I use this class map and whatever is on the ACL named
> NBAR generates traffic, either Kazaa, Morpheus or Grokster, it would work,
> right? Or do I have to use match-any, as the fasttrack protocol contains
> 3 types of traffic?
>
> class-map match-all P2P
>  match access-group name NBAR
>  match protocol fasttrack
>
> *GENERAL*
>
> · For ACL configuration, if the question *doesn’t* say to
> be specific, what is the recommended way? Create host specific ACLs or do
> the any any eq # ?
>
> *BGP*
>
> · If the question says: Configure BGP between R1 and R4 to
> make sure they peer. The question doesn’t say anything about authentication,
> and R1 is on the inside and R4 on the outside. I would just need to
> configure an ACL on the outside to allow R4 to connect to R1 on TCP 179.
> The connection from R1 to R4 should be allowed as there are no acls on the
> inside, and the return traffic should be permitted too.
>
> · Also, what is the IPS signature # that we need to remember
> in case BGP traffic with authentication passes through an Inline IPS?
>
> *Routing updates*
>
> · Is it safe to use the clear ip route * command after we do
> some kind of change to a router like ZBF or CoPP, to make sure routing is
> not disturbed by what we configured and that the router learns the routes
> again?
>
> *Marking*
>
> · Question says: modify the ip precedence field for packets
> arriving from vlan46 to an ip precedence of immediate (2). The solution
> shows an ACL applied to a route map and then the immediate precedence set
> there. Then the route map is applied to the interface. However, the solution I
> came up with was this one. Would this one work the same way?
>
> Extended IP access list VLAN46
>   10 permit ip 46.46.46.0 0.0.0.255 any (147 matches)
>
> class-map match-all PRECEDENCE
>  match access-group name VLAN46
>
> policy-map MARKING
>  class PRECEDENCE
>   set precedence 2
>
> interface FastEthernet0/0
>  ip address 46.46.46.4 255.255.255.0
>  duplex auto
>  speed auto
>  service-policy input MARKING
> end
>
> · What is the difference between "match dscp 5" and "match ip dscp
> 5"?
>
> *Posture Validation*
>
> · When enabling Posture validation on the ACS, is this
> correct as the first steps?
>
> When generating the self-signed certificate, do we use any info on the
> self-signed certificate fields if not specified?
>
> · System Configuration -> Global Authentication Setup -> Check marks
>
> · CHAPv2
>
>   Allow Posture Validation
>
>
> Is EAP-TLS needed?
>
> *DHCP snooping.*
>
> · If we are asked to configure DHCP snooping on a switch and
> trust a port where a DHCP server is, can we as part of the steps go ahead
> and configure this command?  "no ip dhcp snooping information option"
>
> *Yusofs Lab*
>
> · On Yusofs lab1 question 5.3, to use NAP for MAC based
> authentication. The answer says that if no MAC is used then assign to
> the default group. The answer shows "If a MAC address is not defined or there
> is no matched mapping:" and then it shows the default group.
>
> My ACS, which is running 4.1, does not have this option, so what I did is
> that I added a second rule and left the MAC address field blank. Would this
> be counted as a wildcard MAC address if it is different from the other 2
> selected?
>
> ---------------------------------------------------------------------
>
> Allan Castro, CCNP-Security | HP AIS certified
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>

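
Editor's added example, not part of the thread above: two of the quoted questions (the NBAR "class-map match-all P2P" with an access-group and "match protocol fasttrack", and the "policy-map MARKING" that sets precedence 2 for VLAN46 traffic) both turn on the same MQC semantics, so one small evaluator serves both. It implements IOS wildcard-mask ACL matching, match-all versus match-any class-maps, and a service-policy that walks its classes in order and sets IP precedence. Assumptions are mine: packets are small dicts, "match protocol fasttrack" is modelled as matching the three applications the thread lists (Kazaa, Morpheus, Grokster), the contents of the NBAR ACL are made up (10.1.1.0/24), and only access-group and protocol match criteria are implemented.

```python
"""Added example (not from the original thread): a miniature evaluator for the
IOS MQC semantics behind the NBAR and Marking questions above.

Assumptions (mine): packets are dicts; 'match protocol fasttrack' matches the
three applications the thread lists; the NBAR ACL contents are constructed;
only 'match access-group name' and 'match protocol' are implemented.
"""
import ipaddress

# 'match protocol fasttrack' -- the thread says FastTrack covers these three apps
NBAR_PROTOCOLS = {"fasttrack": {"kazaa", "morpheus", "grokster"}}


def _wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care'; 'any' is 0.0.0.0 255.255.255.255."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def acl_permits(acl: list, pkt: dict) -> bool:
    """Evaluate an extended ACL top-down with the implicit deny at the end.
    Each ACE is (action, src_net, src_wildcard, dst_net, dst_wildcard)."""
    for action, snet, swc, dnet, dwc in acl:
        if _wildcard_match(pkt["src"], snet, swc) and _wildcard_match(pkt["dst"], dnet, dwc):
            return action == "permit"
    return False


def class_matches(cmap: dict, acls: dict, pkt: dict) -> bool:
    """cmap = {'mode': 'match-all' | 'match-any', 'criteria': [(kind, arg), ...]}."""
    results = []
    for kind, arg in cmap["criteria"]:
        if kind == "access-group":
            results.append(acl_permits(acls[arg], pkt))
        elif kind == "protocol":
            results.append(pkt.get("app") in NBAR_PROTOCOLS[arg])
        else:
            raise ValueError(f"unsupported match criterion {kind!r}")
    return all(results) if cmap["mode"] == "match-all" else any(results)


def apply_policy(policy: list, cmaps: dict, acls: dict, pkt: dict) -> dict:
    """policy = [(class_name, {'set precedence': n}), ...]. The first matching
    class wins, as IOS walks the classes of a service-policy in order."""
    out = dict(pkt)
    for cname, actions in policy:
        if class_matches(cmaps[cname], acls, pkt):
            if "set precedence" in actions:
                out["precedence"] = actions["set precedence"]
            break
    return out


# --- constructed configuration mirroring the thread ---------------------------
ANY = ("0.0.0.0", "255.255.255.255")
ACLS = {
    # ip access-list extended NBAR: permit ip 10.1.1.0 0.0.0.255 any  (assumed contents)
    "NBAR": [("permit", "10.1.1.0", "0.0.0.255", *ANY)],
    # ip access-list extended VLAN46: 10 permit ip 46.46.46.0 0.0.0.255 any (from the thread)
    "VLAN46": [("permit", "46.46.46.0", "0.0.0.255", *ANY)],
}
CLASS_MAPS = {
    # class-map match-all P2P / match access-group name NBAR / match protocol fasttrack
    "P2P": {"mode": "match-all",
            "criteria": [("access-group", "NBAR"), ("protocol", "fasttrack")]},
    # the match-any alternative the question asks about
    "P2P-ANY": {"mode": "match-any",
                "criteria": [("access-group", "NBAR"), ("protocol", "fasttrack")]},
    # class-map match-all PRECEDENCE / match access-group name VLAN46
    "PRECEDENCE": {"mode": "match-all", "criteria": [("access-group", "VLAN46")]},
}
MARKING = [("PRECEDENCE", {"set precedence": 2})]   # policy-map MARKING


def p2p_verdicts() -> dict:
    """(match-all verdict, match-any verdict) for three constructed packets."""
    samples = {
        "kazaa_inside": {"src": "10.1.1.7", "dst": "203.0.113.9", "app": "kazaa"},
        "http_inside": {"src": "10.1.1.7", "dst": "203.0.113.9", "app": "http"},
        "kazaa_outside": {"src": "192.0.2.5", "dst": "203.0.113.9", "app": "morpheus"},
    }
    return {name: (class_matches(CLASS_MAPS["P2P"], ACLS, p),
                   class_matches(CLASS_MAPS["P2P-ANY"], ACLS, p))
            for name, p in samples.items()}


def mark_vlan46(src: str) -> int:
    """Precedence a packet from src carries after 'service-policy input MARKING'."""
    pkt = {"src": src, "dst": "203.0.113.9", "app": "http", "precedence": 0}
    return apply_policy(MARKING, CLASS_MAPS, ACLS, pkt)["precedence"]


if __name__ == "__main__":
    print(p2p_verdicts())
    print(mark_vlan46("46.46.46.10"), mark_vlan46("46.46.47.10"))
```

Running it shows the difference the NBAR question is asking about: with match-all, a Kazaa flow is classified only when it also hits the NBAR ACL, while match-any classifies any FastTrack flow or anything the ACL permits, regardless of application. The marking half shows that an input service-policy with a class matching the VLAN46 ACL sets precedence 2 on 46.46.46.0/24 sources and leaves everything else untouched.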