DMVPN:

Dynamic Multipoint Virtual Private Network (DMVPN)[1] is a dynamic tunneling
form of a virtual private network (VPN) supported on Cisco IOS-based routers,
based on the standard protocols GRE, NHRP and IPsec. DMVPN provides the
capability for creating a dynamic-mesh VPN network without having to
pre-configure (statically) all possible tunnel end-point peers, including IPsec
(Internet Protocol Security) and ISAKMP (Internet Security Association and Key
Management Protocol) peers. DMVPN is initially configured to build out a
hub-and-spoke network by statically configuring the hubs (VPN headends) on the
spokes; no change in the configuration on the hub is required to accept new
spokes. Using this initial hub-and-spoke network, tunnels between spokes can be
dynamically built on demand (dynamic-mesh) without additional configuration on
the hubs or spokes. This dynamic-mesh capability alleviates the need for and
load on the hub to route data between the spoke networks.

DMVPN is a combination of the following technologies:

- Multipoint GRE (mGRE)
- Next-Hop Resolution Protocol (NHRP)
- Dynamic Routing Protocol (EIGRP, RIP, OSPF, BGP)
- Dynamic IPsec encryption
- Cisco Express Forwarding (CEF)

Date: Tue, 30 Oct 2012 09:55:06 +0530
From: [email protected]
To: [email protected]
CC: [email protected]
Subject: Re: [OSL | CCIE_Security] Some questions ...

With regards
Kings
CCNA,CCSP,CCNP,CCIP,CCIE 35914 (Security)

On Mon, Oct 29, 2012 at 11:32 PM, Castro, Allan <[email protected]> wrote:

Hello,
 
Below is a list of questions I need some input on for exam purposes. Thanks!

DMVPN
 
· If the question doesn't say anything, should we configure the DMVPN tunnel
interface to have an MTU of 1400?
Always have the following configured under the tunnel interface:

     ip mtu 1400
     bandwidth 1000
     delay 1000
     ip tcp adjust-mss 1360
 
· If the question doesn't say anything about the mode, either transport or
tunnel, do we leave it at the default?
Use transport mode. I see all Cisco docs using it; it is recommended and is
critical when NAT is sitting between hub and spoke.
 

· When specifying the VPN endpoints in the "crypto isakmp key WORD address
x.x.x.x" command, if not specified, it would not matter whether we use the IP
of the serial interface or the loopback as the endpoint address, right?
They will mention which interface should act as the source for the tunnel
interface; based on that, configure the ISAKMP key.
 

· If the hub is being NATed, is it OK and good for exam purposes to use
transport mode?
Yes, you need to use transport mode.

EZVPN
 
· What is the difference between configuring the address pool on the group
policy and on the tunnel group?
Group policy takes preference over tunnel group, if I remember correctly.

 
· I found a note that said: "Keep in mind that an EZVPN client requires DH
group 2 for 3DES and DH group 5 for AES-256." This is actually done on the
EZVPN server and not the client, right?
I guess that will be mentioned in the task; if not mentioned, use this. It has
always worked for me.

Hash - sha or md5
Group - 2
encryption - 3des
 

 
IPS
 
· I just configured rate limiting using the IPS to fa0/0 of a router in the
inbound direction. This works fine. For the pre-block and post-block ACLs,
what are these used for?
The pre-block and post-block ACEs are appended before and after the IPS ACEs.
 

· If we want the IPS to block the NSLOOKUP and NETSTAT commands from running on
a Linux or Windows machine, can these two work?

NSLOOKUP
  STRING UDP engine
  Service Port 53
  Direction TO service
  regex [Nn][Ss][Ll][Oo][Oo][Kk][Uu][Pp]

NETSTAT
  STRING TCP engine
  Service Port 15
  Direction TO service
  regex [Ss][Uu]" "[Nn][Ee][Tt][Ss][Tt][Aa][Tt]

Also, what is the "su" used for? I have seen this many times...
 
· If the question says: configure a custom signature to alert when R5 telnets
to R6 and issues the command "cisco": is it OK to create two different
signatures, one that catches the word "cisco" on the telnet connection and
another that catches the TCP connection on port 23 from R5 to R6, and once
these two are created, merge them together in a signature with the META engine?
 
NBAR

· If the question just says to match root.exe on HTTP, do we configure the
regex string like "root.exe" or "[Rr][Oo][Oo][Tt]\.[Ee][Xx][Ee]"?
Both should work unless they ask to check for case sensitivity.

 
· If I use this class map and whatever is on the ACL named NBAR generates
traffic, either Kazaa, Morpheus or Grokster, it would work, right? Or do I have
to use match-any, as the fasttrack protocol contains three types of traffic?

class-map match-all P2P
 match access-group name NBAR
 match protocol fasttrack
 
GENERAL

· For ACL configuration, if the question doesn't say to be specific, what is
the recommended way: create host-specific ACLs, or do "any any eq #"?
 
BGP

· If the question says: configure BGP between R1 and R4 to make sure they peer,
and the question doesn't say anything about authentication, and R1 is on the
inside and R4 on the outside, I would just need to configure an ACL on the
outside to allow R4 to connect to R1 on TCP 179. The connection from R1 to R4
should be allowed as there are no ACLs on the inside, and the return traffic
should be permitted too.
· Also, what is the IPS signature number that we need to remember in case BGP
traffic with authentication passes through an inline IPS?

Routing updates
 
· Is it safe to use the "clear ip route *" command after we make some kind of
change to a router, like ZBF or CoPP, to make sure routing is not disturbed by
what we configured and that the router learns the routes again?

 
Marking
 
· The question says: modify the IP precedence field for packets arriving from
VLAN46 to an IP precedence of immediate (2). The solution shows an ACL applied
to a route map and the immediate precedence set there, then the route map
applied to the interface. However, the solution I came up with was this one.
Would this one work the same way?

Extended IP access list VLAN46
  10 permit ip 46.46.46.0 0.0.0.255 any (147 matches)

class-map match-all PRECEDENCE
 match access-group name VLAN46

policy-map MARKING
 class PRECEDENCE
  set precedence 2

interface FastEthernet0/0
 ip address 46.46.46.4 255.255.255.0
 duplex auto
 speed auto
 service-policy input MARKING
end
 
· What is the difference between "match dscp 5" and "match ip dscp 5"?

Posture Validation
 
· When enabling posture validation on the ACS, is this correct as a first
step? When generating the self-signed certificate, do we use any info in the
self-signed certificate fields if not specified?

· System Configuration -> Global Authentication Setup -> Check marks:
  · CHAPv2
  · Allow Posture Validation

Is EAP-TLS needed?
 
DHCP snooping.
 
· If we are asked to configure DHCP snooping on a switch and trust a port where
a DHCP server is, can we, as part of the steps, go ahead and configure this
command: "no ip dhcp snooping information option"?

 
Yusof's Lab

· In Yusof's lab 1, question 5.3, to use NAP for MAC-based authentication: the
answer says that if no MAC is used, then assign to the default group. The answer
shows "If a MAC address is not defined or there is no matched mapping:" and then
it shows the default group.
My ACS, which is running 4.1, does not have this option, so what I did is add a
second rule and leave the MAC address field blank. Would this be counted as a
wildcard MAC address if it is different from the other two selected?
 


---------------------------------------------------------------------
Allan Castro CCNP-Security | HP AIS certified
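An added example, not from the thread or from Cisco, showing why the two spellings of the root.exe match discussed above behave differently (an unescaped dot matches any byte, while the bracket form is case-insensitive only), and how the per-character [Xx] form used in the nslookup signature is built from a bare keyword. The HTTP request lines are constructed, and Python's re module is assumed to behave like the IPS regex dialect for these simple constructs.

```python
import re

# Constructed HTTP request lines (not captured traffic) standing in for the
# payload bytes an IPS STRING engine or an NBAR http match would inspect.
SAMPLES = [
    "GET /scripts/root.exe?/c+dir HTTP/1.0",  # the case the signature targets
    "GET /scripts/ROOT.EXE HTTP/1.0",          # same request, upper case
    "GET /scripts/rootXexe HTTP/1.0",          # unescaped '.' matches any byte
    "GET /scripts/rootkit.exe HTTP/1.0",       # must not match
]

# The two spellings from the thread, plus the flag-based equivalent of the
# bracket form. Python's re is assumed to behave like the IPS regex dialect
# for these simple constructs.
LITERAL = re.compile(r"root.exe")
BRACKET = re.compile(r"[Rr][Oo][Oo][Tt]\.[Ee][Xx][Ee]")
ESCAPED_CI = re.compile(r"root\.exe", re.IGNORECASE)


def classify(payload):
    """Report which of the three spellings fires on one payload."""
    return {
        "literal": bool(LITERAL.search(payload)),
        "bracket": bool(BRACKET.search(payload)),
        "escaped_ci": bool(ESCAPED_CI.search(payload)),
    }


def bracket_form(keyword):
    """Build the per-character [Xx] form for an ASCII keyword, escaping any
    regex metacharacter so that '.' in root.exe matches only a literal dot."""
    parts = []
    for ch in keyword:
        if ch.isalpha():
            parts.append("[" + ch.upper() + ch.lower() + "]")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, classify(sample))
    # Reproduces the thread's nslookup regex from the bare keyword.
    print(bracket_form("nslookup"))
```

The third sample is the false positive the literal spelling silently accepts; the second is the miss it produces when the attacker's case differs from the signature's.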
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com