DMVPN: Dynamic Multipoint Virtual Private Network (DMVPN)[1] is a dynamic tunneling form of virtual private network (VPN) supported on Cisco IOS-based routers and built on the standard protocols GRE, NHRP and IPsec. DMVPN provides the capability to create a dynamic-mesh VPN network without having to statically pre-configure every possible tunnel endpoint peer, including the IPsec (Internet Protocol Security) and ISAKMP (Internet Security Association and Key Management Protocol) peers. DMVPN is initially configured to build out a hub-and-spoke network by statically configuring the hubs (VPN headends) on the spokes; no change in the hub's configuration is required to accept new spokes. Using this initial hub-and-spoke network, tunnels between spokes can then be built dynamically on demand (dynamic mesh) without additional configuration on the hubs or spokes: a spoke uses NHRP to resolve the other spoke's public address through the hub, and IPsec then negotiates a security association directly between the two spokes. This dynamic-mesh capability removes the need for the hub to route data between the spoke networks, and the load that this would place on it.
DMVPN is a combination of the following technologies:
- Multipoint GRE (mGRE)
- Next-Hop Resolution Protocol (NHRP)
- Dynamic routing protocol (EIGRP, RIP, OSPF, BGP)
- Dynamic IPsec encryption
- Cisco Express Forwarding (CEF)

Date: Tue, 30 Oct 2012 09:55:06 +0530
From: [email protected]
To: [email protected]
CC: [email protected]
Subject: Re: [OSL | CCIE_Security] Some questions ...

With regards
Kings
CCNA, CCSP, CCNP, CCIP, CCIE 35914 (Security)

On Mon, Oct 29, 2012 at 11:32 PM, Castro, Allan <[email protected]> wrote:

> Hello,
>
> Below is a list of questions I need some input on for exam purposes. Thanks!
>
> DMVPN
>
> · If the question doesn't say anything, should we configure the DMVPN tunnel interface to have an MTU of 1400?

Always have the following configured under the tunnel interface:

  ip mtu 1400
  bandwidth 1000
  delay 1000
  ip tcp adjust-mss 1360

> · If the question doesn't say anything about the mode, either transport or tunnel, do we leave it at the default?

Use transport mode. I see all Cisco docs using it, which is recommended and is critical when NAT is sitting between hub and spoke.

> · When specifying the VPN endpoints with the "crypto isakmp key WORD address x.x.x.x" command, if not specified it would not matter if we use the IP of the serial interface or the loopback as the endpoint address, right?

They will mention which interface should act as the source for the tunnel interface; based on that, configure the ISAKMP key.

> · If the HUB is being NATed, is it OK and good for exam purposes to use transport mode?

Yes, you need to use transport mode.

> EZVPN
>
> · What is the difference between configuring the address pool on the group policy or on the tunnel group?

Group policy takes preference over tunnel group, if I remember correctly.

> · I found a note that said: "Keep in mind that an EZVPN client requires DH group 2 for 3DES and DH group 5 for AES-256." --> This is actually done on the EZVPN server and not the client, right?

I guess that will be mentioned in the task; else use this, if not mentioned. It has always worked for me:

  Hash - sha or md5
  Group - 2
  Encryption - 3des

> IPS
>
> · Just configured rate limiting using the IPS to fa0/0 of a router in the inbound direction. This works fine. For the Pre-Block and Post-Block ACLs, what is the use of these?

The pre-block and post-block ACEs are appended before and after the IPS ACEs.

> · If we want the IPS to block the NSLOOKUP and NETSTAT commands from running on a Linux or Windows machine, can these two work?
>
>   NSLOOKUP
>   STRING UDP engine
>   Service Port 53
>   Direction TO service
>   regex [Nn][Ss][Ll][Oo][Oo][Kk][Uu][Pp]
>
>   NETSTAT
>   STRING TCP engine
>   Service Port 15
>   Direction TO service
>   regex [Ss][Uu]" "[Nn][Ee][Tt][Ss][Tt][Aa][Tt]
>
> Also, what is the "su" used for? I have seen this many times...
>
> · If the question says: configure a custom signature to alert when R5 telnets to R6 and issues the command "cisco": is it OK to create 2 different signatures, one that catches the word "cisco" on the Telnet connection and another that catches the TCP connection on port 23 from R5 to R6, and once these 2 are created, merge them together in a signature with the META engine?
>
> NBAR
>
> · If the question just says to match root.exe on HTTP, do we configure the regex string like "root.exe" or "[Rr][Oo][Oo][Tt]\.[Ee][Xx][Ee]"?

Both should work unless they ask to check for case sensitivity.

> · If I use this class map, and whatever is on the ACL named NBAR generates traffic for either Kazaa, Morpheus or Grokster, it would work, right? Or do I have to use match-any, as the fasttrack protocol contains 3 types of traffic?
>
>   class-map match-all P2P
>    match access-group name NBAR
>    match protocol fasttrack
>
> GENERAL
>
> · For ACL configuration, if the question doesn't say to be specific, what is the recommended way? Create host-specific ACLs, or do the "any any eq #"?
>
> BGP
>
> · If the question says: Configure BGP between R1 and R4 to make sure they peer. The question doesn't say anything about authentication, and R1 is on the inside and R4 on the outside. I would just need to configure an ACL on the outside to allow R4 to connect to R1 on TCP 179. The connection from R1 to R4 should be allowed, as there are no ACLs on the inside, and the return traffic should be permitted too.
>
> · Also, what is the IPS signature # that we need to remember in case BGP traffic with authentication passes through an inline IPS?
>
> Routing updates
>
> · Is it safe to use the "clear ip route *" command after we make some kind of change to a router, like ZBF or CoPP, to make sure routing is not disturbed by what we configured and that the router learns the routes again?
>
> Marking
>
> · The question says: modify the IP precedence field for packets arriving from VLAN46 to an IP precedence of immediate (2). The solution shows an ACL applied to a route map and the immediate precedence set there, then the route map applied to the interface. However, the solution I came up with was this one. Would this one work the same way?
>
>   Extended IP access list VLAN46
>       10 permit ip 46.46.46.0 0.0.0.255 any (147 matches)
>
>   class-map match-all PRECEDENCE
>    match access-group name VLAN46
>   policy-map MARKING
>    class PRECEDENCE
>     set precedence 2
>   interface FastEthernet0/0
>    ip address 46.46.46.4 255.255.255.0
>    duplex auto
>    speed auto
>    service-policy input MARKING
>   end
>
> · What is the difference between "match dscp 5" and "match ip dscp 5"?
>
> Posture Validation
>
> · When enabling posture validation on the ACS, is this correct as the first steps? When generating the self-signed certificate, do we use any info in the self-signed certificate fields if not specified?
>   · System Configuration -> Global Authentication Setup -> check marks:
>   · CHAPv2
>   · Allow Posture Validation
>   Is EAP-TLS needed?
>
> DHCP snooping
>
> · If we are asked to configure DHCP snooping on a switch and trust a port where a DHCP server is, can we, as part of the steps, go ahead and configure this command?
>   "no ip dhcp snooping information option"
>
> Yusof's Lab
>
> · On Yusof's lab 1, question 5.3, to use NAP for MAC-based authentication: the answer says that if no MAC is used, then assign to the default group. The answer shows "If a MAC address is not defined or there is no matched mapping:" and then it shows the default group. My ACS, which is running 4.1, does not have this option, so what I did is that I added a second rule and left the MAC address field blank. Would this be counted as a wildcard MAC address if it is different from the other 2 selected?
>
> ---------------------------------------------------------------------
> Allan Castro
> CCNP-Security | HP AIS certified
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
