Hi Guys,
Can you clarify the answer #1? Because I've just tested the scenario and found out the following:

WEP works with the "encryption vlan 12 mode ciphers wep40" command. Output of the "show dot11 ass all" actually shows that WEP is currently used.

As per the Cisco command reference guide, "encryption mode wep" is a kind of old or legacy command which can be used for clients which do not support key management, and Cisco recommends using "encryption mode ciphers" instead. Hence we should not use these two commands together and, as per my understanding, we can use both in that case. Am I right?

P.S. Shared authentication depends on the SSID's configuration (authentication shared) and not on the radio interface configuration, I think.

From: [email protected] [mailto:[email protected]] On Behalf Of Jason Boyers
Sent: Tuesday, March 29, 2011 1:30 AM
To: Raul Manzano
Cc: [email protected]
Subject: Re: [CCIE Wireless] Questions about the lab 3 for DSG Workbook 1.

Raul

My responses are inline below. Very good observations.

With the updates made, the latest version number for the CCIEW Workbook Vol 1 DSG will be v2947 (as seen in the footer of the doc.) Give it a bit of time for that to be posted, as the doc needs to be properly reformatted, converted to PDF, etc. by the support team.

Jason Boyers - CCIE #26024 (Wireless)
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]

On Mon, Mar 28, 2011 at 8:37 AM, Raul Manzano <[email protected]> wrote:

Hi guys.

Doing the tasks for lab 3, I have some doubts about the solution given.

Point 3.2: For the configuration of SSID Test2 on AAP2: "The least version of WEP encryption, using a key of...."; if you are talking about the "wep encryption", why not also use the command "encryption vlan Test2 mode wep mandatory"? Because if not, you only pass a passphrase to "authenticate", but your traffic without this command is not ciphered with WEP.

*** Yes, it does require the "mode wep mandatory" command. I have updated the DSG to reflect that.

*** Also, in looking at that, I noticed that SSID Test3 was also partially incorrect in the DSG. It should have the "optional" keyword after "authentication open" and before "eap eap_methods." Without that keyword, the AP will attempt to use AAA instead of simply using the WEP key.

Point 3.2: For the configuration of SSID Test6 on AAP1: "Use the highest encryption level allowed for CCKM for the version of software on the AP". In the SSID configuration, why not "authentication key-management wpa cckm"? If you are using the "highest" (AES in this case) and CCKM, I think this is correct, unless the meaning of this command is to allow both WPA and CCKM key-management, allowing non-CCKM clients to connect. Is this OK?

*** There is no requirement for WPA listed. WPA and CCKM are different key-management methods, with CCKM adding the creation of a Base Transient Key (BTK) to WPA (simplified version.) For the encryption piece, CCKM on 12.3(8)JE(X) as listed in the equipment list does support AES as a cipher. Normally, CCKM is listed with TKIP, because older versions of the 7921G required CCKM with TKIP for fast, secure roaming.

Point 3.6: "On AAP2, only permit the laptop to connect". If you use "l2-filter bridge-group-acl" in int d0 and apply the command "bridge-group xx input-address-list 700" in all the sub-interfaces, you should apply the same commands to the 5GHz radio, because it is only applied to the sub-interfaces but not in the "d1" interface (I assume this is a mistake).

*** Yes, that was previously corrected. Please check with our support team if the latest version available under your account does not have that correction.

Thanks.
Best Regards.

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com <http://www.ipexpert.com/>
