May 07

Thank you to all those who have submitted questions and comments to our blog and our CCIE Instructors. If you have a question, please email them to blog@ine.com.

Question 1:

Can anyone explain what VPN intercept is?


Bhavik Joshi

VPN Intercept can mean a few different things, depending on the specific context.

One interpretation is from a driver perspective, where a VPN connection breaks the binding between TCP/IP and the physical interface, acting as a shim. See also:

http://www.informit.com/articles/article.aspx?p=25042

Another meaning can be in regards to intercepting SSL traffic. See also:
http://www.howtoforge.com/ssl_vpn_one_time_passcodes_mutual_authentication
PPTP attacks:
http://www.sans.org/security-resources/malwarefaq/pptp-vpn.php
Cisco – VPN-based IPv4 Lawful Intercept Taps:
https://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/lawful_intercept/76LIch2.html#wp1058552

Answered by: Marvin Greenlee, CCIE #12237

Question 2:

Dear Valuable Technical Teachers and Friends,

First of all, I wish and thank you for your great support to those who are all preparing Network studies. I’ve completed my CCNA two years back. Now I am preparing for the next step. At this point, I have a bit of confusion deciding whether I can do CCNP or CCIE (R&S). I would like to reach a top level in Cisco Networking technology. So I am requesting your suggestions on which is best for me.

Also, can you suggest any good simulators to improve my practical skills?


Thanks,
K.Saleem Jaffer

Thanks for the question. Having the CCIE certification makes for an excellent stepping stone in a technical career. An important aspect to successfully passing the CCIE lab exam is a very solid understanding of all the technologies involved. A great way to prepare for this is through the CCNP level of studies. If a person chooses that path, they would do well to take time to learn the technologies while studying CCNP, and not have the feeling of just learning enough to pass a CCNP written exam. By truly learning the core technologies in CCNP, it will serve as a springboard into the CCIE studies. Many candidates waste large amounts of time in complex configurations because they are lacking the basic understanding of the protocols and technologies that make up the scenario. I would recommend a 1-2 yr plan that begins with CCNP, carries into CCIE studies, and ends with you attaining your CCIE. Best wishes in your studies and journey.

Keith

Answered by: Keith Barker, CCIE #6783

Question 3:

Hi.

Would you mind please explaining the benefit of the command “area x nssa default-information-originate”? I know how we use it, but I don’t know its benefit. And do we use this command on ALL of the routers or just the ABR? When we don’t use this, what will happen?

Thanks a lot,
timaz mohsenzadeh

The benefit of having a default route is that you have somewhere to send traffic when you don’t have more specific information.

One point of using stub areas in OSPF is to minimize the information in the OSPF database.

With a stub area, you will have some OSPF routes, but not external routes (E1/E2) in the stub area. So, if somewhere else across the topology there is redistribution happening, the device in the stub area won’t know about the redistributed networks. Having a default route out to the ABR can be all that a stub area needs, if the ABR has the routing information to send the traffic forward to the destination.

The R&S Advanced Technologies Class section on OSPF area types shows the difference of not having this command, as well as looking at the contents of the OSPF database.

Marvin

Answered by: Marvin Greenlee, CCIE #12237
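The behaviour described above, as an added IOS configuration example that is not from the original post: a constructed three-router topology where R1 redistributes an external prefix into area 0, R2 is the ABR into NSSA area 1, and R3 is an internal NSSA router. Router IDs, subnets and interface names are assumptions.

```cisco
! Constructed three-router topology for this example (not from the post):
!   R1: area 0 router that redistributes 172.16.0.0/24 (Type 5 / E2)
!   R2: ABR between area 0 (10.0.12.0/24) and NSSA area 1 (10.0.23.0/24)
!   R3: internal router in NSSA area 1
! Router IDs, subnets and interface names are assumptions.

! ----- R1: external route enters OSPF as a Type 5 LSA -----
interface Loopback0
 ip address 172.16.0.1 255.255.255.0
router ospf 1
 router-id 1.1.1.1
 network 10.0.12.0 0.0.0.255 area 0
 redistribute connected subnets

! ----- R2: the ABR. Type 5 LSAs from area 0 are not flooded into the
! NSSA, so R3 never learns 172.16.0.0/24 as an E2 route. The keyword
! default-information-originate makes the ABR originate a Type 7 default
! LSA into area 1 (an ABR needs no default route in its own RIB for this;
! a non-ABR NSSA ASBR does). Only the ABR needs the keyword; every router
! in area 1 must still agree that the area is an NSSA.
router ospf 1
 router-id 2.2.2.2
 network 10.0.12.0 0.0.0.255 area 0
 network 10.0.23.0 0.0.0.255 area 1
 area 1 nssa default-information-originate

! ----- R3: internal NSSA router, plain "area 1 nssa" -----
router ospf 1
 router-id 3.3.3.3
 network 10.0.23.0 0.0.0.255 area 1
 area 1 nssa

! What to check on R3 (commands to run, not captured output):
!   show ip route ospf                   - an O*N2 0.0.0.0/0 via R2, no O E2 entries
!   show ip ospf database nssa-external  - the Type 7 default LSA advertised by 2.2.2.2
! Without the keyword on R2, R3 has neither the E2 route nor a default,
! and traffic for 172.16.0.0/24 is dropped at R3.
```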

Question 4:

Hi everybody,
I have a question regarding ISDN Backup. I have two Cisco routers: an 800 (IOS 12.4(15)T5) and a 1600 (IOS 12.1(4)). The 800 router is the primary link with SHDSL and the backup router is the 1600 with ISDN. I have OSPF running between these two routers and HSRP. Now when the primary link (SHDSL) fails, the Backup router (1600) should take over. How can I solve this problem? Or what is a suitable solution? I have searched various forums and Cisco, but I can’t find any sample according to my example. I am going to be a CCNA. But I guess there is much left to learn.

Thanks for your help.

Regards, Alen

Firstly, you don’t need OSPF unless you have IGP requirements for other routers behind the border routers (the 800 and the 1600). You only need HSRP running between the routers and a reliable static route on the primary gateway (SHDSL). Next, configure HSRP to track the static route object in the primary router, and lower the priority when the static route fails. Your Cisco 800 should support this functionality, and the 1600 only needs to know if the active router changes. So here are the steps:

1) Create an IP SLA object in the 800 router, pinging your provider’s IP (“ip sla” command)
2) Create an object tracking the state of the IP SLA ping object (“track” command)
3) Create a static default route in the 800 pointing to your ISP and tracking the object above
4) Configure static default route in the 1600
5) Configure HSRP so that 800 is the primary gateway
6) Configure the HSRP to track the object you created before (“standby XX track” command)
7) Ensure HSRP is configured to preempt so primary router may kick back in when the link recovers

This will ensure automatic switchover upon the loss of the primary connection and automatic return back to normal. You may want to read

http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html

for more information on reliable static routes.

Answered by: Petr Lapukhov, CCIE #16379
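Steps 1-7 above laid out as IOS configuration, as an added example that is not part of the original answer. LAN addressing, WAN addressing, interface names and the HSRP group number are assumptions, and the ISDN dialer (DDR) configuration on the 1600 is assumed to already exist.

```cisco
! Constructed addressing for this example (not from the original answer):
!   LAN 192.168.1.0/24 with HSRP virtual gateway 192.168.1.1
!   800:  Vlan1 = 192.168.1.2, SHDSL WAN Atm0 = 203.0.113.2, ISP next hop 203.0.113.1
!   1600: Ethernet0 = 192.168.1.3, BRI0 = ISDN to the backup peer
! Interface names, IPs and the HSRP group are assumptions; the ISDN dialer
! (DDR) configuration on the 1600 is assumed to exist and is not shown.

! ===== Cisco 800, IOS 12.4(15)T: primary gateway =====
! Step 1: ICMP probe to the provider next hop every 5 s, sourced from the WAN
ip sla 1
 icmp-echo 203.0.113.1 source-interface Atm0
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now
! Step 2: track object that follows the probe; the delays dampen flapping.
! (12.4(15)T syntax; 12.4(20)T and later use "track 1 ip sla 1 reachability")
track 1 rtr 1 reachability
 delay down 10 up 30
! Step 3: reliable static default, withdrawn from the RIB while track 1 is down
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
! Steps 5-7: priority 110 wins normally; on track failure it drops to 90,
! below the 1600's 100, so the 1600 preempts. When the probe recovers the
! 800 returns to 110 and preempts back after the minimum delay.
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
 standby 1 ip 192.168.1.1
 standby 1 priority 110
 standby 1 preempt delay minimum 30
 standby 1 track 1 decrement 20

! ===== Cisco 1600, IOS 12.1(4): ISDN backup =====
! Step 4: static default via the ISDN interface (DDR dials on interesting traffic)
ip route 0.0.0.0 0.0.0.0 BRI0
! Steps 5 and 7 (standby side): default priority 100 and preempt, so it takes
! over as soon as the 800's priority falls below it.
interface Ethernet0
 ip address 192.168.1.3 255.255.255.0
 standby 1 ip 192.168.1.1
 standby 1 priority 100
 standby 1 preempt

! Check on the 800 while the SHDSL link is down: "show track 1" should report
! the object Down and "show standby brief" should show priority 90, state Standby.
```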



One Response to “Ask INE #3”

  1. avinash says:

    Hi, I was doing the voice lab on the rack… I had downloaded the VoIP integration software (free one)… I was able to access the phones, but when I made calls from HQ to BR1 or BR2 I did not hear the voice/ringtone, though they were showing the calls were dialing.

    Also, I am not sure if we have to get the paid version to get all the features, including voice or ring tone.

    One more question: I wanted to know if we can run multiple instances of the software, e.g. one for HQ and one for BR1/BR2, on the same PC and make test calls.

    Please let me know if anybody has an idea. Thanks,

    avinash
