RE: CCIE Practical Studies:Security Case Study

From: Roberts, Larry (Larry.Roberts@expanets.com)
Date: Sat Sep 06 2003 - 19:06:28 GMT-3

• Next message: Shafi, Shahid: "RE: CCIE Practical Studies:Security Case Study"
• Previous message: MMoniz: "RE: CCIE Practical Studies:Security Case Study"
• Maybe in reply to: Roberts, Larry: "CCIE Practical Studies:Security Case Study"
• Next in thread: Shafi, Shahid: "RE: CCIE Practical Studies:Security Case Study"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

I'm more miffed about how the author states that he is doing "X" when he is
in fact doing "Y". In the 20-1 scenario, I would have just added the
networks to OSPF and removed all the GRE tunnel info. I mean, why add that
extra overhead? The configuration is simpler, you can still do the IPSec
encapsulation , however now you only apply your map to the Serial Interface.

I'm reading the Lab 20-2 now, and getting even more miffed....

I have 4 pages of errors that I have sent to Cisco Press and even a
notification of plagiarism. I have yet to get an answer.
I'm really afraid to trust ANYTHING that is in this book. Its become more of
an outline on what to study.

I think I gave up when the author implied that the OSPF process ID's needed
to match on all routers in an AS...
(The note on Pg 280 for those playing at home ..)

Thanks

Larry

-----Original Message-----
From: MMoniz [mailto:ccie2002@tampabay.rr.com]
Sent: Saturday, September 06, 2003 4:56 PM
To: Roberts, Larry; ccielab@groupstudy.com
Subject: RE: CCIE Practical Studies:Security Case Study

Well I have tried something similar. Never was the routing traffic itself
encrypted, in fact never matched on the acl for the crypto map.

I don't think it is possible to actually encrypt the routing traffic with
IPSEC. Even when it was uni-cast traffic defined by neighbor statements.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Roberts, Larry
Sent: Saturday, September 06, 2003 5:42 PM
To: Ccielab Mailing List (ccielab@groupstudy.com)
Subject: CCIE Practical Studies:Security Case Study

OK,
Just curious if anyone else has looked at Case Study 20-1? They claim that
the configuration is Dynamic routing information over an IPSec VPN.

I have reviewed it a BUNCH and I don't think that this is what they are
doing at all. If you review, you will see that the private networks

12.12.12.12/32
13.13.13.13/32
14.14.14.14/32

Are all learned over the GRE Tunnels.

Your CryptoACL's are only encrypting data to/from those networks, so your
EIGRP data is just in GRE over the tunnel, while your Data between this
network is IPSec protected over the GRE tunnels. ( is it worth mentioning
that the mask of the ACL's don't match the mask of the Interface?)

What is worse is that your Multicast/broadcast traffic between these
networks still isn't going to cross the link.

Perhaps it would be better labeled as "concurrent GRE/IPSec tunnels with
IPSec protection of Data Flows" which is what they are really doing...

Thanks

Larry

• Next message: Shafi, Shahid: "RE: CCIE Practical Studies:Security Case Study"
• Previous message: MMoniz: "RE: CCIE Practical Studies:Security Case Study"
• Maybe in reply to: Roberts, Larry: "CCIE Practical Studies:Security Case Study"
• Next in thread: Shafi, Shahid: "RE: CCIE Practical Studies:Security Case Study"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Wed Oct 01 2003 - 07:24:24 GMT-3