From: Petr Lapukhov (petr@internetworkexpert.com)
Date: Mon Jan 22 2007 - 03:12:02 ART
Hi Vic,
Like I used to say many times, with every lab task you should ask yourself
a simple question: "how could this be verified?". Once you know the answer,
you know the solution.

Remember that many parts of the lab are graded with automated scripts,
hence there exists a pretty simple way to test most of your work. Quite often
this is done by using the "show" command output & simple regexp matching;
sometimes with a bit more complex test commands like "ping" and "traceroute".

With respect to this, think of overconfiguring twice - I mean if it isn't
required, why bother? Most of the time overconfiguring probably won't hurt.
But then again, think of what could happen if you authenticate a BGP session
running across NAT. In the old Security Lab you should have considered whether
to configure BGP auth very carefully ;)

With your task, it's unclear what the original goal is. If you just need to
have the clocks synced - run "show ntp assoc" or "show ntp assoc detail". If it
shows everything like it "should be" - you're fine - with md5 authentication or
without :) However, if authentication is configured incorrectly at some point
and it breaks the sync - you lose the points!

Also, have you configured "ntp authenticate" and "ntp trusted-key" with a
special purpose on the "ntp server" router (R1)? :)

Finally, try to stick with a few simple rules: "how could I verify this?",
"keep it simple", "manage your time" and "these 20 points of margin are
your friends" ;)

PS
Truly enough, there are some tasks in the lab that could only be verified by
executing "show run | inc ". That's too bad; however, we are not the ones
who set the rules of the game. Therefore, try to shift these tasks to your
"20 points defense zone" and don't waste too much time on them in case
you're stuck.
--
Petr Lapukhov, CCIE #16379 (R&S/Security)
petr@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
2007/1/22, Victor Cappuccio <vcappuccio@desca.com>:
>
> Hi Sergey, many thanks for the information, Just one question, since
> over configuration is not penalized
>
> What about over configuring something like this
>
> @ R1:
>
> R1#clock set 00:00:00 1 Jan 2000
> R1#conf t
> Enter configuration commands, one per line. End with CNTL/Z.
> R1(config)#ntp master 1
> R1(config)#ntp authentication-key 1 md5 CISCO
>
> ********** over configuration added ***************
> R1(config)#ntp authenticate
> R1(config)#ntp authentication-key 1 md5 CISCO
> R1(config)#ntp trusted-key 1
>
>
> @ R2:
>
> R2#clock set 00:00:00 1 Jan 2000
> R2#conf t
> Enter configuration commands, one per line. End with CNTL/Z.
> R2(config)#ntp authenticate
> R2(config)#ntp authentication-key 1 md5 CISCO
> R2(config)#ntp trusted-key 1
> R2(config)#ntp server 12.0.0.1 key 1
>
>
> Many thanks for your replies
> Victor.-
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Sergey Golovanov
> Sent: Saturday, January 20, 2007 3:01 AM
> To: secondie; Jeffrey Fry
> Subject: Re: security portion of the ccie lab
>
> I would disagree with that statement!! I always tell my students, if you
> configure something extra, and that configuration wasn't explicitly
> prohibited... then you won't lose any points!!!
>
> Example. You are asked to setup BGP between two peers. You setup BGP
> peers with MD5 password. They didn't ask you to configure secure BGP
> sessions. And they didn't tell you not to configure them. You will not
> lose your points.
>
> As long as you achieve the task "correctly", you are ok.
>
> Anyone else have thoughts on this?
>
> --------------------------------------------------------------------
> Sergey Golovanov, CCIEx5 (R&S/Security/Voice/Service Provider/Storage)
> "Please, don't ask me for my ccie #, there are reasons why I can't
> release it"
> ieMentor Instructor and Content Developer
> sergey.golovanov@iementor.com
> http://www.iementor.com
>
> -------Original Message-------
> > From: secondie <secondie@gmail.com>
> > Subject: Re: security portion of the ccie lab
> > Sent: Jan 19 '07 23:14
> >
> > Good for troubleshooting but you can lose points if you leave the deny
> > there. Unless requirements say log the denied traffic, I would not do it.
> >
> > -Manjeet
> >
> > Jeffrey Fry wrote:
> > > One piece of advice is that the last line in your ACL should be:
> > >
> > > Access-list x Deny any any log
> > >
> > > The Log command will allow you to see what is hitting the DENY
> > > statement. This way you can make sure that what you want is being
> > > denied, and if something is getting through, you will see it.
> > >
> > > Just my .02 cents.
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > Robert Watson
> > > Sent: Friday, January 19, 2007 4:11 PM
> > > To: 'Michael Zuo'; ccielab@groupstudy.com
> > > Subject: RE: security portion of the ccie lab
> > >
> > > Sometimes it's not a ripple out effect but a reverse ripple, heh is that a
> > > new term. Where enabling an acl but forgetting to add in that permit
> > > because of a previous requirement, or enabling aaa but forgetting to add the
> > > login default or login line portion so that console and telnet access
> > > doesn't change. Or port security but forgetting the hsrp mac address.
> > > Security and qos to me is one of the holistic approach if I configure this
> > > what happens to all the other requirements.
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > Michael Zuo
> > > Sent: Friday, January 19, 2007 12:41 PM
> > > To: ccielab@groupstudy.com
> > > Subject: security portion of the ccie lab
> > >
> > > Hi Group,
> > >
> > > I need some advice on how to approach the security portion of the lab
> > > (tricks, lessons and words of wisdom are also appreciated). I think I
> > > have a fairly good understanding of various security features and how
> > > they work and ACLs are never a problem when I do practice exams from
> > > different vendors. But my exam score is 33% even though I did not
> > > encounter any difficulties in that section (I didn't even have to look
> > > at the Docs). Also, security section of the exam is not like the core
> > > topics where one mistake can ripple throughout the setup, so my problem
> > > most likely is not something I missed in one section and affected
> > > everything else. I am scratching my head trying to figure out what the
> > > problem could be? Because I know covering the same topics in my studies
> > > will not give me more points if I don't approach it differently.
> > >
> > > Any thoughts?
> > >
> > > Thanks a lot
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
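To make Petr's "how could this be verified?" concrete for Victor's R1/R2 setup, here is an added Python example (not written by anyone in the thread) that checks a client's NTP statements for the key-ID consistency whose absence breaks the sync, and pulls the system peer out of "show ntp associations" output by regexp, the way an automated grader would. The configs and IOS output are constructed samples modeled on the thread's R2 and on the IOS column layout; the checker handles single key IDs only.

```python
import re

# Constructed NTP client config modeled on R2 in the thread: the first is
# consistent, the second deliberately trusts key 2 while the server line uses key 1.
R2_CONFIG_OK = """\
ntp authenticate
ntp authentication-key 1 md5 CISCO
ntp trusted-key 1
ntp server 12.0.0.1 key 1
"""
R2_CONFIG_BAD = R2_CONFIG_OK.replace("ntp trusted-key 1", "ntp trusted-key 2")

# Constructed "show ntp associations" output modeled on the IOS layout; a
# leading "*" marks the system peer (clock synced), "~" a configured server.
SHOW_ASSOC_SYNCED = """\
      address         ref clock       st   when   poll reach  delay  offset    disp
*~12.0.0.1         127.127.7.1        1     11     64   377     2.0    0.05     0.4
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""
SHOW_ASSOC_UNSYNCED = """\
      address         ref clock       st   when   poll reach  delay  offset    disp
 ~12.0.0.1         0.0.0.0           16      -     64     0     0.0    0.00 16000.
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""


def ntp_auth_config_errors(config):
    """Return problems in a client's NTP authentication config.

    Every 'ntp server X key N' needs a matching 'ntp authentication-key N' and,
    once 'ntp authenticate' is on, 'ntp trusted-key N' (single IDs only; the
    newer 'ntp trusted-key A - B' range form is not handled here).
    """
    defined = set(re.findall(r"^ntp authentication-key (\d+) ", config, re.M))
    trusted = set(re.findall(r"^ntp trusted-key (\d+)", config, re.M))
    authenticate = re.search(r"^ntp authenticate$", config, re.M) is not None
    errors = []
    for server, key in re.findall(r"^ntp server (\S+) key (\d+)", config, re.M):
        if key not in defined:
            errors.append(f"{server}: key {key} has no 'ntp authentication-key'")
        if authenticate and key not in trusted:
            errors.append(f"{server}: key {key} is not an 'ntp trusted-key'")
    return errors


def synced_peers(show_assoc):
    """Return the addresses flagged '*' (sys.peer) in 'show ntp associations'."""
    return re.findall(r"^\*~?(\S+)", show_assoc, re.M)
```

Running ntp_auth_config_errors(R2_CONFIG_BAD) reports the untrusted key 1, while synced_peers(SHOW_ASSOC_SYNCED) returns ['12.0.0.1'] and the unsynced sample returns nothing.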
This archive was generated by hypermail 2.1.4 : Thu Feb 08 2007 - 23:46:57 ART