From: Joseph Brunner (joe@affirmedsystems.com)
Date: Wed Sep 19 2007 - 02:36:21 ART
Actually you just need to know how to configure dmvpn...
It's as simple as forcing fragmentation before encryption, so the decryption
is done in the cef path.
The "problem" with mpls is you need provisioning time and in a dynamic
business that frequently uses executive office suites (like Regus executive
suites, etc.) you can get a leased line installed, or you can't get one fast
enough.
Also I know many carriers sell a "vpn" back into a mpls network, sort of
where the "matrix" meets a "hardline". Such carriers as MCI and Virtela sell
this service. However it still does not offer a fully-meshed solution for
networks/offices completely off the mpls network, seeking any-to-any
connectivity, and MCI for one I know charges quite a premium for this
service.
I noticed you specifically mentioned ICMP/UDP traffic, as we both know the
"ip tcp adjust-mss" feature will handle tcp. Well I don't see this type of
traffic as being necessary in any production network I have ever worked on,
and I'll be more than happy to fast switch it to null with some policy
routing on the F0/0/G0/0 at each site.
Were you just suggesting MPLS better handles a dos-attack/test scenario
where this type of traffic abounds?
Thanks,
Joe
-----Original Message-----
From: WorkerBee [mailto:ciscobee@gmail.com]
Sent: Wednesday, September 19, 2007 1:12 AM
To: Joseph Brunner
Cc: darth router; Nick Payton; ccielab@groupstudy.com
Subject: Re: Passed Security IE
DMVPN is not that great either. Additional GRE + ESP headers are going
to reduce the MTU size to less than 1500 bytes. PMTUD only works
on TCP applications and provided your firewall allows ICMP packets.
If I send a stream of ICMP/UDP packets into a DMVPN network with MTU
1500 bytes, your routers are going to process switch/frag/de-frag like
mad... check it out using "show ip traffic". Cisco router is really
disappointing in CPU performance... I am still wondering why... Hence
MPLS any-to-any is a better solution as compared to DMVPN any-to-any
topology.
Have you ever done a "show tech-support" and seen the CPU jump to 99%?
That's crazy...
On 9/19/07, Joseph Brunner <joe@affirmedsystems.com> wrote:
> My old company gave me the unique pleasure of configuring and MANAGING 50 FULLY
> meshed VPN Tunnels with the vpn concentrator!
>
> (this to support a voip solution).. Do you have any idea how long this took?
> (1,225 tunnels!!!!)
>
>
>
> God the day dmvpn and the 2811 came out, I partied heavily!
>
>
>
> LOL
>
>
>
> _____
>
> From: darth router [mailto:darklordrouter@gmail.com]
> Sent: Tuesday, September 18, 2007 11:43 PM
> To: Joseph Brunner
> Cc: Nick Payton; ccielab@groupstudy.com
> Subject: Re: Passed Security IE
>
>
>
> Joe,
>
> quit player hating on the VPN box. You know you love it :P
>
> Grats on the pass Nick!
>
> DR
>
> On 9/18/07, Joseph Brunner <joe@affirmedsystems.com> wrote:
>
> Very nice Nick. Congratulations!
>
> Last time you'll have to mess with that lame vpn concentrator, huh?
> Web vpn is a joke on Cisco products? Huh?
>
> LOL
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Nick Payton
> Sent: Tuesday, September 18, 2007 10:35 PM
> To: ccielab@groupstudy.com
> Subject: Passed Security IE
>
> I passed the Security IE yesterday on my second attempt. I wanted to
> recognize the following for helping me pass:
>
>
>
> CCBootcamp - GREAT rack rentals, and I can't say enough about their support
> (Brad and Scott thank you!!). I also used their technology workbook and it
> proved to be very helpful.
>
>
>
> Ramy Sisy w/ CCBootcamp - awesome instructor who can basically recite
> configs from memory and more importantly can explain what each command does.
>
> Thanks Ramy!!
>
>
>
> InternetworkExperts - this is the second CCIE I have passed using their
> materials and I found their Security workbook to be top notch! Excellent as
> always, Brians, and keep up the good work.
>
>
>
> It was a lot of work, and I am glad to be done with the grind... for now at
> least. =)
>
>
> Good luck to all of you still in the process. Stay focused and positive and
> you will get your number!
>
>
>
> Regards,
>
> Nick Payton
>
> CCIE #13356 (R&S / Security)
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:13 ART
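
The MTU arithmetic behind the DMVPN discussion in this thread, as an added example that is not part of any poster's message: it computes the on-wire size of a packet after GRE and ESP encapsulation and shows whether reassembly falls on the peer router or on the end host. The header sizes (mGRE with tunnel key, ESP tunnel mode, AES-CBC, HMAC-SHA1-96), the 1500-byte link MTU, the 1476 sample tunnel MTU and all function names are assumptions, and the DF bit is ignored.

```python
# Added example: byte accounting for GRE over IPsec (DMVPN-style) encapsulation.
# Assumed parameters, none taken from the thread: mGRE with a 4-byte tunnel key,
# ESP tunnel mode, AES-CBC (16-byte IV and block), HMAC-SHA1-96 (12-byte ICV).
IP_HDR = 20
GRE_HDR = 4 + 4      # base GRE header + tunnel key
ESP_HDR = 8          # SPI + sequence number
ESP_IV = 16
ESP_BLOCK = 16
ESP_TRAILER = 2      # pad-length + next-header bytes
ESP_ICV = 12
LINK_MTU = 1500


def encapsulated_size(passenger_len):
    """Wire size of one passenger IP packet after GRE, then ESP tunnel mode."""
    gre_packet = IP_HDR + GRE_HDR + passenger_len
    encrypted = -(-(gre_packet + ESP_TRAILER) // ESP_BLOCK) * ESP_BLOCK
    return IP_HDR + ESP_HDR + ESP_IV + encrypted + ESP_ICV


def max_tunnel_mtu(link_mtu=LINK_MTU):
    """Largest passenger packet whose encrypted form still fits the link MTU."""
    mtu = link_mtu
    while encapsulated_size(mtu) > link_mtu:
        mtu -= 1
    return mtu


def tcp_mss_clamp(tunnel_mtu):
    """MSS that keeps a TCP segment plus IP and TCP headers inside tunnel_mtu."""
    return tunnel_mtu - IP_HDR - 20


def reassembler(passenger_len, tunnel_mtu, link_mtu=LINK_MTU):
    """Who has to reassemble: 'nobody', 'end host' or 'peer router'."""
    # Assumption: packets above tunnel_mtu are fragmented before encapsulation.
    largest_piece = min(passenger_len, tunnel_mtu)
    if encapsulated_size(largest_piece) > link_mtu:
        return "peer router"   # the ESP packet is fragmented after encryption
    return "end host" if passenger_len > tunnel_mtu else "nobody"


if __name__ == "__main__":
    best = max_tunnel_mtu()
    print("1500-byte passenger on the wire:", encapsulated_size(1500))
    print("max tunnel IP MTU:", best, "TCP MSS clamp:", tcp_mss_clamp(best))
    for size, mtu in [(1500, 1476), (1500, best), (1400, best)]:
        print(size, mtu, "->", reassembler(size, mtu))
```

With these assumed header sizes, a tunnel MTU at or below the computed maximum moves reassembly of oversized UDP/ICMP packets from the peer router to the receiving host, and the MSS clamp keeps TCP from fragmenting at all.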