2 ISCW-related questions

BennyLavaBennyLava Member Posts: 60 ■■□□□□□□□□
I'm currently studying for the ISCW exam and have a couple questions that I haven't been able to find an answer to:

1. The Network Academy module on MPLS says "A received labeled packet is dropped if the label is not found in the LFIB table, even if the IP destination exists in the IP forwarding table, also called the FIB. A received IP packet is dropped if the destination is not found in the IP forwarding table (FIB table), even if there is an MPLS label-switched path toward the destination." However a question on the Cisco Press exam engine says "If a label switch router receives a labeled packet for which there is no label, what does it do?" and the answer given is "Send the packet based on a layer 3 lookup". Which of these is correct?

2. When using SDM to create a site-to-site VPN, I've noticed it adds the default ISAKMP policy (Policy #1) to the config, even if a custom policy is created. From what I understand, the lowest policy number is used if 2 peers have multiple policies in common. Wouldn't this make any other policies that are configured useless if SDM is used to configure both sides of the VPN, unless the default policies created by SDM are deleted? Or am I missing something here?

Comments

  • jezg76jezg76 Member Posts: 97 ■■□□□□□□□□
    1. Page 195 of the ISCW Official Exam Cert Guide says this (not that this is the Word of God or anything :D):

    "If a received labeled packet is dropped, this is symptomatic of a lack of LFIB entry, even if the destination exists in the routing table.

    Similarly, a received IP packet might be dropped if there is no routing entry in the routing table even if the entry does exist in the LFIB for the destination."

    I am thinking the question in the Cisco Prep exam engine is referring to a case of PHP maybe?

    ==============================================================

    2. Threw that into GNS3 with 2 VMs on the end of a SDM-created VPN setup. You are 100% correct. Letting the default policy in there will, in fact, match for IKE Phase I.

    *Mar 1 00:24:22.739: ISAKMPicon_sad.gif0:0:N/A:0):found peer
    BRANCH(config-line)#pre-shared key matching 64.64.64.65
    *Mar 1 00:24:22.743: ISAKMPicon_sad.gif0:0:N/A:0): local preshared key found
    *Mar 1 00:24:22.743: ISAKMPicon_sad.gif0:0:N/A:0):Checking ISAKMP transform 1 against pri
    ority 1 policy
    *Mar 1 00:24:22.743: ISAKMP: encryption 3DES-CBC
    *Mar 1 00:24:22.743: ISAKMP: hash SHA
    *Mar 1 00:24:22.743: ISAKMP: default group 2
    *Mar 1 00:24:22.743: ISAKMP: auth pre-share
    *Mar 1 00:24:22.747: ISAKMP: life type in seconds
    *Mar 1 00:24:22.747: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
    *Mar 1 00:24:22.747: ISAKMPicon_sad.gif0:0:N/A:0):atts are acceptable. Next payload is 0
    *Mar 1 00:24:22.831: ISAKMPicon_sad.gif0:1:SW:1): processing vendor id payload
    *Mar 1 00:24:22.835: ISAKMPicon_sad.gif0:1:SW:1): vendor ID seems Unity/DPD but major 245
    mismatch
    *Mar 1 00:24:22.835: ISAKMP (0:134217729): vendor ID is NAT-T v7

    Instead of deleting the policy you could always give it a higher priority on each end...or just delete it. :D
    policy-map type inspect TACO
    class type inspect BELL
    drop log
  • BennyLavaBennyLava Member Posts: 60 ■■□□□□□□□□
    Thanks for the reply
    jezg76 wrote:
    1. Page 195 of the ISCW Official Exam Cert Guide says this (not that this is the Word of God or anything :D):

    "If a received labeled packet is dropped, this is symptomatic of a lack of LFIB entry, even if the destination exists in the routing table.

    Similarly, a received IP packet might be dropped if there is no routing entry in the routing table even if the entry does exist in the LFIB for the destination."

    I am thinking the question in the Cisco Prep exam engine is referring to a case of PHP maybe?

    I have the Cert Guide also and saw this part, which seems to agree with the Network Academy information. This wouldn't be the first mistake I've seen in either of them though so I'm trying to find a definite answer. The question didn't mention PHP at all and I can't really see how PHP would change the outcome - Could you explain that more maybe?
    jezg76 wrote:
    2. Threw that into GNS3 with 2 VMs on the end of a SDM-created VPN setup. You are 100% correct. Letting the default policy in there will, in fact, match for IKE Phase I.

    Guess I have another reason not to like SDM now icon_lol.gif
Sign In or Register to comment.