2.1 OSPF - clarification and possible alternative solution

Hi,

I seem to be getting stuck on semantics lately and I wanted to run another question by people.

The question asks, "Ensure that other devices running OSPF on the segment between R4 and R5 cannot intercept the OSPF communication between R4 and R5".

1) First does "segment" always mean Ethernet segment?  I interpreted the question to mean both serial links and Ethernet links as R4 and R5 both share those.

2) Second the solution in the book was to move from broadcast to unicast by changing the OSPF network type.  Would it also be ok to just encrypt the traffic between R4 and R5?  I ended up encrypting the traffic between R3, R4 and R5 and even the virtual link.  I interpreted the question to mean that if someone was sniffing the trunks (or frame-relay links) they should not be able to read the OSPF session information.

Thanks,

Andy

Comments

  • Hi,

    Segment refers to the directly connected data-link layer devices, so regardless of the media type, you can consider such a scenario as the "segment" where you usually have the same network configured.

    In the particular task you mentioned here, the frame-relay cloud is used as a layer 2 circuit, and by default FR behaves like a non-broadcast network as it is an NBMA network. So, you need to have static neighbor configuration with the "neighbor" command, and it doesn't necessarily require broadcast/multicast packets when establishing neighborship between those OSPF routers where the neighbor command is configured, because hello packets are now unicast. So, in order to suppress broadcast and multicast, you can have the network type changed into unicast. Further, I'm not sure where the encryption came from in the OSPF task; please help re-checking it.

    Hope this helps!

  • JoeM

    2) Second the solution in the book was to move from broadcast to unicast by changing the OSPF network type.  Would it also be ok to just encrypt the traffic between R4 and R5?  I ended up encrypting the traffic between R3, R4 and R5 and even the virtual link.  I interpreted the question to mean that if someone was sniffing the trunks (or frame-relay links) they should not be able to read the OSPF session information.

    I think this is a common doubt for this task.  I did the lab twice, and I still think that the task wording suggests encryption and unicast.

    • Ensure that host devices running OSPF on the segment between R4 and
      R5 cannot intercept the OSPF communication between R4 and R5.

    BUT....what I have found with these labs, is that it means to use unicast (rather than multicast).  I guess that the solution in the lab test, is to "ask the proctor." ;)



  • My take on this type of question is to use both unicast and authentication. If in doubt, ask the proctor....


    On 22/09/2013, at 22:49, "JoeM" <[email protected]> wrote:

    alaporte:
    2) Second the solution in the book was to move from broadcast to unicast by changing the OSPF network type.  Would it also be ok to just encrypt the traffic between R4 and R5?  I ended up encrypting the traffic between R3, R4 and R5 and even the virtual link.  I interpreted the question to mean that if someone was sniffing the trunks (or frame-relay links) they should not be able to read the OSPF session information.

    I think this is a common doubt for this task.  I did the lab twice, and I still think that the task wording suggests encryption and unicast.

    • Ensure that host devices running OSPF on the segment between R4 and
      R5 cannot intercept the OSPF communication between R4 and R5.

    BUT....what I have found with these labs, it means to use unicast (rather than multicast).  I guess that the solution in the lab test, is to "ask the proctor."  ;-)




    INE - The Industry Leader in CCIE Preparation

    http://www.ine.com



    Subscription information may be found at:

    http://www.ieoc.com/forums/ForumSubscriptions.aspx




  • You can not count on asking the proctor to clarify a question like this.



    Things you can ask the proctor:

    1) Where is the bathroom?

    2) What time is lunch?

    3) When will I get my score report?



    Things you are wasting your time asking the proctor:

    1) Should I configure X or Y for this task?

    2) Can you tell me what you want me to do for task X?

    3) I can solve this section two ways.   Which way should I use?
    -- 

    Brian Dennis, CCIEx5 #2210 (R&S/ISP-Dial/Security/SP/Voice)
    [email protected]

    INE, Inc.
    http://www.INE.com


    On 09/22/2013 07:09 PM, qqabdal wrote:

    My take on this type of question is to use both unicast and authentication. If in doubt, ask the proctor....












  • Yes, proctors usually don't tell anything about the question that is specific to technology & lab exam task. I remember, my proctor had refused to answer me when I asked whether or not I had to name the VLAN which was not mentioned in the question. So, it's good if you don't ask the proctor for anything except the general stuff. :)

    Thanks!

  • JoeM

    You can not count on asking the proctor to clarify a question like this.



    Things you can ask the proctor:

    1) Where is the bathroom?

    2) What time is lunch?

    3) When will I get my score report?



    Things you are wasting your time asking the proctor:

    1) Should I configure X or Y for this task?

    2) Can you tell me what you want me to do for task X?

    3) I can solve this section two ways.   Which way should I use?

    Thanks for the clarification. It does seem more logical.  Definitely a different twist on the "Ask the proctor" answers.

    So, for this type of task (wording), I am finding that the correct answer in the INE labs is always to use unicast vs multicast.  It seems that the tasks are very explicit when encryption is required for any of the routing protocols.

  • Brian,

    If I encrypted the OSPF traffic would that satisfy the requirement of not allowing the communication between R4 and R5 to be intercepted?  If not maybe you could explain why.

    Thanks,

    Andy

  • In this type of question I always used unicast + authentication.
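
An added configuration sketch, not part of any post in this thread and not the workbook's solution: the "unicast + authentication" combination several replies describe, for a shared segment between R4 and R5. Interface names, addresses (documentation range), process ID, area and key are assumed placeholders.

```ios
! Constructed example. FastEthernet0/0, 192.0.2.0/24, process 1, area 0 and
! <SHARED-KEY> are placeholders, not values from the lab topology.
!
! ---------- R4 ----------
! non-broadcast: hellos are no longer sent to 224.0.0.5, so no adjacency
! forms with any router that is not listed in a neighbor statement.
! message-digest: every OSPF packet carries an MD5 digest, so packets from
! a device without the key are dropped. The digest authenticates the
! sender; the OSPF payload itself is still sent in cleartext.
interface FastEthernet0/0
 ip address 192.0.2.4 255.255.255.0
 ip ospf network non-broadcast
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 <SHARED-KEY>
!
router ospf 1
 network 192.0.2.0 0.0.0.255 area 0
 neighbor 192.0.2.5
!
! ---------- R5 ----------
! Mirror of R4: same network type, same key ID and key, neighbor = R4.
interface FastEthernet0/0
 ip address 192.0.2.5 255.255.255.0
 ip ospf network non-broadcast
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 <SHARED-KEY>
!
router ospf 1
 network 192.0.2.0 0.0.0.255 area 0
 neighbor 192.0.2.4
!
! ---------- Verification (either router) ----------
! show ip ospf interface FastEthernet0/0
!   expect network type NON_BROADCAST and message-digest authentication
!   with key ID 1
! show ip ospf neighbor
!   expect the R4/R5 adjacency in FULL state
! debug ip ospf adj
!   a key or authentication-type mismatch is reported here
```

The network type and the authentication settings must match on both routers, otherwise the adjacency does not come up.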
