CCSE Q - Need clarification

summer9uy · #1 (**permalink**) 2008-03-26

Hi Gurus,

I have doubt on the answer provided by simulation question. Kindly please advice. I plan to take my CCSE exam somewhere next week. Do hope some answers from you all. Thanks.

Your current VPN-1 NG Application Intelligence (AI) R55 stand-alone VPN-1 Pro Gateway and SmartCenter Server run on SecurePlatform. You plan to implement VPN-1 NGX in a distributed environment, where the existing machine will be the SmartCenter Server, and a new machine will be the VPN-1 Pro Gateway only. You need to migrate the NG with AI R55 SmartCenter Server configuration, including such items as Internal Certificate Authority files, databases, and Security Policies. How do you request a new
license for this VPN-1 NGX upgrade?
A. Request a VPN-1 NGX SmartCenter Server license, using the new machine's
IP addres. Request a new local license for the NGX VPN-1 Pro Gateway.
B. Request a VPN-1 NGX SmartCenter Server license, using the new machine's
IP addres. Request a new central license for the NGX VPN-1 Pro Gateway.
C. Request a new VPN-1 NGX SmartCenter Server license, using the NG with
AI SmartCenter Server IP address. Request a new central license for the
NGX VPN-1 Pro Gateway.
D. Request a VPN-1 NGX SmartCenter Server license, using the NG with AI
SmartCenter Server IP address. Request a new central license for the NGX
VPN-1 Pro Gateway, licenses for the existing SmartCenter Server IP
address.

My answer is C.

ABC is a Security Administrator for ABC.com. ABC.com has two
sites using pre-shared secrets in its VPN. The two sites are Boston and New York. Jack has just been informed that a new office is opening in Houston, and she must enable all three sites to connect via the VPN to each other. Three Security Gateways are managed by the same SmartCenter Server, behind the New York Security Gateway. Mrs. Bill decides to switch from a pre-shared secrets to Certificates issued by the Internal Certificate Authority (ICA). After creating the Houston gateway object with the proper VPN domain, what are ABC's remaining steps?
1. Disable "Pre-shared Secret" on the Boston and New York gateway
objects.
2. Add the Houston gateway object into the New York and Boston's mesh VPN
Community.
3. Manually generate ICA Certificates for all three Security Gateways.
4. Configure "Traditional mode VPN configuration" in the Houston gateway
object's VPN screen.
5. Reinstall the Security Policy on all three Security Gateways

My answer: 1,2,3,5

In a Load Sharing Unicast mode, the internal cluster IP Add is 10.4.8.3. The internal interfaces on two members are 10.4.8.1 and 10.4.8.2. Internal host 10.4.8.108 Pings 10.4.8.3 and receives replies. The following is the ARP table from the internal Windows host 10.4.8.108: c:>arp According to the output, which member is the Pivot?

C:>arp
Interface 10.4.8.108 on interface 0x4

Internet Add Physical Address Type
10.4.8.1 00-b0-d0-b7-b5-d5 dynamic
10.4.8.2 00-01-03-34-e3-9d dynamic
10.4.8.3 00-01-03-34-e3-9d dynamic

A. 10.4.8.108
B. 10.4.8.3
C. 10.4.8.2
D. 10.4.8.1

My Question: How do I determine which is PIVOT?
Virtual test answer is C

kr1m1n4l · #2 (**permalink**) 2008-03-28

Hi Summer9uy

regarding your question about the pivot,

Well the pivot is the member that will receive the packet first and then decide if it will itself deal with the packet or forward to another member to handle the packet.

The pivot uses an algorithm to decide which member is the best qualified to process the packet (depending on how you want to use it : round robbin etc...).

the main thing to understand is that it is the pivot member that receives the packet first.

In the question, it mentions the IP 10.4.8.3, but that is IP address of the Cluster (ie : virtual IP regrouping all members) so this cannot be the correct answer, however if we take my example that the pivot receives the packet first, you see in the example that 10.4.8.3 and 10.4.8.2 have the same MAC address.

so you are fairly sure to know that 10.4.8.2 is the pivot .

hope this make sense and helps.

Regards

summer9uy · #3 (**permalink**) 2008-04-01

Hello kr1m1n4l,

Thanks for the reply. Understand your explanation. Thank You.

rfalario · #4 (**permalink**) 2008-04-02

Quote:

Originally Posted by summer9uy

In a Load Sharing Unicast mode, the internal cluster IP Add is 10.4.8.3. The internal interfaces on two members are 10.4.8.1 and 10.4.8.2. Internal host 10.4.8.108 Pings 10.4.8.3 and receives replies. The following is the ARP table from the internal Windows host 10.4.8.108: c:>arp According to the output, which member is the Pivot?

C:>arp
Interface 10.4.8.108 on interface 0x4

Internet Add Physical Address Type
10.4.8.1 00-b0-d0-b7-b5-d5 dynamic
10.4.8.2 00-01-03-34-e3-9d dynamic
10.4.8.3 00-01-03-34-e3-9d dynamic

A. 10.4.8.108
B. 10.4.8.3
C. 10.4.8.2
D. 10.4.8.1

My Question: How do I determine which is PIVOT?
Virtual test answer is C

The pivot is 10.4.8.2 due too it has the same Physical Address (MAC Address) 00-01-03-34-e3-9d of the internal cluster IP that is 10.4.8.3. :)

Hope it help you:)

summer9uy · #5 (**permalink**) 2008-04-03

rfalario

Thanks for the explanation.

summer9uy · #6 (**permalink**) 2008-04-04

Hi Guys,

Pass CCSE Today. Thanks for the feedback and explanation given.
Please have your VMs working to get better understanding, it does
help alot in CCSE and thanks to prasad for the dump.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode