Tuesday, July 14, 2009

Dead Peer Detection - Default And "On-Demand"

I was preparing for the ISCW paper and a question appeared in front of me, and I was unable to identify what it was asking about, as I saw the DPD term for the first time. The question was:

Q: What are the default parameters when configuring a backup IPSec VPN with Cisco IOS Release 12.2(8)T or later?

Ans: DPD Hello messages are sent every 10 seconds if the router has traffic to send.

After this I googled the DPD term and came to know the following information about DPD.

With all things Cisco, we just have to have a keepalive, and with our IPSec peers, that keepalive is Dead Peer Detection.

I feel silly telling you what DPD does, since if any networking feature has a "the name is the recipe" name, it's this one! As with any keepalive, there are a few basics we need to know...

The CCNP exams generally aren't IOS-version specific, certainly not like the CCIE exams are, but we should know that DPD was introduced with IOS version 12.3(7)T. Older IOS versions do not use DPD, obviously, and you may run into routers with earlier IOS versions out in the field.

According to Cisco's website, the following devices support DPD:

* The Cisco VPN 3000 concentrator
* Cisco PIX firewalls
* Cisco VPN client
* Easy VPN Remote
* Easy VPN Server

DPD can run in two different ways: the default setting and "on-demand". The default setting is much like the routing protocol hellos we've studied in the past. According to Cisco's website, the router will send a DPD Hello every 10 seconds "unless the router receives a hello message from the peer".

As with routing protocols, the drawback of the regularly scheduled hello packet is that it results in more packets to be processed, and in this case, encrypted and decrypted. That's why DPD offers an on-demand configuration, where a router sends a DPD Hello only in advance of sending traffic to a peer.

The second keepalive method is simply the keepalive of whatever routing protocol you're running over the VPN. Of course, that timer depends on whether you're running RIP, OSPF, or EIGRP.

DPD can also be used as a mechanism to detect IPSec GRE tunnel failures.
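The two modes described above, as an added example that is not part of the original post or of any Cisco document: a minimal IKEv1 peer definition on a Cisco IOS router, with the `crypto isakmp keepalive` command shown once in periodic form and once in on-demand form. The hostname, the peer address (an RFC 5737 documentation address) and the pre-shared key are placeholders I made up; the `periodic` and `on-demand` keywords are the ones introduced in the IOS release the text mentions.

```cisco
! Added example, not from the original post. Hostname, peer address
! and pre-shared key are placeholders; adjust for your own peers.
hostname HQ-RTR
!
! Just enough IKE phase 1 policy for the keepalive to have a peer to talk to.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
!
! 203.0.113.2 is a documentation address standing in for the remote peer.
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.2
!
! Option A - periodic DPD: send a DPD Hello (R_U_THERE) every 10 seconds
! whenever nothing has been heard from the peer; if no ACK comes back,
! retry every 3 seconds (the second value) before declaring the peer dead
! and tearing down its IKE and IPsec SAs.
crypto isakmp keepalive 10 3 periodic
!
! Option B - on-demand DPD (use instead of A, not together with it): send a
! DPD Hello only when this router has traffic to forward to the peer and has
! heard nothing from that peer for 10 seconds. Fewer keepalives to encrypt
! and decrypt, at the cost of slower detection while the tunnel is idle.
! crypto isakmp keepalive 10 3 on-demand
!
! Verification from exec mode (not configuration):
!   show crypto isakmp sa          - IKE SA state per peer (QM_IDLE = established)
!   show crypto session detail     - IKE and IPsec SAs per peer, with uptime
!   debug crypto isakmp            - shows the DPD R_U_THERE / R_U_THERE_ACK
!                                    exchange and the teardown when a peer is
!                                    declared dead (use briefly, it is verbose)
```

DPD is negotiated during IKE phase 1 (each side advertises support in a Vendor ID payload, per RFC 3706), so the keepalive only does anything when both peers support it. The reason it matters for a backup VPN design, which is the context of the exam question above, is the teardown: until the dead peer's SAs are removed, the router keeps encrypting traffic into a tunnel that goes nowhere, and no failover to the backup peer or tunnel happens. `show crypto session detail` is the quickest way to see whether a stale SA is still being held.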

Hope you find it informative.

3 comments:

nayyares said...

Nice finding ...

cheers
