I think when Rahul said UK, he means Europe, or exactly Bru., because it's the only site that exists in Europe.

Edited by uomoInNero


It's the same comment as #365, but I don't know how to delete it; sorry for that.

Edited by uomoInNero


For lab purpose...just do "10.100.6.0 0.0.0.255"

 

Thanks MrRob0t.

Any idea about this in this Task?

"Loopback1 interfaces on R9,R10 and R11 should be included in the EIGRP routing domain."

Including the R9 Lo1 is easy, because we don't need to include the /24 network in the EIGRP routing domain

But, how can we include the /32 Lo1 of R10 and R11 in the EIGRP routing domain ?

I am asking this because, in my understanding we need to advertise the 192.168.10.0/24 and the 192.168.10.10/32 in the EIGRP domain.


Thanks MrRob0t.

Any idea about this in this Task?

"Loopback1 interfaces on R9,R10 and R11 should be included in the EIGRP routing domain."

Including the R9 Lo1 is easy, because we don't need to include the /24 network in the EIGRP routing domain

But, how can we include the /32 Lo1 of R10 and R11 in the EIGRP routing domain ?

I am asking this because, in my understanding we need to advertise the 192.168.10.0/24 and the 192.168.10.10/32 in the EIGRP domain.

 

iirc, all of the loopback interfaces are configured with a /24 mask in the lab, so advertise those also with /24. In fact, since it's a classful subnet, you can just do "network 192.168.x.0" without specifying a mask and EIGRP will advertise accordingly.

 

And I must say you are being obsessed with these things for no reason. Based on the config version we have, no question asks for advertising a specific route, so just advertise the route with the same mask as it's configured.

Edited by MrR0b0t


iirc, all of the loopback interfaces are configured with a /24 mask in the lab, so advertise those also with /24. In fact, since it's a classful subnet, you can just do "network 192.168.x.0" without specifying a mask and EIGRP will advertise accordingly.

 

And I must say you are being obsessed with these things for no reason. Based on the config version we have, no question asks for advertising a specific route, so just advertise the route with the same mask as it's configured.

 

Yes, I am obsessed, because I don't have the economic capability to attend the lab multiple times. And I would like to be sure 100% for all the tasks.

Don't get me wrong, you have done a great job in this thread, much appreciated.

 

But to me, the solution for task 3.5 does not look good. I'm saying this because Cisco puts those descriptions in on purpose, because you have to configure something specific. Otherwise they wouldn't say anything.

The Loopback being pre-configured as /24 does not mean anything, because you can always re-configure them as /32.

In the CFG section, there is no restriction in regards to re-configuring something that is wrongly pre-configured.

 

Anyway, if i come up with a solution, I will let you know.

 

Thanks

Edited by tonythetiger


Hi,

 

It could be a tricky question regarding protected sources. From my perspective, I think that they want the candidate to configure a network statement with a /0 wildcard. Although it is true that this just enables EIGRP on the interface and automatically takes into consideration the mask of the interface which is on that network. Without a route map you cannot filter what will be advertised in the IGP. The only thing that I could think of for not getting points here is if you put a statement for the 10/8 network without a mask, which would turn on EIGRP on interfaces with a 10.x IP. Also, using the passive interface command makes you safe regarding EIGRP updates on that interface.

But as you pointed out details can be critical for getting (or losing) points and passing exam.

But if you will figure out some other options please share with us.
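
Added example, not part of any post in this thread: a small Python model of how an IOS EIGRP `network` statement selects interfaces (classful match when no wildcard is given, wildcard match otherwise) and of the connected prefix that is then originated, whose mask comes from the interface. The interface names and the Gi addresses are constructed, and auto-summary is assumed to be disabled.

```python
import ipaddress

# Constructed sample interfaces (names and Gi addresses are assumptions).
IFACES_24 = {"Lo1": "192.168.10.10/24", "Gi1": "10.100.6.9/24", "Gi2": "10.1.1.1/24"}
IFACES_32 = {**IFACES_24, "Lo1": "192.168.10.10/32"}   # same router, Lo1 re-masked

def classful_network(addr):
    """Classful major network (A=/8, B=/16, C=/24) that contains addr."""
    first = int(addr) >> 24
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def matches(statement, ip):
    """True if 'network <addr> [wildcard]' selects an interface with this IP."""
    parts = statement.split()
    base = ipaddress.IPv4Address(parts[1])
    if len(parts) == 2:
        # No wildcard: every interface inside the classful network is enabled.
        return ip in classful_network(base)
    # Wildcard bits set to 1 are "don't care"; invert to get the bits that must match.
    care = ~int(ipaddress.IPv4Address(parts[2])) & 0xFFFFFFFF
    return int(ip) & care == int(base) & care

def advertised(statements, interfaces):
    """Connected prefixes originated into EIGRP, keyed by interface name."""
    out = {}
    for name, cidr in interfaces.items():
        iface = ipaddress.ip_interface(cidr)
        if any(matches(s, iface.ip) for s in statements):
            # The statement only enables the interface; the advertised
            # prefix length is the interface's own mask.
            out[name] = str(iface.network)
    return out

if __name__ == "__main__":
    for label, ifaces in (("Lo1 as /24", IFACES_24), ("Lo1 as /32", IFACES_32)):
        for stmt in ("network 192.168.10.10 0.0.0.0",
                     "network 192.168.10.0",
                     "network 10.100.6.0 0.0.0.255",
                     "network 10.0.0.0"):
            print(f"{label:11} {stmt:32} -> {advertised([stmt], ifaces)}")
```
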


Hello @tonytiger, let me clear one thing up for you: you are attempting the CCIE *sec* exam, not RnS. And they don't expect you to correct routing or interface config; yes, they can ask you to put or correct routing authentication. For more info you can watch Cisco Live's BRKCCIE video for secv5

 

Another thing: Mr. Robot already passed his exam with what he is suggesting to you.

Edited by rahulkashyap


Hi,

 

It could be a tricky question regarding protected sources. From my perspective, I think that they want the candidate to configure a network statement with a /0 wildcard. Although it is true that this just enables EIGRP on the interface and automatically takes into consideration the mask of the interface which is on that network. Without a route map you cannot filter what will be advertised in the IGP. The only thing that I could think of for not getting points here is if you put a statement for the 10/8 network without a mask, which would turn on EIGRP on interfaces with a 10.x IP. Also, using the passive interface command makes you safe regarding EIGRP updates on that interface.

But as you pointed out details can be critical for getting (or losing) points and passing exam.

But if you will figure out some other options please share with us.

 

Network statement with /0 wild card will not work. At least, from what I have tried in my lab...

 

 

Hello @tonytiger, let me clear one thing up for you: you are attempting the CCIE *sec* exam, not RnS. And they don't expect you to correct routing or interface config; yes, they can ask you to put or correct routing authentication. For more info you can watch Cisco Live's BRKCCIE video for secv5

 

Another thing: Mr. Robot already passed his exam with what he is suggesting to you.

 

Passing the exam with this "suggestion" does not mean that mr. Robot got the points from the Task 3.5, correct?


Except if he failed once and on the failed attempt he got 100% on section 3. Then yes, his suggestion is the correct resolution to the task.

 

I am not arguing with anyone, just expressing my concerns in regards to this task


Edited by tonythetiger
  • Like 1


Passing the exam with this "suggestion" does not mean that mr. Robot got the points from the Task 3.5, correct?


 

I agree with you, but isn't it a good idea to keep using a passable solution... maybe making more changes in it makes people fail. But definitely you are free to make changes in the lab, as it is your exam, and yes, we are not arguing, we are discussing.


Network statement with /0 wild card will not work. At least, from what I have tried in my lab...

 

 

 

 

Passing the exam with this "suggestion" does not mean that mr. Robot got the points from the Task 3.5, correct?


Except if he failed once and on the failed attempt he got 100% on section 3. Then yes, his suggestion is the correct resolution to the task.

 

I am not arguing with anyone, just expressing my concerns in regards to this task


 

I did fail once before passing on the second attempt, and I can assure you that based on my failed attempt report, I did not fail because of using /24 for advertised routes.

 

And let me give you one tip: if you really do not wish to fail your lab exam, then do not even think about changing pre-configuration, e.g. changing the mask on loopback addresses, UNLESS explicitly asked.

 

Above all, there is a reason why people are using these dump workbooks and that is "passing the exam". It's good to work on this stuff and learn it properly, but as far as the exam is concerned, you are wasting your energy.

 

If you think about it, these lab dumps have been around for over two years now helping numerous candidates to pass the exam. Believe me if Cisco really wanted candidates to use specific route advertisements then we would have found out about that by now.

 

And as Rahul mentioned, it's security and not R&S, plus like I said, it never says anywhere about advertising a specific route.


Right in the balls!!!


 

my friend could you pls help me setup EVE LAB

L2/L3 images are working fine with ASA 8XX

only IOUL are not working ?!

generated iourc key and ran fixpermissions for the wrapper, still these images are not working

 

appreciate your support ..


no question asks for advertising a specific route, so just advertise the route with the same mask as it's configured.

 

I agree with you regarding the routes. But the question asks to secure the traffic between a subnet and a host, i.e. what traffic to allow on the tunnel. Since it's a FlexVPN task, this is possible to implement using an authorization policy:

 

Spoke:

 

Hidden Content

    Give reaction to this post to see the hidden content.

 

Hub:

 

Hidden Content

    Give reaction to this post to see the hidden content.

 

 

This config works but I'm not sure if it is really needed though. If the grading script checks the output of 'show crypto ikev2 sa detailed' then the requirement will be missed if not using authorization policies, if it's just a matter of pinging, then it should be fine.

Edited by cheesy


I agree with you regarding the routes. But the question asks to secure the traffic between a subnet and a host, i.e. what traffic to allow on the tunnel. Since it's a FlexVPN task, this is possible to implement using an authorization policy:

 

Spoke:

 

Hidden Content

    Give reaction to this post to see the hidden content.

 

Hub:

 

Hidden Content

    Give reaction to this post to see the hidden content.

 

 

This config works but I'm not sure if it is really needed though. If the grading script checks the output of 'show crypto ikev2 sa detailed' then the requirement will be missed if not using authorization policies, if it's just a matter of pinging, then it should be fine.

 

As far as the lab exam is concerned, this is a waste of valuable time and not required at all. You are missing the point that even though you advertise the whole /24 subnet, the ASA still has the server specific ACL which only allows NAT address 10.100.6.1 (server 5 original IP), so the only other address that anyone could access from that /24 subnet is the R9 IP address and that's it! And the ASA will not allow any other traffic, so I really do not understand the fuss behind advertising a specific route.

 

And again, the question asks about securing traffic between the R10 subnet and host 10.100.6.1 because that's the only address already being asked to allow in the ASA task. They are basically giving you a hint that "Oi remember we asked you to create NAT rule where server 5 should only be accessible via Outside Interface"

Edited by MrR0b0t
  • Like 1
