xyber85

YES! We Passed !!


7) Infra Sec - Don't worry about snooping, mine had no issue, and for control plane remember NOT TO USE ANY DENY!!! In the control plane ACL I entered permit udp range 30000 40000 to avoid the 3rd packet drop.

 

 

Hello xyber85,

 

Could you please clarify point 7? Do you mean something like that:

 

ip access-list extended WANTED_PROTOCOLS
permit gre any any
permit esp any any
permit udp any any eq isakmp
permit udp any eq isakmp any
permit udp any eq non500-isakmp any
permit tcp any eq bgp any
permit pim any any
permit tcp any any eq bgp
permit ospf any any
permit icmp any any ttl-exceeded
permit icmp any any port-unreachable

ip access-list extended TTL
permit ip any any ttl lt 2

class-map match-all WANTED_PROTOCOLS
match access-group name WANTED_PROTOCOLS

class-map match-all TTL
match access-group name TTL

policy-map CoPP
class WANTED_PROTOCOLS
police 10000 1500 1500 conform-action transmit exceed-action transmit
class TTL
drop

control-plane
service-policy input CoPP

As opposed to the solution provided by C4C or Spoto?

Could you please clarify as well the purpose of the following you said?

7) ... In the control plane ACL I entered permit udp range 30000 40000 to avoid the 3rd packet drop.

 

 

 

Thanks.


i/? - BGP origin code

 


 

I had redistribute static preconfigured in my H3

 

Thanks, you mentioned "Check the routing table of 3.1". What is 3.1?


Thanks, you mentioned "Check the routing table of 3.1". What is 3.1?

 

H3 config Section 3.1: MPLS VPN


Hello xyber85,

 

Could you please clarify point 7? Do you mean something like that:

 

ip access-list extended WANTED_PROTOCOLS
permit gre any any
permit esp any any
permit udp any any eq isakmp
permit udp any eq isakmp any
permit udp any eq non500-isakmp any
permit tcp any eq bgp any
permit pim any any
permit tcp any any eq bgp
permit ospf any any
permit icmp any any ttl-exceeded
permit icmp any any port-unreachable

ip access-list extended TTL
permit ip any any ttl lt 2

class-map match-all WANTED_PROTOCOLS
match access-group name WANTED_PROTOCOLS

class-map match-all TTL
match access-group name TTL

policy-map CoPP
class WANTED_PROTOCOLS
police 10000 1500 1500 conform-action transmit exceed-action transmit
class TTL
drop

control-plane
service-policy input CoPP

As opposed to the solution provided by C4C or Spoto?

Could you please clarify as well the purpose of the following you said?

Thanks.

 

SPOTO, but I added another line to the "WANTED_PROTOCOLS" ACL, and my ACL did not allow me to add eq bgp, so I used tcp eq 179

 

THE ACL TRY TO ALLOW OSPF AND BGP ON TOP!

 

ip access-list extended WANTED_PROTOCOLS
permit ospf any any
permit tcp any any eq 179
permit tcp any eq 179 any
permit gre any any
permit esp any any
permit pim any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any any range 30000 40000
!
ip access-list extended TTL
permit ip any any ttl eq 0
permit ip any any ttl eq 1
!
class-map match-all WANTED_PROTOCOLS
match access-group name WANTED_PROTOCOLS
!
class-map match-all TTL
match access-group name TTL
!
policy-map CoPP
class WANTED_PROTOCOLS
class TTL
drop
!
control-plane
service-policy input CoPP

Edited by xyber85
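
A small audit for CoPP configurations of the kind posted above, as an added example that is not part of any post in this thread. It resolves each policy-map class to its class-map and ACL, reports the action each class ends up with, and flags deny entries (which the thread advises against) and named ACLs referenced without the name keyword. The sample config and the function name audit_copp are constructed for illustration.

```python
import re

# Constructed sample shaped like the configs in this thread; the deny entry
# and the missing "name" keyword are planted defects.
SAMPLE = """\
ip access-list extended WANTED_PROTOCOLS
 permit ospf any any
 deny udp any any eq snmp
 permit udp any any range 30000 40000
ip access-list extended TTL
 permit ip any any ttl lt 2
class-map match-all WANTED_PROTOCOLS
 match access-group WANTED_PROTOCOLS
class-map match-all TTL
 match access-group name TTL
policy-map CoPP
 class WANTED_PROTOCOLS
 class TTL
  drop
"""

def audit_copp(config):
    """Resolve policy-map class -> class-map -> ACL; return (actions, findings)."""
    acls, cmaps, actions, findings = {}, {}, {}, []
    kind = name = None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"(ip access-list extended|class-map match-\w+) (\S+)$", line):
            kind, name = m[1].split()[0], m[2]
            (acls if kind == "ip" else cmaps)[name] = []
        elif line.startswith(("policy-map ", "control-plane")):
            kind, name = line.split()[0], None
        elif kind == "policy-map" and (m := re.match(r"class (\S+)$", line)):
            name = m[1]
            actions[name] = "no action configured"
        elif kind == "policy-map" and name and line.split()[:1] in (["police"], ["drop"]):
            actions[name] = line
        elif kind == "ip" and line not in ("", "!"):
            acls[name].append(line)
        elif kind == "class-map" and (m := re.match(r"match access-group (name )?(\S+)$", line)):
            if not m[1] and not m[2].isdigit():
                findings.append(f"class-map {name}: named ACL {m[2]} needs the 'name' keyword")
            cmaps[name].append(m[2])
    for cls in actions:
        for acl in cmaps.get(cls, []):
            if acl not in acls:
                findings.append(f"class {cls}: ACL {acl} is not defined")
            for ace in acls.get(acl, []):
                if ace.startswith("deny "):
                    findings.append(f"class {cls}: ACL {acl} has deny entry '{ace}'")
    return actions, findings
```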


i/? - BGP origin code

 


 

I had redistribute static preconfigured in my H3

 

H3 CFG

 

4) L2L - Check the routing table of 3.1 if 10.7.x.x is AS with "i" use bgp network statement, if "?" use redistribute static on R24 L2L.

 

What do you mean by this? Can you please explain?

 

Please check the H3 3.1 MPLS VPN chapter, it has the R3, R4, R5, R6 bgp vpnv4 table, check this out!

 

TQ genzor for the BGP origin code explanation

Edited by xyber85


Xyber, thanks for superb feedback and of course congratulations! When were you informed about the exam result? The same day or the next day (morning/evening)?


They have 48h to send you exam results. My friend got the result 1h after the exam, I got mine a few hours later.


Hello xyber85

 

Did you use this prefix list on H3 for filtering?

ip prefix-list FILTER seq 5 deny 10.0.0.0/16
ip prefix-list FILTER seq 10 permit 10.0.0.0/13 ge 16 le 16
ip prefix-list FILTER seq 15 permit 0.0.0.0/0

 

Thanks!!!


Xyber, thanks for superb feedback and of course congratulations! When were you informed about the exam result? The same day or the next day (morning/evening)?

 

TQ!

I received it the next day at 1am.

Edited by xyber85


Hello xyber85

 

Did you use this prefix list on H3 for filtering?

ip prefix-list FILTER seq 5 deny 10.0.0.0/16
ip prefix-list FILTER seq 10 permit 10.0.0.0/13 ge 16 le 16
ip prefix-list FILTER seq 15 permit 0.0.0.0/0

 

Thanks!!!

 

For sec 2.7 yes, that's my bro's feedback to me


6) VPN - Understand Diagram 6, very important!!! My diagram is BGP AS 65001 inclusive of ipv4 and vpnv4 on R1, R3, R4, R5, R6, R7, R8, R50, R51, R52, therefore I deleted R50, R51, and R52 from the preconfig BGP AS 65006 and configured ipv4 and vpnv4 like Spoto H2+ with BGP AS 65001, neighbor x.x.x.x with local-as 65006

 

xyber85, can you please explain more about how to decide on removing AS65006? The diagram is OK but how was the question? The workbooks are not clear at all.

Edited by heavenix
