gfreeman

I passed TS2, DIAG H1+, CFG H3


Hello Guys,

I passed.

Location: Lambda Bunker.

Attempt: Episode X

Don't forget to save time for proper verification of the outputs. Save config regularly. As soon as you finish with TS, start with Diag, as the time for Diag is 30 minutes fixed time. I saved 45 minutes from TS to use in config. Some devices were misbehaving and I had to restart them.

 

!=== TS ==========================================================

!=== T1 ===

!SW400/SW401
conf t
vlan access-map ATTACK 20
 action forward

!=== T2 ===

!R14
conf t
router bgp 65001
 neighbor DC1 next-hop-self

!=== T3 ===

!R22/R23
conf t
no access-list 1 permit 10.1.1.0 0.0.254.255
no access-list 2 permit 10.1.0.0 0.0.254.255
access-list 1 permit 10.2.1.0 0.0.254.255
access-list 2 permit 10.2.0.0 0.0.254.255

!SW101
conf t
interface Ethernet0/1
 ip ospf cost 10

!=== T4 ===

!R21
conf t
route-map LP permit 10
 match ip address prefix-list LP
 set local-preference 200

!=== T5 ===

!R14/R60/R51
conf t
interface Tunnel0
 ip ospf network point-to-multipoint
 no shutdown

 

!=== T6 ===

!R15
conf t
router bgp 65001
 address-family ipv6
  network 2001:CC:1E:8BAD:154::/104

!=== T7 ===

!R1
conf t
interface Loopback0
 ip ospf 10000 area 0

!R3
conf t
interface Ethernet0/1
 mpls ip

!R4/R5/R6
conf t
!There were a lot of wrong imports configured, hence
!"show run | include 65003:3" yielded no results.
ip vrf HollyMaya
 route-target import 65003:3

!=== T8 ===

!SW300/301
conf t
interface Vlan2000
 ip dhcp relay information trusted

!=== T9 ===

!R71
conf t
interface Tunnel0
 tunnel key 10000

!=== T10 ===

!R24/R25
conf t
ip nat outside source static 201.99.70.2 <outside-local>
!(I cannot remember the correct IP)

 

!=== DIAG==========================================================

 

Just understand uRPF and you will be able to solve the third ticket.

 

!=== CFG==========================================================

 

! === Section 1 ===

!--- 1.1 ---
The requirements clearly state all of the switches,
so verify all required ports are assigned to the correct VLAN. There were many other ports assigned to VLAN 1; I did not touch them.

!--- 1.2 ---
Just check the requirements properly, port numbers are different and scrambled a bit. Interfaces are already shut down.

!--- 1.3 ---
The "no spanning-tree mst simulate pvst" was there in just one of the switches. I enabled it by removing the "no".

!--- 1.4 ---
No comment.

 

! === Section 2 ===

!--- 2.1 ---
No preconfiguration.

!--- 2.2 ---
OSPF is already preconfigured, pay attention to additional loopbacks.
VLAN 2001 is already advertised into BGP.

!--- 2.3 ---
OSPF and BGP are already preconfigured, missing some router IDs and next-hop-self commands.
No access to R100. In the diagram you will see OSPF PID 2 for the partner network.

!--- 2.4 ---
Only the BGP process is preconfigured.

!--- 2.5 ---
You will not see references to additional-paths unless BGP is configured in multi-AF mode,
but you can check if multipath will work by looking at the neighbor capabilities negotiated during the OPEN message:

show ip bgp neighbors <ip> | include apabi

and also by looking at the "show ip bgp" output.

!--- 2.6 ---
On DC1, it mentions R14 configured as the other eBGP, plus R14 and R15 have to advertise their own loopback123 to the ISP,
otherwise internet access will not work.

!--- 2.7 ---
R30 and R31 have iBGP between them, but as they are connected to only one AS they will not become a transit AS.
So I just did it on R40/R41/R50/R51.

!--- 2.8 ---
Nothing strange here, just lower the local pref when advertising the Medium Office network to the route reflector, so the return path to MO will always be MPLS.

!--- 2.9 ---
Nothing to add here. The question is clear.

!--- 2.10 ---
SW100 is the mapping agent via L0.

!--- 2.11 ---
Ran out of time.

 

! === Section 3 ===

!--- 3.1 ---
Get the route distinguisher from the outputs, and configure RT imports and exports accordingly.
OSPF is already preconfigured. Check that it is working, and check the LDP neighbors too,
then configure BGP vpnv4.

!--- 3.2 ---
I sneaked the DMVPN config from TS and just prepared the config by adding the missing commands.

!--- 3.3 ---
There is a NAT pool on R14 and R15 that is misconfigured, so you have to amend that.

!--- 3.4 ---
NAT is already preconfigured. It happens that the User7 address is already part of the encryption domain, so no need to do double NAT. I just copied the config from
R24, inverted the crypto ACL, created and applied the crypto map, and bang. R24 is already redistributing static into BGP; you just need to create a static route
pointing to the ISP address.

 

! === Section 4 ===

!--- 4.1 ---
ip verify unicast source reachable-via rx

! === Section 5 ===

!--- 5.1 ---
I did not configure EEM.

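The DIAG hint ("understand uRPF") and the 4.1 command both come down to how strict and loose uRPF evaluate a source address against the routing table. This added Python model (example code, not from the post or the exam) runs `reachable-via rx` and `reachable-via any` over a constructed FIB; the interface names, prefixes and sample packets are made up, and the `allow_default` flag stands in for the IOS `allow-default` keyword.

```python
import ipaddress

# Constructed FIB for the model: destination prefix -> egress interface.
# Longest prefix match wins, exactly as on the router.
FIB = {
    "10.1.0.0/16": "Ethernet0/0",   # inside users, reached via the first LAN link
    "10.1.5.0/24": "Ethernet0/1",   # a more specific branch behind a second link
    "0.0.0.0/0":   "Serial0/0",     # default route towards the ISP
}

def lookup(ip):
    """Longest-prefix match; returns (matched_network, egress_interface) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, ifname in FIB.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best

def urpf_permits(src_ip, ingress_if, mode, allow_default=False):
    """Model of the uRPF check on a packet with source src_ip arriving on ingress_if.

    mode 'rx'  -> strict ("reachable-via rx"): the route back to the source must
                  point out of the interface the packet came in on.
    mode 'any' -> loose ("reachable-via any"): any route to the source is enough.
    The default route only counts when allow-default is configured.
    """
    match = lookup(src_ip)
    if match is None:
        return False                      # no route to the source: drop
    net, egress = match
    if net.prefixlen == 0 and not allow_default:
        return False                      # only the default route matched
    if mode == "any":
        return True                       # loose mode: reachability is enough
    return egress == ingress_if           # strict mode: path must be symmetric

def classify(packets, mode):
    """Run several (src_ip, ingress_if) pairs and return the ones uRPF drops."""
    return [p for p in packets if not urpf_permits(p[0], p[1], mode)]

# Constructed packets: a legitimate user, an asymmetric-but-legitimate branch
# user (its return route points out Ethernet0/1), and a packet arriving from
# the ISP link that claims an inside source address.
SAMPLE = [("10.1.2.3", "Ethernet0/0"), ("10.1.5.9", "Ethernet0/0"),
          ("10.1.2.3", "Serial0/0")]
```

Strict mode drops the asymmetric branch user along with the spoofed packet, which is the classic "uRPF broke a legitimate flow" ticket; loose mode keeps the branch user but also lets the spoofed inside address through, since a route to 10.1.0.0/16 exists.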

Congrats on the number. I have a couple of questions with regards to your input:

 

!=== T7 ===

!R1
conf t
interface Loopback0
 ip ospf 10000 area 0

!R3
conf t
interface Ethernet0/1
 mpls ip

!R4/R5/R6
conf t
!There were a lot of wrong imports configured, hence
!"show run | include 65003:3" yielded no results.
ip vrf HollyMaya
 route-target import 65003:3

 

What did you do? Did you change the export so you don't have to change 3 imports?

 

!--- 2.7

 

R30 and R31 have iBGP between them, but as they are connected to only one AS they will not become a transit AS.

 

So I just did it on R40/R41/R50/R51

 

What did you do on R40/R41/R50/R51, since 2.7 refers to R10/R11/R20/R21?

 

 

!--- 2.8

 

Nothing strange here, just lower the local pref when advertising the Medium Office network to the route reflector, so the return path to MO will always be MPLS.

 

What route reflector are you referring to in Medium Office? From the WB and other inputs among the forums, there are no RR except in DC1 and DC2.

 

Thank you.


Congrats on the number. I have a couple of questions with regards to your input:

 

 

What did you do? Did you change the export so you don't have to change 3 imports?

 

 

 

Just configure the correct route-target import on R4/R5/R6. I did not delete the wrong ones; there were 5 imports configured and I did not bother to delete the wrong ones.

 

 

What did you do on R40/R41/R50/R51, since 2.7 refers to R10/R11/R20/R21?

 

 

I mean this:

None of the Corporate sites (except both Datacenters) may ever be used as transit
sites for remote traffic. I just configured a filter-list on R40/R41/R50/R51.

ip as-path access-list 10 permit ^$
neighbor x.x.x.x filter-list 10 out

 

What route reflector are you referring to in Medium Office? From the WB and other inputs among the forums, there are no RR except in DC1 and DC2.

 

 

I am referring to R13. R14 is the DMVPN hub and it will advertise the MO prefix to the RR, so you have to lower the local-pref so you match this requirement:

- The MPLS path (via R50) must be the preferred path for both ingress and egress traffic

because you cannot configure prepend on R51 or you will fail some outputs.

 

Thank you.

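To make the 2.7 answer concrete, here is an added toy model of outbound eBGP advertisement (example code, not from the post or the exam) showing which prefixes `ip as-path access-list 10 permit ^$` lets through and why that stops the site from carrying transit traffic. The local AS, neighbor names, prefixes and AS paths in the table are constructed.

```python
import re

LOCAL_AS = 65001   # constructed: the site's own AS number

# Constructed Adj-RIB-In of a site router: (prefix, AS_PATH, neighbor learned from).
# An empty AS_PATH means the prefix was originated inside the local AS, either by
# this router or by another router of the same AS over iBGP.
BGP_TABLE = [
    ("10.40.0.0/16", [], "local"),
    ("10.50.0.0/16", [], "iBGP"),
    ("10.10.0.0/16", [65002], "eBGP-MPLS"),            # DC prefix via the provider
    ("198.51.100.0/24", [65002, 65010], "eBGP-MPLS"),  # something further away
]

def as_path_text(path):
    """IOS matches the as-path regex against the AS_PATH as space-separated ASNs."""
    return " ".join(str(asn) for asn in path)

def filter_list_permits(path, regex):
    """Mimic 'ip as-path access-list N permit <regex>': no match means deny."""
    return re.search(regex, as_path_text(path)) is not None

def advertise_ebgp(table, neighbor, regex=None):
    """What this router would send to eBGP neighbor `neighbor`: routes are not
    sent back to the peer they came from, the optional outbound filter-list is
    applied, and the local AS is prepended as on any eBGP update."""
    out = {}
    for prefix, path, learned_from in table:
        if learned_from == neighbor:
            continue
        if regex is not None and not filter_list_permits(path, regex):
            continue
        out[prefix] = [LOCAL_AS] + path
    return out

def transit_prefixes(table, neighbor, regex=None):
    """Prefixes that would leave with another AS in their path, i.e. transit."""
    return [p for p, path in advertise_ebgp(table, neighbor, regex).items()
            if len(path) > 1]
```

Note that `^$` still passes iBGP-learned prefixes of the same AS (their path is empty too), so it prevents transit between other ASes, not leakage of same-AS prefixes.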

congrats

 

can you elaborate ..

 

!--- 3.3

 

There is a NAT pool on R14 and R15 that is misconfigured, so you have to amend that.

 

What was the misconfig? What did you do?

 

thanks


congrats

 

can you elaborate ..

 

!--- 3.3

 

There is a NAT pool on R14 and R15 that is misconfigured, so you have to amend that.

 

What was the misconfig? What did you do?

 

thanks

 

 

!R14
!preconfig
interface Loopback123
 ip address 123.19.99.1 255.255.255.240
ip nat pool NATPOOL 123.19.99.0 123.19.99.255 netmask 255.255.255.0

!FIX
Basically you have to amend the NAT pool to match the address range of loopback 123, because you advertise that address range towards the ISP.

no ip nat pool NATPOOL 123.19.99.0 123.19.99.255 netmask 255.255.255.0
ip nat pool NATPOOL 123.19.99.2 123.19.99.14 netmask 255.255.255.240

!R15
!preconfig
interface Loopback123
 ip address 123.19.99.17 255.255.255.240
ip nat pool NATPOOL 123.19.99.0 123.19.99.255 netmask 255.255.255.0

!FIX
So:
no ip nat pool NATPOOL 123.19.99.0 123.19.99.255 netmask 255.255.255.0
ip nat pool NATPOOL 123.19.99.18 123.19.99.30 netmask 255.255.255.240


Congrats.

Can you explain in detail about advertising lo123 on 2.6?

Thank you

 

This is what I did.

 

!R14
ip prefix-list L123 permit 123.19.99.0/28

route-map TO_ISP permit 10
 match ip address prefix-list L123
route-map TO_ISP permit 20
 match ip address prefix-list "other addresses they ask you to advertise"

router bgp 65001
 network 123.19.99.0 mask 255.255.255.240
 neighbor ISP route-map TO_ISP out

!R15
ip prefix-list L123 permit 123.19.99.16/28

route-map TO_ISP permit 10
 match ip address prefix-list L123

router bgp 65001
 network 123.19.99.16 mask 255.255.255.240
 neighbor ISP route-map TO_ISP out

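The 3.3 pool fix and the 2.6 advertisement of loopback123 belong together: the NAT pool has to sit inside the /28 that the TO_ISP route-map lets out, or return traffic for the translated addresses never comes back. This added Python check (example code, not from the post or the exam) parses a constructed copy of the R14 preconfig and of the fixed version, with the prefix-list sequence number assumed, and reports every way the pool disagrees with the advertised loopback subnet.

```python
import ipaddress
import re

# Constructed R14 configs modelled on the post: the broken preconfig and the fix.
# The prefix-list line stands in for the L123 list used by the TO_ISP route-map;
# its sequence number is an assumption.
PRECONFIG_R14 = """
interface Loopback123
 ip address 123.19.99.1 255.255.255.240
ip nat pool NATPOOL 123.19.99.0 123.19.99.255 netmask 255.255.255.0
ip prefix-list L123 seq 5 permit 123.19.99.0/28
"""
FIXED_R14 = PRECONFIG_R14.replace(
    "123.19.99.0 123.19.99.255 netmask 255.255.255.0",
    "123.19.99.2 123.19.99.14 netmask 255.255.255.240")

def parse(config):
    """Pull the loopback address, the NAT pool and the advertised prefix out of the text."""
    lo = re.search(r"ip address (\S+) (\S+)", config)
    pool = re.search(r"ip nat pool \S+ (\S+) (\S+) netmask (\S+)", config)
    adv = re.search(r"ip prefix-list \S+ (?:seq \d+ )?permit (\S+)", config)
    return {
        "loopback": ipaddress.ip_interface(f"{lo.group(1)}/{lo.group(2)}"),
        "pool_start": ipaddress.ip_address(pool.group(1)),
        "pool_end": ipaddress.ip_address(pool.group(2)),
        # dotted netmask -> prefix length, e.g. 255.255.255.240 -> 28
        "pool_len": ipaddress.ip_network(f"0.0.0.0/{pool.group(3)}").prefixlen,
        "advertised": ipaddress.ip_network(adv.group(1)),
    }

def check(config):
    """Return a list of problems; an empty list means the pool is consistent
    with the loopback subnet that is advertised to the ISP."""
    c = parse(config)
    adv, start, end = c["advertised"], c["pool_start"], c["pool_end"]
    problems = []
    if start not in adv or end not in adv:
        problems.append("pool range is not covered by the prefix advertised to the ISP")
    if c["pool_len"] != adv.prefixlen:
        problems.append(f"pool netmask /{c['pool_len']} differs from advertised /{adv.prefixlen}")
    if start <= c["loopback"].ip <= end:
        problems.append("pool overlaps the Loopback123 interface address")
    if start == adv.network_address or end == adv.broadcast_address:
        problems.append("pool includes the network or broadcast address")
    return problems
```

The same check applies to R15 by feeding it the 123.19.99.16/28 values from the post.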

Just configure the correct route-target import on R4/R5/R6. I did not delete the wrong ones; there were 5 imports configured and I did not bother to delete the wrong ones.

I mean this:

None of the Corporate sites (except both Datacenters) may ever be used as transit
sites for remote traffic. I just configured a filter-list on R40/R41/R50/R51.

ip as-path access-list 10 permit ^$
neighbor x.x.x.x filter-list 10 out

I am referring to R13. R14 is the DMVPN hub and it will advertise the MO prefix to the RR, so you have to lower the local-pref so you match this requirement:

- The MPLS path (via R50) must be the preferred path for both ingress and egress traffic

because you cannot configure prepend on R51 or you will fail some outputs.

 

Thank you.

 

Thank you for clarification.

 

In regards to the NAT for Loopback123: did R24/R25 have filtering towards their RR when announcing their Loopback123 into BGP?

 

Since we're filtering on R14 and R15, shouldn't we do the same thing on R24 and R25?

 

Hope it makes sense.


Thank you for clarification.

 

In regards to the NAT for Loopback123: did R24/R25 have filtering towards their RR when announcing their Loopback123 into BGP?

 

Since we're filtering on R14 and R15, shouldn't we do the same thing on R24 and R25?

 

Hope it makes sense.

 

You don't have to touch R24 or R25 internet access, and I cannot remember how it was done. You only touch R24 for the 3.4 task.

I did not filter L123 towards the RR on R14 and R15; I did filter toward the ISP by not advertising the R15 loopback123 via the R14 eBGP connection and vice versa. This way NATted traffic always comes back via the link
it was NATted on, and DC1 internet access just works.

 

Hope it helps.


Hello Guys,

I passed.

Location: Lambda Bunker.

Attempt: Episode X

Don't forget to save time for proper verification of the outputs. Save config regularly. As soon as you finish with TS, start with Diag, as the time for Diag is 30 minutes fixed time. I saved 45 minutes from TS to use in config. Some devices were misbehaving and I had to restart them.

 

 

 

Did you have to let the proctor know about the restart?


Hello,

 

I did not tell the proctor about the restart. He told us on the induction that we were free to manage our devices, plus the issue that I was having was a routing loop,
and probably he would have told me "You are a CCIE, you are supposed to fix your issue".

I talked to the proctor only after restarting my devices, when everything went back to normal but my devices were showing DOWN on the Manage Devices tab;
but as I was able to connect to the devices and type commands on them, he told me that it was no problem.

 

Another thing to mention is about the mouse, you can adjust the speed but have to ask him to show you how.


Security ticket with DHCP snooping problem.

 

Even after configuring the relay as trusted, the pool does not lease any IP. It claims that there is no pool. I figured out that due to HSRP the relay uses the physical IP of the active router instead of the VIP. I used a feature that assigns a redundancy name to the HSRP and the 'ip helper' to tie them ... but it still does not work. Didn't you face the same issue?


Security ticket with DHCP snooping problem.

 

Even after configuring the relay as trusted, the pool does not lease any IP. It claims that there is no pool. I figured out that due to HSRP the relay uses the physical IP of the active router instead of the VIP. I used a feature that assigns a redundancy name to the HSRP and the 'ip helper' to tie them ... but it still does not work. Didn't you face the same issue?

 

No issues with the DHCP snooping.

 

If the DHCP server claims there is no pool, it means the DHCP packets are unicast to the DHCP server by the DHCP relay. Was the client-id configured? Was it correct?

In my case there was no client ID configured.

