hUmU

PASS: TS1 / DIAG H1+ / CFG H2


Hi guys,

Here is my feedback on this lab experience:

First of all I want to say that I used both vendors with materials found on this forum.

Feedback:

TS1

1. Layer 2

SW2 didn't have VLAN 12 on interface eth0/0

2. PPP

R17 had the wrong password

3. OSPF

R22 had E0/0 as passive

4. EIGRP

R11/R12/R14 didn't have the weights right (only R13 had them)

R13 had a distribute-list that needed 145.14.14.14/32 to be excluded for offset

5. BGP

Decreased the metric on R6 for 123.3.3.3

6. IPv6

R25 needed to advertise the E0/0 network

7. DMVPN

R19's access-list needed ESP added

R15 needed to add hostname to match output

R18 didn't have shortcut under Tu0

8. MPLS

R4/R6 needed OSPF cost change for their E2/0 interface (for back-up link)

R7/R8 didn't have "default-information originate" under router bgp

R8 didn't have "ip nat inside" on E0/0.123

9. DMVPN NAT

R7 had wrong address for isakmp key

10. NAT

R23 didn't have "ip dns server"

=============================================================================================

DIAG - H1+

90% is the same as the workbook, however the last ticket has a different answer than both providers' workbooks.

The output from the router shows that you have two next-hops for the desired traffic, therefore you have multiple next-hops but it chooses a single hop based on per-destination load-balancing (I think I've chosen the wrong answers here).

=============================================================================================

CFG - H2

Same as workbooks with some changes:

1.1

SW3/SW4/SW5/SW6 already had VTP + VLANs configured

SW10/SW11 are not in the VLAN table and you don't need to configure anything on them, they have everything preconfigured

SW1/SW2 already have VLANs created.

1.2

It states clearly that you need to make SW3 primary for normal VLANs and SW4 as back-up for normal VLANs.

1.3

Same WB

1.4

Same WB (interface DIAL1 didn't exist and you have to create the route for 192.0.2.0/24)

2.1

Same as WB

2.2

Same as WB

2.3

Same as WB (upgrade-cli worked so I just added the router-id and the TAG and at the end I upgraded to named mode)

2.4

Same as WB (R15/R16 redistribute bgp 65002 subnets metric-type 1 under OSPF process)

2.5, 2.6, 2.7

Same as WB

2.8

The exam did not request verification from SW10, only from R101

2.9, 2.10, 2.11

Same as WB

3.1

Same as WB but the verification required just ping, not traceroute

3.2

Same as WB but the verification required just ping, not traceroute.

However there is a request saying "All sites need to import all prefixes". It is unclear if it should be pre-merge or post-merge as well (see 3.4)

3.3

Diagram 6 + the question itself showed that you need to change the BGP process from 65006 to 65001. This means local-as towards R55/R56/R58 and also adapt the iBGP.

There is a pre-configured iBGP between R50/R51/R52 which is also present in BGP Diagram and you should keep it when merging.

3.4

This one was tricky. Diagram 6 didn't show any information to find out what to import where. The only guidelines were that:

* DC needs to receive all prefixes from all sites (Jamesons + Jacobs)

* All sites must receive BGP prefixes from DC

* Jamesons Main Office should receive only DC prefixes (actually the text said that Main Office should not receive prefixes from Jamesons HQ nor Jacobs HQ nor Jacobs Office)

4.1

Same as WB (one deny ACL matched in class-map matched in policy-map)

4.2

I left this one last because I wanted to test it. I didn't manage to make it work.

The question has a note to itself saying: "When you do "shut" "no shut" on R101, be sure to do "no ip dhcp snooping vlan 100" and "ip dhcp snooping vlan 100" on the distribution switches (SW3/SW4)"

I tried, it didn't work. I did a debug and when R101 got its IP, there was a huge broadcast storm between SW6/SW4/SW3/R15. When I removed the dhcp snooping for vlan 100 the broadcast storm stopped. Therefore, just to be sure, I didn't configure dhcp snooping for vlan 100 (did the rest of the config though).

5.1

Same as WB, however I've set "lease infinite" for that snooping thing.

5.2, 5.3, 5.4

Same as WB

I wish everybody good luck (until 23rd of February - after that... God help us all :D).

  • Like 24
  • Thanks 10


Congrats @hUmU! Just wondering what import policy did you end up doing based on what you've seen in your questions?

Also did you filter 172.0.0.0/8 on R15/R16 facing MPLS (R3/R4) as well to prevent it from being redistributed back to R55/56?

SPOTO solution only filtered 172.18.1.0/24 on the prefix-list towards R3/R4.

Edited by bruvas


Sorry, but do you have a link for the material? I have found some of them on this page but I want to be sure that they are the updated ones.


Hi.

Congratulations and thank you!

Did you take the extra 30 min for the TSHOOT or keep it for the CONFIG?

There is somewhat of a misnomer here, in case you weren't already aware: the reality is that TSHOOT can take *up to* 2 and a half hours, but it's over as soon as you mark it done. So, if you finish it in 45 minutes, that's an extra hour and 15 minutes that you have for CONFIG. The only section that you have a minimum time for is DIAG, which takes exactly 30 minutes.

This is definitely true in the US, I assume it's the same everywhere.


Hi.

Congratulations and thank you!

Did you take the extra 30 min for the TSHOOT or keep it for the CONFIG?

Thank you.

No, I didn't need that extra 30 min. The clock starts with 2:30 hours from the beginning. In the guidelines it states that when you reach 30 minutes it will turn red and it will let you know.

Congrats @hUmU! Just wondering what import policy did you end up doing based on what you've seen in your questions?

Also did you filter 172.0.0.0/8 on R15/R16 facing MPLS (R3/R4) as well to prevent it from being redistributed back to R55/56?

SPOTO solution only filtered 172.18.1.0/24 on the prefix-list towards R3/R4.

Thank you.

Because the requests were ambiguous from my point of view, all I did was this:

* Jamesons DC - Import all (Jamesons HQ, Jamesons MO, Jacobs HQ, Jacobs Office)

* Jamesons HQ - Import only Jamesons DC and Jamesons MO

* Jamesons MO - Import only Jamesons DC (it was clear in the question that they must not receive anything else - see 3.4)

* Jacobs HQ - Import only Jamesons DC

* Jacobs Office - Import only Jamesons DC

I didn't need to filter anything on R15/R16 because R18 is redistributing the BGP into OSPF as type 1 and R15/R16 are redistributing, into BGP, OSPF type 2.

Sorry, but do you have a link for the material? I have found some of them on this page but I want to be sure that they are the updated ones.

Unfortunately I don't. I followed and searched through these forums and found the materials there. At this point I can't find the threads but I will post if I do find them.

Which WB are you referring to?

Both vendors. What exactly are you interested in?

  • Like 6
  • Thanks 4


There is somewhat of a misnomer here, in case you weren't already aware: the reality is that TSHOOT can take *up to* 2 and a half hours, but it's over as soon as you mark it done. So, if you finish it in 45 minutes, that's an extra hour and 15 minutes that you have for CONFIG. The only section that you have a minimum time for is DIAG, which takes exactly 30 minutes.

This is definitely true in the US, I assume it's the same everywhere.

That is correct.

The TS starts with 2:30 and counts down. You can always finish whenever you want. That time will be "added" to the Config section.

Diag has 30 minutes and you have to wait for them to pass even if you finished earlier.

CFG has no timer; it will end when the proctor tells everybody to stop. This is why I said that the time you earn for finishing TS fast is "added" to the CFG.

Hope this helps.


Can you please clarify more on the below:

"Diagram 6 + the question itself showed that you need to change the BGP process from 65006 to 65001. This means local-as towards R55/R56/R58 and also adapt the iBGP."

You removed router bgp 65006 and configured router bgp 65001. While establishing eBGP with R55/R56/R58, use local-as 65006? Did you use no-prepend replace-as, or doesn't the output require that?


Can you please clarify more on the below:

"Diagram 6 + the question itself showed that you need to change the BGP process from 65006 to 65001. This means local-as towards R55/R56/R58 and also adapt the iBGP."

You removed router bgp 65006 and configured router bgp 65001. While establishing eBGP with R55/R56/R58, use local-as 65006? Did you use no-prepend replace-as, or doesn't the output require that?

I didn't use the "no-prepend replace-as" since it stated nothing about the BGP NLRI on either PEs or CEs. I just swapped the ASN from 65006 to 65001, kept the iBGP between the PEs but with AS 65001 and just configured local-as towards the CE.


Hi, my exam is in a few days. Just need confirmation on the below. It has always worked in practice; was this how you did it in the exam, according to your feedback?

R15, R16, R18 Redistribution

R15/R16
router bgp 65002
 redistribute ospf 1

router ospf 1
 redistribute bgp 65002 subnets metric-type 1

R18
router ospf 1
 redistribute bgp 65002 subnets metric-type 1

##########################

Section 4.1, you mentioned "deny". See my configs below, no deny

ip access-list extended TTL1
 permit esp any any
 permit pim any any
 permit gre any any
 permit ospf any any
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp

ip access-list extended TTL2
 permit tcp any any ttl eq 0
 permit tcp any any ttl eq 1

class-map match-all TTL1
 match access-group name TTL1

class-map match-all TTL2
 match access-group name TTL2
!
policy-map TTL
 class TTL1
 class TTL2
  drop

control-plane
 service-policy input TTL
