
Firass81

  1. Thanks a lot, but the Google Drive link is corrupt; could you please give us the new link? Many thanks for the great effort. B. R
  2. Hey, I have already discussed this; as the previous comment says, there is no such question. But in reality it must go to the internet. So to do it, just add a default route with an AD better than the old one, if it was there, on router R51 with next-hop tunnel interface R14. Thanks.
  3. Hey man, all your basic config is correct, but what I want you to do next is:

     1. If you enabled TTL security, please remove the policy under control-plane, to see whether this TTL causes trouble or not.
     2. Better to remove capability-vrf under the OSPF process from the hub and leave it on the spokes.
     3. When you issue the ping command towards 8.8.8.8, you MUST know the source of the IP packet. With your ping, the source on hubs and spokes is the outgoing interface e0/0, and this interface does NOT belong to the VRF table!!! You MUST issue the ping with the source set to internal interface e0/1, which belongs to the VRF!!!
     4. Please double-check the VRF interfaces on hub and spokes: Loopback0, tunnel0, internal e0/1.

     Let me know what is going on. Regards
  4. Hey man, firstly: I would like to say that what you have done is correct; there is no misconfig or mistake in your config. Cheeeeers.

     Secondly: all your output isn't required in the exam, but it is a good point from you to assure that everything operates as expected. But please, in the lab exam you don't have much time to do it. Just make sure that all your config is made correctly and all exam output is perfectly good; then, when you have time, you can produce outputs to double-check and put a final touch on everything.

     Now back to your question:

     {{{ As per the requirement of VRF imports, SW2 which is in Jamesons Main Office should not be able to see Jamesons HQ and should not be able to see JACOBS }}}

     Sorry to say it, but you don't understand VPN routing policy very well. When you configure import & export route-targets, that means one thing: either directly routed or indirectly routed through another domain. Hence SW2, which is in Jamesons Main Office, SHOULD be able to see Jamesons HQ, but through the DC domain, and SHOULD be able to see JACOBS, again through the DC domain. Based on that, you see that all your config is perfect. All the best
  5. Hey, of course you can, as long as the exam doesn't force us to configure it in a certain way. But I would like to say, Cisco has a default config on TS1, TS2 as the web config, so I prefer to follow this default config as a plus point. All the best
  6. No, it would the old one renew it as CCIE Infrastructure... cheeeeers
  7. Hey, from the exam's point of view it is correct, because he asks to redistribute loop52. But in general we prefer your route-map without the tag, and it is better to use another route-map for the tag, as follows:

     On R52:

         route-map LO52
          match interface loop52

     and then redistribute it.

     On R52/51/50:

         route-map TAG
          set tag 172.172.172.172

     Under the EIGRP named process use:

         distribute-list route-map TAG out

     This is a safe way to get a perfect solution. All the best
  8. Hey,

     {{{ Can we use command eigrp default-route tag 172.172.172.172 on R50/51/52? Or need to do with route map? }}}

     No, you can't, because we use this command to tag only all internal EIGRP prefixes. The exam demands tagging external EIGRP routes too, and hence he asks to redistribute Loopback52. So better to do it with a route-map. All the best
  9. Hey man, very good questions,

     {{{ None of the switches can generate TC. }}}

     For this, please DON'T touch any preconfig for spanning-tree on all switches; it is correct. You only need to check access ports and routed ports. There is a requirement that asks to enable PortFast on all access ports, and hence that is what it means NOT to generate TC.

     {{{ Question: C4C solution has some configuration for R20 setting weight for neighbor in AS10000. I can't find any requirement related to this and in fact it violates section 2.8. }}}

     There is a preconfig output on the exam, and to match this output you must configure weight on R20.

     {{{ C4C solution says there is no configuration needed in DC1 to prefer path to AS65005 via AS10000 (MPLS). I don't agree. Since we have additional paths configured on R13 (RR), all the clients will get two routes and will decide based on the metric towards the BGP next-hop. I solved this by route-map on R14 setting LP to 50 towards R13. }}}

     You are right, we have to configure this route-map on R14 towards RR R13, to be on the safe side. And C4C is right because of the OSPF internal metric, but we do it to speed up convergence too.

     {{{ How should HQ get the RP info from DC1? As announcement from DC1 mapping agent, as announcement from HQ mapping agent or it does not matter? I can't find anything in the outputs determining this so I assume as long as your pings are working as expected this really does not matter. Or? }}}

     This is multicast, and the requirement asks clearly to depend on the unicast default route for announcements. And for the filter you MUST configure a multicast boundary as usual.

     {{{ Again, why the heck we need both IPv4 and VPNv4 peering? }}}

     Please, whenever you encounter VPNv4 you must disable default ipv4-unicast or at least open the ipv4 family. That is for BGP negotiation to know exactly the VPNv4 attributes. All the best
  10. Hey, what I studied, I did on paper, NOT on a laptop, and I gathered all information from this group. What you want is here: feedback, materials, and discussions. This group is really helpful. All the best
  11. Yes, better to change this metric. I have changed it to equal the one I have already configured on R57. Just do this in the 2 labs H2/2+.

      {{{ did you do section 4.2 about snooping and storm-control }}}

      Nope, I skipped this one, because I couldn't apply the command on web or eve-ng under the trunk interface on both SW5/6: storm-control ... Another guy has configured this command on a real IOS; it works for 2 or 5 hours, but not more. So I decided to skip this requirement; I didn't want to be stuck in a broadcast storm. Lost 2 points, better to lose the whole config. All the best
  12. Hey,

      {{{ then R15/16 inject this as type 1 into DC, then from SW4 point of view it will have two routes with the same metric towards 172.0.0.0, one through the MPLS type 1 and the other one through R18, then will load balance the traffic. }}}

      In this way, better to filter this prefix on R15/16 from inter into MPLS. In both labs H2/2+ it is forbidden to inject this prefix into MPLS on R15/16; that is why he asks about it. Anyway, in both H2/2+ the redistribute filter on R55/56 is correct; better not to touch it please, only change the EIGRP metric during redistribution. This redistribution correctly filters 172.0.0.0/8 from inter into MPLS, so R15/16 will not have this prefix again from MPLS. And on R15/16 you must NOT inject any prefix back, otherwise you will have a loop, and this will cost you much.
  13. Hey,

      {{{ do we config eigrp default-route-tag 172.172.172.172 on all routers running eigrp or route-tag notation dotted-decimal is enough? }}}

      No, we couldn't use this command eigrp default-route-tag 172.172.172.172. Only use dotted-decimal on all EIGRP routers; that is enough to meet the requirement.

      P.S.: Your config is perfect, you don't need anything else. That is what I did in the exam. All the best.
  14. Hey, I assume that your question is about H2+; if so, my answer would be for it: yes, you are right, I used metric-type 1 on R18, and I left all redistribution as default on R15/16:

          router ospf 1
           redistribute bgp 65002 subnets   -----> here the default is metric-type 2 (E2)

      In this way all DC devices would get the prefix from R18 with metric E1 and the prefix from R15/16 with E2, and all would prefer E1.

          router bgp 65002
           redistribute ospf 1   -----> the default here is to redistribute only intra and inter OSPF

      No worry about all external OSPF E1/2 being re-redistributed again into BGP, and this is a filter against a loop.

      {{{ how you set R55/56 in order to avoid the prefix 10.0.0.0/8 to enter the mpls ? }}}

      There is no fear here, because there is a preconfig to filter it in the exam, as follows; with a route-map or without it, directly using a prefix-list:

          ip prefix-list 172 deny 172.0.0.0/8
          ip prefix-list 172 permit 172.18.0.0/16   (this entry I think is like this)

      As you see, it implicitly denies 10.0.0.0/8 from entering the MPLS domain. That is it. All the best
  15. Hey, for your config on R71 I have got this:

      {{{
          ip nat pool L2L 10.7.0.1 10.7.0.254 netmask 255.255.255.0
          ip nat inside source list 101 interface Ethernet0/0 overload
          ip nat inside source list 102 pool L2L overload
          !
          access-list 100 permit ip 10.7.0.0 0.0.255.255 10.0.0.0 0.255.255.255
          access-list 101 deny ip 10.7.0.0 0.0.255.255 10.0.0.0 0.255.255.255
          access-list 101 permit ip any any
          access-list 102 permit ip 10.7.0.0 0.0.255.255 10.0.0.0 0.255.255.255
      }}}

      I think that is not the right way to do it. You must decide to enable NAT with a POOL or without it (using e0/0 as the NAT outgoing interface). You use 2 ways, and this would confuse router R71 about which access-list to use for NAT and encryption. What you MUST do is actually mirror all the config of R24 and apply it on R71, as follows:

          ip access-list extended L2LVPN
           permit ip 10.0.0.0 0.255.255.255 10.7.0.0 0.0.0.255

      Mirror on R24:

          ip access-list extended L2LVPN
           permit ip 10.7.0.0 0.0.0.255 10.0.0.0 0.255.255.255

      --------------------------

          ip access-list extended NAT
           deny ip 10.0.0.0 0.255.255.255 10.7.0.0 0.0.0.255
           permit ip 10.0.0.0 0.255.255.255 any

      Mirror on R24:

          ip access-list extended NAT
           deny ip 10.7.0.0 0.0.0.255 10.0.0.0 0.255.255.255
           permit ip 10.7.0.0 0.0.0.255 any   -----> (you can use permit ip any any, as the exam did with all NAT in the DC domain)

          crypto isakmp policy 10
           encr 3des
           authentication pre-share
           group 2
          crypto isakmp key HollyMaya address 201.99.24.2
          !
          crypto ipsec transform-set esp-aes esp-aes esp-sha-hmac
           mode tunnel
          !
          crypto map HollyMayaMap 10 ipsec-isakmp
           set peer 201.99.24.2
           set transform-set esp-aes
           match address L2LVPN

      For the NAT in the exam, there is a preconfig with a pool and a named ACL NAT, and all you must do is just enable the access-list named NAT on the nat command exactly as on R24:

          ip nat pool L2L 10.7.0.1 10.7.0.254 netmask 255.255.255.0

      If this pool is already there, you must double-check the loopback within this pool; I think it is already there. Otherwise you must check whether crypto works without it; if NOT, you must create it with the same mask as the pool:

          ip nat pool R71 10.7.0.1 10.7.0.254 netmask 255.255.255.0
          int loopback 10
           ip add 10.7.0.1 255.255.255.0
          route-map NAT permit 10
           match ip address NAT
          ip nat inside source route-map NAT pool R71 overload

      For the other configs it is correct. Just apply this config and let me know. All the best.
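
Added example, not part of the posts above or of any exam material: post 15 depends on the two IPsec peers' crypto ACLs being mirror images and on the NAT ACL denying (exempting) the traffic the crypto ACL protects before any permit matches it. This Python sketch checks both properties; the function names and the SITE_A/SITE_B labels are hypothetical, and the ACL entries are constructed from the addresses quoted in the post.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def _net(addr, wildcard):
    # An IOS wildcard mask is the bitwise inverse of the netmask.
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_ace(line):
    """Parse 'permit|deny ip <src> <wildcard>|any <dst> <wildcard>|any'."""
    tok = line.split()
    action, rest, nets = tok[0], tok[2:], []
    while rest:
        if rest[0] == "any":
            nets.append(ANY)
            rest = rest[1:]
        else:
            nets.append(_net(rest[0], rest[1]))
            rest = rest[2:]
    if action not in ("permit", "deny") or tok[1] != "ip" or len(nets) != 2:
        raise ValueError(f"unsupported ACE: {line!r}")
    return action, nets[0], nets[1]

def is_mirror(ace_a, ace_b):
    """True when the two peers' crypto ACEs are exact mirror images."""
    act_a, src_a, dst_a = parse_ace(ace_a)
    act_b, src_b, dst_b = parse_ace(ace_b)
    return act_a == act_b and src_a == dst_b and dst_a == src_b

def nat_exempts(crypto_ace, nat_acl):
    """True when the first NAT ACE touching the VPN traffic is a deny covering all of it."""
    _, src, dst = parse_ace(crypto_ace)
    for line in nat_acl:
        action, a_src, a_dst = parse_ace(line)
        if src.overlaps(a_src) and dst.overlaps(a_dst):
            covers = src.subnet_of(a_src) and dst.subnet_of(a_dst)
            return action == "deny" and covers
    return True  # implicit deny at the end: the traffic is never translated

# Constructed sample entries (addresses as quoted in post 15).
SITE_A_CRYPTO = "permit ip 10.0.0.0 0.255.255.255 10.7.0.0 0.0.0.255"
SITE_B_CRYPTO = "permit ip 10.7.0.0 0.0.0.255 10.0.0.0 0.255.255.255"
SITE_B_NAT = ["deny ip 10.7.0.0 0.0.0.255 10.0.0.0 0.255.255.255",
              "permit ip 10.7.0.0 0.0.0.255 any"]
# Same direction as SITE_B_CRYPTO but with the /16 wildcard from the quoted ACL 100.
WIDE_CRYPTO = "permit ip 10.7.0.0 0.0.255.255 10.0.0.0 0.255.255.255"
```

A /16 wildcard on one peer against a /24 on the other fails both checks, which is the kind of mismatch that leaves IPsec phase 2 selectors disagreeing or lets part of the VPN traffic be translated before encryption.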