Jump to content

gfreeman

Members
  • Content Count

    26
  • Joined

  • Last visited

Community Reputation

4 Neutral

About gfreeman

  • Rank
    Member

Recent Profile Visitors

76 profile views
  1. Hi, All of them area available already in this forum, you just need a dilligent search.
  2. No issues with the DHCP snooping. If DHCP server claims there is no pool means the DHCP packets are unicasted to the DHCP server by the DHCP relay. Was client-id configured? was it correct? In my case there were no client ID configured.
  3. Hello, I did not tell to the proctor about the restart. he told us on the induction that we were free to manage our devices, plus the issue that I was having was a routing loop and probably he would have told me "You are a CCIE, you are supuosed to fix your issue". I talked to the proctor only when after restarting my devices, everything went to normal but my devices were showing DOWN on the manage devices TAB, but as I was able to connect the devices and type commands on them, he told me that no problem. Another thing to mention is about the mouse, you can adjust the speed but have to ask him to show you how.
  4. You don't have to touch R24 or R25 internet access and I cannot remember how it was done. You only touch R24 for the 3.4 task. I did not filtered L123 towards RR on R14 and 15, I did filter toward ISP by not advertising the R15 loopback123 via R14 eBGP connection and vice versa. This way natted traffic always come back via the link it was natted, and DC1 internet access just work. Hope it helps.
  5. This is what I did. !R14 ip pref L123 permit 123.19.99.0/28 route-map TO_ISP permit 10 match ip add pref L123 route-map TO_ISP permit 20 match ip add pref "other addresses they ask you to advertise" router bgp 65001 network 123.19.99.0 mask 255.255.255.240 nei ISP route-map TO_ISP out !R15 ip pref L123 permit 123.19.99.16/28 route-map TO_ISP permit 10 match ip add pref L123 router bgp 65001 network 123.19.99.16 mask 255.255.255.240 nei ISP route-map TO_ISP out
  6. ! R14 !preconfig int loopback123 ip add 123.19.99.1 255.255.255.240 ip nat pool NATPOOL 123.19.99.0 123.19.99.255 nextmask 255.255.255.0 !FIX basically you have to amend the nat pool to match the address range of loopback 123 becouse you advertise that addres range towards ISP. no ip nat pool NATPOOL 123.19.99.0 123.19.99.255 netmask 255.255.255.0 ip nat pool NATPOOL 123.19.99.2 123.19.99.14 netmask 255.255.255.240 !R15 !preconfig int loopback123 ip add 123.19.99.17 255.255.255.240 ip nat pool NATPOOL 123.19.99.0 123.19.99.255 nextmask 255.255.255.0 !FIX So: no ip nat pool NATPOOL 123.19.99.0 123.19.99.255 netmask 255.255.255.0 ip nat pool NATPOOL 123.19.99.18 123.19.99.30 netmask 255.255.255.240
  7. just configure the correct route-target import on R4/R5/R6, i did not deleted the wrong ones, there were 5 imports configured and I did not bother to delete the wrong ones. I mean this: None of the Corporate sites (except both Datacenters) may ever be used as transit sites for remote traffic. I just configured filter-list on R40/R41/R50/R51. ip as-path access-list 10 permit ^$ nei x.x.x.x filter-list 10 out I am refering to R13. R14 is the DMVPN hub and it will advertise MO prefix to RR, so you have to lower the local-pref so you match this requirement: - The MPLS path (via R50) must be the preffered path for both ingress and egress traffic because you cannot configure prepend on R51 or you will fail some outputs. Thank you.
  8. Hello Guys, I passed. Location: Lambda Bunker. Attemp: Episode X Don't forget to save time for proper verificaton of the outputs. Save config regularly. As soon as you finish with TS start with Diag as the time for diag is 30 minutes Fixed time. I saved 45 minutes from TS to use in config. Some devices were misbeheaving and I had to restart them. !=== TS ========================================================== !=== T1 === !SW400/SW401 conf t vlan access-map ATTACK 20 action forward !=== T2 === !R14 conf t router bgp 65001 neighbor DC1 next-hop-self !=== T3 === !R22/R23 conf t no access-list 1 permit 10.1.1.0 0.0.254.255 no access-list 2 permit 10.1.0.0 0.0.254.255 access-list 1 permit 10.2.1.0 0.0.254.255 access-list 2 permit 10.2.0.0 0.0.254.255 !SW101 conf t int E0/1 ip ospf cost 10 !=== T4 === !R21 conf t route-map LP permit 10 match ip address prefix-list LP set local-pre 200 !=== T5 === !R14/R60/R51 conf t int t0 ip ospf net point-to-mul no shut !=== T6 === !R15 conf t router bgp 65001 address-family ipv6 network 2001:CC:1E:8BAD:154::/104 !=== T7 === !R1 conf t interface Loopback0 ip ospf 10000 area 0 !R3 conf t interface Ethernet0/1 mpls ip !R4/R5/R6 conf t !there were alot of wrong imports configured, hence I !sho run | i 65003:3 yield no results ip vrf HollyMaya route-target import 65003:3 !=== T8 === !SW300/301 conf t int vlan 2000 ip dhcp relay information trusted !=== T9 === !R71 conf t interface Tunnel0 tunnel key 10000 !=== T10 === !R24/R25 conf t ip nat outside source static 201.99.70.2 <outside-local> (I cannot remember the correct IP) !=== DIAG========================================================== Just understand uRPF and you will be able to solve third ticket. !=== CFG========================================================== ! === Section 1 === !--- 1.1 --- The requirements clearly states all of the switches So verify all required ports are assigned to the correct VLAN. there were many other ports assigned to VLAN 1, I did not touch them. !--- 1.2 --- Just check the requirements properly, port numbers are different and scrambled a bit. Interfaces are already shutdown !--- 1.3 --- the no spanning-tree mst simulate pvst was there in just one of the switches. I enabled it by removing the NO. !--- 1.4 --- no coment. ! === Section 2 === !--- 2.1 --- no preconfiguration. !--- 2.2 --- ospf is already preconfigured, pay attention to additional loopbacks. vlan 2001 already advertised to BGP. !--- 2.3 --- ospf and bgp already preconfigured, missing some router IDs and netx-hop-self commands. no access to R100. Diagram you will see ospf pid 2 for partner network. ! --- 2.4 only bgp process preconfigured. !--- 2.5 you will not see references to additional-paths unles bgp is configured with multi-af mode. but you can check if multipath will work by looking to the neighbor capabilities negotiated during the open message. sh ip bgp nei <ip> | i apabi and also by looking at the sh ip bgp output !--- 2.6 On DC1, it mentions R14 configured as the other eBGP, plus on R14 and R15 have to advertise its own loopback123 to ISP otherwise internet access will not work. !--- 2.7 R30 and R31 have iBGP btween them, but they are connected to only one AS they will not become transit AS. So I just did it on R40/R41/R50/R51 !--- 2.8 nothing extrange here, just lower the local pref when advertising Medium Office network to route reflector, so return path to MO will always be MPLS. !--- 2.9 nothing to add here. Question is clear. !--- 2.10 SW100 is mapping aggent via L0. !--- 2.11 run out of time ! === Section 3 === !--- 3.1 get the route distinguiser from the ouputs, and configure rt imports and exports acordingly. ospf is already preconfigured. Check that is working, also check ldp nei too. and configure bgp vpnv4. !--- 3.2 I sneaked dmvpn config from TS and just prepare config by adding missing commands. !--- 3.3 There is a NAT pool on R14 and R15 that it is miss configured. so you have to ammend that. !--- 3.4 nat is already preconfigured. It happens User7 address is already part of the encryption domain, so no need to do double NAT. Just copied the config from R24, inverted the Crypto ACL and created and applied the crypto MAP and Bang. R24 is aready redistributing static on BGP just need to create a static route pointing to ISP address. ! === Section 4 === !--- 4.1 ip verify unicast source rx ! === Section 5 === !--- 5.1 I did not configure EMM.
  9. gfreeman

    Passed today

    If you think about it, the switch is using vtp version 2, so you can not create extended range vlans. That is how I understand it.
  10. Hello, If I am not mistaken, R15.R16,SW3 and SW4 are AS 65002, so no need to remove preconfig.
  11. Hello, Please see this topic. Everything has been answered there already. [Hidden Content]
  12. Hello xyber85, Could you please clarify point 7? Do you mean something like that: ip access-list extended WANTED_PROTOCOLS permit gre any any permit esp any any permit udp any any eq isakmp permit udp any eq isakmp any permit udp any eq non500-isakmp any pemrit tcp any eq bgp any permit pim any any permit tcp any any eq bgp permit ospf any any permit icmp any any ttl-exceeded permit icmp any any port-unreachable ip access-list extended TTL permit ip any any ttl lt 2 class-map match-all WANTED_PROTOCOLS match access-group WANTED_PROTOCOLS class-map match-all TTL match access-group name TTL policy-map CoPP class WANTED_PROTOCOLS police 10000 1500 1500 conform-action transmit exceed-action transmit class TTL drop control-plane service-policy input CoPP As oposed to the solution provided by C4C or Spoto? Could please clarify as well the porpose of the following you said? Thanks.
  13. Hello, Both are perfectly valid. Which one to use will depend on the wording of the question. If they say make sure site x it is not used as transit and do not use route-maps to achieve the solution, your choice is option 1. If they don’t put any restriction you can use the one you prefer.
  14. Aggrrr!! They have a limit on the number of times you can check for lab availability. Now I have to wait some time until I can check for available slots again, It says tomorrow so I guess it will be 24 hours.
  15. They have been shared many many times. Please do a search in the forum. [Hidden Content] [Hidden Content]
×
×
  • Create New...