I took my exam on June 14 , 2019 and was able to get my CCIE #.
Small Tips :
People might have already shared on this forum but trying to reiterate the same.
1. Try to understand the packet flow in each sub section of a lab (TS or config), it will be useful to troubleshoot the issues in exam time
2. In each sub section of lab ( For instance, DC1 in H3 config), practice configuring all protocols at the same time ( OSPF, BGP, STP, DHCP, Multicast and NAT)
3. Practice makes a man perfect. Therefore, there is no substitute for practice.
4. Until you select "Start lab", the timer for TS/Diag doesnt start in the computer. However the moderator/invigilator has different set of timings and he clearly mentions them on the board. So please be aware to click on the appropriate buttons on the page.
Section TS :
Ticket 1 : It took more than 20 minutes to realize that there is "port security" configured in SW410. Because in the practice labs, the faults were mostly in SW400/SW401. Since i understood the packet flow, i was able to crack it
Ticket 2: NAT was not configured (ip nat inside/outside) in R14. Once NAT was configured, traceroute from Server1 in DC1 to ISP got matched exactly
Fault 1: iBGP neighborship between R22 and R23 (BGP RRs) was down. In R23, the lo0 interface was part of a different OSPF ID.
Fault 2 : Advertised R12-R22 link and R13-R23 link on both R12 and R13( should not advertise on R22 and R23) to exactly match the traceroute output requested.
Fault 1 : R10 was advertising higher LP for Large Office (10.4) and Medium Office ( 10.5) networks. Two solutions - reduce LP in R10 or increase LP in R12
Fault 2 : BGP cost community attribute used in R20/R21. We can use the command to ignore the cost community in best patch calculation and also increase OSPF cost of R20 Lo0
Ticket 5 : DMVPN tunnel parameter mismatch. Traceroute expected from Server1 to small office vlan 100/101. Therefore OSPF between R60 and SW600 need to be established.
Spoke to spoke communication(R60, R51) has to be verified. This is very important
Ticket 6: Ipv6 DHCP server configuration needed to be added on Vlan 2001 in SW111
Ticket 7: MPLS password mismatch between peers in the MPLS VPN network (CISCO and CISC0 - Note the alpahabet "O" and number "0") - This was a very subtle difference and i was not able to crack it during exam hours- i actually removed the password and traceroute worked but probably might have lost marks for it.
Ticket 8 : DHCP server in HQ was providing incorrect GW ( Vlan 2001 HSRP IP was provided as GW to user in Vlan 2000 and vice versa). Modify the GW in DHCP server configuration and increase the DHCP lease timer to infinity.
Ticket 9 :
Fault 1 :NAT was incorrectly configured in R71. ( IP nat inside missing on the interface facing R70/NAS).
Fault 2 : DMVPN tunnel key mismatch between R24 and R71. Please remember to Copy paste the tunnel key from DMVPN HUB (R24) into Spoke (R71) and not vice versa
Ticket 10 :
Couldnt crack the NAT configuration. There was ACL configured on Server2 to permit only a few networks. I had inadvertently removed it without copying the existing config.
I used the whole 2 hours and additional 30 minutes but couldn't find solution in R24/R25.
Section Diag :
Need to select the following options from drop down list
a. show ip dhcp relay information trusted sources
b. Search for the first "DHCP discover" packet with source IP 0.0.0.0 in the packet capture and select the packet no
c. Highlight link between SW1-SW3
2. Attacker is 10.1.1.1, Server 10.1.1.2
a. Select the following options for question
TCP connection from a remote host to the router’s IP address 10.1.1.1 on port 1337
TCP connection from the router to 10.1.1.2
Download of a TCL script in memory via HTTP
Installment of a ransomware via a backdoor
b. sudo poweroff
c. tclsh [Hidden Content]
Section Config :
Config lab as per SPOTO its termed "A4" and in cert collection forums its termed "H1 plus"
Same as in WB. There will be additional VRFs(Yellow VRF) configured on R6 and R7 in the MPLS VPN (AS 12345). But eBGP neighborship has to be established as per requirement.
Questions were very precise. The network diagrams were very clear and easy to understand. Configuration was easy as i had practised well and i was able to complete them in 3 hours 15 minutes.
Then went for a walk outside the building for 15 minutes. Came back and finished all verifications (Traceroute outputs, Ping).
Use the command "no mpls ip propagate-ttl" to disable MPLS TTL propagation and match traceroute. Add weight in R20 towards R3 (INET VRF) because traceroute was very specific to go via R3 at all times.
Good luck everyone !