Hi fellow CCIErs,
I hope you all are having a great time studying and preparing for your lab. I will try to make this post about the 400-251 v5 lab and write down as much as possible from my experience.
I prepared through Rahul’s solution for all Diags, TS and Config. I assure you of one thing based on my experience: the solution alone won’t get you through this storm; I’ll explain why later. Let’s skip the part about how I prepared and jump to the day of the exam. The lab started on time and I got TS1. Let me explain the bugs I had in it.
Incident 1: For incident 1 everything was the same as mentioned by Rahul in the solution. The incident had no new catches, just follow the solution. Keep in mind that the total breaks are the places that need rectification.
Incidents 2 and 3: For incident 3, follow the solution, but also remember that the routes were entered wrongly and the DNS was incorrect.
Incident 4: For incident 4 the password entered for BGP neighborship was incorrect.
Incidents 5 and 6: In incidents 5 and 6, follow Rahul’s solution.
Incident 7: This is where I had to spend the most time. In this incident you first have to carefully check whether the Dot1x PC is part of any group or not, then add the corresponding identity to that group. Furthermore, my Dot1x PC’s MAC was added in workstation; I had to remove that static entry in order to get it authenticated. Some commands were also missing for Dot1x, which you can verify from Rahul’s solution. Also, the DNS was missing from the Dot1x PC and the user was not enabled. Here you have to be the most careful: if the authorization condition is part of any group, then ensure that the identity is also part of the same group, else move on. Lastly, my DACL was incorrect; although the task listed 3 incidents, I had to make changes in 4 places.
Incident 8: The MAC was already in the workstation group, although it was not specified in any authentication condition, only in the authorization condition. Commands related to MAB were missing from the switch port and the IP pool configurations were incorrect.
Incident 9: The SW port was shut and the rate limit had to be increased. This task was simple.
I finished the TS in 1 hour and 43 minutes.
This is the part that you have to be most careful about. I got Diag2+ and identified it using the username/password in Q7 after pasting it into Notepad. Then I had to scroll back to Q1 to verify it as well. Furthermore, candidates fail the most in Diags when it comes to security, as it is the most unstable. One key thing: you cannot skip the time of the Diag. It is fixed at 1 hour and you cannot move to the next section even if you have finished your Diag in 5 minutes. You can utilize this time by writing down commands in Notepad so that your time is saved. I finished my Diag in roughly 25 minutes, as I was very nervous in it, and then started writing commands. I was way ahead of the schedule I had planned. Moving on to config now.
1.3): Try writing the commands before you have even started config. Write as many commands for the tasks as possible. I had reached the commands for task 3.1 by then and I was hopeful that everything would go to plan, but little did I know that Cisco would introduce a comm (terminal) server and change all my interfaces, and I would have to revisit my commands, which wasted 20-25 minutes of my time. I deleted the FireAMP controller, restarted the PC and did task 2.3 (FireAMP connector) first. Then I completed all my commands. Then I moved on to all the web-based devices (FMC, WSA, ISE) and configured them in one go. NGIPS was already registered and some policies were made but were in a disabled state. I completed all web-based tasks. When I moved on to ISE I figured out I was unable to add the MAC of mab_pc in workstation, as it was part of some other group. One thing to notice here is that Cisco used the same NIC for TS as it used for Config. I would suggest restarting both the dot1x and mab PCs before moving on. One more point: you will not have a restart button on either the Candidate PC or the dot1x + mab PCs. You will have to do it through the command prompt. Furthermore, I then moved on to the Active Directory configurations and it kept on failing me. I made all the policies, but since I did not add any MAC of mab, I did not add any authentication condition for workstation. Then I moved on to the configuration of the devices, and here I will write one by one about the tasks I faced.
Task 1.1(a): No issue faced generally. Just had to change my interfaces in accordance with my pod number.
Task 1.1(b): Same as above.
Task 1.2: No issue faced.
Task 1.3: Interfaces were different from Rahul’s solution. Consult the pod number before proceeding. The SW had configurations of VLANs but no port-channel, and the individual ports were empty.
Task 1.4: No issues faced.
Task 2.1: No issues faced.
Task 2.2: No issues faced. Only DNS for WSA was wrong.
Task 2.3: No issue.
Task 3.1: No issues faced. Follow the solution accordingly.
Task 3.2: The certificate was expired and it did not allow me to enroll in the same certificate. I deleted the configuration of the server and generated a fresh key, after which it worked fine.
Task 3.3: R4 and R5 had no configuration of VRFs. All good till here. Cisco also had both ASes as 405 instead of 403. Prepare accordingly for this.
Task 3.4: I was unable to verify this task as I had some issues in the commands. Although I corrected them, I still feel I left it too late to work on it. Make sure you write commands slowly and carefully to avoid any potential mistakes.
Task 3.5: SW2_P already had a PAC file, and dot1x_pc and mab_pc had IPs assigned, which I suspect was due to TS. Make sure you delete all PAC files and credentials. Then apply the solution accordingly. I had to make the CTS connection through VLAN8. Furthermore, the SVIs were already configured. The ASA will have multiple ASDM images. I think I used the one having 782 at the end. Moreover, if it fails, try multiple images, as I was able to access the virtual ASAs using the same ASDM image but was unable to for the physical ASAs. Proceed with caution, as you might be nervous here.
Task 4.1: Make sure you upload the profile to both the active and backup ASAs. There are going to be multiple profiles present on the ASA and PC. Do not disturb them. The folder having the profiles will be hidden, so find it accordingly. One more point for both this and 3.5 was the TFTP server. I had no working TFTP server. I figured it out using the admin rights on my PC. You can transfer files between all PCs using that local PC. Please practice this once before appearing. I almost failed my lab due to this.
Task 4.2: The Dot1x PC got authenticated easily. The credentials were kept the same as those of TS1. Moreover, before verification the SW had downloaded the PAC file through the new credentials and the environment data was also downloaded.
Task 4.3: I did not read the question. It had different credentials from the solution. Another AD group was added. You will have to add a new group with the credentials provided in the lab. It was verified easily. Make sure you do not delete the already present group.
Task 4.4: I was unable to delete or modify the endpoint. After some time I tried editing the endpoint from endpoint identities, I think, and then it allowed me to add it. The MAB PC was now added to workstation and I updated my authentication policy.
Task 5.1: Easily done.
Task 5.2: SVIs were created and the SSID was made in accordance with the POD number. Furthermore, in my task it was clearly mentioned that we do not have to do anything on the wireless PC, so this task was also straightforward. I did the configuration on the WLC only, as the IP assigned was wrong. Nothing had to be done on the AP via CLI. Then the AP easily registered on the WLC and the task was verified.
Task 5.3: No issue.
Some key notes:
Make sure you have practiced TFTP well, as you might face an issue with that. There is also an issue with ASDM images. Make sure you know which image to use properly. The password for the comm server is ‘Cisco’. I had practiced for the last month on rack rental and was pretty confident about it. Make sure you read the question very carefully before proceeding. Practice the Diags using the outputs and don’t just memorize the questions, as you would get badly stuck.
Feel free to contact me in case you need further clarity. Since CertCollection was down this whole time, I couldn't post earlier.