Showing results for tags 'lab'.

Found 124 results

  1. Hi All, I have passed my written today. But I can't schedule my lab yet as the Cisco lab scheduling tool has not yet updated my exam records. I would just like to know if any seat is available for the lab in Feb. My CCIE friend told me there are no more seats available in all locations as per his check. Kindly confirm. I prefer an ASIA location.
  2. Hi All, I would like to sell my INE rack rental tokens for discounted price. I still have 1509 tokens. Kindly negotiate your many tokens you need, how your bidding price. Can PM me.
  3. Hi All, I am having some trouble in completing and verifying task 3.5. Has anyone else faced any trouble in that? Thanks in advance.
  4. Hi Friends, Can you share Tshoot materials/unl file/diagram for TS2.2, TS3.4 & TS4? I have the rest but am unable to get any feedback for the above Tshoot. As I have my lab coming up this month, any help is much appreciated. As always, thanks a lot for this wonderful community.
  5. Kindly share your ccie security lab experience...
  6. ntwrkpnc

    JNCIE Vendors

    Hello everyone! Who are the trusted vendors for JNCIE such as spoto for CCIE?
  7. BUCKLE UP GUYS! THIS IS GOING TO BE A DOOZY RIDE!

    Many parts of this will not exactly be compulsory requirements or instructions but rather suggested method used for attempting exam. There are several things that one can change or use a method however they see fit or comfortable with. This is based on TS1/Diag1 and Config is still same everywhere. I believe every location has very minor changes in Config but that's solely dependent upon the rack setup specific location has. Minor changes like interface mapping or devices preconfigured with something. Some locations might have preconfigured a particular while others might not have but nothing alarming. You should be able to figure that part out easily if you know what you are doing.

    Troubleshooting:

    This section is pretty straightforward and does not seem like there has been any major updates in questions or topology. If you have practiced the workbooks, you should be able to finish TS within an hour. In fact, your strategy should be to finish TS within an hour and start the next Diag section immediately because you will need that saved 1 hour in Config later.

    Regarding the questions and configurations: The question will definitely be same unless you get new version of TS BUT the number of breaks or configurations provided can be different from what you get in workbooks so they are very small changes. For e.g. in lab devices might have interfaces "administratively down" but that might have not been mentioned in the workbook.

    1. I would suggest that whichever device question is asking you to troubleshoot, ALWAYS start your attempt by running "show ip int brief" or "sh int ip brief" for ASAs and verify that all the configured interfaces are UP.
    2. I noticed that many of the questions in TS actually involve troubleshooting dynamic routing so second should be quick look of neighbor relation on particular device based on the topology.
    3. Many of the routers will have diagnostic messages popping up complaining about authentication failure so even if in your lab the diagnostics are off, verify that dynamic routing config matches on both ends. There will be 2 or 3 questions with either password mismatch or password not defined at all at one end. Refer the workbook for exact number.

    OR better yet, to save time even more just when you have realized that you got TS1, start fixing the breaks as per the workbook you are following (for e.g. Rahul Kashyap or PSL etc). If you have practiced workbooks enough, you should be able to do it from your memory.

    Diagnostics:

    Important Note: The only important thing that you should do in this section is that since this section is fixed 1 hour, as soon as you have realized the diag version you have received, mark your answers accordingly. The Diag questionnaire will be opened on one screen Fullscreen view but you will have other one available and as soon as you are done with marking answers, open notepad and start writing commands needed in Config section from your memory. For example ASAv tasks 1.1a and 1.1b, those should be easy to memorize and if you do it for one question the second one is same command but changing IP addresses or required command set of any other questions that you can from memory. Utilize your remaining Diag time doing that. You can later in config section just start copy pasting but of course it goes without saying PLEASE do double check your commands match to questions requirement for e.g. IP addresses or interface names.

    BUT do not just mark answers blindly, refer the material provided. If you have practiced and worked enough with all the topics and especially practiced a lot with Config section, you should easily be able to figure out the problem from data provided. Although I must say there are several questions for which provided data do not make any sense and you have to go with the memorized answer from Diag dump.

    Let me break down Diag1 questions:

    1. The answer is "Radius Shared key is Incorrect." Reason: The question mentioned that Auth failing with "Radius Request Dropped" error and in the Email Exchange provided, there will be Error Statement along with code "Radius attribute not accepted" or something along those lines. If you test this in lab with mismatch radius key between ISE and SW you should see these diagnostics on SW CLI.
    2. Another easily identifiable question from data provided. The Redirect ACL will have line "deny udp any any eq ...." so basically the redirect ACL not allowing DNS UDP traffic at all so no redirection occurring to ISE guest portal site.
    3. This can also be tested in lab, if you enable the option under Dot1x Windows Machine Interface Adapter --> Authentication --> Settings --> "Verify the server's identity by validating the certificate" then in ISE live logs, open the log report, you should see that 5400 Authentication Error. This problem will occur if you have this option enabled and the client machine does not have ISE self signed CA certificate imported under its Trusted Root CA repository. It's same to the Config section Dot1x task where it's instructed to turn that option off.
    4. This can also be verified from the Authorization Policy Screenshot provided in exam, for reference refer to this Configuration Example Article: [Hidden Content] Take a look at authorization policy and the rules. The first rule "2nd Auth" is the one required assign actual vlan to user after that have authenticated on Guest portal which was done via Redirection in the third Rule "MAC not known". BUT in exam, the authorization rule which would match to "Network Access:Use EQUALS Guest Flow" condition has permission set as "Workstation" group and CWA Profile again which is causing the Redirection over and over again.
    5. The screenshot will be provided of ISE --> Profiling Configuration tab which will have only Radius type probes enabled which are obviously not enough to profile Windows Machine.
    6. There will be screenshot of Commands set which will have argument "all" defined for command "show" which is wrong because well there is no such command "show all".
    7. Now this question I find most troubling because from provided data, different output of commands and processes details do not really indicate what the problem is so this one I memorized "L4 Traffic Monitoring Feature is on....". I think the reason why this answer is correct because there is only one more likely answer which is "One of the DNS servers might be issue" but in the logs/output provided in question show that device is able to resolve site name. It shows nslookup output.
    8. I believe the hint for this answer "Configure Default decryption policy pass-through" is actually provided in error output, where there is Certificate Bitmap Error which I believe is caused if there is MIM-scenario or in other words some intermediate device doing TLS inspection/Decryption/Encryption. This is also mentioned in one of the Cisco documents that Web Servers for e.g. some of Microsoft Sites do not like some firewall decrypting and encrypting traffic and one needs to define Decryption Pass through or exceptions.
    9. Also visible in logs output where it says that the first certificate is not verified. You will see there is only one certificate coming in and no other intermediate one.
    10. The config outputs provided will show that SBRS score is included in the Blacklist and should be in suspectlist. And the reason why is here: [Hidden Content] "Note: Cisco does not recommend that you reject or drop connections from SBRS "none" senders. If there were an issue that prevents a connection to the highly redundant farm of SBRS servers, your Cisco Email Security Appliance (ESA) would drop all of your inbound mail. In most cases, you should either use an ACCEPT or THROTTLE mail flow policy instead" Basically NONE score does not mean that the sender is bad, it's just that it has not been classified so blacklisting/dropping is not the right approach.

    >>>>>>>>>>>>>>>

    I have not seen data from other diag versions (Diag2 and variants) so cannot really define logic of answers in those but I am sure the logic should be same. If you look at the data provided in questions carefully then match every answer provided to it, you should be able to identify the right answer unless of course you are sure about received diag version then go crazy and mark answers based on your memory.

    Configuration:

    All right so this is the fun part. I am going to share the method and order that I would highly recommend. First, as soon as you see that you got the same config and everything which is highly likely since there is only one version of config yet, start with ISE first. All the questions that involve ISE are as follow: 3.5 4.1 4.2 4.3 4.4 5.2. Doing everything on ISE in one go and first hand will save you a lot of time because otherwise doing ISE config separately for every question you encounter will require unnecessary back and forth navigation.

    Step 1: As mentioned in Rahul config WB, disable password policy settings if needed, disable profiling probes, disable Vmware-Device Profile policy, disable suppression of authentication attempts under Protocol Radius. Refer Rahul WB, you will see what options I am referring above. Now start reading and verifying all those 6 questions if the details are same.

    Step 2: Define join AD point based on details in question 4.3 and also add your AD point under Identity Source Sequence "All_user_ID_Stores". The Internal Users should be first in order and second should be your defined AD point. Note: Most likely there will be one AD point already defined on ISE, check if it already points to cisco.com AD domain otherwise just do not touch it and add your own AD point.

    Step 3: Define Security Groups --> PC1 and PC2 based on questions 4.2 and 4.4

    Step 4: Define Authorization profiles. Essentially you will need total 5 profiles --> MAB_PC, Dot1x_PC, R1_SSH, AP_Prof and the fifth one (questions 4.2, 4.3, 4.4 5.2) needed is for IP Phone but for that you can use system default Cisco_IP_Phones as it already has required settings asked in question which is DACL permit ALL traffic plus it has Voice domain attribute selected. Of course if question asks you to add something else then create your own accordingly. Also, it would still be good idea to verify the system defined profile has all the settings needed as mentioned above.

    Step 5: Define Network Devices. Refer questions 3.5, 4.1, 4.2, 4.3, 4.4, 5.2 for details and verify IP addresses from topology (MGMT vlan 150). You will need total 4 devices ASA1V, SW2_P, R1 and ASA3 (do not forget to generate PAC file before saving).

    Step 6: Define Identity Groups. 3 User ID groups --> Anyconnect_Group, Dot1x_group, Lab_Admin (questions 4.1, 4.2 and 4.3 respectively). You will need total 3 Endpoint ID Groups --> MAB_PC Group, Cisco-IP-Phone, Cisco-Air AP. Two of these, you can use the default system elements. For e.g. Cisco-IP-Phone will already be there but for AP group you can either create your own OR if you navigate to Policy --> Profiling --> enable corresponding Group for Cisco AIR AP, it will become available in the list. The instructions are mentioned to do this in Rahul's WB. Now, the MAB PC MAC address you can get right away by logging into MAB PC machine and check under interface adapter.

    NOTE: some people might face the issue where MAB_PC MAC address is already profiled and listed in Endpoints list and if you try to add new endpoint there then it will throw an error "endpoint already defined" or if you try to edit the current endpoint then it will throw an error "You are not authorized to edit this endpoint". Also deleting the endpoint might not work so workaround is to open the defined MAB_PC Endpoint Identity Group and add the MAC from there. Even if this does not work, then simply use Vmware-Device group element in authorization rule later because the MAC address will be profiled as Vmware-Device.

    For AP and IP phone MAC addresses, you will get those after you enable authentication on SW interface and turn it on. First auth attempt will fail but that will get you the MAC addresses. You can also run show CDP neighbor command and see the phone ID "SEP<mac address>" that will help you identify the MAC address of device. Also you can see it under "show auth session" the failed addresses. Shutdown the interface --> disable the MAB PC adapter --> Add MAC addresses under MAB PC and Cisco-IP-Phone groups. Do not turn the interface back up until you have configured Authentication and Authorization rules. Basically adding these MAC addresses step you can do once you have configured the SW configuration when you get to that question. I would suggest keeping the MAB PC adapter disabled and let the IP Phone get authenticated and also receive IP address first. Similar for Dot1x PC, do the adapter authentication settings first before enabling SW interface and keep it disabled. Enable the adapter once you have done SW config.

    Step 7: Define users. Total 3 users --> admin1 (question 4.3 and assign it to Lab_Admin ID group, DO NOT forget to choose ADpoint for the password), ccie (4.2 and assign it to dot1x Group), cisco (4.1 anyconnect ID group).

    Step 8: Define Authentication Rules. Essentially total 4 rules will be needed. Check screenshots attached for reference.

    Step 9: Define Authorization rules. You will need total 6 rules. Check screenshots attached for reference.

    NOW ORDER OF ATTEMPTING QUESTIONS and TIPS:

    1. 1.4 (you can verify right away that EIGRP between R1 and R2 goes up)
    2. 2.1 (do all the config need on WSA first which includes 2.2 question as well and do Router side config)
    3. 2.2
    4. 1.1a NOTE: perform all basic network config as per requirement on ASA1v but do not ENABLE FAILOVER YET. Assign only single IP address on ASA11V management interface (, this will be needed to copy files onto ASA11V node.
    5. 4.1 NOTE: Once you are done with Anyconnect config, retrieve the client profile XML file via tftp and copy it to the Anyconnect client_PC and also to ASA11v node. In some locations, you might also need to copy Anyconnect image file onto ASA11v node. ASA1v might already have it. Otherwise it will be on Candidate PC, so copy on both nodes. Once you are done with Anyconnect config, and XML file plus anyconnect image uploaded to ASA11V, enable Failover now. The reason behind enabling failover after Anyconnect config and copying XML file onto ASA11v node because without those files, ASA11v node will not apply "anyconnect image and profile" commands under webvpn because it cannot reference files which are not there. EVEN if you copy the files afterwards, the wr mem replication will still not add those two lines, you will need to run "write standby" on active node to do full replication. Now for connecting Anyconnect, make ASA11v active first and connect anyconnect, in order to verify that it connects to ASA11v node as well. Once tested and Server1 Server2 redirection verified (question 2.1 and 2.2). Disconnect anyconnect, make the ASA1v active and then connect anyconnect. This will basically save you one round of connecting Anyconnect to ASA1v then to test on ASA11v and then back on ASA1v as it should left connected on ACTIVE ASA1V node.

       !!!!!!!!!!!!!!!!!! Around the time you are performing above tasks, if there is something loading or you are waiting idle then enable Multiple Mode on ASA1, ASA2, ASA3, ASA4 as that will require reboot so the nodes will be ready by the time you get to their question !!!!!!!!!!!!!!!!!!!!!!!!!!!
    6. 1.1b NOTE: Same logic here, do network config but not enable failover. Also no need to assign IP on ASA22V as this does not require copying anything on nodes.
    7. 3.1 Once you are done with this task, enable failover from question 1.1b. And same connecting to SSL VPN site logic order as above. Make ASA22v active first to test and then back to ASA2v. MORE IMPORTANT thing, make sure that both nodes have created gateway certificate "Show crypto ca certificates". Sometimes if you enable failover before doing SSL config, the nodes might not replicate the gateway certificate. So when you connect SSL portal with ASA22V, it would still work with default system Self Signed certificate but one would not notice it unless checked. So verifying certificates presence on both nodes is important.
    8. 1.2
    9. 3.4 (because you can verify task 1.2 and 3.4 right away)
    10. 5.3 (do this task now because it's better to synchronize clocks before generating certificates for task 3.2)
    11. 3.2
    12. 3.3
    13. 1.3
    14. 3.5 NOTE: Before starting this task, run following commands. On ASA3: "clear cts pac" "clear cts environment-data". On SW2_P: "clear cts pac" "clear cts environment-data" "clear cts credentials"
    15. 4.4 Note: As mentioned above, disable MAB_PC adapter after getting MAC address and add it to MAB_PC group on ISE. Enable adapter after you have done SW2_P config and authenticated phone.
    16. 4.2
    17. 5.2
    18. 4.3
    19. 5.1
    20. 2.3

    Note: The last 3 tasks are independent and small tasks so you can do them whenever you see fit.

    In order to make sense of most of the details above, you will need resources provided here on this post by Rahul: [Hidden Content]
  8. Could someone share the EVE-NG topology and VMs for CCIE Security Lab-5 please.
  9. Hi guys, we can discuss the lab exam preparation here. Here are the config part updates: [Hidden Content]
  10. These are some TS2 new issues I have seen. Please post if you have encountered any new issue in TS2. Updated 23/6/2018 [Hidden Content] Please post below if you have been reported with any new TS2 faults.
  11. Hello, I am having some issues with the configuration. Help please. 1. In Section 2.5, it says "Ensure that any prefix originated in any of these main site will not get advertise back to same site via redundant gateway." I think there are two variants for the lab, VRF and Non-VRF; how to achieve this requirement in the VRF one and Non-VRF one? Should we use Route-tap and distribute list? 2. Secondly, my HSRP is not working well. SW3 is in Active mode and SW4 Standby, and SW4 eventually becomes Active if SW3 is down, BUT I am not able to ping the Virtual IP address from the Standby Switch. The Virtual IP address, which is also the default gateway of PC 101, cannot be pinged from the PC either. As the PC cannot even ping its gateway, all the tests where PC 101 is involved fail. SW3 can ping SW4 vlan 100 and vice-versa. The DHCP is working fine. The L2 Interfaces are as follows: SW5 >> SW3 >> SW4 >> SW6. If anybody can help, please provide the config too. Best, xxcciexx
  12. Hey guys, There is a new variation of the config lab out. Two colleagues went for the exam yesterday and got it. 1. MST should be configured for Layer 2. 2. No etherchannel between SW3 & SW4. It is asked to block VLAN 34 on ether 2/0 and forward it on ether 2/1. This needs to be done without touching SW3. 3. R17 both physical interfaces are in VRF Corp. 4. The VRF names changed. No more red, blue, green. I still couldn't do the tasks 2 and 3. Regarding blocking of VLAN 34, we need to make all amendments on SW4. Can someone advise how we can achieve this please? And for the VRF: R17 both physical interfaces are in VRF. But I still couldn't manage to make OSPF neighborship between the Hub and Spoke. Can someone write me the config for Hub and Spoke? Both the tunnel interfaces are in VRF. Thanks in advance. XXCCIEXX
  13. Hi everyone In UNetLab 1.0.0-12 can add Cisco Firepower Please help me how to add Firepower to unl thanks
  14. Hi Guys, So I am following this CCNA Voice lab which is pretty good. It's just at 32:15 min, when he is showing the ephone-dn 1 part, I am getting an error (see below)

    R1(config)#
    *Mar 1 01:01:05.403: %DIALPEER_DB-3-ADDPEER_MEM_THRESHOLD: Addition of dial-peers limited by available memory
    R1(config)#
    *Mar 1 01:01:05.407: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed from 0x6003ACE0, alignment 8
    Pool: Processor Free: 51452 Cause: Not enough free memory
    Alternate Pool: None Free: 0 Cause: No Alternate pool
    -Process= "Chunk Manager", ipl= 3, pid= 1
    -Traceback= 0x61467204 0x60014798 0x6001A04C 0x6003ACE8 0x60039D94 0x60039B78
    *Mar 1 01:01:05.415: %SYS-2-CHUNKEXPANDFAIL: Could not expand chunk pool for VTSP EVENT poo. No memory available
    -Process= "Chunk Manager", ipl= 3, pid= 1
    -Traceback= 0x61467204 0x60039BBC

    I believe it's a memory issue but I can't seem to fix it. Can anyone help? Thanks
  15. Hi Team, Anyone planning soon for the exam in upcoming days? 1st or 2nd quarter or 2017? Any ongoing study groups so that we start studies and share information. Please PM me or comment here. Thank you!
  16. Hi Guys, Can anyone confirm going to CCIE security lab in Sydney? If so please send me a PM. Till now, I can't find anyone going to Sydney. Please do help
  17. guys please help me out which lab is coming lab 5 or lab 6
  18. Cisco CCNP Switch (300-115) Lab Manual All with GNS3 Complete course + labs: 2 in 1

    Cisco CCNP Switch 300-115 Lab Manual All with GNS3 – Free Download

    Description: Cisco CCNP Switch (300-115) Lab Manual All with GNS3 WEBRip | MP4/AVC, ~408 kb/s | 1360 x 768 | English: AAC, 61.8 kb/s (2 ch), 44.1 KHz | 2.01 GB Genre: IT & Software / IT Certification | Language: English | +Project Files

    This course is about Cisco CCNP Switch Labs (Exam No 300-115). The course covers all CCNP Switch curriculum in the lab formats, and also complete descriptions. This course is organized in 33 lectures and about 11 hours. Each lecture includes a file which accommodates the lecture's scenario and executed commands. You will find an extensive description at the first of each lecture followed by a practical lab so you have both demonstration and labs at your hand. The lectures are organized in a manner that takes you step-by-step from beginning to the end. After finishing this course you will be prepared for CCNP Switch 300-115 exam, and become familiar with how to do their related exercises with GNS3.

    What are the requirements? Students should have CCNA R&S level of knowledge

    What am I going to get from this course? Over 34 lectures and 11 hours of content! Be prepared for CCNP Switch 300-115 Exam. Master in CCNP Switch topics

    What is the target audience? This course is suitable for students who want to take CCNP Switch exam and also network administrators

    Download Links: [Hidden Content] from
  19. Hello Guys, I want to start preparing for CCIE R&S Lab. I want to know how exactly should I go like what all workbooks I have to download and from where will I get those. what is the procedure to start working on IOU labs also?
  20. In case of FCOE VE to VE or F to NP port do we need to allow vlan 1 on switchport trunk allowed vlan (As FCOE still works with or without vlan 1), what is the best recommendation for the lab to allow or not to allow vlan 1 or its not going to make difference.

    interface Ethernet101/1/20
      switchport mode trunk
      switchport trunk allowed vlan 1,10 (Why do we need to allow vlan 1)
    interface vfc2
      bind interface Ethernet101/1/20
      switchport trunk allowed vsan 10
      no shutdown
  21. Hello, I am going to take the lab exam on April 26, 2016. I have completed the INE training and on my Cisco CCIE360 practice lab. What I am looking for is an actual lab exam topology which I can import to my WebI-OU lab. It should be importable .gz file. Thank you so much.
  22. Hi everyone! Its topic is all about preparation to lab CCIE security 2016
  23. Guys Could someone please update us with Current active lab in bangalore. My exam is on April 8.
  24. would appreciate if someone share the link for written and labs . Need to give ccie security before the version 5 comes