Showing results for tags 'v5'.
Found 40 results

  1. INE - CCIE RS v5 IOU/EVE Lab Import Files. Description: INE CCIE RS v5 workbooks, original configs, topologies, and IOU/EVE import files to practice on IOU-web or EVE-NG emulators. The L2/3 switch image called "Iron" is a must-have for labbing but is not included here; nor are any images. DOWNLOAD LINK: [Hidden Content] [Hidden Content] [Hidden Content]
  2. Hello people! I wonder if anyone is able to upload (preferably as a torrent) all the INE ATC v5 videos in HD quality. There are posts here with only some of the files. It would be great for everyone if we had them all in one place! Thank you.
  3. rsv5

    Passed CCIE R&S v5

    Hi friends, I would like to inform you all that I recently passed the CCIE R&S lab. Now all of us would like to know what I faced in the lab; my answer: nothing new from what has been shared and/or discussed here, so I will not go into detail, but you are free to ask me. What I would like to say to the near-future lab takers is: focus on the lab topology's objective(s), as that's the key to solving it, be it Tshoot or Config. Some detail about the lab: TS: nothing new, faced 8x2-pointers & 2x4-pointers. Total = 16+8 = 24 points. DIAG: shared here in the Share Section. 3 questions, 2 parts per question, 1 point per sub-part, so 3x2x1 = 6 points. Config: VRF variant. Can't remember the points per section, but they should add up to 70 points so we have a full 100-point exam (TS+DIAG+Config). In the end a big thanks to this place CC.ORG and its members; I will not take names but we all know 'em. Thank you.
  4. Hi, I see there were a lot of successful results last year with H1/B1-6 etc. ... Have you heard of, or do you know, someone who got the number this year?
  5. In SECTION 3.1 it is written: "The ACME HQ network (AS12345) uses MPLS L3VPN in order to clearly separate remote site networks. The ACME corporate security policies are centralized and enforced at the San Jose site (AS 65112) for all remote sites. The policies require that all traffic that is originated from any remote sites (with the exception of New York office)." The question is incomplete, it seems. Can you please complete this question?
  6. vikasbenni

    Lab Topology

    In the lab exam, are the logical and physical topologies the same? And while going through the posts in the forum I got to know that Cisco also sometimes has preconfiguration errors. Are these common in the lab exam?
  7. Friends, I would like to share my lab experience; it was good. The place, seating, keyboard and all were good, but the PC response was sluggish. I couldn't clear TS, just missed it by silly mistakes, but did the rest and I'm pretty sure I must be in full in % terms... I will not post any updates regarding the lab, but would simply tell the future takers: be confident and believe in yourself, you can do it. Follow the topology and see what has been done where and why, and what would be the best resolution for that ticket without removing any existing command, or keeping that as a last resort. DIAG: read the data given, it can be done just fine. CONFIG: read carefully before doing any configuration; also very important to check the pre-config... Well, that's it... I will re-attempt soon; till then all the best to the other takers, here with us on CC.org or not. Thanks, GOD bless.
  8. Hello, Can somebody share this series please? _http://streaming.ine.com/c/ccie-rs-advanced-tshoot-v5
  9. CBT Nuggets - Cisco CCIE RS v5 All-In-One: 4.0 VPN Technologies. Instructor: Anthony Sequeira. Format: MP4. Size: 1.48GB. Part four of our series on the version 5 CCIE R&S training here at CBT Nuggets builds directly on the three previous parts. Here, you prepare for both the written exam as well as the lab exam on key topics involving virtual private networks. From the DMVPN to the GETVPN, master the technologies taking corporations by storm today — as they try and protect their data as it courses through the veins of public Internet connections. Virtual private networking technologies are now quite commonplace in corporate networks. Cisco has responded by adding many topics in this area to the Routing and Switching CCIE. This course ensures you are adequately prepared. And this area is tricky because some of the topic domains are written exam-only, while some are lab potential. To make matters more complicated, many of the topics have a potentially very deep scope, but not so for the Routing and Switching CCIE. This course covers these technologies to the extent you require. The topic list for this course reads like a "greatest hits" list for recent technologies, including MPLS, DMVPNs, site-to-site VPNs, and GETVPNs. These technologies are not just "nice to have," but are considered critical in many environments today. Just as you experienced in the previous three CCIE training courses, this installment provides the theory and the hands-on approach required to master the technologies for written and lab excellence. Topics are broken up into very detailed components to promote easy understanding, as well as pinpoint review areas. More Info: [Hidden Content] Table of Contents: 1. Welcome to Part 4 of CCIE RS v5 All-In-One (3 min) 2. MPLS Labels (8 min) 3. LSRs (7 min) 4. LSPs (7 min) 5. Bonus Tip: The Cisco Feature Navigator (5 min) 6. Label Distribution (7 min) 7. The LFIB (6 min) 8. Creating the Provider Core Topology (15 min) 9. Configuring Basic MPLS (8 min) 10. Verifying Basic MPLS (12 min) 11. LDP at the CLI (20 min) 12. Bonus Tip: Tracking Your Study Progress (7 min) 13. Troubleshooting the Provider Network (21 min) 14. MPLS PING (12 min) 15. MPLS Traceroute (9 min) 16. MBGP on the PE Devices (13 min) 17. VRFs on the PE Devices (12 min) 18. CE to PE Routing (12 min) 19. Redistr and Verif in the L3 MPLS VPN (20 min) 20. Extranet: Route Leaking (20 min) 21. GRE (12 min) 22. mGRE (8 min) 23. NHRP (7 min) 24. Introduction to DMVPN (7 min) 25. Building a Practice DMVPN Topology (15 min) 26. NHRP in the DMVPN - EIGRP (22 min) 27. IPSec in the DMVPN (9 min) 28. OSPF in the DMVPN (5 min) 29. QoS Pre-Classify (11 min) 30. Legacy Site to Site IPsec VPNs (16 min) 31. VTI Site to Site IPsec VPNs (14 min) 32. AToM (9 min) 33. L2TPV3 (10 min) 34. VPLS (9 min) 35. GET VPN (12 min) [Hidden Content]
  10. INE - CCIE RS Advanced Troubleshooting v5 (HD) Instructor: Dave Smith, CCIE #19125 (R&S), VMWare VCP Format: FLV Size: 20.5GB The CCIE Routing & Switching Advanced Troubleshooting video course download is a combination of lectures focused on a structured troubleshooting approach and advanced hands-on troubleshooting lab scenarios. The class is designed for students who want to solidify their troubleshooting skills, master a structured troubleshooting approach, and identify their weak areas. This is the only product on the market targeted exclusively at CCIE Routing & Switching troubleshooting topics. The lecture portion of the class covers topics from structured troubleshooting strategies and their application to isolating issues found at different layers of the seven-level OSI model. The lab strategy portion of the class covers such topics as what to expect the day of your lab, how to prioritize tasks, and how to manage your time. More Info: [Hidden Content] [Hidden Content]
  11. INE - CCIE RS Advanced Troubleshooting v5 (Compressed/MKV) Instructor: Dave Smith, CCIE #19125 (R&S), VMWare VCP Format: MKV Size: 2.0GB The CCIE Routing & Switching Advanced Troubleshooting video course download is a combination of lectures focused on a structured troubleshooting approach and advanced hands-on troubleshooting lab scenarios. The class is designed for students who want to solidify their troubleshooting skills, master a structured troubleshooting approach, and identify their weak areas. This is the only product on the market targeted exclusively at CCIE Routing & Switching troubleshooting topics. The lecture portion of the class covers topics from structured troubleshooting strategies and their application to isolating issues found at different layers of the seven-level OSI model. The lab strategy portion of the class covers such topics as what to expect the day of your lab, how to prioritize tasks, and how to manage your time. More Info: [Hidden Content] Table of Contents: 1. Advanced Troubleshooting v5 Introduction 2. Lab 1 Ticket 1 Part 1 3. Lab 1 Ticket 1 Part 2 4. Lab 1 Ticket 2 5. Lab 1 Ticket 3 6. Lab 1 Ticket 4 7. Lab 1 Ticket 5 8. Lab 1 Ticket 6 9. Lab 1 Ticket 7 10. Lab 1 Ticket 8 11. Lab 1 Ticket 9 12. Lab 1 Ticket 10 13. Lab 2 Ticket 1 14. Lab 2 Ticket 2 15. Lab 2 Ticket 3 16. Lab 2 Ticket 4 17. Lab 2 Ticket 5 18. Lab 2 Ticket 6 19. Lab 2 Ticket 7 20. Lab 2 Ticket 8 21. Lab 2 Ticket 9 22. Lab 2 Ticket 10 23. Lab 2 Ticket 11 24. Lab 2 Ticket 12 25. Lab 3 Ticket 1 Part 1 26. Lab 3 Ticket 1 Part 2 27. Lab 3 Ticket 2 28. Lab 3 Ticket 3 29. Lab 3 Ticket 4 30. Lab 3 Ticket 5 31. Lab 3 Ticket 6 32. Lab 3 Ticket 7 33. Lab 3 Ticket 8 34. Lab 3 Ticket 9 35. Lab 3 Ticket 10 36. Lab 4 Ticket 1 37. Lab 4 Ticket 2 38. Lab 4 Ticket 3 39. Lab 4 Ticket 4 40. Lab 4 Ticket 5 41. Lab 4 Ticket 6 42. Lab 4 Ticket 7 43. Lab 4 Ticket 8 44. Lab 4 Ticket 9 45. Lab 4 Ticket 10 Course Duration: 15h 25m [Hidden Content]
  12. Hi friends, can someone please share or point to a few PDF(s) that would cover the Advanced Services section of the Lab, i.e. SNMP, NAT, NTP, TACACS, etc.? Would be a great help, thanks.
  13. Hi, if anyone has the PDF or EPUB file for "Cisco CCIE Routing and Switching v5.0 Troubleshooting Practice Labs" or "Cisco CCIE Routing and Switching v5.0 Configuration and Troubleshooting Practice Labs Bundle (Practical Studies...)" by Martin Duggan, please share the link for the PDF, or if anyone knows where to buy it in India, please share the information! I saw it on Amazon, but it's too costly.
  14. Link to book on Amazon: [Hidden Content] It's also available here on this site, I believe. Seems like a great book, so go ahead and buy it. I want it in hardcopy, so I'm holding out for that. Anyway, it would be great if one of you gurus could set this up in IOU. I still haven't used IOU (I have a physical lab which GNS3 has complemented well so far).
  15. Original credit goes to the person who uploaded it on torrent; I have just made a mirror out of it. CCIE Routing and Switching v5.0 Official Cert Guide Vol 1. Links to file host: [Hidden Content] Direct link: [Hidden Content] [Hidden Content] [Hidden Content] [Hidden Content] [Hidden Content] For 4shared lovers: [Hidden Content] [Hidden Content] Torrent: magnet:?xt=urn:btih:F90957DF984AC9ECDC3F5685B9474F35D8419B9C&dn=CCIE%20Routing%20and%20Switching%20v5.0%20Officiel%20Cert%20Guide%20Vol%201.pdf&tr=udp%3a%2f%2fdenis.stalker.h3q.com%3a6969%2fannounce&tr=%2ahttp%3a%2f%2fopen.tracker.thepiratebay.org%2fannounce&tr=http%3a%2f%2fwww.torrent-downloads.to%3a2710%2fannounce&tr=udp%3a%2f%2ftracker.openbittorrent.com%3a80%2fannounce&tr=udp%3a%2f%2ftracker.publicbt.com%3a80%2fannounce&tr=http%3a%2f%2fwww.sumotracker.com%2fannounce&tr=http%3a%2f%2fdenis.stalker.h3q.com%3a6969%2fannounce&tr=udp%3a%2f%2ftracker.ccc.de%3a80%2fannounce Please share if anyone has the Kindle edition. *Refresh the page if after "Thanks" you are not able to see the content.
  16. Hello, I took the CCIE lab version 5 in Asia. I will report it.

    The result: Diagnostics: Pass; Configuration: Fail; Troubleshoot: Fail

    Question & Topology (This is not 100% sure, as far as I can remember)
    Topology -> the attached file

    TS (the following order may not be correct)
    Q1 VLAN mismatch + DHCP snooping? (+ ip host name?)
    Q2 PPP-CHAP + No route to hub?
    Q3 OSPF (max-metric is wrong?)
    Q4 EIGRP (bandwidth is wrong?)
    Q5 DMVPN
    Q6 MPBGP - MPLS
    Q7 BGP? (details unknown)
    Q8 BGPv6
    Q9 DMVPN with NAT (twice)
    Q10 Telnet to NAS (Router) (details unknown)

    Diag (fixed 30 min)
    Q1 Missing connectivity after replacement of SW3. My answer -> [sho ip int bri] + [ask the mac-address of host]
    Q2 DMVPN + EIGRP Flapping. My answer -> [select the hub router] + [suppress the EIGRP advertisement from all spoke routers]
    Q3 BGP Routing Policy. Drag and Drop + Drop Down List. Details unknown (due to timeout)

    Config: Topology is almost the same -> [Hidden Content]
    Question
    1. Layer2 + WAN
    1-1. VTP (avoid unknown unicast flooding?)
    1-2. VLAN assign
    1-3. Spanning-tree (rapid-pvst)
    1-4. WAN (PPP-CHAP) * No troubleshooting question
    2. Layer3
    2-1. OSPF
    2-2. EIGRP (+ two equal paths)
    2-3. EIGRP (use 64-bit metric?)
    2-4. EIGRP (on DMVPN)
    2-5. BGP (peer-group + RR)
    2-6. BGP (select exit point, avoid unreachable next-hop)
    2-7. BGP (details unknown)
    2-8. BGP Routing Policy
    2-9. OSPFv3
    2-10. BGPv6
    2-11. L3 Multicast
    3. VPN
    3-1. MPLS VPN 1
    3-2. MPLS VPN 2
    3-3. DMVPN
    3-4. Encryption of DMVPN
    4. Security
    4-1. banner
    4-2. Port security
    5. Service
    5-1. ssh
    5-2. [details unknown (ACL?)]
    5-3. Net flow
    5-4. NTPv4 in IPv6
    I hope this will help.
  17. Download link as follows: [Hidden Content] I request all experts to start integrating it into IOU for a decently configured practice lab for v5. Method for using it in GNS3 as follows: [Hidden Content]
  18. Hi All, this workbook is based off udilsd's cert 4 cluster IOU share. Note this is a work in progress, so router numbers, links and the general topology are not confirmed as of yet, but this is the best of what we have to go on. [Hidden Content] I will be updating the configs as we get more info in; please feel free to help ;-) green = verified, purple = not verified. I have also listed issues with the questions, so fill in the blanks please.

    Update 11.1.13: This is the best diag from crabs and his post [Hidden Content], so we have the answers to the questions here and the topology on crabs' post... This is the diag from our workbook, not too different. I can commit to updating all this, but if someone is interested, feel free.

    The 3 big q's that no one is passing are these (moved to the top):
    1) Ping internet q
    2) ACME branch HQ ping q
    3) MSDP - multicast q
    These are the game changers: if you do not get at least 2 of these you fail; the rest are easy.

    Q8 Ping internet 4.2.2.2 (OSPF to BGP Redistribution). [3 Points]
    Traffic going from host XX must reach 4.2.2.2 going through R1 over the internet. Fix the problem so that the extended ping results in 100% success. While you are resolving this issue, you are not allowed to create any new interfaces. Refer to the Troubleshooting guidelines to determine if your solution is appropriate.
    There were 2 faults. 1. The host had a default to the next hop; however the interface IP was not configured right, so traffic was not able to reach the next hop. After changing the IP of the host to the segment of the next hop (connected switch vlan 11), traffic reached till R2. Then checked it was advertising the aggregate address; however, when checked with sh ip bgp <aggregate prefix>, found that it's not being advertised to any peer due to suppression. Removed the suppression keyword and it worked.
    A) There was no peering between R1, R2 and R3, so we had to establish the eBGP peering towards R1.
    Explanations: Determine the next-hop IP address by pinging the interface broadcast address. Choose any random BGP number for the peering to create the error; then you can determine the BGP AS number of R1. Once peered you will receive the route. Note this does not propagate down to the PC; this issue is still unresolved. Noticed 4.4.2.2 was installed in the routing table of R2 after I configured eBGP to R1, and R4 received the route in BGP, but it did not enter the routing table (looks like invalid), so the issue looks to be here. Potential solution: bgp sync, next-hop issue, RIB failure etc. Please let us know...
    Current question issues: No one has solved this issue yet; information is lacking. Still waiting verification answers.

    Q9 MPLS. ACME BRANCH to HQ ping (2 Errors) [3 Points]
    Client 10.1.1.15 in RIP Domain AS65007 has to contact a Server 10.1.1.42 in OSPF Domain AS65006. Fix the problem. While you are resolving this issue, you are not allowed to create any new interfaces. Refer to the Troubleshooting guidelines to determine if your solution is appropriate.
    There were two faults: one, LDP was missing; second, R6 and R7 were not generating the labels when I checked with show mpls forwarding. I gave it around 25 min and it did not work, so moved on and came back after completing the rest of the tickets, and all of a sudden CEF clicked in my mind. I enabled CEF and it worked.
    R9 has a physical link to the OSPF Network behind R10. Check for a possible Sham Link. BGP to RIP Route Redistribution: route not getting from BGP to the last RIP Router in the queue. R8 has a best route to R9 going through R10 based on the lower IP Address of R9. Missing Route between R8 and two Routers in the series. Frame Relay environment multicast solutions:
    Possible errors are:
    A) R9 had MPLS configured with label protocol TDP. Change it to MPLS Label Protocol LDP.
    B) R8 is a PE connected to two P Routers. Both P Routers are missing the "ip cef" command. Add it.
    Show cmds:
    show ip cef
    show mpls forwarding-table
    show run | in mpls <--- to check what label protocol is running and also what the router-id for the label protocol is
    show mpls ldp neighbors <--- to verify or confirm that the LDP neighborship is being formed correctly
    show mpls forwarding-table <--- to verify if the prefixes are being transported correctly across MPLS
    show mpls ldp discovery <--
    show ip bgp summary
    show ip bgp all
    show ip bgp vpnv4 vrf Site-X
    sh run | se bgp
    show ip interface brief
    show cdp neighbor
    sh run | se ospf
    sh ip ospf n
    ! DEBUGS
    loggin on
    loggin con << not in lab
    ! loggin buffered
    access-list 133 per icmp an an
    debu ip pack detail 133 < note: don't see on CE or last-hop PE; no ip route-cache on interfaces
    debu mpls packets
    Current question issues: General lack of information here. Still waiting verification answers.

    Q7 MSDP Multicast on Frame Relay. [2 Points]
    PC1 in AS65005 has to get a Multicast Stream from R28 in AS65004. Fix the problem so the ping results: R28# ping 224.23.23.23 re 5. While you are resolving this issue, you are not allowed to create any new interfaces. Refer to the Troubleshooting guidelines to determine if your solution is appropriate.
    Possible errors are:
    A) R13 has an access-list blocking multicast traffic - could be the ip multicast boundary.
    B) R25 has an access-list blocking multicast traffic through a Policy in the Control Plane. Make the ACL deny traffic.
    C) R25 is missing the interface-level command "ip pim nbma-mode".
    D) Video streaming server R26 is missing "ip pim sparse-dense-mode" and "ip pim auto-rp listener".
    E) 7) MSDP multicast - Boundary access-list also had deny 224.0.0.0 0.15.255.255.255 or something - removed it from the access-list and got ping to work (thanks ciscopants).
    OR
    A) Check MQC Policy at R5.
    B) Access list denying 224.0.1.39 and .40 applied to the interface or control plane.
    C) Standard access-list applied to multicast boundary:
    access-list 10 deny 224.0.1.39 << change to permit
    access-list 10 deny 224.0.1.40 << change to permit
    access-list 10 permit any
    D) Auto-RP not properly configured. ip pim send-rp-announce Loopback0 scope 10
    E) Auto-RP filtered by UDP port 496.
    F) Wrong DR elected (hub point priority change, ip pim dr-priority).
    G) Check for command "ip pim auto-rp listener" on involved routers. Remains to be verified, because in boundaries denying .39 and .40 is usually part of the RP control mechanism solution.
    Explanations: Note: In AS65004 there is a frame relay area running multicast with multicast boundaries denying 224.0.1.39 and 224.0.1.40. MSDP Peering is UP. Use of Auto-RP 224.0.1.39 and 224.0.1.40 is denied at the border. Whether this is an error or not:
    R25
    access-list 100 permit ip any host 224.23.23.23 <<<< Make it deny (2 -ves = +ve)
    !
    class-map DRP
     match access-group 100
    !
    policy-map DRM
     class DRP
      drop
    !
    control-plane
     service-policy input DRM
    !
    interface Serial0/1
     ip pim nbma-mode <<<< Missing
     ip pim sparse-mode
    !
    interface loopback10
     ip pim sparse-dense-mode <<<< Missing
    !
    ip pim send-rp-announce Loopback10 scope 16 <<<< Missing
    ip pim send-rp-discovery Loopback10 scope 16
    Auto-RP filter by UDP port 496:
    ip access-list extended UDP
     deny udp any eq pim-auto-rp 224.0.1.0 0.0.0.255 eq pim-auto-rp
     permit ip any any
    Standard access-list applied to multicast boundary:
    access-list 10 deny 224.0.1.39 <<< change to permit
    access-list 10 deny 224.0.1.40 <<< change to permit
    access-list 10 permit any
    !
    interface Serial0/0
     ip multicast boundary 10 in
    Current question issues: Not sure of RP locations. Not sure if the boundary command is needed or should be changed to permit for .39/.40. Still waiting verification answers.

    Q10 MST. [2 Points]
    User has to ping a Server in two hops. Fix the problem. While you are resolving this issue, you are not allowed to modify the configuration of SW6. Refer to the Troubleshooting guidelines to determine if your solution is appropriate.
    Possible errors are:
    A) VTP Sync, Trunk config, STP, VLANs, etc.
    B) Both SW5 and SW6 are configured as VTP Client. Configure SW5 as Server.
    C) VTP Password Mismatch.
    D) SW6 is configured not to allow Vlan5 across its e1/1 trunk interface. Adjust priority on SW5 e1/1 for Vlan5.
    E) Vlan 56 was not allowed on the trunk between SW5 & SW6; we are not allowed to change any configuration on SW6, so change the port priority on SW5 to change the Trunk port.
    Current question issues: Not sure what the 2 hops are supposed to be, the switches or say R21 or R22? Anyone?

    Q1 IP SLA. [2 Points]
    The IP Service Level Agreement configured between R19 and R9 is not working as expected. Fix the problem so that it matches the following outputs. While you are resolving this issue, you are not allowed to create any new interfaces. Refer to the Troubleshooting guidelines to determine if your solution is appropriate.
    Answers
    ! 1) source/destination wrong way round.
    ! R19
    ip sla 9
     tcp-connect 10.1.1.19 1025 source-ip 10.1.1.9 source-port 1026
    ip sla schedule 9 start-time now
    2) no ip sla responder configuration

    Q2 BGP. [3 Points]
    R29 from EIGRP AS 65002 is not able to reach the Host on R19 in AS65006. Fix the problem so that R29 can ping R19: R29# ping 10.1.1.19 so lo0. While you are resolving this issue, you are not allowed to create any new interfaces. Refer to the Troubleshooting guidelines to determine if your solution is appropriate.
    Answers
    ! 1 R2 missing OSPF auth to R5
    R12(config-if)#int e0/0
    R12(config-if)# ip ospf message-digest-key 1 md5 cisco
    ! 2 R2 missing BGP config to R5
    router bgp 65001
     no bgp default ipv4-unicast
     bgp log-neighbor-changes
     neighbor 10.1.1.5 remote-as 65001
     neighbor 10.1.1.5 password 1 cisco
     neighbor 10.1.1.5 update-source Loopback0
     !
     address-family ipv4
      neighbor 10.1.1.5 activate
    ! 3 Note: only in our topology vert (believe they must be VRFs or in different OSPF VRFs/AS). R2 and R4 prefer 10.1.1.19 via OSPF; to fix: R9 area 2 range 10.1.1.19 255.255.255.255 not-advertise
    ! 4 Cluster ID issue: ensure cluster IDs are different between RRs to allow updates.
    Summary: R2, R3, R4 and R5 are route reflectors and share the same cluster ID, hence reflected updates with the same cluster ID will be dropped. Cluster ID is a loop prevention mechanism.
    R4(config-router)#do sh ip bgp nei 10.1.1.5 adv | in 10.1.1.19
    *>i10.1.1.19/32 10.1.1.9 0 100 0 65006 i
    R4(config-router)#
    debug
    R5#debu ip bgp updates
    BGP updates debugging is on for address family: IPv4 Unicast
    R5#clear ip bgp 10.1.1.4 in
    *Jan 4 16:25:00.174: BGP(0): 10.1.1.4 rcv UPDATE about 10.1.1.19/32 -- DENIED due to: reflected from the same cluster;
    ! INTERESTINGLY HERE R4, R2 AND R5 ARE CLUSTER ID 1, R3 CLUSTER ID 2. MAKES SENSE HERE TO CHANGE R5 TO CLUSTER ID 2 as they share dual homing to each area.
    Hint: The point of this ticket is to get the route on RR R4 going to R9.
    Hint: Ping continuously from Source to Destination and check when the problem gets solved.
    Possible errors are:
    A) BGP Session missing between R5 (RR) and R12.
    B) RR R5 has a Route to R9 whereas RR R4 has not. Check Cluster-IDs.
    C) Wrong Cluster-id on R4: Must be unique; change it to 10.1.1.4.
    Current question issues: Not sure if these are VRFs/areas or not? Still waiting verification answers.

    Q3 IPv6 Phone. [2 Points]
    R20 is acting as an IPv6 phone. Fix the problem so that the IPv6 Phone can reach R23 in AS65004: Phone# ping 2013:CC1E:1:1::23 so lo0. While you are resolving this issue, you are not allowed to configure the Auto-Tunnel feature. Refer to the Troubleshooting guidelines to determine if your solution is appropriate.
    Answers
    ! 1 Incorrectly configured tunnel: the R11 to R13 IPv6 Tunnel is DOWN.
    !
    interface Tunnel11
     no ip address
     ipv6 address 2001:CC1E:113::1/64
     ipv6 ospf 3 area 0
     tunnel source Loopback0 <<< add this
     tunnel mode mpls traffic-eng <<< change this to ipv6ip or gre
     tunnel destination 10.1.1.23
    Problem is NOT related to the MPLS Cloud!! The extra diagram provided on the exam shows that. Possibly wrong Tunnel Mode. Possibly a loopback interface or a router is not in the routing protocols. Check IPv6 Address auto-configuration on the IPv6 Phone. Possible OSPF neighbor problem: OSPF should be enabled through the tunnel. Possible Access-List implicitly denying Protocols 41 (GRE IPv4) or 47 (GRE IPv6IP).
    2) ipv6 unicast-routing and autoconfig default not enabled on the phone router.
    3) OSPF was not configured on the tunnel.

    Q4 DNS. [2 Points]
    Ping from R29 to www.abc.com or www.cisco.com should resolve and reach the Web Server in the same AS. The packet count under the ZBF map should increase with the ping traffic as shown in the output. While you are resolving this issue, you are not allowed to create any new interfaces. Refer to the Troubleshooting guidelines to determine if your solution is appropriate.
    Answers
    ! R29 client, R31 DNS server, R30 www.abc.com
    ! ensure each has the following
    ! R29 client
    ip domain-lookup
    ip name-server 10.1.1.31
    ! R31 DNS server
    ip dns server
    ip host www.abc.com 10.1.1.30
    Current question issues: Potential of ZBF in here? Still waiting verification answers.

    Q5 PPP Multilink. [2 Points]
    User should be able to telnet from R27 to R25. Fix the Network so R27 can telnet to R25: R27# telnet 10.1.1.25 /source loopback0. While you are resolving this issue, you are not allowed to create any new interfaces. Refer to the Troubleshooting guidelines to determine if your solution is appropriate.
    Answers
    ! 1 Multilink interface is down, so no shut on the serials.
    2 PPP is not configured correctly across the multilink and the multilink is missing the group statement, so add:
    int serial x/x
     ppp multilink
     ppp multilink group 1
    3 PPP multilink had a ppp chap hostname mismatch with its adjacent router on the username.
    4 Username was ccieR26 and username was cc1eR26.
    5 ppp authentication chap was missing.

    Q6 Frame-Relay QoS. [2 Points]
    Traffic that is marked with IP Precedence 5/ToS 160 coming from R26 must reach R23. Fix the problem so that the extended ping results in 100% success and matches the following screenshot - NOTE: the 30 second rate is 15000 bps. While you are resolving this issue, you are not allowed to create any new interfaces. Refer to the Troubleshooting guidelines to determine if your solution is appropriate.
    Answers
    A) Missing command "frame-relay traffic-shaping"
    B) CIR is too small and results in packet loss
    C) QoS Policy not applied to the DLCI
    Explanations: FRTS with MQC CB-Shaping. Multiple reposts about this q; still looking for the following points to be verified: 1 is this 2 questions? 2 rate supposed to match? 3 CIR value to get the rate?
    Final config
    !
    class-map match-all VOICE
     match ip precedence 5
    !
    policy-map FRTS
     class VOICE
    !
    map-class frame-relay FRTS
     frame-relay cir 16000
     service-policy output FRTS
    !
    interface Serial0/0
     load-interval 30
     frame-relay traffic-shaping
    !
    interface Serial0/0.345 multipoint
     frame-relay interface-dlci 253
      class FRTS
    Current question issues: This may be 2 questions, FRTS and MQC. Not sure of the rate to match. Not sure of the full config. Still waiting verification answers.
  19. Update 9.1.13: now moving this to a real workbook [Hidden Content]
    Update 04.01.13: going to tidy this up ;-) going to work this off udilsd's fantastic IOU with the 4 cluster one.
    ============================================================================================================
    Update 03.01.13 from member snjk: That R1 is not inside the Internet cloud. It is inside the pink box centrally placed above R2 & R3. The internet is simply drawn as a cloud with the word Internet. From my memory, I remember clearly that R31 is the device that you have named as server connected to SW6. That server is given the name R31 in the exam and it is this R31 they are asking to ping from the RIP client (for the MPLS qn). The IPv6 phone is given the name R19 in the exam. R27 is the DHCP/NAT box that is drawn in the exam as a thin rectangular box and named R27. That's all. regards, snjk
    Update 19.12.12: hi fellas - making a GNS3 topology for this; anyone who can help would be much appreciated! So PM me if interested. Now this is officially out, let's have some order here... Make this the master sheet of this new TS.
    Update 18.12.12: please ref howlers' diag and workbook [Hidden Content]
    Update 21.12.12: Hi All, GNS3 file uploaded [Hidden Content]
    Big note for candidates who receive this:
    1 take a notepad with you
    2 at the end of the day note down anything you remember and share with us: IP addressing | router numbers | technologies | q's | answers
    Combining the following threads.... [Hidden Content] [Hidden Content] [Hidden Content] [Hidden Content] [Hidden Content]
    Can people post or PM me as they get more info.... I am looking for updates and verifications on the diag questions/answers. As usual here: green (verified), purple (unverified), i.e. if you have updates to the diag, print it, add to it, scan it, put it on a filesharing site and PM me the link to update here. So we currently have / need: diag, see this link -> [Hidden Content]; working topology (scraped this for the minute till we get a PCL cert update really); questions / answers.
    ============================================================================================================
    1. IP-SLA: source and destination for the tcp connection were swapped. Answer: source/dest wrong way round - change works fine. Long story short, it's a misconfiguration; how hard can it be? Update from nerd 18.12.2: "diagram involved getting the tcp-connect thing with populating the table in sh ip sla stat. The ques was between R14 and R9. R9 already had ip sla responder. R14 had its wrong statement of ip source and destination; ports were 1025 and 1026 of source and dest. I swapped the source and dest ips..." student: he did not confirm that he fixed it, but I assume he did.
    ===========================================================================================================
    2. BGP: [ping/telnet from router in the EIGRP AS to the one where the IP SLA is] - BGP session was missing between RR (R5) and R12. Update 18.12.12, nerd / student77: 2. BGP ping through Core (3 pointer). Nerd could not fix this one, but another candidate claims to have fixed it through correcting misconfigured cluster IDs. More reading required on large-scale iBGP deployments. emula2000 [Hidden Content] 5) BGP: R4/R5's cluster-ids are the same, change it. << does that matter? did it start working? Had a little read [Hidden Content]: if a BGP router that receives a route from an iBGP neighbor is configured to operate as a route reflector and in the incoming update detects the presence of its own Cluster-ID in the Cluster-list attribute, it will reject the update. So with our topology with multiple RRs maybe this is a potential issue - keep in mind.
    ===========================================================================================================
    3. IPv6: the tunnel on the picture was down - I couldn't bring it up, but I think it was the same issue as you mentioned (remove mpls traffic-eng and add the tunnel destination). Summary: dual-stacked tunnels; don't think they are supposed to be mode mpls traffic-eng as it's not on the blueprint. Answer: change mode to gre, add source. Additional info... tunnels have no sources and are type mpls ts - add source, remove type. I.e.
    !
    interface Tunnel1
     ip address 100.1.1.1 255.255.255.0
     tunnel mode mpls traffic-eng <<<< remove this
     tunnel source xxxx <<<<<< add this
     tunnel dest xxxx
     no routing dynamic
    Additional... GRE tunnel. Configuration steps: 1, the GRE tunnel must be up; pay attention to the source and destination addresses. The error mentioned here is the tunnel mode error; it must be the same at both ends, GRE tunnel or IP over IP tunnel. Example:
    !
    interface Tunnel0
     ip address 100.1.1.9 255.255.255.0
     ipv6 address 2000:89::9/64
     ipv6 ospf 1 area 0
     tunnel source Loopback0
     tunnel destination 88.1.1.1
    2, enable the dual-stack function on the tunnel equipment: ipv6 unicast-routing. 3, configure OSPFv3 so it can establish OSPFv3 neighbors; possible errors: instance must be the same, ipv6 MTU (MTU ignore), area, RID. Do the same for ACL problems, etc. Of course, this tunnel may also be an IPv6IP tunnel.
    Update 18.12.12 nerd / student77: IPv6 phone cannot ping R28. "bgp is ping from bgp AS to eigrp AS with R4 and R5 there in between acting as RRs of the MPLS link also!! I HAD NOT used autoroute announce... Perhaps that might be an issue, yeah perhaps, but still confirm the diagram from someone who gives the exam... coz it's like the extra diagram of the IPv6 topology clearly shows that the tunnel didn't have anything to do with MPLS" "ping was to be made from the ipv6 phone to R28 I suppose... R11 to R13 has been configured as a tunnel.. the IPv6 diagram which is provided separately for the same shows that the tunnel had nothing to do with the MPLS core region; just enter the proper source which is loop 0... and then dest ip in an ipv6ip tunnel will be an ipv6 add.. DON'T use ip add for the same as it would be useless to use an IPV6IP tunnel; then the tunnel was up, no problem for pings between R11 and the ipv6 phone and no prob from R13 to R28, still the prob was between R11 and R13; tracing ipv6 showed ending on R13; no ipv6 access lists on R13 as well; it also had ipv6 unicast-routing, ipv6 cef" Student: Nerd clearly mentions that there was no indication as to whether MPLS was involved in this scenario. However he configured mpls te without the autoroute option and the results were the same. GRE did make matters worse, so that's a big no-no.. If we look at Dave's post he clearly mentioned that about a partially configured MPLS TE. Did some reading on that; there are some additional OSPF commands related to MPLS TE. Nerd identified that the problem lies between R11 and R13. So it all boils down to a f**king tunnel; don't know what form it is.
    ===========================================================================================================
    4. Ping www.cisco.com - ip domain-lookup missing, point to the DNS server and add ip host in the DNS server. Note: may have ZBF in here also (vaguely remember that). 3. dns qn.. ping www.abc.com.. it is a zone-based firewall concept and match protocol dns was missing.. and wrong application of zone security [Hidden Content] #12 pretty straightforward q
    R20(config)# do p www.cisco.com
    Translating "www.cisco.com" ... domain server (10.1.1.22) [OK]
    Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.23, timeout is 2 seconds: !!!! Success rate is 100 percent (5/5), round-trip min / avg / max = 40/61/76 ms answer DNS problems, a feature Example : R1 (PC): ip name-server 2.2.2.2 ip domain lookup R2 (DNS Server / Web Server): ip host www.cisco.com 100.2.2.2 ip dns server ! interface Loopback0 description DNS Server IP ip address 2.2.2.2 255.255.255.0 ip ospf 110 area 0 ! interface Loopback1 description Web Server IP ip address 100.2.2.2 255.255.255.0 ! Verification: ping www.cisco.com Translating "www.cisco.com" ... domain server (1.1.1.1) [OK] Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 11.1.1.1, timeout is 2 seconds: !!!! Error points: A client's ip domain-lookup is not configured 2, server-side ip host www.cisco.com XXXX is not configured update nerd 18.12.12 DNS here is a DNS server configured there... look for proper name server and all such small misconfigs... there are faults on name-server n web server... but still the problem wont resolve.. coz there was a misconfigured loopback wid 4.2.2.2 which is for abc.com (that u wud know from dns server and if u want by debug dns) that too i got to know after 15 mins of changin again n again and finally lookin for traceroute n it was goin somewhere on R15 perhaps over extended backbone... n it had a mask f 32 on it... so i guessed it might b preferred there so i just shut down that loopback... used clear arp-cache command on thruout the trace path n ping again to abc.com.. n der might b a question if there was already a loopback why wasnt it ping even to 4.2.2.2 instead f pingin to abc.com which i tried... it was in announced in rip!!!! good atleast that they didnt o else u might b stuck in dns servers as such!! thinkin dns aint resolvin name to ip and u rnt gettin echo replys!!! Student- we will need to look for this loopback and filter the route..not too sure whether we can shutdown interfaces. 
=========================================================================================================== 5. PPP: [telnet from R27 to R25] - ppp multilink was down - (ppp authentication was wrong) - username R27 password XXX was missing in R25 1. ppp authentication.. ip address was in ppp multilink group .. wrong username password, multilinkgroup not called in the interfaces..etc update nerd 18.12.12 - PPP multilink had ppp chap hostname mismatch with its adjacent router on username - Save and reload both Multilink routers after u think that you have done the config correctly. - Username was ccieR26 and username was cc1eR26 - ppp authentication chap was missing ======================= ======================= QOS bit (2 q's over lap here)... one on the root policy (q6)and one nested below (q8) =========================================================================================================== 6. QoS: same as you mention. Screenshot with QoS applied to the DLCI in R25. I believe the QoS policy was defined but not applied to the DLCI. (QoS over FR, there is no application map-class to DLCI?) / / (QoS over FR, there is no application map-class to the DLCI under?) answer here just not applied =========================================================================================================== Question 8 frame / qos - match this... q asks you to ping through this matching class voice tos 160 / precedence 5 R20(config)#do p Target IP address: 10.1.1.23 Repeat count [5]: 10000 Extended commands [n]: y Type of service [0]: 160 Type escape sequence to abort. Sending 10000, 100-byte ICMP Echos to 10.1.1.23, timeout is 2 seconds: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ! 
R22(config-map-class)#do clear counters Clear "show interface" counters on all interfaces [confirm] R22(config)#do sh policy-map int s1/1 | b DLCI 22 Serial1/1: DLCI 22 - Service-policy output: FRTS Class-map: VOICE (match-all) 1023 packets, 106392 bytes 30 second offered rate 15000 bps Match: ip precedence 5 Class-map: class-default (match-any) 34 packets, 2295 bytes 30 second offered rate 0 bps, drop rate 0 bps Match: any here nested policy under one above... answers 1enable frame traffic shaping 2 cir rate to 96000 from 1000 (pings fail !.!.!) due the rate being set to 1000 bits additional info... Another QoS in R25: ping was failing !.!.!.!.! (Some MQC policy was defined but not correct I guess). faults ini config the interface is missing frame-relay traffic-shaping also for the rate of 15000 do map-class frame-relay EEK frame-relay cir 1000 frame-relay cir 96000 <<<<<< change to get the rate above answers 1enable frame traffic shaping 2 cir rate to 96000 from 1000 (pings fail !.!.!) due the rate being set to 1000 bits 1) FRTS int s0 / 0 frame-relay traffic-shaping frame-relay interface-dlci 103 class FRTS ! map-class frame-relay FRTS frame-relay cir 1000 frame-relay bc 30000 sh traffic-shape statistics sh frame-relay pvc 103 2) nested CB-shaping over FR, this also may test / / Nested CB-shaping over FR, this may also test class-map VOICE match ip precedence 5 --- 5 traffic / / Matching priority traffic matching priority ! policy-map VOICE class VOICE priority percent 10 ! policy-map CISCO class class-default shape average 8000 shape adaptive 8000 service-policy VOICE --- nested call POLICY-MAP VOICE / / the Nested call POLICY-MAP VOICE ! map-class frame-relay CCIE service-policy output CISCO --- map-class call POLICY-MAP CISCO / / Map-class call POLICY-MAP CISCO ! 
int s0 / 0 frame-relay interface-dlci 206 class CCIE --- interface call MAP-CLASS CCIE Verification: Protocol [ip]: Target IP address: 12.1.1.6 Repeat count [5]: 50 Datagram size [100]: 1000 Timeout in seconds [2]: Extended commands [n]: y Source address or interface: Type of service [0]: 160 Set DF bit in IP header? [No]: Validate reply data? [No]: Data pattern [0xABCD]: Loose, Strict, Record, Timestamp, Verbose [none]: Sweep range of sizes [n]: Type escape sequence to abort. Sending 50, 1000-byte ICMP Echos to 12.1.1.6, timeout is 2 seconds: !!!!!!!.!!.!!.!!! Possible errors are: 1, no FRTS, program interface: int s0 / 0 frame-relay traffic-shaping 2, CIR is too small map-class frame-relay FRTS frame-relay cir 1000 --- transfer large frame-relay bc 30000 ======================= ======================= =========================================================================================================== 7. MSDP: I just remember that the PC in the picture had to get the stream from R28 but I don't know the issues. Question 2 frame multicast In area h there is a frame relay area running multicast with multicast boundaries denying .39.40 - need to change to permit, also msdp in in here but this is up, answer - permit multicast on the boundaries also 2 RP's between areas 2) multicast frame relay environment, while there may be cross-domain multicast use MSDP (MSDP peer is intact), from the description, use autp-rp .39 and 40 are denied at border, but whether this is not an error remains to be verified, because in boundary deny39 and 40 is usually RP control solutions Frame Relay environment multicast solutions: interface Serial0 / 2 ip access-group 100 in ip pim nbma-mode ip pim sparse-mode Auto RP misclassified: A.extended the list deny 224.0.1.39 and 40 applied to the interface, such as: access-list 100 deny ip any 224.0.1.0 0.0.0.255 access-list 100 permit ip any any ! int s0 / 0 ip access-group 100 in Note * applied to the control plane effect B. 
the standard list of application multicast boundary access-list 10 deny 224.0.1.39 access-list 10 deny 224.0.1.40 access-list 10 permit any int s0 / 0 ip multicast boundary 10 in C. no configuration MA or not configured elected the RP or configuration problem in Scope (TTL) ip pim send-rp-announce Loopback0 scope 10 ip pim send-rp-discovery Loopback0 scope 10 There might loopback port PIM is removed D. for auto RP, another may be rejected by the UDP 496 port, such as: ip access-list extended UDP deny udp any eq pim-auto-rp 224.0.1.0 0.0.0.255 eq pim-auto-rp permit ip any any E. for the PIM neighbors likely to reject 103 agreement or refuse to 224.0.0.13 F. is possible to modify the DR (hub point priority change, ip pim dr-priority) to register update nerds 18.12.12.MSDP- Regarding our topology commented “remember router number changes r19=r14 and r26 is video server, there is a DMZ configured with the help of accessible firewall in eigrp domain n for sure it had something to do with one of the tickets... but as i said, time was insufficient otherwise wud hd passed already” - MSDP peer was UP - R13 has access-list blockin multicast traffic - R25 has access-list blockin multicast traffic - Video streaming server had missin "ip pim sparse-dense-mode" and "ip pim auto-rp listener" Ping was successful Student: As nerd fixed this during the exam, we can safely assume this is fixable once u understand the topology/flow.However reading up on auto RP /boundary will not hurt. =========================================================================================================== 9. MPLS: PC had to contact a server in the Internet cloud. Couldn't check. (MPLS vpn involves) not much here ;-( new info 14.12.12 from #13 mulc there was a MPLS question. I don't remember all the details, but I found out, that PE router(top left corner) had best route to PE Router 9 over 10. Best route was based on lower IP address of R9 over R10. 
Router 9 had link to OSPF network (network behind R10). R10 is the bottom left corner. There were two mistakes in MPLS ticket. First one I have described it above, second one there was a route missing between PE, and two router which were in the series. I was not sure how to solve it, so I left it, maybe changing the best route on PE router. Or fixing the existing solution. And existing solution R9 had static route for that network. This is all I can remember from MPLS, other questions are already answered in this topic. Just one more strange behavior, There was a network in the bottom, which I don't see it in net.pdf, but client is there I just remember that client was unable to ping even the default gateway, but DG - L3 switch was able to ping back the client ??? I just found out, there is a router missing in the net.pdf diagram. Top left corner there was additional router between R4, R5 and left top corner router, it was so called extended backbone. I am not sure how it was connected. =========================================================================================================== 10. MST: [sW5 and SW6] - User had to ping Server (one of the SWs could not be modified) following screenshot (in one hop). Couldn't fix it so don't know what the issue was. 2. traceroute.. spanning tree mst.. spanning tree port-priority.. was. (Two layer problem, a device can not be modified, or hop? that is directly connected to nature is ultimately nothing but the VTP synchronization trunk, STP, VLAN division, etc.) update nerd 18.12.12. STP/MST “There seem to be two more routers in the area- bottom- left. the cisco topology suggests that there are two routers from which u have to traceroute in "TWO" hops!!” This should be straightforward. [Hidden Content] 3)MST Client traceroute Server need 2 hops. just VTP problem (maybe other variations..)
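Ticket 5 above (PPP multilink, telnet R27 -> R25) lists the faults the candidates hit but nobody in the thread posted a working config. The following is an added example written for this page, not a poster's configuration: a two-router MLPPP bundle with two-way CHAP, with the three faults the thread names (username/CHAP-hostname mismatch, missing "ppp authentication chap", member link not bound to the multilink group) marked. Hostnames R25 and R27 follow the thread; Serial1/0, Multilink1, the 10.25.27.0/24 subnet and the password "CCIE" are assumptions.

```cisco
! Added example, not from the thread. R25/R27 follow the ticket; interface
! numbers, addresses and the password are assumed.

! ---- R25 ----
hostname R25
! The local "username" must equal the CHAP hostname the peer sends, character
! for character. The thread's "ccieR26" vs "cc1eR26" is exactly this fault.
username R27 password 0 CCIE
!
! IP configuration belongs on the bundle interface, not on the member link.
interface Multilink1
 ip address 10.25.27.25 255.255.255.0
 ppp multilink
 ppp multilink group 1
!
! Member link: no IP, PPP encapsulation, CHAP, and bound to the bundle.
interface Serial1/0
 no ip address
 encapsulation ppp
! "ppp authentication chap" was the line missing in the ticket.
 ppp authentication chap
! Name sent to the peer; it must match the peer's "username" entry.
 ppp chap hostname R25
 ppp multilink
! Without this, the link never joins the bundle and Multilink1 stays down.
 ppp multilink group 1
 no shutdown

! ---- R27 (mirror image) ----
hostname R27
username R25 password 0 CCIE
!
interface Multilink1
 ip address 10.25.27.27 255.255.255.0
 ppp multilink
 ppp multilink group 1
!
interface Serial1/0
 no ip address
 encapsulation ppp
 ppp authentication chap
 ppp chap hostname R27
 ppp multilink
 ppp multilink group 1
 no shutdown

! ---- Verification (either router) ----
! Bundle state and the member links that joined it:
show ppp multilink
! Line protocol on Multilink1 must be up before telnet R27 -> R25 can work:
show interfaces Multilink1 | include line protocol
! On a username/hostname or password mismatch, the CHAP failure shows here:
debug ppp authentication
```

Both ends authenticate each other here, so each router needs a "username" for the other; if the lab only requires one-way authentication, the "username" and "ppp authentication chap" lines are needed only on the authenticating side, but the CHAP hostname the other side sends must still match that entry.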
20. CBT Nuggets - Cisco CCIE RS v5 All-In-One: 5.0 Infrastructure Security

Instructor: Anthony Sequeira
Format: FLV
Size: 684MB

NETWORKING
Part five of our series on version 5 CCIE R&S training here at CBT Nuggets builds directly on the four previous parts. Here, you prepare for both the written exam, as well as the lab exam on key topics involving security. From authentication and authorization to all kinds of control lists, master the technologies taking corporations by storm today as they work tirelessly to secure their networks.

Recommended skills:
Knowledge of CCIE RS v5 All-In-One parts 1 through 4

Recommended equipment:
GNS3
VIRL
IOS 15.x Cisco Routers

Related certifications:
CCIE RS v5

Related job functions:
Network admin
Network operations analyst
Network technician
Data Center admin
Data Center technician
Cisco-certified internetwork expert

Routers and switches from Cisco are readily armed to help secure your network environment. In this course (part five of our six-part series), you examine many of the security capabilities of Cisco routers and switches. Just as you experienced in the previous four CCIE training courses, this installment provides the theory and the hands-on approach required to master the technologies for written and lab excellence. Topics are broken up into very detailed components to promote easy understanding, as well as pinpoint review areas.

More Info [Hidden Content]

Table of Contents
1. Course Introduction (3 min)
2. AAA with Local Database (9 min)
3. AAA with RADIUS or TACACS+ (13 min)
4. 802.1X (8 min)
5. Other Device Access Controls (11 min)
6. Control Plane Policing (13 min)
7. VACLs and PACLs (11 min)
8. Storm Control (4 min)
9. DHCP Snooping (16 min)
10. IP Source Guard and DAI (8 min)
11. Port Security (14 min)
12. Private VLANs (13 min)
13. IPv4 ACLs (18 min)
14. IPv6 ACLs (7 min)
15. Unicast Reverse Path Forwarding (7 min)
16. IPv6 First Hop Security (5 min)

[Hidden Content]

Note: Thanks to the original uploader. I just gave more hosts for others ;D
  21. Please upload INE CCIE Routing and Switching v5 Bootcamp. [Hidden Content] Thanks and regards.
22. Hi, these videos are INE Security v5: [Hidden Content] Please support by buying long-term accounts. Thank you.
23. BUCKLE UP GUYS! THIS IS GOING TO BE A DOOZY RIDE!

Many parts of this will not exactly be compulsory requirements or instructions but rather the suggested method I used for attempting the exam. There are several things that one can change or use a method however they see fit or are comfortable with. This is based on TS1/Diag1, and Config is still the same everywhere. I believe every location has very minor changes in Config, but that's solely dependent upon the rack setup the specific location has. Minor changes like interface mapping or devices preconfigured with something. Some locations might have preconfigured a particular thing while others might not have, but nothing alarming. You should be able to figure that part out easily if you know what you are doing.

Troubleshooting:
This section is pretty straightforward, and it does not seem like there have been any major updates in questions or topology. If you have practiced the workbooks, you should be able to finish TS within an hour. In fact, your strategy should be to finish TS within an hour and start the next Diag section immediately, because you will need that saved hour in Config later.

Regarding the questions and configurations: the questions will definitely be the same unless you get a new version of TS, BUT the number of breaks or configurations provided can be different from what you get in the workbooks, so they are very small changes. For e.g., in the lab, devices might have interfaces "administratively down" but that might not have been mentioned in the workbook.

1. I would suggest that whichever device the question is asking you to troubleshoot, ALWAYS start your attempt by running "show ip int brief" (or "sh int ip brief" for ASAs) and verify that all the configured interfaces are UP.
2. I noticed that many of the questions in TS actually involve troubleshooting dynamic routing, so the second step should be a quick look at the neighbor relationships on the particular device based on the topology.
3. Many of the routers will have diagnostic messages popping up complaining about authentication failure, so even if in your lab the diagnostics are off, verify that the dynamic routing config matches on both ends. There will be 2 or 3 questions with either a password mismatch or the password not defined at all at one end. Refer to the workbook for the exact number.

OR better yet, to save even more time, as soon as you have realized that you got TS1, start fixing the breaks as per the workbook you are following (for e.g. Rahul Kashyap or PSL etc.). If you have practiced the workbooks enough, you should be able to do it from memory.

Diagnostics:
Important Note: The only important thing that you should do in this section is that, since this section is a fixed 1 hour, as soon as you have realized which diag version you have received, mark your answers accordingly. The Diag questionnaire will be opened on one screen in fullscreen view, but you will have the other one available, and as soon as you are done with marking answers, open Notepad and start writing the commands needed in the Config section from your memory. For example, ASAv tasks 1.1a and 1.1b should be easy to memorize, and if you do it for one question, the second one is the same command set with only the IP addresses changed; likewise the required command set of any other questions that you can do from memory. Utilize your remaining Diag time doing that. Later, in the Config section, you can just start copy-pasting, but of course it goes without saying: PLEASE do double-check that your commands match the question's requirements, for e.g. IP addresses or interface names.

BUT do not just mark answers blindly; refer to the material provided. If you have practiced and worked enough with all the topics, and especially practiced a lot with the Config section, you should easily be able to figure out the problem from the data provided. Although I must say there are several questions for which the provided data does not make any sense and you have to go with the memorized answer from the Diag dump.

Let me break down the Diag1 questions:

1. The answer is "RADIUS shared key is incorrect." Reason: the question mentioned that auth is failing with a "RADIUS request dropped" error, and in the email exchange provided there will be an error statement along with the code "RADIUS attribute not accepted" or something along those lines. If you test this in the lab with a mismatched RADIUS key between ISE and the SW, you should see these diagnostics on the SW CLI.

2. Another easily identifiable question from the data provided. The redirect ACL will have the line "deny udp any any eq ...." so basically the redirect ACL is not allowing DNS UDP traffic at all, so no redirection is occurring to the ISE guest portal site.

3. This can also be tested in the lab: if you enable the option under the dot1x Windows machine interface adapter --> Authentication --> Settings --> "Verify the server's identity by validating the certificate", then in ISE live logs, open the log report, and you should see the 5400 Authentication Error. This problem will occur if you have this option enabled and the client machine does not have the ISE self-signed CA certificate imported under its Trusted Root CA repository. It's the same as the Config section dot1x task where it's instructed to turn that option off.

4. This can also be verified from the Authorization Policy screenshot provided in the exam; for reference, refer to this configuration example article: [Hidden Content]. Take a look at the authorization policy and the rules. The first rule, "2nd Auth", is the one required to assign the actual VLAN to the user after they have authenticated on the Guest portal, which was done via redirection in the third rule, "MAC not known". BUT in the exam, the authorization rule which would match the "Network Access:UseCase EQUALS Guest Flow" condition has the permission set as the "Workstation" group and the CWA profile again, which is causing the redirection over and over again.

5. The screenshot will be provided of the ISE --> Profiling Configuration tab, which will have only RADIUS-type probes enabled, which are obviously not enough to profile a Windows machine.

6. There will be a screenshot of the command set, which will have the argument "all" defined for the command "show", which is wrong because, well, there is no such command "show all".

7. Now, this question I find most troubling because from the provided data, the different command outputs and process details do not really indicate what the problem is, so this one I memorized: "L4 Traffic Monitoring feature is on....". I think the reason why this answer is correct is because there is only one other likely answer, which is "One of the DNS servers might be the issue", but the logs/output provided in the question show that the device is able to resolve the site name. It shows nslookup output.

8. I believe the hint for this answer, "Configure Default decryption policy pass-through", is actually provided in the error output, where there is a Certificate Bitmap Error, which I believe is caused if there is a MITM scenario, or in other words some intermediate device doing TLS inspection / decryption / encryption. This is also mentioned in one of the Cisco documents: web servers for e.g. some Microsoft sites do not like some firewall decrypting and encrypting traffic, and one needs to define decryption pass-through or exceptions.

9. Also visible in the logs output, where it says that the first certificate is not verified. You will see there is only one certificate coming in and no other intermediate one.

10. The config outputs provided will show that the SBRS score "None" is included in the Blacklist and should be in the Suspectlist. And the reason why is here: [Hidden Content]
"Note: Cisco does not recommend that you reject or drop connections from SBRS "none" senders. If there were an issue that prevents a connection to the highly redundant farm of SBRS servers, your Cisco Email Security Appliance (ESA) would drop all of your inbound mail. In most cases, you should either use an ACCEPT or THROTTLE mail flow policy instead."
Basically, a NONE score does not mean that the sender is bad; it's just that it has not been classified, so blacklisting/dropping is not the right approach.

>>>>>>>>>>>>>>>

I have not seen data from other diag versions (Diag2 and variants), so I cannot really define the logic of the answers in those, but I am sure the logic should be the same. If you look at the data provided in the questions carefully and then match every answer provided to it, you should be able to identify the right answer, unless of course you are sure about the received diag version, then go crazy and mark answers based on your memory.

Configuration:
Alright, so this is the fun part. I am going to share the method and order that I would highly recommend.

First, as soon as you see that you got the same config and everything, which is highly likely since there is only one version of config yet, start with ISE first. All the questions that involve ISE are as follows: 3.5, 4.1, 4.2, 4.3, 4.4, 5.2. Doing everything on ISE in one go and first-hand will save you a lot of time, because otherwise doing the ISE config separately for every question you encounter will require unnecessary back-and-forth navigation.

Step 1: As mentioned in Rahul's config WB, disable password policy settings if needed, disable profiling probes, disable the VMware-Device profile policy, and disable suppression of authentication attempts under Protocol RADIUS. Refer to Rahul's WB; you will see what options I am referring to above. Now start reading and verifying all those 6 questions to see if the details are the same.

Step 2: Define the AD join point based on the details in question 4.3 and also add your AD point under the Identity Source Sequence "All_user_ID_Stores". The Internal Users should be first in order and second should be your defined AD point. Note: most likely there will be one AD point already defined on ISE; check if it already points to the cisco.com AD domain, otherwise just do not touch it and add your own AD point.

Step 3: Define Security Groups --> PC1 and PC2 based on questions 4.2 and 4.4.

Step 4: Define Authorization Profiles. Essentially you will need a total of 5 profiles --> MAB_PC, Dot1x_PC, R1_SSH, AP_Prof, and the fifth one (questions 4.2, 4.3, 4.4, 5.2) needed is for the IP Phone, but for that you can use the system default Cisco_IP_Phones, as it already has the required settings asked for in the question, which are a DACL permitting ALL traffic plus the Voice domain attribute selected. Of course, if the question asks you to add something else, then create your own accordingly. Also, it would still be a good idea to verify that the system-defined profile has all the settings needed as mentioned above.

Step 5: Define Network Devices. Refer to questions 3.5, 4.1, 4.2, 4.3, 4.4, 5.2 for details and verify IP addresses from the topology (MGMT VLAN 150). You will need a total of 4 devices: ASA1V, SW2_P, R1 and ASA3 (do not forget to generate the PAC file before saving).

Step 6: Define Identity Groups. 3 User ID groups --> Anyconnect_Group, Dot1x_group, Lab_Admin (questions 4.1, 4.2 and 4.3 respectively). You will need a total of 3 Endpoint ID Groups --> MAB_PC Group, Cisco-IP-Phone, Cisco-Air AP. For two of these, you can use the default system elements. For e.g., Cisco-IP-Phone will already be there, but for the AP group you can either create your own OR, if you navigate to Policy --> Profiling --> enable the corresponding group for Cisco AIR AP, it will become available in the list. The instructions to do this are mentioned in Rahul's WB.

Now, the MAB PC MAC address you can get right away by logging into the MAB PC machine and checking under the interface adapter. NOTE: some people might face the issue where the MAB_PC MAC address is already profiled and listed in the Endpoints list, and if you try to add a new endpoint there then it will throw an error "endpoint already defined", or if you try to edit the current endpoint then it will throw an error "You are not authorized to edit this endpoint". Also, deleting the endpoint might not work, so the workaround is to open the defined MAB_PC Endpoint Identity Group and add the MAC from there. Even if this does not work, then simply use the Vmware-Device group element in the authorization rule later, because the MAC address will be profiled as Vmware-Device.

For the AP and IP phone MAC addresses, you will get those after you enable authentication on the SW interface and turn it on. The first auth attempt will fail, but that will get you the MAC addresses. You can also run the show cdp neighbor command and see the phone ID "SEP<mac address>"; that will help you identify the MAC address of the device. Also you can see the failed addresses under "show auth session". Shut down the interface --> disable the MAB PC adapter --> add the MAC addresses under the MAB PC and Cisco-IP-Phone groups. Do not turn the interface back up until you have configured the Authentication and Authorization rules. Basically, this step of adding the MAC addresses you can do once you have configured the SW configuration when you get to that question. I would suggest keeping the MAB PC adapter disabled and letting the IP Phone get authenticated and also receive an IP address first. Similarly for the Dot1x PC, do the adapter authentication settings first before enabling the SW interface and keep it disabled. Enable the adapter once you have done the SW config.

Step 7: Define users. Total 3 users --> admin1 (question 4.3; assign it to the Lab_Admin ID group and DO NOT forget to choose the AD point for the password), ccie (4.2; assign it to the Dot1x group), cisco (4.1; Anyconnect ID group).

Step 8: Define Authentication Rules. Essentially a total of 4 rules will be needed. Check the screenshots attached for reference.

Step 9: Define Authorization Rules. You will need a total of 6 rules. Check the screenshots attached for reference.

NOW, ORDER OF ATTEMPTING QUESTIONS and TIPS:
1. 1.4 (you can verify right away that EIGRP between R1 and R2 goes up)
2. 2.1 (do all the config needed on the WSA first, which includes question 2.2 as well, and do the router-side config)
3. 2.2
4. 1.1a NOTE: perform all basic network config as per the requirement on ASA1v, but do not ENABLE FAILOVER YET. Assign only a single IP address on the ASA11V management interface (150.1.7.54); this will be needed to copy files onto the ASA11V node.
5. 4.1 NOTE: Once you are done with the AnyConnect config, retrieve the client profile XML file via TFTP and copy it to the AnyConnect client PC and also to the ASA11v node. In some locations, you might also need to copy the AnyConnect image file onto the ASA11v node. ASA1v might already have it. Otherwise it will be on the candidate PC, so copy it onto both nodes. Once you are done with the AnyConnect config, and the XML file plus AnyConnect image are uploaded to ASA11V, enable failover now. The reason behind enabling failover after the AnyConnect config and copying the XML file onto the ASA11v node is that without those files, the ASA11v node will not apply the "anyconnect image" and "anyconnect profiles" commands under webvpn, because it cannot reference files which are not there. EVEN if you copy the files afterwards, the wr mem replication will still not add those two lines; you will need to run "write standby" on the active node to do a full replication.

Now, for connecting AnyConnect, make ASA11v active first and connect AnyConnect, in order to verify that it connects to the ASA11v node as well. Once tested and the Server1/Server2 redirection is verified (questions 2.1 and 2.2), disconnect AnyConnect, make ASA1v active and then connect AnyConnect. This will basically save you one round of connecting AnyConnect to ASA1v, then testing on ASA11v, and then back on ASA1v, as it should be left connected on the ACTIVE ASA1V node.

!!!!!!!!!!!!!!!!!! Around the time you are performing the above tasks, if there is something loading or you are waiting idle, then enable Multiple Mode on ASA1, ASA2, ASA3, ASA4, as that will require a reboot, so the nodes will be ready by the time you get to their question !!!!!!!!!!!!!!!!!!!!!!!!!!!

6. 1.1b NOTE: Same logic here; do the network config but do not enable failover. Also no need to assign an IP on ASA22V, as this does not require copying anything onto the nodes.
7. 3.1 Once you are done with this task, enable failover from question 1.1b. And the same logic and order for connecting to the SSL VPN site as above: make ASA22v active first to test and then back to ASA2v. MORE IMPORTANTLY, make sure that both nodes have the created gateway certificate ("show crypto ca certificates"). Sometimes if you enable failover before doing the SSL config, the nodes might not replicate the gateway certificate. So when you connect to the SSL portal on ASA22V, it would still work with the default system self-signed certificate, but one would not notice it unless checked. So verifying the certificate's presence on both nodes is important.
8. 1.2
9. 3.4 (because you can verify tasks 1.2 and 3.4 right away)
10. 5.3 (do this task now because it's better to synchronize clocks before generating certificates for task 3.2)
11. 3.2
12. 3.3
13. 1.3
14. 3.5 NOTE: Before starting this task, run the following commands.
On ASA3:
"clear cts pac"
"clear cts environment-data"
On SW2_P:
"clear cts pac"
"clear cts environment-data"
"clear cts credentials"
15. 4.4 NOTE: As mentioned above, disable the MAB_PC adapter after getting the MAC address and add it to the MAB_PC group on ISE. Enable the adapter after you have done the SW2_P config and authenticated the phone.
16. 4.2
17. 5.2
18. 4.3
19. 5.1
20. 2.3
Note: The last 3 tasks are independent and small tasks, so you can do them whenever you see fit.

In order to make sense of most of the details above, you will need the resources provided here on this post by Rahul: [Hidden Content]
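The ordering the post gives for tasks 1.1a and 4.1 (stage the AnyConnect package and profile on both units, configure AnyConnect, only then enable failover, and use "write standby" if the files arrived late) is shown below as an added example written for this page; it is not the poster's configuration and not the lab's answer key. Unit names ASA1v (primary) and ASA11v (secondary) follow the post; the interface used for the failover link, its addressing, the failover key, the TFTP server 150.1.7.100, the file names, and the group-policy / tunnel-group names are all assumptions.

```cisco
! Added example, not from the post. Failover-link interface and addresses,
! the key, the TFTP server, file names and policy names are assumed.

! ---- Stage 1: on BOTH units, before failover is enabled ----
! The secondary will not accept an "anyconnect image" or "anyconnect profiles"
! line that points at a file it does not have, so those lines are dropped
! during replication if flash is empty. Copy first, on each unit.
copy tftp://150.1.7.100/anyconnect-win-4.6.00362-webdeploy-k9.pkg disk0:/
copy tftp://150.1.7.100/ccie_profile.xml disk0:/

! ---- Stage 2: AnyConnect on the unit that will be primary (ASA1v) ----
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.6.00362-webdeploy-k9.pkg 1
 anyconnect profiles CCIE_PROFILE disk0:/ccie_profile.xml
 anyconnect enable
!
group-policy GP_ANYCONNECT internal
group-policy GP_ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  anyconnect profiles value CCIE_PROFILE type user
!
tunnel-group TG_ANYCONNECT type remote-access
tunnel-group TG_ANYCONNECT general-attributes
 default-group-policy GP_ANYCONNECT
tunnel-group TG_ANYCONNECT webvpn-attributes
 group-alias ccie enable

! ---- Stage 3: active/standby failover, only now ----
! ASA1v
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover key CCIEfailover
failover
! ASA11v: identical except for the unit role; everything else is replicated
! from the primary once the pair forms.
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover key CCIEfailover
failover

! ---- Stage 4: recovery and checks, on the active unit ----
! If the files were copied after failover was already up, "write memory"
! does not resend the lines that were dropped; push the whole config again.
write standby
! Confirm the standby really holds the webvpn lines and the pair is healthy.
failover exec standby show running-config webvpn
show failover | include Failover state|Active|Standby
```

The same check applies to the SSL portal certificate the post mentions for task 3.1: after failover forms, "failover exec standby show crypto ca certificates" on the active unit shows whether the gateway certificate made it to the standby rather than assuming it did.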
24. Can someone please share their working Cisco ISE 2.3 qcow2 evaluation image for EVE-NG? Thanks.
25. Does anybody know the release date for VIRL and what the subscription charges will be for it?