This lab was not really difficult, but it was just the first of the section 2 labs I have attempted. I still have 2:16 left in the proctor lab session and here I am writing this blog. I have already graded it myself, and I graded myself hard as usual. I made some pretty dumb mistakes, but mostly I was in a rush and I was too anxious or too sure of myself to double-check everything. I barely looked at the DocCD. I scored a 77 and here are the mistakes:
Points, Task #, Excuse
-3 1.1 Didn't put the domain name at the end of the switch hostname. This was so CDP neighbors would be seen as cat.ipexpert.com, etc. Marked it to review, but never went back.
-1 1.3 Didn't put an enable secret for VTY access. Forgot that VTY access sends you to the > prompt and you need to have enable set. If I had verified that telnet was set up I probably would have caught it.
-3 2.2 PPP reliable link. Everything on PPP was right except this command. The wording of the task was "allow extra buffering for error recovery at layer 2." I did come across this command in the DocCD but I didn't make the connection.
-3 4.1 Forgot passive-interface loopback 0 on R5, R6, R7 and R8 in OSPF. Pure bonehead.
-2 4.7 I used "compatible rfc1583" instead of "no compatible rfc1583". The task said to disable the feature in 2328 regarding setting metrics in summary routes. I figured 1583 would disable the 2328 version. I didn't read about the command at all. Just found it in the DocCD and remember coming across it a couple of months ago.
-2 7.2 I used "show-timezone" instead of "localtime" in the service timestamps command. Just misunderstood the question. Reading it again, now it makes sense.
-3 7.3 Did not do snmp-server trap link ietf (no clue what this is). The task said to enable the traps supported in RFC 2233. Oh really?
-3 11.1 No byte-count was specified in the queue-list, but the PG had one. I used a queue limit in my CQ configuration. The wording of the question confused me, but now I see what they wanted.
-3 12.1 Time-range ACL was wrong. I had:
time-range WORKHOURS
periodic weekdays 0:00 to 7:59
periodic weekdays 18:00 to 23:59
access-list 101 deny tcp any any eq www time-range WORKHOURS
access-list 101 permit ip any any
But this still allows telnet traffic on Saturday and Sunday. Plus my theory on this task was different from the PG's. They had a permit statement with the time-range, a deny for all www traffic below that, then a permit ip any any. I used my theory on 12.2 but remembered to deny Sunday, Saturday, etc.
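To see exactly where the WORKHOURS ACL above leaves the weekend open, here is an added example (not from the post, the workbook or the PG) that parses both ACLs and walks them against every hour of a week the way IOS would. The corrected version and its 8:00 to 17:59 hours are my assumption of what the task wanted; it follows the structure the PG used: permit www inside the time-range, deny www below that, then permit ip any any. The parser handles only the subset of IOS syntax used here.

```python
"""Evaluate IOS-style time-range ACLs against sample timestamps.

Added example, not the workbook's or the PG's code. Supports only:
  time-range NAME / periodic <days...> H:MM to H:MM
  access-list N permit|deny PROTO any any [eq PORT] [time-range NAME]
"""
from datetime import datetime, timedelta

DAY_INDEX = {name: i for i, name in enumerate(
    ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"])}
DAY_GROUPS = {"weekdays": set(range(5)), "weekend": {5, 6}, "daily": set(range(7))}
PORT_NAMES = {"www": 80, "telnet": 23, "ssh": 22}

# The configuration from the post, as written.
ORIGINAL = """
time-range WORKHOURS
 periodic weekdays 0:00 to 7:59
 periodic weekdays 18:00 to 23:59
access-list 101 deny tcp any any eq www time-range WORKHOURS
access-list 101 permit ip any any
"""

# Assumed corrected version (the business hours are an assumption):
# permit www only while the time-range is active, deny it at every other time.
CORRECTED = """
time-range WORKHOURS
 periodic weekdays 8:00 to 17:59
access-list 101 permit tcp any any eq www time-range WORKHOURS
access-list 101 deny tcp any any eq www
access-list 101 permit ip any any
"""


def _minutes(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def parse_config(text):
    """Return ({range_name: [(days, start_min, end_min)]}, [acl entries])."""
    time_ranges, entries, current = {}, [], None
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "time-range":
            current = tokens[1]
            time_ranges[current] = []
        elif tokens[0] == "periodic" and current is not None:
            to_idx = tokens.index("to")
            days = set()
            for day in tokens[1:to_idx - 1]:
                days |= (DAY_GROUPS[day] if day in DAY_GROUPS else {DAY_INDEX[day]})
            time_ranges[current].append(
                (days, _minutes(tokens[to_idx - 1]), _minutes(tokens[to_idx + 1])))
        elif tokens[0] == "access-list":
            current = None
            entry = {"action": tokens[2], "proto": tokens[3], "port": None, "range": None}
            if "eq" in tokens:
                port = tokens[tokens.index("eq") + 1]
                entry["port"] = int(PORT_NAMES.get(port, port))
            if "time-range" in tokens:
                entry["range"] = tokens[tokens.index("time-range") + 1]
            entries.append(entry)
    return time_ranges, entries


def range_active(periods, when):
    """A periodic entry is active when the weekday matches and H:MM is inside the window (inclusive)."""
    minute = when.hour * 60 + when.minute
    return any(when.weekday() in days and start <= minute <= end
               for days, start, end in periods)


def evaluate(config_text, when, proto, dport):
    """Top-down first match, like IOS; anything unmatched hits the implicit deny."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    time_ranges, entries = parse_config(config_text)
    for entry in entries:
        if entry["proto"] not in ("ip", proto):
            continue
        if entry["port"] is not None and entry["port"] != dport:
            continue
        if entry["range"] is not None and not range_active(time_ranges[entry["range"]], when):
            continue
        return entry["action"]
    return "deny"


def www_permitted_slots(config_text):
    """Every (weekday, hour) in which a www packet sent at hh:30 gets through."""
    monday = datetime(2008, 9, 22, 0, 30)  # any Monday works as the reference week
    return [(day, hour)
            for day in range(7) for hour in range(24)
            if evaluate(config_text, monday + timedelta(days=day, hours=hour), "tcp", 80) == "permit"]


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("corrected", CORRECTED)):
        slots = www_permitted_slots(cfg)
        weekend = [s for s in slots if s[0] >= 5]
        print(f"{label}: www permitted in {len(slots)} hour slots, {len(weekend)} on the weekend")
```

Running it shows the original leaves www open for all 48 weekend hours because the deny only fires when the time-range is active, and a time-range built from "weekdays" is never active on Saturday or Sunday. The corrected form inverts the logic so that anything outside the active window falls through to an unconditional deny, which is why the PG's "permit, then deny, then permit ip any any" ordering needs no weekend entry at all.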
Other possible issues; these worked but didn't match the PG:
3.1 Didn't add the loopback to RIP on R2; it was in OSPF anyway. The task didn't say to put it in RIP.
4.1 I used point-to-multipoint on the NBMA; the PG used neighbor statements.
4.7 Didn't put the local name in the "ip host" command, only the neighbor.
5.3 Didn't set bandwidth before the eigrp percent command. Is it really needed? Maybe...
11.1 I already missed the points, but I had:
queue-list 1 protocol ip 2 tcp 3389
queue-list 1 protocol ip 3 tcp telnet
queue-list 1 protocol ip 3 tcp 22
PG had:
queue-list 1 protocol ip 2 list 101
queue-list 1 protocol ip 3 list 102
access-list 101 permit tcp any any eq 3389
access-list 102 permit tcp any any eq 22
access-list 102 permit tcp any any eq telnet
So anyway, that all adds up to 23 points. I don't feel too bad. I think I made progress in my time. I can do Frame Relay and switching pretty easily now. I rarely have problems with OSPF over Frame Relay. My redistribution skills are improving (TAG and DROP! when in doubt). I still get stumped on things like ACLs, QoS and some IP Services stuff.
Back to the lab...
Wednesday, September 24, 2008
I guess this link has the best details for the time-range issue:
http://ardenpackeer.com/security/tutorial-time-based-acl/