-4 2.2 PPP MD5 Authentication
I had this working right but the script said I needed "ppp eap identity
-4 3.2 OSPF
A load of OSPF configuration and I was not supposed to use a network statement on areas 256, 96 and 97. I used a network statement for R9's loopback costing me the 4 points. There were probably over 50 commands for this task and 1 command cost me.
-3 3.3 OSPF Authentication
Grading script was wrong. You didn't need a VL between Cat1 and Cat3 and the script was checking for one.
-3 7.3 IPv6 Security
Grading script was wrong. I had filters on all IPv6 interfaces but the script was looking for it on the wrong interface.
-3 4.4 BGP Path Selection
I had to engineer a next hop solution and I used the "set ip next-hop" in a neighbor route-map. The script didn't use a ping or trace to verify the solution so it did not know that my solution worked. Instead it came up with a bogus explanation.
-3 5.1 Multicast
What I do not like about the grading script is once it finds an error - it doesn't continue so you never get to see how the rest of the task would have been checked. In this case I did not put PIM in the loopbacks of the multicast routers. The task said all interfaces so I messed up on this.
-3 5.2 Multicast - Sink RP
I guess you're supposed to deny the RP groups in an ACL on your mapping statement when configuring a sink RP. Makes sense, otherwise you get the chicken/egg problem.
-2 6.2 System Management
This kind of crap pisses me off. I had to enable load-interval 60 on all interfaces and I forgot it on the port channels and loopback. Good grief.
-3 6.4 ECN
ip tcp ecn. I had no clue on this one.
-3 6.5 Local DNS
This is where the lab is screwed up. In this task R5 needs to telnet to R2 by name. But in a later task we have to block IPv4 telnet to R2 and only allow IPv6 via LOOPBACK IPV6 ADDRESS. The script does not use /source-interface and so it fails. I am going to bring this up with IPexpert.
-3 8.1 MQC
We were supposed to prevent R1 from sending unreachables without an interface command or rate-limit. The SG uses CPP to block them, pretty nifty. I used local policy routing to NULL 0 - probably not allowed but I could not think of another way.
-3 9.2 CBAC
The ACL the SG wants is supposed to be "strict". I allowed RIP and BGP and the SG only allows RIP. I guess BGP is included in the tcp router-traffic command but I will have to verify this. I actually thought about this but not enough to have me change it. I figured if I got it wrong I will be forced to learn a little more.
-3 9.4 TCP intercept
I did not configure any one-minute low/high options. I don't think the question asked for this, so I am not sure why they are there.
Well that's about it for today. The total score was 60 but I am pretty satisfied. I was able to browse the DocCD for some tasks I never heard of. This includes disabling the RFC 2217 option for telnet, MRM (which I got right), PPP EAP authentication, round robin DNS and some others.
This lab was heavy on the configuration and 4 point-tasks. This sucks because one little thing ruins the whole task. Plus, there was a bunch of little interesting topics on this lab I will probably blog about this week.
To become an ipexpert, you have to clear your lab or written exam. There are many CCIE bootcamps that provide the best training with proper knowledge.