
Saturday, January 31, 2009

IPexpert Volume 3 Mock Lab 1 - Take 2

I did this lab again today mainly to see how much I improved since the first time. If you're curious, here was my original post:

IPexpert Volume 3 Mock Lab 1 - Take 1

That was just over 5 months ago, and I more than doubled my score and finished in about half the time. I got a 91 this time, missing 3 tasks. The first one was a grading script error. The second one was a bonehead mistake because the task said to prevent odd routes and I blocked odd (BGP task).

The last one was tricky and I skipped it because I did not know how to complete it without messing up another task. It was 2 points vs 3 points and I took the 3-pointer. I will explain what the issue was and how to resolve it.

The first task had you allow telnet only on port 3005 of R9. Then you create a privilege 15 user named cisco with a password cisco. The next task says that the user cisco should only be allowed to do show commands and not configure anything. Menus are not allowed.

Well....since user cisco is a level 15 user he can do anything he wants. And he HAS to be a level 15 user according to the first task. The solution was to configure AAA which basically ignores privilege levels that are assigned to username commands. Now, when user cisco logs in, he is actually in level 1 and he cannot get to configuration mode (without an enable password). Do you think this violates the previous task?

Anyways, it felt good to know that I have retained a lot of info. I'm going to do another mock lab tomorrow morning from IPexpert (Before the Super Bowl of course!). Then next week I have an IE mock lab and another proctor lab session scheduled. The week after that, it will be Cisco Assessor Labs on the 14th and 15th (if my schedule gets accepted).

That leaves one more weekend of nothing which I plan on just reviewing and tying up loose ends. Probably play around on the home lab most of the time. Then the next weekend I will be in San Jose :-)

Sunday, January 25, 2009

IPexpert Volume 3 Mock Lab 9 Review

This lab was actually pretty fun, though I made a lot of mistakes. I was short on time so I did not have any time to verify. I had a previous conflict in schedule so I had to take an hour+ off in the middle of the lab. There was a little bit of everything here from IPv6 redistribution, routing loops (if you're not careful), mls qos, hierarchical MQC, and some interesting multicast stuff.

Here's a summary of what I missed:

IGP

Forgot to add "no-summary" to an NSSA ABR. The task said "no intra-area" routes, and I guess I saw "no inter-area" instead.

I needed to traffic engineer OSPF to influence path selection in two directions, and I only did one way. I was going to come back after all the redistribution tasks, and I did not have time.

R1 was to only accept RIP routes from BB1. Without using authentication, the way to do this would be to make RIP AD 255, then use another neighbor-specific distance command for BB1. I missed this.

BGP

I had to prevent BB1/BB2 routes from being exchanged with each other. Usually you would use an as-path filter, but the task did not allow this. I used community no-export, which I knew was over-filtering but for some reason I still used it. I should have just used community values like a tag, and then drop them on the way to each BBR.

I also had to find out what timers BB1 was using without looking at the config. I thought if I debugged keepalives I could tell. This does not work if your router has lower configured timer values. The peers use the lower value. The answer was to make your timers really high and then see what is negotiated. This is something I have read before but for some reason it didn't stick. I shall never forget again.

Multicast

I missed all 3 multicast tasks which was surprising because I am usually strong in this area. We need to make R6 an RP for the GLOP address ending with a 1. I used 233.0.0.1 but the middle octets are supposed to be the AS number (5051). Also, my multicast rate limiting statement wasn't specific enough because I didn't use a source list. And then I forgot "filter-autorp" at the end of my multicast boundary statement. There was a lot more than this to configure but these items cost me the points.

Services

On DHCP, I forgot to disable dhcp conflict logging which I need to start remembering to do. I never disable it and I never have any problems, but the PG always has it disabled.

Security

Finally I missed a VTY security task to limit "telnet" access to only certain hosts. I made the ACL but forgot the transport input telnet.

One more volume 3 lab to go, which I start in a few hours. Next weekend I plan on doing Lab 1 again. This is the one I bombed on back in July when I was a wee little CCIE wannabe. It's been long enough for me to forget the details of that lab, so I want to see how much I have improved.

Monday, January 19, 2009

IPexpert Volume 3 Mock Lab 8 Review

At first read through, this lab appears very difficult because of the number of routing protocol domains. 2 EIGRP domains, 3 OSPF domains, 1 RIP domain and almost every router and switch running 2 or 3 protocols. I attacked this by creating ACLs matching every set of networks, for example:

ip access-list standard EIGRP134
ip access-list standard EIGRP24
ip access-list standard OSPF1
ip access-list standard OSPF2
ip access-list standard OSPF3
ip access-list standard RIP

Each ACL contained the networks in that domain. I then altered distance on each border router as needed so I could force the router to learn a route from that direction. In OSPF you can only specify one distance command so I had to merge the RIP and EIGRP ACLs in one case. The goal was to prevent route-feedback by ensuring that routes were learned through the best protocol to begin with. It took me about an hour but it worked great.

Another task had me configure clustering which is not as hard as it seems. A few commands on the commander and I was done. I had to read through the DocCD to figure some stuff out.

Side note: If you need to ping your own interface on a frame-relay task but are not allowed to use "frame-relay map", you can use Multilink interface and run MLPPPoFR.

BGP Section was pretty convoluted and I did not complete it. The main section revolved around using prepends so that distant ASes would disallow certain networks. I thought I could do this, but I did a bad job of reading ahead so I did not have the required confederations for this task. I did not feel like going back and re-doing BGP.

Another new command: "no service disable-ip-fast-frag"

IPv6 was pretty easy, I used tunnels to get everywhere.

QOS: Misunderstood the Flow Based WRED task, instead configured WRED + WFQ in a policy-map. I also configured the Be wrong and forgot adaptive shaping in a FRTS task.

Last task said to keep traffic stats for a host that might be under a DoS attack. I used accounting, but the PG has ip source-track. I should have got this, as I was just reviewing this topic in the DocCD last week.

I am not doing as good as I want to be doing. The last few labs in Volume 3 have been tougher, but there's nothing that I should not be able to get or find in the DocCD at this point. It's just a matter of staying focused and keeping the skills sharp.

Sunday, January 18, 2009

IPexpert Volume 3 Mock Lab 7 Review

This is a very challenging lab. I missed quite a few things, and there was a LOT of troubleshooting involved when things wouldn't work.

To begin with, all switches have dot1q trunk links to each other. However SW2 and SW3 are using flex-links. At first nothing seems wrong, then all of a sudden in the IGP section, SW1 becomes unbearably slow and R4 and R7 keep dropping EIGRP adjacencies. I noticed the RIP and IP INPUT processes on R1 were eating up the CPU. RIP and EIGRP packets were being looped over and over and over because STP does not run over Flex links! I shut the links down and attacked it later.

Another task asked to configure MLPPP over Frame Relay without using a multilink group. I created a multilink interface, but the answer was to use ppp multilink on a virtual-template and forget about the multilink interface.

BGP, Multicast, IP Services and IPv6 were pretty easy. I was glad because I had already spent 4+ hours getting through IGP. I did miss the HSRP task because they wanted the highest group possible. I used 255 but you were supposed to switch to version 2 and use group 4096!

Missed some delicate stuff regarding QoS. Byte counts were easy enough to configure but the task said you should assume packet sizes of 100. This means you needed to adjust queue-limits also, which I did not do.

Another tricky one was a CQ to MQC conversion task. They displayed the CQ conversion as using a TCP syslog port. If you use NBAR to match syslog, it only uses UDP by default. So you had to create a custom port-map. Tough one to see right away.

There was a login task that asked me to enable SSH for VTY lines. I forgot to create the key so it never would have worked. I should have verified this by attempting to login via SSH.

Finally, when I went back to the flex-link tasks I just used "switchport trunk allowed vlan none" to get it to work. The PG pruned even VLANs off from SW3 to SW2, then pruned the odd ones from SW2 to SW4. Then they shut the link from SW1 to SW2. Anyways, there were probably a number of ways to do it. It didn't really matter as long as you have connectivity.

Next up: Lab 8 tomorrow.

Saturday, January 17, 2009

IPexpert Volume 3 Mock Lab 6 Review

This lab took me about 7 hours to complete, verify and grade. There were a few things I did not think I would get, but I ended up with solutions for everything and pretty much all of them worked. There was a task for something I had never heard of, SSG, which I got by looking in the DocCD and browsing the context sensitive help. The question mark is your friend!

Also another tricky one was R5 had a new loopback that needed to be NATTED based on the outgoing interface. I spent a good chunk of time on this but once I figured it out, it was pretty basic. I just had to match interfaces and addresses in a route-map, and use the route-map on a few NAT statements.

Here's part of it:

access-list 55 permit 55.55.55.55
route-map VLAN15 permit 10
match ip address 55
match interface FastEthernet0/0
ip nat inside source route-map VLAN15 interface FastEthernet0/0 overload


Here's what I missed:

-7 Task 1.1, 1.2 Switching

Didn't create vlan 400 on CAT1 or CAT2 and didn't make CAT4 root for that vlan. Vlan 400 did not have any hosts but was used as a native vlan. The task said to make CAT4 root for any vlans you have to create on that switch. CAT4 had no hosts, but nevertheless we had to create the vlan and make it root. This task involved a lot of stuff so to lose points for a couple unnecessary things is a bummer.

-3 Task 5.1 Multicast

IGMP Filter task said to deny 227.0.0.43 - 227.0.0.99 but only use a permit statement. Silly me included 227.0.0.1-42 and 100-255. I completely forgot this was denying all the 224/8, 225/8, etc groups.

-3 Task 8.1 QOS

I don't know if I would have got this wrong but I kind of misunderstood it. R9 has a Fastethernet connection while BB3 has an Ethernet. The task said to base your MQC percentages off of BB3's link speed. Well, I used "bandwidth 10000" under R9's interface so all the percentages worked out. The SG modified the percentages themselves. For example, the task said to give SMTP 25%, so the SG gave it bandwidth 2500 as opposed to 25000.

Other differences:

Task 3.3 - SG had an extra OSPF VL between R2 and R6 in area 246. Not really needed but probably a good idea.

Task 4.4 - SG used cost-community to influence path selection, I used "set origin" in a route-map. So much easier!

Well that's it for tonight. Lab 7 tomorrow and lab 8 on Monday. I am almost done with all the IPexpert material. I have watched and/or listened to all the bootcamp stuff at least once or twice as well. I bought an IE mock lab for next month, and I am planning on doing the Cisco Assessor labs as well.

Sunday, January 11, 2009

IPexpert Volume 3 Mock Lab 5 Review

I just finished this lab in about 5 hours. I spent 1 hour verifying and found some mistakes. I ended up with a 73 and every single mistake except the BGP task should have been fixed. You will see below how easy these were.

I have still got some work to do in terms of fully understanding the requirements. I failed to make sure R7's extra loopbacks were in every router's table and for some reason IPv6 RIP failed when the script checked it. I logged back in and everything was fine.

Here are the mistakes:

-4 3.6 Redistribution
Failed connectivity to R7's loopback 2 and 3 addresses. I did not test reachability to these - only verified loopback 1.

-4 7.2 and 7.3 OSPFv3
I tested the results after the lab and it works fine. I wonder if the script shuts ports down for another VRRP failover task and then doesn't wait long enough for STP to forward, I don't know. Simple OSPFv3 and RIP redistribution.

-3 4.3 BGP Conditional Routing
Could not get this to work.

-3 5.3 Multicast
The argument is kbps and I put 64000 instead of 64. DOH!

-4 6.1 System Management
I had privilege 15 along with my username command and the script says this is wrong. The menu needs to display "show interfaces" and "show clock" and privilege 15 is not required for this.

-3 6.3 DHCP
The problem is that I filtered with a lot of caution so RIP routes do not enter EIGRP domain through OSPF. There were no requirements that stated full reachability is needed when various interfaces are shut.

-3 6.5 IP Accounting
I missed this because I thought you could only configure 1 list so I used a funky wildcard to match 2 subnets. I swear that on my first try the second list overwrote the first. Oh well, now I know.

-3 8.3 MQC
I forgot the bandwidth command on the serial interface of R7 and R8. This was a very easy MQC task, give 30% to telnet and 20% to smtp. The task said percentage of "interface bandwidth" and they are clocked at 2M.

Well that's it for the graded Mock Labs from IPexpert. There are still 5 more ungraded ones that I plan on doing. I think I will redo Mock Lab 1, I got a 41 on this about 6 months ago and am curious to know how much I have learned since then.

I also plan on doing mock labs from some other companies. I am going to do 1 or 2 from IE and I am debating on doing the CCIE Assessor labs. If you have any recommendations, please let me know.

Saturday, January 10, 2009

IPexpert Volume 3 Mock Lab 4 Review

Just took a dump on this lab. Lots of little mistakes. My problem was that many of the tasks were configuration heavy, mixing and matching totally unrelated options.

-4 2.2 PPP MD5 Authentication
I had this working right but the script said I needed "ppp eap identity " commands on each side. My link came up without them and I debugged PPP auth to verify it was authenticating.

-4 3.2 OSPF
A load of OSPF configuration and I was not supposed to use a network statement on areas 256, 96 and 97. I used a network statement for R9's loopback costing me the 4 points. There were probably over 50 commands for this task and 1 command cost me.

-3 3.3 OSPF Authentication
Grading script was wrong. You didn't need a VL between Cat1 and Cat3 and the script was checking for one.

-3 7.3 IPv6 Security
Grading script was wrong. I had filters on all IPv6 interfaces but the script was looking for it on the wrong interface.

-3 4.4 BGP Path Selection
I had to engineer a next hop solution and I used the "set ip next-hop" in a neighbor route-map. The Script didn't use a ping or trace to verify the solution so it did not know that my solution worked. Instead it came up with a bogus explanation.

-3 5.1 Multicast
What I do not like about the grading script is once it finds an error - it doesn't continue so you never get to see how the rest of the task would have been checked. In this case I did not put PIM in the loopbacks of the multicast routers. The task said all interfaces so I messed up on this.

-3 5.2 Multicast - Sink RP
I guess you're supposed to deny the RP groups in an ACL on your mapping statement when configuring a sink RP. Makes sense otherwise you get the chicken/egg problem.

-2 6.2 System Management
This kind of crap pisses me off. I had to enable load-interval 60 on all interfaces and I forgot it on the port channels and loopback. Good grief.

-3 6.4 ECN
ip tcp ecn. I had no clue on this one.

-3 6.5 Local DNS
This is where the lab is screwed up. In this task R5 needs to telnet to R2 by name. But in a later task we have to block IPv4 telnet to R2 and only allow IPv6 via LOOPBACK IPV6 ADDRESS. The script does not use /source-interface and so it fails. I am going to bring this up with IPexpert.

-3 8.1 MQC
We were supposed to prevent R1 from sending unreachables without an interface command or rate-limit. The SG uses CPP to block them, pretty nifty. I used local policy routing to NULL 0 - probably not allowed but I could not think of another way.

-3 9.2 CBAC
The ACL the SG wants is supposed to be "strict". I allowed RIP and BGP and the SG only allows RIP. I guess BGP is included in the tcp router-traffic command but I will have to verify this. I actually thought about this but not enough to have me change it. I figured if I got it wrong I will be forced to learn a little more.

-3 9.4 TCP intercept
I did not configure any one-minute low/high options. I don't think the question asked for this, so I am not sure why they are there.

Well that's about it for today. The total score was 60 but I am pretty satisfied. I was able to browse the DocCD for some tasks I never heard of. This includes disabling the RFC 2217 option for telnet, MRM (which I got right), PPP EAP authentication, round robin DNS and some others.

This lab was heavy on the configuration and 4 point-tasks. This sucks because one little thing ruins the whole task. Plus, there was a bunch of little interesting topics on this lab I will probably blog about this week.

Sunday, January 4, 2009

IPexpert Volume 2 Section 15 Review

This lab took quite awhile, there were a lot of things I would have had to ask the proctor about. I just finished grading and it's been about 7 hours since I started. I missed 4 tasks for sure and a couple other solutions differed from the SG but I believe they worked just fine.

These are the ones I missed:

-4 Task 1.3 Switching
Needed a bridge-group on R8 to bridge between dot1q sub-interfaces. I had a tough time understanding what was required and it really looked like a typo so I peeked in the SG. I didn't even read the entire solution once I saw "bridge-group" I knew what I needed.

-3 Task 8.1 VRRP
The very beginning of the lab says to use "open standards" as needed. I didn't even think about that when configuring this task and used HSRP instead.

-2 Task 8.2 TFTP
The task said to make an "IOS file" called BACKUP.bin available. I just copied running-config to BACKUP.bin not realizing that the file needed to be an IOS image. The actual command was tftp-server with an alias option for the bin file.

-3 Task 8.4 GRE Tunnel
This task required a GRE tunnel and I really misunderstood this. First I configured mobile ARP, then NAT, but alas it was GRE.

There were a couple other tasks requiring filtering that I disagreed with the SG. No big deal but I am pretty sure my solutions worked fine. Also I needed to set the DE bit on all traffic "from BB1". The SG created a de-list that matched the input interface. I used MQC to match a class then set the DE bit with "set fr-de" in a policy map.

Volume 2 is in the books now. I have already done a few Volume 3 labs and I will probably concentrate on these from now on. I will also browse through the Volume 2 labs again trying to solve the problems in my head.

Saturday, January 3, 2009

IPexpert Volume 2 Section 14 Review

I just completed this lab in about 4 hours. I spent some time before my session started drawing diagrams and reading through the lab. I find this helps me save session time in case I take too long. Plus it gives me substantial time to grade the lab, verify solutions and even test out the solution guide if needed.

I only missed a few tasks, and some of these were because I was unfamiliar with commands and I made the solution too difficult.

-3 Task 7.3 BGP
I needed to provide redundant BGP connectivity after filtering some routes. I misunderstood this task, we needed an aggregate with as-set and I left it off.

-2 Task 7.5 BGP
I had to prevent AS paths of 16 or longer. I created an enormously large as-path ACL when all that was required was max-as limit. I know this command but I just had a brain fart.

-3 Task 10.1 CQ
Custom Queuing task had some extra stuff to throw you off. Very tricky ;-)

-3 Task 11.3 Multicast
For rate limiting multicast I used normal CAR, but there actually exists a special multicast rate-limit command.

There were several peculiar service tasks that I am getting the hang of now. I had to compress the config, decrease the telnet timeout, and some other stuff. Browsing the DocCD as well as the context sensitive help has helped me with these kinds of tasks.

A little less than 2 months to go now. I have been doing pretty well on 8 hour labs. Lately I have been working on improving my verification habits. After a lab, I force myself to review almost every single task, even things like VLAN assignments. I always find a couple errors and I have been reducing my bonehead mistakes by a lot.

One more Volume 2 lab to go then I will probably stick with doing my own labs and Volume 3 graded mock labs.

Sunday, December 14, 2008

IPexpert Volume 3 Mock Lab 3 Review

I finished this lab in a little more than 6 hours. It was a graded lab through Proctor Labs and I got an 82. This is a very challenging lab because there was some dot1q tunneling involved and it affected reachability if you didn't prune VLANs properly due to l2portguard errors. Also, there was an IPv6 tunneling section which I got right. In fact, I got 100% on IGP, BGP and Multicast for a total of 44 points.

Here are the mistakes I made:

-3 1.2 Switching
Did not enable trust on the trunk ports after I enabled DHCP snooping.

-2 2.3 Frame Relay
After I did some NAT R4 could no longer ping R2 over the Frame-relay.

-3 6.1 VRRP
I used group 1 instead of group 24. BONEHEAD mistake.

-4 6.5 IOS Services
Some NAT stuff. I think I got this right but...oh well.

-3 8.1 QoS
PBR config was supposedly on the wrong interface. I am arguing this one with the script writers.

-3 9.2 Security
I got the URL string wrong for blocking NIMDA.

All in all I felt pretty good. I had been practicing tunneling last night and I don't think I would have done as well or finished as fast if I hadn't. I gained a lot of confidence this round. There were some things I did not think I would be able to figure out upon the initial read-through. However, once I turned off the TV, I was in a pretty good groove :-)

Saturday, December 6, 2008

IPexpert Volume 2 Section 13 Review - PART I

Well I am 2/3 of the way done here with a couple hours to go, but I am going to finish this next week. I have a terrible cold or something...I don't know, maybe it's all the Hot Pockets I ate this week. Whatever it is...I AM DEFEATED for the day.

I semi-graded this thing and I must say this is the TRICKIEST/HARDEST lab of them all. There are a total of 58 tasks, each worth 1 or 2 points and a few worth 3. This is the longest lab I have ever done to date. I am not entirely sure I would have finished in 8 hours...if I did, I wouldn't have been able to grade or verify much.

I think I missed about 7 or 8 tasks for about 15 or so points so far. Definitely a failed effort, but there were some good lessons learned. Here is a summary of what I had to configure:

-Fallback bridging. I actually got this right

-Only allow NetBIOS over TCP/IP in vlan 999. Used a VACL but I didn't know what ports to match for netbios. I used range 135 - 139 but I don't know if this is right.

-Make sure CAT1 never becomes root for VLAN 999. The PG disabled STP for this VLAN, I used bpdufilter on the ports in VLAN 999. The PG was probably more correct.

-If R4 detects PVC states other than invalid, active or inactive - notify the trap receiver. What traps are these??

-Then there was a task that had me configure a secondary address 192.168.80.33/27 on an interface that already belonged to 192.168.80.0/24. Then you were supposed to filter out RIP routes on this subnet - HUH? I have no idea if this was a typo or what but the PG was really bad at explaining this one. I am not going into more detail - see it for yourself :-)

-OSPF task that had two different authentication keys on the same interface. This was a little tricky but I got it to work. I remember seeing this on GS so that helped a lot. You had to use neighbor statements on the spokes instead of the hub.

Anyways, this lab is truly a mind-number. Just the kind of trickery to expect on the lab, I assume. If you think you are hot stuff - try this one ;-)

Saturday, November 29, 2008

IPexpert Volume 2 Section 12 Review

I woke up late for this one but I still finished in plenty of time. Probably about 4 hours. I made some serious mistakes though that I completely overlooked. It was in the BGP section, I didn't configure a confederation...so that may have ruined 2 or 3 tasks - not real sure how to gauge the impact. You should have seen the look on my face when I saw the PG.

With that included I missed 6 tasks for about 15 points:

-8 Tasks 8.1 - 8.3
I knew we were using private AS numbers so I immediately thought of configuring a confederation. However, I did not deduce that from the task requirements so I didn't bother. Reviewing it, I completely overlooked R1's task of peering with R2 in AS 200. AS 200 should have been the confederation....BIG BOOBOO. Completely unacceptable.

-4 Task 9.3 IOS Services
Completely missed this "Mobile ARP" section. I had a NAT solution that does what I thought the task asks. I have no idea how to configure mobile arp and I guess it's time to learn. I wonder if anyone even uses it...

-2 Task 11.2 DHCP
I used "no ip bootp server" for the DHCP router to not respond to bootp requests. However, the answer was "ip dhcp bootp ignore"

-1 Task 14.3 Multicast
Configured MRM incorrectly. I used the DocCD for this and was what you could call "way off." It was a 1 point task and I was not too concerned.

My goal from here on out is to keep my score above 80 while improving my "process." That includes verifying everything, making notes and a point tracker, refraining from marking the actual lab docs (which I heard you cannot do), and moving through the DocCD.

Missing the BGP confederation is something that should never happen. I am lucky there were not more tasks dependent on it. Everything else was filtering of some sort. Who knows, I may have been marked off on the entire BGP section (20 points).

One thing I worry about is that I have not really been challenged during Layer 2 configurations. I pretty much breeze through VTP, trunking, and other topics, but I know there are topics that will get me (QoS, tunneling). For these I rely on the DocCD and make my own labs. That being said, Volume 1 Section 5 has an extremely difficult tunneling lab that I need to review.

Friday, November 28, 2008

IPexpert Volume 2 Section 11 Review

I just completed this lab in about 4 or 5 hours. I spent the first hour (before my session even started) reading the lab, redrawing the L3 topology and making a task checklist. This actually took me about a half hour. I got an estimated score of 89, missing 4 tasks for 11 points. Two were easy, but the other two...well, just proof that I need to review the DocCD :-)

Here are the misses:

-3 Task 5.4 EIGRP
Routes should be dropped from inactive neighbors in half the default time. I used hold time command, but the PG had "timers nsf route-hold 120" as the answer. I need to review NSF.

-3 Task 6.1 RIP
I forgot to enable v2-broadcast on one interface. BONEHEAD!

-1 Task 8.7 BGP
Completely misunderstood the aggregation task. BONEHEAD #2!

-4 Task 10.2 DNS
We needed to create a domain list with "ip domain list ipexpert.net". I just used the domain-name command. I am not familiar at all with how DNS resolution works on Cisco routers so I need to review this.

Over the last few months I have increased my speed and efficiency dramatically. Time does not seem to be an issue anymore. When I started studying in the spring, I was taking so long on full scale mock labs, I stopped doing them. Many commands I know by heart, but occasionally I misunderstand a question or just have the wrong command like the EIGRP section above.

Now that I have more time, I use it to prep before I start. This includes reviewing and drawing the topology. I want the processes I use on the practice lab to be just like the ones on the real lab. That way nothing is new and I can get in my comfort zone. I definitely "feel" ready for the real thing, but that doesn't mean I am.

I can still think of some topics that would give me a hard time, unfortunately I haven't seen too many of these lately...but I know they are there...waiting to get me ;-)

Sunday, November 23, 2008

IPexpert Volume 2 Section 10 Review

I just completed this lab, took about 5 hours and scored pretty well. As far as I can tell I only missed 3 tasks for a total of 9 points. And the ones I missed were not that tough...

-2 Task 2.1 Switching
Didn't know the command to prevent channel misconfiguration from disabling the ports. The command is "no spanning-tree etherchannel guard-misconfig". I was looking under the errdisable commands.

-2 Task 2.2 Switching
Ports should wait 44 seconds before they forward. I set forward timer to 22, the PG said it was 12, because ports also wait max-age timer.

-5 Task 11.1 Security
Task said to allow "mail" so I allowed SMTP. The PG had POP3 as well.

The major difference between this lab and other labs was the number of sections. There was a total of 38 tasks across 13 sections. Each task had 1 or 2 bullets and was usually 2 or 3 points. This is opposed to some labs where the tasks are 4 or 5 points but have several bullets of things to accomplish.

After my first read-through, I thought this would be a difficult lab but once I got started it was relatively easy. There was no multicast or IPv6 and the QoS section was really easy. The only security task was the long ACL which I missed because I only specified SMTP as "mail" instead of including POP3...oh well.

The only real challenging task was some conditional advertisement in BGP which I got real quick after browsing the DocCD. R6 was only supposed to advertise loopback 201, if 200 was shutdown. So I created an advertise-map that matched loopback 201 (via ACL), and a non-exist map that matched loopback 200 (also via ACL). This worked perfectly and I was kind of surprised I got it to work so fast, since I have had trouble in the past with bgp conditional advertisements.

Wish I had more to say at this point but it was pretty much smooth sailing. All while watching the Raiders destroy the Broncos :)

Saturday, November 22, 2008

Route Redistribution - Tagging like an Expert

The inspiration for this post comes directly from IPexpert's wonderfully insane Volume 1 Section 12 Lab. THIS LAB IS INSANE. Not too bad really, but see for yourself :)

Here is the topology:


All I am going to do in this post is explain how I go about "prepping" for redistribution. These are just a random set of miscellaneous notes, in no particular order. I will number them just for identification purposes :)

Also, remember you can do ALL of this in a notepad file before you configure the routers. I try to do it like that, that way my head is truly "around" the whole scenario. Of course, there is some tweaking that will always need to be done once you do get down to business.

1) ASSIGN TAGS

First thing I like to do is think about tagging a routing domain. Remember we always drop the tag coming in so if you like to use the AD for a tag, be careful if you have multiple domains with the same protocol.

For example, if you set a tag of 110 on R4 and R7 for OSPF routes going into EIGRP and then deny this tag from EIGRP into OSPF, you prevent R7 and R4 from learning about each other's OSPF networks. In this lab I used 110 for the R2/R4 process. And I used 115 for the R5/R6/R7 process.

Here are the tags I assigned; these were applied at the END of every redistribution route-map.

RIP = 110
OSPF AREA 0 = 110
BGP = 256
OSPF AREA 567 = 567
EIGRP 7800 = 7800
EIGRP 12348 = 12348

On R4, I might have something like this:

route-map ospf2eigrp permit 50
 set tag 110

2) WHEN TO DENY TAG ON RE-ENTRY

Another thing to remember is when to deny the tag. I only deny the tag when it's entering that protocol from which it came. Unless, of course, I am specifically asked to block routes from entering a certain domain.

Example: RIP routes are tagged with 120 going into OSPF (or community 120 in BGP). The only place I deny 120 from entering a routing domain is on R2 from OSPF to RIP, or BGP to RIP (matching community value, not tag).

So building on the above route-map I would have this now:

route-map ospf2eigrp deny 10
 match tag 12348
route-map ospf2eigrp permit 50
 set tag 110

Everything else is allowed.

3) ALLOW TAGS TO PASS THROUGH

Another thing to remember is to allow the tags to "pass through" each domain. In the above route-map, R4 removes any tags that R2 may have placed on RIP routes from R1. This prevents us from identifying and blocking the re-entry RIP routes in BGP on R2!

So on R4 we could do this:

route-map ospf2eigrp deny 10
 match tag 12348
route-map ospf2eigrp permit 20
 match tag 120
route-map ospf2eigrp permit 30
 match tag 567
route-map ospf2eigrp permit 40
 match tag 7800
route-map ospf2eigrp permit 45
 match tag 115
route-map ospf2eigrp permit 50
 set tag 110

Here I have "pre-identified" or "pre-classified" all the tags I want to pass through. This way we can identify the originating protocol of every route in the EIGRP 12348 domain.
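Notes 2 and 3 can be checked with a small model of route-map evaluation. This is an added Python sketch, not IOS and not from the workbook; the prefixes are constructed, RIP uses tag 120 as in notes 2 and 3, and R2's re-entry filter is modelled on the tag alone.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: str
    tag: int = 0  # 0 means untagged

@dataclass(frozen=True)
class Clause:
    seq: int
    action: str                       # "permit" or "deny"
    match_tag: Optional[int] = None   # None: no match statement, matches every route
    set_tag: Optional[int] = None     # None: leave the existing tag alone

def apply_route_map(clauses, route):
    """Return the route as redistributed, or None if the route-map drops it."""
    for c in sorted(clauses, key=lambda c: c.seq):
        if c.match_tag is not None and c.match_tag != route.tag:
            continue                  # clause does not match, try the next one
        if c.action == "deny":
            return None
        return route if c.set_tag is None else replace(route, tag=c.set_tag)
    return None                       # implicit deny at the end of a route-map

def redistribute(clauses, routes):
    """Run every route through the route-map; return {prefix: tag} of survivors."""
    out = (apply_route_map(clauses, r) for r in routes)
    return {r.prefix: r.tag for r in out if r is not None}

# ospf2eigrp as written in note 2: every surviving route is re-tagged 110.
OVERWRITE = [Clause(10, "deny", match_tag=12348), Clause(50, "permit", set_tag=110)]
# ospf2eigrp as written in note 3: known tags pass through untouched.
PASS_THROUGH = [Clause(10, "deny", match_tag=12348)] + [
    Clause(seq, "permit", match_tag=t)
    for seq, t in ((20, 120), (30, 567), (40, 7800), (45, 115))
] + [Clause(50, "permit", set_tag=110)]
# Re-entry filter of the kind note 2 describes for R2 (modelled on the tag only).
DENY_RIP_REENTRY = [Clause(10, "deny", match_tag=120), Clause(20, "permit")]

# Constructed OSPF routes as seen by R4; prefixes are made up for the example.
SAMPLE = [Route("10.1.1.0/24", 120),    # RIP route, tagged 120 on its way into OSPF
          Route("10.4.4.0/24"),         # native OSPF route, untagged
          Route("10.8.8.0/24", 12348)]  # EIGRP 12348 route coming back around

def rip_leaks(r4_map):
    """Prefixes that started in RIP yet get past the deny-120 re-entry filter."""
    after_r4 = [Route(p, t) for p, t in redistribute(r4_map, SAMPLE).items()]
    return sorted(set(redistribute(DENY_RIP_REENTRY, after_r4)) & {"10.1.1.0/24"})

if __name__ == "__main__":
    for name, rm in (("overwrite", OVERWRITE), ("pass-through", PASS_THROUGH)):
        print(name, redistribute(rm, SAMPLE), "RIP leak:", rip_leaks(rm))
```

With the note 2 map the RIP prefix leaves R4 tagged 110 and slips past the deny-120 filter; with the note 3 map it keeps 120 and is dropped.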

4) WHEN TO CONVERT TAGS

Another note to remember is that BGP does not use tags, but it does use community values to identify routes. So on R2, R5, and R6 we will need to "convert" the tag to a community value. And when we redistribute the other way, we need to make a community-list to match and drop that route.

For example on R2 we set the community of OSPF routes into BGP as follows:

route-map ospf2bgp permit 50
 set community 110

On R5 and R6 this community is converted to a tag as follows:

ip community-list 1 permit 110

route-map bgp2ospf permit 20
 match community 1
 set tag 110

Now as long as we allow this tag to pass through on R7 and R8, R4 can identify these OSPF routes so it will not redistribute them back into OSPF area 0.

5) OPTIMAL ROUTING

Lastly, we are not concerned with optimal routing here. If you are tasked with making paths optimal, you will have to work with metrics or administrative distances to do so. But that's easy right? :)

Sunday, November 16, 2008

IPexpert Volume 3 Mock Lab 2 Review

What a ride it has been since my last mock lab. For those who were not following then, I scored a 41 with a veritable plethora of bonehead mistakes. This was a few months ago I think. Today I just finished lab 2 and got a 73. The grading script was incorrect on my multicast section so I actually got a 78. Plus my DHCP excluded address range ended with .255 instead of .254 so I might have had 3 more points on the real thing. Also my IPv6 RIP failover solution worked (ipv6ip tunnels), I think the grading script didn't wait long enough for convergence to happen.

Anyways, it was a good confidence booster. I managed my time well. I skipped tasks that were not easily doable, then came back and did them when I had time. I kept track of all my points on a sheet and I figured I was good for about 81. It was pretty accurate score keeping considering if you give me the multicast and dhcp tasks that's exactly the score I would have had.

Here is a little review of the misses:

-3 6.3 DHCP
I put ip dhcp excluded-address 142.42.27.128 142.42.27.255 but the answer had .254 on the end.

-4 3.3 OSPF
I used nssa no-summary to generate a default into OSPF. The answer was supposed to be nssa default-information-originate.

-7 3.2,3.4 RIP EIGRP Filtering
I couldn't figure out the ACL with the least amount of lines for both these tasks. It was a tough one. The ACL had to be 4 lines at most and only allow routes with a 3rd octet of 25-45. I haven't looked at the SG yet so I don't know what the answer is. I skipped both these.

-4 7.2 IPv6
According to the SG, "R5 Should still be able to ping 2001:1::1 2001:4::4 2001:5::5 2001:6::6 with its Fa0/0 Interface Shutdown." This does work! I don't know how long it's waiting to ping, but it's not long enough. My configuration works.

-5 5.1 MULTICAST
The SG was wrong. The task said to configure R2 with priority of 10 and R7 with 20. The grading script has it backwards. I have since found out that the workbook was updated and I was using a printed copy from a couple months ago. No sweat I had the task right.

-4 8.2 QOS
Worst QOS task ever. It was just too many freaking lines.

I still have 45 minutes in my lab left but I am pretty much beat today. I'm gonna get back to volume 2 the next few weeks and review volume 1 too. Next graded lab will probably be in a month or so.
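For the RIP/EIGRP filtering miss above (3rd octet 25-45 in at most 4 ACL lines), here is one approach worked through in Python as an added example. It is not the SG's answer; it assumes deny lines are allowed in the ACL and uses a constructed 10.0.x.0 prefix.

```python
import ipaddress

def aligned_blocks(lo, hi):
    """Split lo..hi into power-of-two aligned blocks: one permit line each."""
    blocks = []
    while lo <= hi:
        size = (lo & -lo) or 256          # largest block that can start at lo
        while lo + size - 1 > hi:         # shrink until it fits inside the range
            size //= 2
        blocks.append((lo, size))
        lo += size
    return blocks

def wildcard_match(addr, base, wildcard):
    """IOS-style match: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def acl_permits(acl, addr):
    """First matching line wins; no match means the implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(addr, base, wildcard):
            return action == "permit"
    return False

# Constructed prefix 10.0.x.0; trim the edges first, then permit two big blocks.
FOUR_LINE_ACL = [
    ("deny",   "10.0.24.0", "0.0.0.255"),   # 24
    ("deny",   "10.0.46.0", "0.0.1.255"),   # 46-47
    ("permit", "10.0.24.0", "0.0.7.255"),   # 24-31, minus the denied 24
    ("permit", "10.0.32.0", "0.0.15.255"),  # 32-47, minus the denied 46-47
]

def permitted_third_octets(acl):
    """Brute-force every 3rd octet to see what the ACL really lets through."""
    return [o for o in range(256) if acl_permits(acl, f"10.0.{o}.0")]

if __name__ == "__main__":
    print("permit-only blocks:", aligned_blocks(25, 45))
    print("4-line ACL permits:", permitted_third_octets(FOUR_LINE_ACL))
```

Permit lines alone need six aligned blocks for 25-45, which is why the edges are denied first and the two larger blocks permitted after.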

Saturday, November 8, 2008

IPexpert Volume 2 Section 9 Review

This was my second lab of the day and I stunk it up. I don't know what it was, but I just could not get off the ground on this thing. This is the type of stuff that worries me when the exam comes around. Not getting past the L2 stuff can just kill you. Sometimes I read too much into crap.

I always think etherchannels have to be more than 1 port...they don't have to be. If the task says "show int trunk" can only show port-channels and you have a single link in there, make it a port-channel dammit!

Here are the screw-ups:

-4 task 1.1. A tricky question. There is an unused gig port that needed to be set up as a port-channel and trunk link. Without it you didn't have L2 connectivity between all the switches. I looked in the PG.

-3 task 1.2. I couldn't get this task to work without messing up another. Turns out you had to use a voice vlan instead of a trunk port. I cheated so I could continue, it was affecting reachability. As you can see, I didn't get off to a great start on this one.

-4 task 3.3. Made an error on the ospf timers throttle command. I used msec values instead of sec. BONEHEAD!

-4 task 6.2. Didn't apply ACL to all required interfaces. The task was to allow only certain devices to sync via NTP. Access-group was not allowed so you needed to configure an extended ACL and apply it to the interfaces. I didn't put an ACL on one interface of R1 and R2 each.

-4 task 7.1. Couldn't get Hierarchical MQC to work. I really had this one, but the commands were giving me IOS errors about needing certain things. We needed to police http video to 200k while giving normal http 20% bandwidth. I think my problem was I had "bandwidth 200" configured under the video class which screwed things up later in the road. All I needed was "police 200000" under it.

-3 task 8.1. Didn't block ICMP from other hosts besides the loopbacks. I thought something was funny when I had a permit ip any any after another permit statement. For future reference, if you have a "permit ip any any" after another permit statement, you are probably forgetting to deny something!

-4 task 8.2. I had everything on this task but transport input none on vty 5 through 15. Stuff like this kills me.

-3 task 8.3. Didn't apply control policing on outbound direction. I only did it inbound. Why? I don't know.

This is probably the last time I do two full-scale practice labs in one day. It's doable, I just feel like I let myself down and my brain is fried. There are at least 20 points up there that I should NOT have missed. No excuses whatsoever. I missed the first 2 tasks and the last 3 for 17 total points.

It all comes down to planning your attack at the beginning, following through with that plan and finishing strong. A clear mind and stamina are two things I did NOT have on this lab. If you have these issues, I suggest you address them. Fortunately, I believe practice labs are the way to do this :)

Now for the optimistic part of the post. To be honest the first 7 or 8 labs of volume 2 were kind of easy, very cut and dry. This one was a real test. I felt good reading the solution guide knowing that I fully understood where they were coming from. Even though I haven't taken the real thing yet, I expect this type of situation. You HAVE to think outside of the box. If the rest of Volume 2 is like this, I think I shall be well prepared.

IPexpert Volume 2 Section 7 Review

I skipped this lab by accident last week so here is the review today. I just finished it in about 4 hours and change. There was nothing at all too difficult. In fact there was no QoS, Security or Multicast at all. Three of my favorite subjects! ;-)

I think I only missed a few tasks, although there were some issues I had with the PG regarding route redistribution. I am waiting on a reply from onlinestudylist to see if in fact there was an issue or if I am just mistaken. The issue had to do with redistributing OSPF into RIP version 1 and the networks weren't being advertised because of this...anyways, more on that later. Here are the mistakes I did make:

-3 task 1.4. Didn't configure max-age so switches would detect loss of link quicker than normal. I thought I could change the mode to rapid-pvst but this didn't change the max-age. Looks like I need a refresher on STP.

-2 task 3.2. Configured distance on wrong router. Task said RIP routes received by R2 should have AD of 105, I read it wrong as "from R2" so I configured R4. Bonehead mistake.

-3 task 5.4. Didn't configure passive interfaces. Bonehead mistake. Plus the redistribution issues I mentioned earlier were part of this task. If you're gonna miss a task, might as well miss the whole damn thing!

-3 task 9.2. Forgot the word "errors" at the end of the logging command. I think the default is level 7 "debugging" so I should have got this one.

Well not too shabby. The BGP section had a lot of points but was rather easy. The IGP section was also pretty much a breeze. Good way to start a weekend I guess :)

Sunday, November 2, 2008

IPexpert Volume 2 Section 8 Review

I just completed this lab. It took me awhile because I was taking breaks watching Tennessee remain unbeaten, and Miami beat up Denver. I accidentally skipped lab 7 by the way, so I will do that one next weekend hopefully. This lab had some neat redistribution issues which I am getting better at fixing on the fly. I always tag and drop first when redistributing. Then alter distances based on what routing protocol should be used to reach certain networks.

Here are the mistakes I made on this lab:

-3 task 3.2. Didn't use rip triggered on R4 because serial interface was multipoint. Should have made a point-to-point subinterface on R4.

-3 task 5.2. Confused about the IP address, thought it was R8's loopback, but it wasn't. You need to configure static RP override as well as bidir PIM.

-3 task 6.4. Forgot to allow 127.127.7.1 in the NTP ACL. This caused R1 to lose sync with itself and it can't be master or serve time requests. I hadn't bothered to re-verify later in the lab that R2 was still synced. This is a good lesson learned.

-3 task 6.2. Couldn't find the DHCP options for TFTP. (They are 66 and 150 - thanks to the peeps on GS for the links)

-3 task 6.3. It was a NAT question - I couldn't even figure out what they wanted. I knew there was a secondary address, but the task said "Configure support for a new network." Configure support? WTF. Anyways I was supposed to create a NAT rule for this new network.

-3 task 8.3. Didn't configure the Be parameter in FRTS. The task said to configure FRTS with CIR of 64k, an "access-rate" of 96 and Tc of 20 ms. Easy one but I didn't equate access-rate with Be. If I knew that I would have had the Be right. Bc was 1280 so Be was 640. I guess what they are saying is you can burst up to your access-rate which is what most frame providers allow you to do.

-3 task 8.5. This task is ridiculous. It says to configure flow-based WRED. Then give EF packets a min threshold of 65, max threshold of 80, then a MPD of...yeah right. You can only do flow-based WRED or dscp-based. NOT BOTH. Then it says configure the MPD so that packets are twice as likely to be dropped...twice as likely as what?!

Another task asked me to enable telnet to the switches, but prevent telnet out. I created an ACL to deny any, then applied it as an access-class outbound. This worked, but the PG used "transport output none" which is a much cleaner solution I presume.

I booked back-to-back sessions for today. I like to take my time sometimes while reading DocCD and trying to gain a really in-depth understanding of the solutions. I have about 4 hours left so maybe another post or 2 will come out of it.

Sunday, October 26, 2008

IPexpert Volume 2 Section 6 Review

This lab took me about 4.5 hours. I woke up late so I had only 5 hours of session time left, but I finished it. There were some bonehead mistakes because I was rushing it, notably in Multicast and BGP. I ended up with a maximum score of 83, maybe even less.

Here were the mistakes:

-3 task 3.5. Forgot max-paths command on R4 and R9. I used variance 2, the PG has variance 128. I misunderstood the question, using 2 for variance, instead of max-paths.

-3 task 4.2. Didn't get BGP reachability. CAT4 does not do BGP, but is in the middle of the BGP ASes and we are not supposed to redistribute into IGP. So I skipped this. PG had CAT4 being added to BGP. I didn't even think of this. I started thinking about tunnels, but just skipped this task instead.

-5 task 5.2 and 5.3. Completely froze on this multicast task, I didn't get reachability and skipped it. Turns out I didn't have auto-rp listener on. Maybe if I spent more time troubleshooting I could have got it.

-3 task 7.3. I had IPv6 reachability but I used default routes generated in RIPng and OSPFv3. The PG uses summary routes. Not sure if I would have missed this or not, but the beginning of the lab says do not use default routes.

-3 task 9.4. I didn't configure AAA for case sensitive authentication. I guess I didn't take the task literally enough.

I am definitely getting better at topics like QoS, IOS services and Security but as you can see I am still making some easy mistakes. I hope these bad habits don't make their way into the exam. One thing I do not like about online rack time is that you have to go on their schedule. I can't do it on the weekday because I work. The weekends are scrunched into 10pm-6am, 6am-2pm, and 2pm-10pm. This was a 6-2 session and I just could not get up that early today. Anyways, it's going to take some discipline to get my study habits in gear.