DISCUSSION CCIE R&S v5 LAB Exam Takers Review 02 March 2017
Recent attempt, new TS (B12 with little variations), new DIAG (Snooping/TCL), old CONFIG (simplified A4)

1. VLAN filter. Added action forward clause to the vlan access-map on SW400 and SW401.
No need to change the ACL, it already has a deny ip any any line.
Didn't check the DHCP lease duration, but after two hours the user still had its address.

2. BGP next-hop-self. Added next-hop-self to iBGP neighbors on R14, maybe changed some OSPF costs.

3. TE-1. All TE tuning was OSPF-related - changed OSPF costs on switches to which the routers are connected. BGP was OK, but R12 and R13 had the same ACL as R22 and R23 (for, changed that, too.

4. TE-2. Again, no tampering with BGP, OSPF costs only. No wrong OSPF processes on any interfaces. Be careful as it might change the outcome for the previous ticket.

5. DMVPN is up, no OSPF neighborship. Added ip ospf network point-to-multipoint on hub and spokes.

6. IPv6. R15 didn't advertise its inward interface network and was not sending an aggregate because of that. Added a network statement for inward Ethernet interface.

7. MPLS. No LDP neighbors on R1, mismatched import/export between R1 and R3.

8. Snooping. No ip dhcp relay info trusted on relay switches and a 2-hour lease time on the DHCP server (which was a really mean thing IMHO because you won't notice this if you spent exactly two hours on the TS section). Maybe some other DHCP servers should be checked, too (no problems with Server1 and Server2 though).

9. DMVPN-2. Either mismatched tunnel keys or no ip ospf network point-to-multi, don't remember exactly.

10. Outside NAT to an external address, not a loopback on the router. Inside NAT was already configured. There was an extra NAT command which I removed.

Almost every ticket had two trace outputs from both sides, so there was some occasional TE to match all traces. Know the topology well, especially both datacenters, as trace analysis could be overwhelming.

1. Which frame - the first frame with DHCP Discover and option 82 set.
2. Where the capture is taken - between the snooping switch and the relay switch.
3. What is seen from the capture - DHCP packet is sent with empty relay address.

1. Select four - http from victim to hacker, TCL script downloaded, tcp from hacker to victim on 1337, ransomware installed via backdoor.
2. How the victim could be effectively taken out - I answered 'sudo poweroff' (which didn't make any sense as the victim clearly was a Cisco router, and all commands in the script were IOS exec commands). But other options were even worse.
3. How the script was activated - I answered 'tclsh http://victim_address/xxx.tcl' (but again, nothing in the capture pointed to that; the router had downloaded the script and the hacker used the backdoor in the very next packet).

LAB 4 with very little variations:
- different mac-address aging-time
- different password for EIGRP auth
- no requirement to use 64bit EIGRP anywhere except AS 45678
- no requirement to leak VRF default route into global
- not using mpls ldp autoconfig; by "smartest way" copy-and-paste is meant here
- no BGP TE on R20 or R12-R14 except for preferred exit out of AS on R13
- ping multicast groups from SW5, preferred path via R16 is not required
- no serve-only option for NTP in the last question.

General notes.

The lab setup uses PuTTY as a terminal program; right-click paste is disabled (with no possibility to save changed settings as the default; if you are used to right-click paste you can change the paste behavior for every opened window), or train yourself to use Shift-Insert for pasting.

You will have two monitors, keep clickable map on the left one and drag terminal windows to the right one. You cannot bring the map in front of other windows for some strange reason, the terminal windows are always in front of the map until minimized, so better keep them on separate displays.

Don't waste time on organizing windows on your display, let them pile up and use the taskbar to bring up the window you need.

Lab keyboard and mouse are of the cheapest kind, don't expect typing and copy-pasting at the same speed as at home with your fancy keyboard and mouse. Even better, spend 20 bucks on a cheap keyboard and mouse at your local store and get used to them while preparing.

Type everything in the notepad first, then replicate for each router with minimal changes (as in router-id), then paste each portion to each router's console. Of course, you have to type it without errors and you have to remember by heart everything you type. Don't paste large amounts of text as the console would choke and skip some characters.

If you are taking your lab from a mobile location or not from a major Cisco office, then your lab is hosted elsewhere and there could be a time lag because of a slow or congested WAN link. Sometimes the lag could go up to 1-2 seconds, so don't expect blazing speed while switching between windows.

Carefully read every task as there could be variations, don't type everything from memory. I recommend going through the config in the suggested order. In A4 the DMVPN will come up only after you configure MPLS on the core. If you type slowly, combining tasks into bigger blocks could help (that is, configure MPLS along with OSPF, or the vpnv4 address family along with ipv4). I have a firm suspicion I was screenshotted several times during the lab (Big Brother is watching you!), so better act as if you have never seen your lab before.

Don't enter network commands with a host mask for each interface as suggested in workbooks, it's a waste of time as you have to refer to the map for each interface and you will surely make a mistake or two. Use the "network" or "network area 0" format, you can save up to an hour that way (with the exception of R17-R19 where you enter two network commands). Don't type eigrp loopback ids - EIGRP will automatically use the highest loopback ID. Use interface ranges wherever possible.

Use TCL scripts with caution as they will crash your switches. There are only 5 routers in A4 to ping each other (plus an Internet IP address). There is more pinging in the IPv6 section though.

Save your configs after each step, it's faster to reload the device than to roll back the configuration you pasted to the wrong window.

Don't leave any debugs running, don't leave half-entered commands, don't leave your devices in configuration mode. The consoles are supposed to be reset before grading but who knows.

Don't forget to issue "clear ip bgp * soft" after changing BGP policies. If the task requires you to choose the OSPF DR specifically, then start configuring with the DR and then proceed with the rest, or clear the ospf process on each non-DR device if the DR is configured last.

Have a good sleep before the take, cramming on the last night won't do you any good. Wear warm clothes, it could be freezing at the class. Bring some chocolate and soda/juice to keep your sugar high. Take your favorite smart drugs if you use any. Don't hesitate to go to the toilet at the first need - it is time well spent.

Don't panic if you have troubles with some part of the lab (especially TS) - proceed to the next task and come back to the problem part later. If you're out of time, consider doing the security and infrastructure sections first - they are easy and you can save yourself some points that way. Remember that network management gives you 3 points with a single command while NTP gives you only 1 point with a lot of typing on three devices.

While preparing, make sure you have a full understanding of what goes where and why. Don't even consider paying for the lab if you can't complete the configuration at home in 3.5 hours tops and troubleshooting in 1 hour. If you've caught yourself thinking how to do this or that or remembering what to do next - you are not ready yet! The goal is to do the lab on pure muscle memory (but don't skip reading the questions and keep looking for variations). The lab is not hard when you're really prepared.

Best luck to everyone!
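The snooping ticket and the capture questions above both come down to the same frame: a DHCP Discover carrying option 82 with an empty relay address (giaddr 0.0.0.0), which is exactly what a relay switch discards until it is told to trust that relay information. As an added example, not part of the original post, this Python parser decodes such a frame from a constructed sample and flags that condition; the MAC addresses, transaction id and option 82 sub-option values are made up.

```python
import struct
from ipaddress import IPv4Address

DHCP_MAGIC = b"\x63\x82\x53\x63"            # cookie that separates BOOTP header from options
OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 53, 82, 255

def parse_tlv(raw: bytes, dhcp_options: bool = True) -> dict:
    """Walk a code/length/value list: DHCP options (with pad/end) or option 82 sub-options."""
    out, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if dhcp_options and code == OPT_END:
            break
        if dhcp_options and code == 0:      # pad byte, no length field
            i += 1
            continue
        length = raw[i + 1]
        out[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return out

def parse_dhcp(payload: bytes) -> dict:
    """Decode the BOOTP header fields relevant to relaying plus the option list."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, hops = struct.unpack("!BBBB", payload[:4])
    opts = parse_tlv(payload[240:])
    relay = opts.get(OPT_RELAY_AGENT)
    return {
        "op": op, "hops": hops,
        "giaddr": IPv4Address(payload[24:28]),          # relay agent address field
        "chaddr": payload[28:28 + hlen].hex(":"),       # client MAC
        "msg_type": opts.get(OPT_MSG_TYPE, b"\x00")[0], # 1 = DHCPDISCOVER
        "relay_info": parse_tlv(relay, dhcp_options=False) if relay is not None else None,
    }

def needs_relay_information_trusted(msg: dict) -> bool:
    """The ticket's symptom: option 82 inserted by the snooping switch, giaddr still 0.0.0.0."""
    return msg["relay_info"] is not None and msg["giaddr"] == IPv4Address("0.0.0.0")

def build_discover(mac: bytes, relay_info=None, giaddr: str = "0.0.0.0") -> bytes:
    """Constructed sample DHCP Discover (not taken from a capture)."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x3903F326, 0, 0x8000)   # op=BOOTREQUEST, broadcast flag
    hdr += bytes(12) + IPv4Address(giaddr).packed + mac.ljust(16, b"\0") + bytes(192)
    opts = bytes([OPT_MSG_TYPE, 1, 1])
    if relay_info is not None:
        opts += bytes([OPT_RELAY_AGENT, len(relay_info)]) + relay_info
    return hdr + DHCP_MAGIC + opts + bytes([OPT_END])

# Constructed option 82: sub-option 1 Circuit ID (VLAN 10, module 0, port 5), sub-option 2 Remote ID.
CIRCUIT_ID = bytes([1, 6, 0x00, 0x04, 0x00, 0x0A, 0x00, 0x05])
REMOTE_ID = bytes([2, 8, 0x00, 0x06]) + bytes.fromhex("001122aabbcc")
SNOOPED_DISCOVER = build_discover(bytes.fromhex("0a1b2c3d4e5f"), CIRCUIT_ID + REMOTE_ID)
PLAIN_DISCOVER = build_discover(bytes.fromhex("0a1b2c3d4e5f"))
```

Running `needs_relay_information_trusted(parse_dhcp(SNOOPED_DISCOVER))` on the constructed frame returns True, while the same Discover without option 82, or one relayed with a real giaddr, returns False.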
