I got all new - b12/b13, A5 and DHCP snooping/TCL diag. I passed tshoot and diag but failed configuration. There were MANY new variations in my configuration which have not been reported so far.

TSHOOT

B12/B13. If you've practiced the solutions already reported here, you should be good. To clear some doubts -
- trace for question 3 (odd/even octet question) was shown from SW111 in the question. You don't have to trace from the server.
- question 8, the user already had an IP. ARP inspection was the problem - it was not enabled on the link between the active HSRP peer and the DHCP snooping switch in that part of the network.
- other questions were largely the same.
DIAG

DHCP snooping

- Which packet - it was packet 113 for me. Just search with the bootp filter and you'll see around 4 DHCP discover packets. I chose the first one.
- Where was the capture taken - between snooping switch and relay switch. Cisco specifies clearly which switch is snooping and which switch is relay.
- What information combined with the packet capture told you the problem - the 'show ip dhcp relay information trust' command on the relay switch

TCL script

- This was a little bit tricky because the packet capture can be confusing. Filter by 'tcp' first. You will see 10.1.1.1 initiating a TCP session against 10.1.1.2. But notice that this is a TCP session against port 80, making it an HTTP session. 10.1.1.1 is the victim, 10.1.1.2 is the attacker.

- First question asked you to describe what's happening. I chose - TCP session from 10.1.1.1 to 10.1.1.2, TCP session from 10.1.1.2 to 10.1.1.1 on port 1337 (you will see the port number clearly in the packet capture), TCL script downloaded via HTTP, ransomware installed via backdoor.

- Second question was what command the attacker can run to bring down the system - sudo poweroff
- Third question was how the script was run - answer was tcl http://10.1.1.1/<scriptname>.tcl

CONFIG

section 1 - mst 2 instances, port-channel between sw5 and sw3, sw6 and sw6. cisco proprietary. sw5/sw6 should initiate. eth2/0 and eth2/1 between sw3 and sw4 not in port-channel. configure on sw4 so that eth2/1 is forwarding for vlan 34 (I used port-priority for the instance 34 was part of). sw3 root for one instance, sw4 for another.
all switches are transparent.
port-channel load-balancing src-dst-ip for sw3/sw4 and source mac based for sw5/sw6.
section 1.4 - r17 WAN link not in VRF, LAN link in VRF. interface lo0 and tunnel in VRF. on branch side, eth0/1, lo and tunnel0 all in VRF. branch router should get default route but don't use any static routes to achieve this.

for IGP in DC, ospf process ID 1 but there should be no type-2 LSA in this network (so i made all links p2p).
branch routers in area 51. R17 should advertise a default route to area0 and area 51 if and only if it already has a default route present. you can configure one static route to achieve this - I did not know what to do here properly. Since WAN link is not in VRF, I couldn't configure a static route inside the VRF. So i thought of configuring it for global RIB and trying to export it into the VRF but that wasn't working properly. Have to think about this some more.

2.3 jacob's IGP - r52 should redis lo52 - no tags requirement. lo52 bandwidth is set to 1kbps and you are specifically asked not to change it. so when you redis this, none of the other routers install it into RIB because of very high metric. next part of the question asks you to make sure this is installed in RIB. so i changed rib-scale to 255 and then it did. same on r9/r10 as well. asked to prevent loop during mutual redis between eigrp/ospf. so increased ospf external distance to 171 on r9/r10. question specifically asked not to use route-map, ACL or prefix-list.

also, r17 should send 10.2.0.0/16 into area 51. and r15/r16 should send 10.0.0.0/8 towards jameson core.

2.6 r18 to r57 - specifically asked to use summary-only so you can't leak specific prefixes via prefix-list. next part asks you to make this backdoor for 172.18.1.0/24 and some 10 something prefix. so you need to use unsuppress-map instead (that's the solution I came up with in the exam at least).
branch, HQ and main all in VRF Corp. DC in VRF DC. Jacob both sites in VRF JacobsCorp.

3.4 - interVPN - jameson can go to jameson directly, jacob to jacob, but jacob should go via DC to jameson and vice versa.

=============================================

Basically, the paper is VERY long and I started running out of time. I ended up making mistakes in MPLS part and majorly failed config due to that.
My advice would be to give the exam only if you're able to finish this configuration in under 3 hrs at home. Practice practice till you can. Don't waste an attempt if you cannot because in the exam, it takes MUCH longer.

Feel free to ask any questions. I'll try and answer as best as I can.
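For the DHCP snooping diag described in the post (capture taken between the snooping switch and the relay switch, problem confirmed with the relay's 'show ip dhcp relay information trust' output), here is an added Cisco IOS configuration example. It is not part of the original post and not the exam's own config; hostnames, interface numbers, VLAN IDs and addresses are assumed. It shows why a snooped DHCP DISCOVER can be dropped at the relay and the two relay-side ways to accept it: DHCP snooping inserts option 82 while leaving giaddr at 0.0.0.0, and a relay agent drops option-82 packets with a zero giaddr unless the receiving interface is marked trusted.

```cisco
! ===== Access switch (DHCP snooping) =====
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82 insertion is on by default; the switch does not set giaddr,
! so the DISCOVER leaves with option 82 and giaddr 0.0.0.0.
ip dhcp snooping information option
!
interface Ethernet0/1
 description uplink to relay switch (assumed)
 ip dhcp snooping trust
!
interface Ethernet0/2
 description user port (assumed)
 ip dhcp snooping limit rate 10

! ===== Relay switch, weak state =====
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip helper-address 10.100.0.5
! 'show ip dhcp relay information trusted-sources' lists no trusted
! interfaces here, so DISCOVERs carrying option 82 with giaddr 0.0.0.0
! are silently dropped and clients never get an offer.

! ===== Relay switch, corrected (per interface) =====
interface Vlan10
 ip dhcp relay information trusted

! ===== Relay switch, corrected (global alternative) =====
ip dhcp relay information trust-all

! Verify on the relay after the change (trusted interfaces are now listed):
! show ip dhcp relay information trusted-sources
```

The per-interface form is the tighter choice: it accepts zero-giaddr option-82 packets only on the SVI facing the snooping switch, while trust-all accepts them on every interface. A third fix, disabling option 82 insertion on the snooping switch with 'no ip dhcp snooping information option', also works but removes the circuit-id information the server could use.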
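For section 2.3 of the config (lo52 at 1 kbps not installed in the RIB, rib-scale 255, and the OSPF external distance of 171 to prevent a loop during mutual redistribution without route-maps, ACLs or prefix-lists), here is an added Cisco IOS example. It is not the post's or the exam's own configuration; the EIGRP instance name, AS number, addresses and interface names are assumed, OSPF process 1 is taken from the post.

```cisco
! ===== R52: EIGRP named mode (wide metrics); lo52 bandwidth must stay 1 kbps =====
interface Loopback52
 ip address 10.52.52.52 255.255.255.255
 bandwidth 1
!
router eigrp JACOB
 address-family ipv4 unicast autonomous-system 52
  ! Wide-metric throughput term = (10^7 / bw_kbps) * 65536 = ~6.55e11 for 1 kbps.
  ! The RIB metric is 32-bit, so EIGRP divides by rib-scale before installing:
  !   default 128 -> ~5.1e9  (> 4,294,967,295, route stays in topology table only)
  !   255         -> ~2.57e9 (fits, route is installed)
  metric rib-scale 255
  network 10.52.0.0 0.0.255.255
  topology base
   redistribute connected
  exit-af-topology
 exit-address-family

! ===== R9 and R10: mutual EIGRP/OSPF redistribution =====
router eigrp JACOB
 address-family ipv4 unicast autonomous-system 52
  ! rib-scale acts locally at RIB install time, so every router that must
  ! install the lo52 route needs it, not only R52.
  metric rib-scale 255
  network 10.9.0.0 0.0.255.255
  topology base
   redistribute ospf 1 metric 10000 100 255 1 1500
  exit-af-topology
 exit-address-family
!
router ospf 1
 redistribute eigrp 52 subnets
 ! Loop case: a prefix that is EIGRP external (AD 170) on R9 is redistributed
 ! into OSPF and comes back to R10 as OSPF external (AD 110 by default),
 ! which would win and point R10 back into OSPF. Raising OSPF external to 171
 ! keeps the EIGRP-learned route preferred on both redistribution points.
 distance ospf external 171
```

Check the result with 'show ip route 10.52.52.52' on R9/R10 (the route should appear as D or D EX rather than O E2) and 'show ip eigrp topology 10.52.52.52/32' to compare the full composite metric with the scaled value the RIB accepted.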