CCIE R&S v5 Exam Review on 02 August 2018
I took the exam yesterday. I was really a little nervous, but I managed as well, and the following is my feedback:
I got TS1, Diag DHCP/TCL & Config H2+
TS – 1 – 1 hour 55 min (verified twice)
1 – Access list blocking OSPF in Vlan 12 towards switches
2 – Exam has preconfigured encapsulation frame-relay instead of PPP; I removed it and reconfigured with encapsulation ppp, hostname, password & ipcp route default
3 – Same ospf router-id on both routers & wrong network type on one side (P2P), removed
4 – Metric weight missing on all routers & prefix list blocking R14 loopback
5 – LSP broken R1-R2 & next-hop-self missing on R5
6 – No eBGP peer configurations on R22. I configured eBGP peers between R22 & R25, but it was not working. I spent around 20 min on this ticket; finally I reloaded the devices, and after the reboot it was working fine
7 – Access list blocking ESP traffic on R14, spokes missing ip nhrp redirect/shortcut (tickets 7 & 9 solved together)
8 – NAT configuration missing on R7 & R8, corrected route-target export / import on R3 & R4. I configured origin IGP in neighbor R24 under RM, then the trace was fine, & ip cef missing on R1
9 – IPSEC configuration mismatch on spokes, access list blocking ESP traffic on R21
10 – Wrong client-id on NAS, secondary ip configured at R24 interface
Diag – DHCP/TCL – 15 min
Ans – Command used – show ip dhcp relay information trusted-sources
Ans – in my scenario Seq was 119, the packet is about DHCP discovery, source ip address is 0.0.0.0
Ans – Between SW1-SW3
Ans – TCP Connection from the router to 10.1.1.2
TCP Connection from a remote host to the router’s IP address 10.1.1.1 on port 1337.
Download of a TCL script in memory via HTTP
Installment of a backdoor via some ransomwares
I finished Diag within 15 minutes, but I had to wait 15 more minutes to start the Config section.
I took a little refreshment with a coffee. After TS & Diag my stress was down.
Config H2+ : 4 Hr:10 min
Some ports are preconfigured but I removed and reconfigured them; VTP mode transparent for all switches
The exam says “use encapsulation method that insert a 4-byte tag for all inter switch links”; I used dot1q
Spanning-tree required MST with 3 instances. The question clearly mentions in a table which VLANs are in each instance.
Traffic from vlan 34 must go through Et2/1 in SW3, but do not delete them from the trunks
The exam says “it will cause interface of Ethernet 2/1”
Interface port-channel was also preconfigured; I deleted and reconfigured it
required Cisco proprietary protocol
no port-channel between SW3 & SW4
All interface of R17/R19/R20/R21 in VRF except WAN interfaces
The requirement was that all Branch routers get a default route without configuring a static route.
The exam says “you are not allowed to use static routes in branch routers”
OSPF was preconfigured in Jameson Core, HQ and Office
It is only required to configure OSPF in Datacenter, with the restriction that there isn’t an OSPF type 2 LSA in the database. No requirement for DR in R1, SW1 and SW2, but it was preconfigured
One static route for default route is allowed on R17
Must be advertised in OSPF only if it has it in the routing table
10.2.0.0/16 must be advertised to area 51; I configured it on R17 with the area 0 range 10.2.0.0 255.255.0.0 command
Area 51 must not have Type 2 LSAs; no requirement for area 51 stub
Only required to configure Jacobs CORE.
R52 must inject only its Lo52 as an external. But bandwidth was preconfigured to 1 KBPS and we are not allowed to remove it, so the routes are not installed in the routing table. You need to calculate rib scale.
The question clearly says not to use any metric for redistribute connected and not to modify metric weights.
Output required for show ip route 22.214.171.124 from R9 and R10 with a specific metric
Requirement for Lo52: you must use rib-scale in EIGRP; from the output of sh ip route you can calculate the value for metric rib-scale.
I used this equation: Feasible distance / metric = Rib Scale.
You will get FD with sh ip eigrp topology 126.96.36.199/32 in R52
Metric value shown in output (in question, sh ip route 188.8.131.52 in R9)
I configured EIGRP routers R50, 51, 52, 53, 54, R9 and R10 with the command metric rib-scale
The difference was that R15/R16 are required to advertise 10.0.0.0/8 in BGP.
There was an output for sh ip bgp 10.0.0.0/8 in R11 with as-path showing 65001 65002
The exam says R15/16 advertise their OSPF default route to PEs; therefore, I configured redistribute ospf internal external 2 in BGP and default-information originate for this advertisement
This section in the exam is about loop prevention in Jameson’s sites. There isn’t any restriction, but the exam says that the solution must be valid for any prefix added in the future.
I configured a prefix-list to filter this summary route in the IGP, so as not to advertise back the route generated by the BGP aggregate. This way I avoided R16 learning this route from R15
Backdoor link. Exam requires the aggregate-address with summary-only.
In R57 there was preconfigured mutual redistribution between EIGRP and BGP.
There are no preconfigured route filters or redistribution on R55/R56, and it is not allowed to configure summarization on R55/R56
I did 2.6 & 2.8 together
The exam says “You are not allowed to use ACL, prefix-list or route-map”
There was an output required in this question for show ip route 184.108.40.206 from R9 and R10 with a specific metric.
In this case we are only permitted to change AD.
On R9/R10 I used the distance external command in OSPF, because R9 learned 220.127.116.11 as an EIGRP external prefix (AD 170) >> R9 injected this prefix into the OSPF domain (AD 110), then R10 learned prefix 18.104.22.168 as an OSPF route because AD 110 < 170; after the higher AD, both R9 and R10 must learn Lo52 as an EIGRP external prefix
The only restriction in this question is not to use ACL, therefore route-maps are permitted. In fact, the only way to advertise a /24 prefix with “summary-only” in BGP aggregation is with unsuppress-map with an implicit route-map.
The exam clearly says “All other traffic must be routed via the MPLS network” (implicit that traces from SW10 to 10.3.x.x and 10.1.x.x must not go through the backdoor link)
Besides, the question explicitly indicated that the announced summarized prefixes in 2.6 were not advertised to the MPLS network (the aggregated /8 of each site in R15/16 and R55/56).
And besides, another restriction was that in R55/R56 no summarization could be configured.
There was an output with traces from R101 and SW10 to a /24 prefix for the backdoor and another prefix whose trace had to go through the MPLS network
Ospfv3 between SW3, SW4, R15 and R16 with route preference value
SW4 was HSRP active
Ethe 0/1 in R19 was the source for ping
Ethe 0/1 in R20/R21 was joined to 22.214.171.124
Cisco proprietary protocol & R17 was RP
There was a requirement for Branch routers to never have a DR election & they need the command spt-threshold infinity in branch routers.
Phase 3 must be configured and verified, although the output required was a ping between branch routers.
IPSEC profile was preconfigured.
Eth0/0 was not in VRF, so the dialer was not in VRF. Only the tunnel was in VRF; as WAN wasn’t in VRF, a keyring VRF for ISAKMP wasn’t necessary
LDP was preconfigured, but ldp router-id is missing in some routers.
R3/R4 vrf DC
R5/6/7/8 vrf Corp
required traces from SW1 and SW2 in HQ Jameson and Office Jameson to DC show load-balance between source and dst in MPLS and Datacenter.
I used RT import/export, SOO & allowas-in on the CE side
Exam required changing the AS to 65001 in Jacobs PEs.
Sessions between PEs and CEs must be recovered with the new AS without modifying the CEs’ config.
AS 65001 must not be shown in BGP NLRI in Jacobs CEs
AS 65006 must not be shown in BGP NLRI in CORE
Output required was ping and trace from SW10 to Datacenter
I deleted bgp 65006 and configured AS 65001 with IPv4 and VPNv4 peer to R1, next-hop-self in ipv4 address-family
I did not reconfigure the iBGP session between R50, R51, R52
I used local-as in PEs with the keyword for as-prepend on the neighborship between Jacobs PEs and Jacobs CEs
communication directly between Jameson sites
communication directly between Jacobs sites
communication between Jameson sites and Jacobs sites will go through the Datacenter.
Route-target exports are the same in each PE, but don’t import this value of route-target. This way you don’t import routes from the dual-homed PE
DC imports all (Jameson’s & Jacobs sites)
Jameson sites import each other
Jacobs sites import each other
do not import what I export
nothing new, no restrictions
used this config
ip access-list extended COP_ACL
 deny ospf any any
 deny tcp any any eq 179
 deny tcp any eq 179 any
 deny pim any any
 deny udp any any eq 500
 deny udp any any eq 4500
 deny udp any any range 33434 33464
 deny esp any any
 deny gre any any
 permit ip any any ttl eq 1
 permit ip any any ttl eq 0
class-map match-any COP_CLASS
 match access-group name COP_ACL
service-policy input COP_POLICY
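How the COP_ACL entries above classify traffic, as an added example that is not part of the original post: in an ACL referenced by a class-map, the first matching entry decides, a deny excludes the packet from the class and a permit places it in the class. The sample packets are constructed, and the action applied to COP_CLASS is not shown in the post, so it is not modelled here.

```python
# Added example: first-match evaluation of the COP_ACL entries quoted in the post.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:                       # constructed sample packet, not captured traffic
    proto: str                      # "ospf", "tcp", "udp", "pim", "esp", "gre", "icmp"
    ttl: int
    sport: Optional[int] = None
    dport: Optional[int] = None

# (action, protocol, source-port range, destination-port range, ttl) in ACL order
COP_ACL = [
    ("deny", "ospf", None, None, None),
    ("deny", "tcp", None, (179, 179), None),
    ("deny", "tcp", (179, 179), None, None),
    ("deny", "pim", None, None, None),
    ("deny", "udp", None, (500, 500), None),
    ("deny", "udp", None, (4500, 4500), None),
    ("deny", "udp", None, (33434, 33464), None),
    ("deny", "esp", None, None, None),
    ("deny", "gre", None, None, None),
    ("permit", "ip", None, None, 1),
    ("permit", "ip", None, None, 0),
]

def port_matches(spec, port):
    # None means the entry does not constrain this port
    return spec is None or (port is not None and spec[0] <= port <= spec[1])

def in_cop_class(pkt: Packet) -> bool:
    """True when the first matching entry is a permit (packet lands in COP_CLASS)."""
    for action, proto, sport, dport, ttl in COP_ACL:
        if proto not in ("ip", pkt.proto):
            continue
        if not (port_matches(sport, pkt.sport) and port_matches(dport, pkt.dport)):
            continue
        if ttl is not None and pkt.ttl != ttl:
            continue
        return action == "permit"
    return False                    # implicit deny: packet is not in the class

if __name__ == "__main__":
    for name, pkt in [("OSPF hello, TTL 1", Packet("ospf", 1)),
                      ("UDP 33465, TTL 1", Packet("udp", 1, 50000, 33465)),
                      ("ICMP echo, TTL 64", Packet("icmp", 64))]:
        print(f"{name:20} -> {'COP_CLASS' if in_cop_class(pkt) else 'not in class'}")
```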
I skipped this section because of broadcast storm, someone reported this issue earlier, so I skipped
DHCP in R15.
R101 must be a specific prefix.
Don’t change config in Ethe0/0 in R101 (there was a preconfigured mac-address)
I configured two pools, 1 for /24 and 1 for R101 (with specific client identifier)
NAT of R17, nothing new
SW4 was HSRP active