I have recently passed the lab, so I would like to share my overall experience.
TS
Actually, the topology was TS1; however, nearly all of the faults are new, so be very careful.
Q1 – User1 cannot ping server
There were no issues with VLANs (as it was before). While tracing, it was stopping at the last hop – the server itself. If I am not wrong, there was a problem with the default GW, which was announced by DHCP.
Q2 – PPP
There were minor problems on both R12 and R17; you should notice them easily.
Q3 – OSPF
OSPF between R22 and R5 was not coming up. The router-id on R22 was the same as on R5, so correcting the RID on R22 to its Loopback0 solved the problem.
Q4 – EIGRP
On one of the routers, passive-interface was configured. No additional configurations like distribute-lists or offset-lists, or changed interface properties (delay/bandwidth), were seen, so this question can be solved easily.
Q5 – BGP
First you need to solve Q3 (OSPF). If I am not wrong, next-hop-self was not configured on R22. Also, check the route-maps on R21 and R22.
Q6 – IPv6
IPv6 BGP was configured between R22 and R25. However, TCP over IPv6 was prohibited on R22 towards R25 bidirectionally by an IPv6 ACL, so you need to configure the peering between R22 and R25 over IPv4, then activate the peering under the IPv6 AFI and correct the next-hop with a route-map (in my case, the route-map was already created, so I just needed to apply it to the neighbor). The needed prefixes were already advertised under the AFI; if not, just do it.
Q7 – DMVPN
There was a restriction that only 2 faults exist. One of them was on R14 – an ACL was prohibiting ESP traffic, so R18 (spoke) could not register on R15 (hub). Permit ESP, and one fault is gone. The other one was to permit spoke-to-spoke traffic (DMVPN phase 3). This should be done ONLY on R19 (another spoke) with “ip nhrp shortcut” (the traceroute was originated from R19 to R18, so be careful: R18 does not need this command, and on R15 “ip nhrp redirect” was applied already).
Q8 – MPLS VPN
I really did not have time to look through it at all.
Q9 – DMVPN NAT
There was no crypto or NAT issue – ping from R24 to R7 was OK. However, even Phase 1 was failing with MM_NO_STATE or MM_KEY_EXCHANGE. I could not solve this ticket, so it was missed.
Q10 – NAS was not getting an IP address from the dedicated DHCP pool on R23. There were 2 pools – one for the whole 192.168.1.0/24 subnet, another only for the NAS with a specified client-identifier. On the NAS, you need to specify “ip address dhcp client-id ethernet0/0”. Make sure the NAS gets the 192.168.1.200 address, because NAT is hardcoded to permit 192.168.1.200 only. Nothing else needs to be done.
DIAG
The first ticket was DHCP snooping, so it was quite easy. The second ticket was a TCL script, whose solution is also not difficult. Be careful with the answer options and the IP addresses of the router and the hacker’s server.
CFG
The config was the H1 variant. Some sections were pre-configured, but double-check, especially the BGP peerings. No changes for the tasks in the different sections.
Sorry that I cannot reproduce the TS section completely – this was really challenging.