CCIE R&S v5 Exam Review on 15 July 2015
Hello CCIE Dreamers !!
I am sharing with you my experience hoping it might be helpful.
1> PC101 needs to ping Server1 . Ping was already working. However they ask you to trace as well. Since Vlan 12 was not allowed on trunk on one switch, trace did not take desired path.
Resolution: Add Vlan 12. Note that they did not ask to ping using hostname “Server1/Server” so need not bother about DNS part.
2> PPP R12-R17 > Nothing special. On R17, the “ppp chap hostname <name>” command was wrong, so R17 was responding to R12 with the wrong hostname.
Resolution : Changed it to match what is configured on R12 in “username <name> password <pass>” command.
3> OSPF: OSPF neighborship was missing between R5 and R22. Passive interface was present on R22.
Resolution: Did no passive interface for the concerned interface. Note there was no max-metric router-lsa. Had it been there, I would have gone for “max-metric router-lsa summary 20 / max-metric router-lsa on-startup 5”. Both give the desired result.
4> EIGRP: “metric weight 0 1 1 1 1 1” was missing on R11, R12, R14. Also there was offset 1000 out on R12. The ACL for this offset was permit ip any any.
Resolution: Added “metric weight 0 1 1 1 1 1” where it was needed. Also denied 220.127.116.11 in the ACL defined in the offset-list statement.
5> BGP: In my case all traces were OK by default. They needed 18.104.22.168 to be going via R6, as we have in our practice IOUs.
Resolution: They had a route-map on R4 and R6. Increased MED on R4; as a result R6 is preferred. In short, alter the route-map.
6> BGP IPv6: Network of e0/0 was not advertised on R25, so I did that. Note that they have on Se4/0 of R22 an ACL denying tcp any any, and they explicitly mention don’t modify the ACL. I did not scratch my head much, as doing the network advertisement made it work. However, I am still curious how “tcp deny any any” did not interfere with BGP operation.
7> DMVPN: Nothing special. Wrong NHS IP somewhere and some silly typo that everyone practicing IOUs would know.
8 > MPLS : Approach resolving this in a structured manner and it is easy. Faults in my case:
a) R7 and R8 -> default originate missing. I added on both along with pre-configured route-map. What I mean is that they had “neighbor 123.x.x.x route-map MED” . MED was set to 100 on R7 and 101 on R8.
Note that this command does not have effect on default route we originate. In order for R7 to be preferred, I used “neighbor 123.x.x.x default-originate route-map MED”
As a result default route also carries MED which otherwise would not. Doing so R7 became preferred path.
b) NAT statement missing on R7, so added it (ip nat inside source list <ACL> interface e0/0.125 overload)
c) On R8 interface e0/0.125 missing “ip nat outside”
d) MPLS broken between R4 and R6. Check using “ping mpls ipv4 22.214.171.124/32 source 126.96.36.199”. Increased cost on E2/0 on both R4 and R6.
e) Many would stop here seeing all traces worked. But check how the return traffic from the server is coming back. On SW1 do “show ip cef <IP of test PC from where we test ping and traces>”. You will see asymmetric flow, and the return comes back via R8, which is not how it should be. So we had:
R7 > router ospf 1 > redistribute bgp <n> metric 10
R8 > router ospf 1 > redistribute bgp <n> . So I added metric 11 and made it look like router ospf 1 > redistribute bgp <n> metric 11.
I hope you guys would understand the logic I am trying to put.
9> DMVPN R7-R24 : Again all known issues as per our IOUs shared here on cert-collection. Wrong pre-shared key IP on R7 under crypto configuration and one more basic fault. NAT was all fine.
10> NAS : Telnet was already working. Ping from NAS to “www.cciecloud.net” was not. I added “ip dns server” on R23 to make it work.
Frank advice: Do practice but have faith in your skills. In the exam, troubleshooting was way too easy compared to what we have been discussing here.
And without a doubt there would be jitters about whether I remove, change, leave it as it is, etc. Let that moment come and figure it out depending on what the question needs.
For example many would say that I could have avoided route-map part in MPLS where I added “neighbor 123.x.x.x default-originate route-map MED”. Truth is yes I could have. Then I would have played with OSPF cost make cost to reach 188.8.131.52 higher from R6. But that is again just another way of dealing with it. I chose to use route-map and why would Cisco bother if you are using a legitimate way of doing it.
1> SW3 has been replaced due to failure and a user is complaining. They give you tons of logs. Be quick and, without wasting time, go to the console logs and see that the vtp configuration number is zero.
part1: Sw3 is problematic device. How did you check -> show vtp status.
part 2 : Sw3 is the device and “Ask for show vtp password”.
Note I am not sure. Some say that ask for VTP password of working switch which is also fine but what is the harm in asking password for SW3 to check if it is correct. I chose SW3 as device and asked for its VTP password.
2. EIGRP/DMVPN: They show an email that spokes have issues with the HUB and connectivity problems. There is a big diagram showing connectivity. I checked the console logs and wallah….. Midchain logs pointing to NBMA being advertised in EIGRP. I went to R15 (HUB) and it was not advertised. I checked the diagram and both R15 and R16 were shown as /30. I checked the config of R16 and the interface was actually /29.
So device with issues -> R16 and how will you fix it -> Increase subnet mask length on E0/0.
3. uRPF: There was hell lot of information there about this. Drag and drop. Choose 8 correct options.
Note we had
r1 -e0/0———e0/0 r2
r1 e0/1 ———e0/1 r3
Loose mode on both interface of R1.
Strict on R2 and R3 on interfaces going towards R1.
What I did:
R1 checks input ACL
R1 realizes it has multiple egress point.
R1 checks RIB (They give you output of show ip route , show ip cef etc)
R1 translates and forwards to R3.
R3 inspects ACL.
R3 notices that the source is learnt via another interface and drops it.
Part 2: BGP asymmetric routing with strict uRPF, BGP default missing. This is what I chose.
However what I believe it should be is : strict uRPF with per destination load sharing.
Frank advice: This section is more of luck than knowledge. Some might argue, but you need to scrutinize a hell of a lot of info if you have not seen it discussed here on forums like this.
Pray that Diag does not change and proceed with preparations.
1> SW1,SW2 (Transparent), SW3(Server), SW4 (Client)
2> MST -> They ask you that there should be three instances.
3> mac-address ageing 10800 (3 hours)
4> EIGRP strongest auth/anti replay -> Named mode on R15,R16,R17,SW5,SW6.
5> NTP authentication
6> Terminal shell/Shell processing/R17
Rest was same.
Just note that they use “ipv6 general-prefix” to assign IPs on R12,R13,SW3, etc. This is just another way of assigning IP. So should you need to check IPV6 address, do show ipv6 interface brief.
Read on cisco about ipv6 general prefix to understand it.
Rest all was same.
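
The strict/loose uRPF check from the drag-and-drop item above (loose on both R1 interfaces, strict on R2 and R3 toward R1), as an added example that is not part of the original post. The prefixes, the FIB contents and R3's e0/2 interface are assumptions constructed for illustration; the example also goes beyond the post by covering a source with two equal-cost return paths and a source with no route at all.

```python
import ipaddress

# Constructed FIBs (prefix -> interfaces the router would use to reach it).
# All prefixes and R3's e0/2 are assumptions; only R1/R2/R3 and the
# e0/0, e0/1 links come from the post.
FIBS = {
    "R1": {"198.51.100.0/24": {"e0/0"}, "203.0.113.0/24": {"e0/1"}},
    "R2": {"198.51.100.0/24": {"e0/1"}, "203.0.113.0/24": {"e0/0"}},
    "R3": {"198.51.100.0/24": {"e0/2"}, "203.0.113.0/24": {"e0/1", "e0/2"}},
}
# uRPF mode per (router, interface), as laid out in the post.
MODES = {
    ("R1", "e0/0"): "loose", ("R1", "e0/1"): "loose",
    ("R2", "e0/0"): "strict", ("R3", "e0/1"): "strict",
}

def fib_lookup(router, addr):
    """Longest-prefix match; returns the interface set or None."""
    ip, best = ipaddress.ip_address(addr), None
    for prefix, ifaces in FIBS[router].items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifaces)
    return best[1] if best else None

def urpf_verdict(router, in_iface, src):
    """Return (action, reason) for a packet with source src arriving on in_iface."""
    mode = MODES.get((router, in_iface))
    if mode is None:
        return ("pass", "uRPF not enabled on this interface")
    ifaces = fib_lookup(router, src)
    if ifaces is None:
        return ("drop", "no route back to source")
    if mode == "loose":
        return ("pass", "source reachable via some interface")
    if in_iface in ifaces:
        return ("pass", "source reachable via receiving interface")
    return ("drop", "source learnt via " + ", ".join(sorted(ifaces)))

if __name__ == "__main__":
    for hop in [("R1", "e0/0", "198.51.100.10"), ("R3", "e0/1", "198.51.100.10"),
                ("R3", "e0/1", "203.0.113.7"), ("R1", "e0/0", "192.0.2.99")]:
        print(hop, urpf_verdict(*hop))
```

The second hop is the case the post describes: R3 holds the source prefix on a different interface, so the strict check on e0/1 drops the packet that R1's loose check let through.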