
CCIE R&S v5 Exam Review on 24 December 2014

Hi everyone,

I finally passed my exam recently.
I am now a dual CCIE and this is the best Xmas present I could have this year.
I will now take a well deserved break.
It might take a while for me to reply to any questions after Friday, as I will be somewhere on the beach celebrating Xmas with my wife.
But until Friday I am still home and will answer anything you ask.

Here is my feedback:

_______________
Troubleshooting
_______________

***********
Q1: Layer 2
***********

POSSIBLE FAULTS:
————————-
1. SW2 wrong MAC port security
2. DHCP R7 R8 wrong client-id too
3. missing “vlan 12” on vtp server

FAULTS ON MY EXAM:
—————————-
1. VLAN 12 missing from trunk

************
Q2: PPP CHAP
************

POSSIBLE FAULTS:
—————————-
1. ppp ipcp route default is configured on R12 instead of R17
2. ppp authentication CHAP missing on R17 (should be only on R12)
3. ppp authentication chap is configured on R17

FAULTS ON MY EXAM:
—————————-
1. ppp authentication chap is configured on R17
2. incorrect chap username / pass on R17 interface, just match the one configured on R12

*********************
Q3: OSPF LOAD BALANCE
*********************

POSSIBLE FAULTS:
—————————-
1. max-metric router-lsa at R1
2. passive interface default on R22 and/or R5
3. ospf cost on R21 int e0/0
4. wrong mask on R22 interface

FAULTS ON MY EXAM:
—————————-
1. passive interface default on R22 and R5
2. wrong mask on R22 interface

**********************
Q4: EIGRP LOAD BALANCE
**********************

POSSIBLE FAULTS:
—————————-
1. Distribute-list filtering R14 loopback on R13
2. metrics should be 0 1 1 1 1 1
3. delay on R13 e01 is 10, should be 1000
4. offset list on R12

FAULTS ON MY EXAM:
—————————-
1. metric mismatched, metrics should be 0 1 1 1 1 1
2. offset list on R12
3. Distribute-list filtering R14 loopback on R13

********************
Q5: BGP Load Balance
********************

POSSIBLE FAULTS:
—————————-
1. R22 and R21 should have next-hop self to peering with R3-R5
2. maximum path 2 on R12 is missing
3. R5-R6 BGP ipv4 and vpnv4 not activated
4. wrong MED

FAULTS ON MY EXAM:
—————————-
IP addresses to trace are different. Some of them are Loop of R21 and R3
1. R5-R6 BGP ipv4 and vpnv4 not activated <– Check that first. RR must have peering to all routers
2. Play with default local pref and MED to match output. Do not remember exactly all I did, but if you know how Local Pref and MED works it is easy

*********
Q6 : IPv6
*********

POSSIBLE FAULTS:
—————————-
1. R25 is not announcing Mobile network, be careful with prefix
2. next hop route-map incorrect for IPv6 over IPv4

FAULTS ON MY EXAM:
—————————-
1. R25 is not announcing Mobile network, be careful with prefix
2. next hop route-map incorrect for IPv6 over IPv4

**********
Q7 : DMVPN
**********

POSSIBLE FAULTS:
—————————-
1. R15 is doing redistribute connected and BGP into EIGRP. Filter the NBMA IP or DMVPN will bounce
2. ACL on R20 permitting only isakmp
3. wrong authentication for NHRP on any of the spokes
4. spoke to spoke communication fails as ip nhrp shortcut is missing on spoke(s)
5. wrong MAC on pools for host connected to R20, R15 and/or R16

FAULTS ON MY EXAM:
—————————-
1. ACL on R20 permitting only isakmp
ACL was similar to:
acl xxx permit udp host x.x.x.x any eq isakmp

I just allowed all udp ports needed, gre, esp and ip

*************
Q8 MPLS trace
*************

POSSIBLE FAULTS:
—————————-
First understand how it should work, read Pravine’s post, very clarifying
1. NAT wrong on R7/R8: it should be ip nat source list xx int ex/x.125 overload
2. wrong ip nat inside / outside interfaces on R7/R8 : ex/x.123 & ex/x.124 ip nat inside, ex/x.125 ip nat outside
3. R7/R8 have default route pointing to 125.x.x.x neighbor, add default originate to vpnv4 nei with 123.x.x.x address. Just redistribute connected doesn't work with default routes, as you should know by now.
4. if there is no ipv4 BGP peering for R7-R3 & R8-R4, advertise that link into BGP
5. wrong import on R3/R4
R3-R4 should import branches prefixes (exported by R5-R6) into vrf _To_Hub
R3-R4 should export prefixes from the vrf _To_Spoke
R5-R6 should only import 100 and export 101 on R5 and 102 on R6

R3

ip vrf Banco_To_Hub
rd 12345:651002
route-target import 12345:65101
route-target import 12345:65102
ip vrf Banco_To_Spoke
rd 12345:651001
route-target export 12345:65100

R4

ip vrf Banco_To_Hub
rd 12345:651002
route-target import 12345:65101
route-target import 12345:65102
ip vrf Banco_To_Spoke
rd 12345:651001
route-target export 12345:65100

R5-R6 just export their prefixes with route-target export 12345:65101(R5) / 12345:65102(R6)

6. R5-R6 receive the default route. Either we pass it to R9/R10 via BGP or on R9/R10 we inject it into OSPF (default originate always)
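
The import/export rules from fault 5, modelled as an added example (not part of the original post) that shows which prefixes each VRF learns and what breaks when a hub import is missing. The R5/R6 VRF name "Branch", the prefixes, and reading "import 100" as 12345:65100 are assumptions.

```python
# Route-target policy per (router, VRF), copied from the R3/R4 config and the
# R5/R6 description above. The R5/R6 VRF name "Branch" is hypothetical, and
# "import 100" is read as 12345:65100 (assumption).
HUB_IMPORT = {"12345:65101", "12345:65102"}
POLICY = {
    ("R3", "Banco_To_Hub"):   {"import": set(HUB_IMPORT), "export": set()},
    ("R3", "Banco_To_Spoke"): {"import": set(), "export": {"12345:65100"}},
    ("R4", "Banco_To_Hub"):   {"import": set(HUB_IMPORT), "export": set()},
    ("R4", "Banco_To_Spoke"): {"import": set(), "export": {"12345:65100"}},
    ("R5", "Branch"): {"import": {"12345:65100"}, "export": {"12345:65101"}},
    ("R6", "Branch"): {"import": {"12345:65100"}, "export": {"12345:65102"}},
}
# Constructed prefixes each VRF originates (illustrative only).
ORIGINATED = {
    ("R3", "Banco_To_Spoke"): ["0.0.0.0/0"],
    ("R4", "Banco_To_Spoke"): ["0.0.0.0/0"],
    ("R5", "Branch"): ["10.5.0.0/24"],
    ("R6", "Branch"): ["10.6.0.0/24"],
}

def imported(policy, originated, target):
    """Prefixes `target` learns: a VPNv4 route is installed when it carries
    at least one route-target found in the target VRF's import list."""
    wanted = policy[target]["import"]
    learned = set()
    for source, prefixes in originated.items():
        if source != target and policy[source]["export"] & wanted:
            learned.update(prefixes)
    return sorted(learned)

def missing_at_hub(policy, originated, hub):
    """Branch prefixes the hub-facing VRF fails to import (fault 5 check)."""
    branch = {p for (r, v), ps in originated.items() if v == "Branch" for p in ps}
    return sorted(branch - set(imported(policy, originated, hub)))

if __name__ == "__main__":
    for vrf in POLICY:
        print(vrf, "learns", imported(POLICY, ORIGINATED, vrf))
    # Reproduce fault 5: drop one import on R3 and list what goes missing.
    broken = {k: {d: set(s) for d, s in v.items()} for k, v in POLICY.items()}
    broken[("R3", "Banco_To_Hub")]["import"].discard("12345:65102")
    print("missing on R3:", missing_at_hub(broken, ORIGINATED, ("R3", "Banco_To_Hub")))
```
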

FAULTS ON MY EXAM:
—————————-
Surprisingly, this was the easiest ticket. Maybe because I worked a lot on it.
Only fault was:
1. R7/R8 have default route pointing to 125.x.x.x neighbor, >>> add default originate to vpnv4 nei with 123.x.x.x address

*******************
Q9 DMVPN NAT Transv
*******************

POSSIBLE FAULTS:
—————————-
1 transform set incorrect for DMVPN
2 crypto nat transparency disabled on R23
3 wrong isakmp key address on R7

FAULTS ON MY EXAM:
—————————-
1 wrong isakmp key address on R7
As R23 is doing NAT, R7 had crypto key address pointing to the private address of R24
>>>> either add the WAN IP of R23, or just add 0.0.0.0

*******
Q9 NAS
*******

POSSIBLE FAULTS:
—————————-
1 Duplicate IP on R23 making NAS unable to receive IP from DHCP
2 NAS has ip domain lookup disabled
3 R23 is configured with ip name-server 8.8.8.8. Need to add also ip dns-server

FAULTS ON MY EXAM:
—————————-
1 Duplicate IP on R23 making NAS unable to receive IP from DHCP
2 R23 is configured with ip name-server 8.8.8.8. Need to add also ip dns-server

____
DIAG
____

Same as discussed:

1. SWITCH PROBLEM
– go to SW3 and do sh ip int brie
– solution would be to ask user for the mac address of his computer

2. uRPF
Same as Simon share, NAT to Lo0 and Lo1 and asymmetric routing with uRPF strict mode.
– drag and drop as in Simon share
– Cause of problem is uRPF
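
Why strict-mode uRPF drops asymmetrically routed traffic while loose mode forwards it, as an added example (not part of the original post). The FIB, addresses and interface names are constructed and are not the exam topology; Lo0/Lo1 stand in for the two NAT loopbacks.

```python
import ipaddress

# Constructed FIB (prefix -> egress interface); addresses are documentation
# ranges, not the exam topology. Lo0/Lo1 stand for the two NAT loopbacks.
FIB = {
    "198.51.100.1/32": "Ethernet0/0",   # remote Lo0, best path via Eth0/0
    "198.51.100.2/32": "Ethernet0/1",   # remote Lo1, best path via Eth0/1
    "10.0.0.0/8": "Ethernet0/1",
}

def best_route(fib, src):
    """Longest-prefix match on the source address; None if no route."""
    ip = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(p), ifname) for p, ifname in fib.items()
               if ip in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)

def urpf_permits(fib, src, in_if, mode="strict"):
    """Strict: a route back to src must exist AND point out the arrival
    interface. Loose: any route back to src is enough."""
    route = best_route(fib, src)
    if route is None:
        return False
    return mode == "loose" or route[1] == in_if

# Constructed packets: (source address, interface the packet arrived on).
PACKETS = [
    ("198.51.100.1", "Ethernet0/0"),  # symmetric: arrives where the route points
    ("198.51.100.2", "Ethernet0/0"),  # asymmetric: route back points to Eth0/1
    ("203.0.113.9", "Ethernet0/0"),   # no route to the source at all
]

def verdicts(mode):
    """Forward/drop decision for each constructed packet in the given mode."""
    return [urpf_permits(FIB, s, i, mode) for s, i in PACKETS]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        for (src, in_if), ok in zip(PACKETS, verdicts(mode)):
            print(f"{mode:6} {src:14} in {in_if:12} -> {'forward' if ok else 'drop'}")
```
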

3. DMVPN flapping
– lots of logs; check the Hub carefully and you will see it is redistributing the NBMA address into EIGRP
– Select device causing issue: Select Hub
– Cause: Hub is injecting NBMA causing recursive routing

______
CONFIG
______

During my preparation, my goal was to do Section 1 and OSPF on Section 2 with also Section 3 MPLS part before the lunch break. I managed to do that.
After lunch I knew I had plenty of time for the rest. However, problems would come … and they did. Having time to check for misconfiguration is a must.

– SECTION 1
>>> Do not forget to add vlan 1 if using pvst rapid
access ports were configured, but most of them on wrong vlan. So take a pen and draw the Layer 2 diagram
I used root primary and secondary instead of manually setting priorities
do not forget to add unused ports to vlan 999
– SECTION 2
I configured OSPF and then used mpls ldp autoconfig to save time
No vrf for DMVPN
use named EIGRP on Routers as requested, but not on the SW.
It was said to enable all interfaces, so I also added VLAN 5 and 6 to EIGRP
– SECTION 3
As discussed here, nothing new.
Do not forget to add eigrp stub summary on the spokes and no auto-summary

– SECTION 4

R20
banner login ^CWARNING!ACCESS RESTRICTED! Login banner ^C
banner motd ^CWARNING!ACCESS RESTRICTED! MOTD banner ^C

line vty 0 4
transport input ssh
no motd-banner

SW3
interface range ethernet 0/0-3
switchport port-security
switchport port-security mac-address sticky
switchport port-security maximum 1
switchport port-security violation shutdown

– SECTION 5
For ssh, I used log on the ACL and also ip ssh logging events
For Netflow, I also used match destination, otherwise my output was showing some multicast traffic too
matching source ip, input interface and destination worked for me.
Totally skipped NTP for IPv6, didn't even read the question. It was just 1 point and I didn't want to risk losing the IPv6 points
