Wednesday, June 16, 2010

INE Workbook Vol 2 Lab 6

A switch in VTP transparent mode does not act on VTP advertisements itself, but it does relay the ones it receives out its other trunk ports to the switches beyond it. If the trunks are negotiated with DTP and the VTP domain names are mismatched, DTP will not bring the trunk up. You can get around this by making the port a static trunk ('switchport mode trunk') and disabling DTP ('switchport nonegotiate'). Also, a VTP version 2 transparent switch forwards advertisements without checking the domain name or version number in them, which is what makes the pass-through work; a version 1 transparent switch only forwards advertisements whose domain name and version match its own.
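The pass-through and static-trunk setup described above, as an added configuration example (not from the original post or the INE workbook). Hostnames, interface numbers and the domain name are assumed; SW2 is the transparent switch sitting between SW1 and SW3.

```cisco
! Added example, not part of the original post. Names and interfaces assumed.
!
! SW2 sits between SW1 and SW3 and must pass VTP through without taking part.
! Version 2 is what lets a transparent switch relay advertisements from a
! domain other than its own; in version 1 the domain name would have to match.
hostname SW2
!
vtp mode transparent
vtp version 2
vtp domain LOCAL_ONLY
!
! Static trunks with DTP off: without this, a VTP domain mismatch between
! SW1 and SW2 stops DTP from negotiating the trunk at all.
interface FastEthernet0/13
 description to SW1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/14
 description to SW3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
! The same static trunk config goes on the SW1 and SW3 side of each link,
! and SW1 and SW3 must share a domain with each other for SW3 to accept
! SW1's advertisements; SW2's domain can be anything.
!
! Verification:
!   show vtp status            - mode Transparent, VTP V2 Mode enabled
!   show interfaces trunk      - Fa0/13 and Fa0/14 in mode "on"
!   show dtp interface fa0/13  - DTP disabled because of nonegotiate
```

The check that catches the mismatch case is 'show interfaces trunk' on both ends: a DTP-negotiated port that never comes up because of the domain mismatch simply will not be listed, while a static 'on' trunk is, regardless of VTP.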

Ok, I will say the MPLS section really tripped me up here, not because the scenario was particularly hard, but because partial configurations were there, and I thought I needed to add more configuration to make it work than was really necessary. This proves I need work troubleshooting MPLS. I can build an MPLS network pretty easily from the ground up (at least in the CCIE realm), but making an existing one work is still a bit of a weakness.

Multicast stub routing is configured with 'ip igmp helper-address x.x.x.x' on the stub router's host-facing interface. The address is the upstream router to which IGMP membership reports and leave messages are relayed. When using the helper, there is typically no PIM neighbor relationship between the two routers (the upstream router filters the stub with 'ip pim neighbor-filter'). Make sure the upstream (proxy) router still has PIM enabled on the interface facing the stub: the neighbor-filter only blocks the adjacency, and PIM must stay on for the relayed IGMP joins to put that interface in the outgoing interface list so the multicast traffic can be forwarded.
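The stub/upstream pair described above, as an added configuration example (not from the original post). R1 is the stub router, R2 the upstream router that accepts the relayed IGMP; addresses, interface numbers and the ACL number are assumed.

```cisco
! Added example, not part of the original post. Addresses and interfaces assumed.
!
! --- R1 (stub) ---
ip multicast-routing
!
interface FastEthernet0/0
 description hosts
 ip address 191.1.10.1 255.255.255.0
 ip pim dense-mode
 ! IGMP reports and leaves from the LAN are relayed as unicast to R2
 ip igmp helper-address 191.1.12.2
!
interface Serial0/0
 description to R2
 ip address 191.1.12.1 255.255.255.0
 ip pim dense-mode
!
! --- R2 (upstream / proxy) ---
ip multicast-routing
!
interface Serial0/0
 description to R1 (stub)
 ip address 191.1.12.2 255.255.255.0
 ! PIM stays on so the relayed joins can populate this interface's OIL,
 ! but R1 is refused as a PIM neighbor
 ip pim dense-mode
 ip pim neighbor-filter 1
!
access-list 1 deny 191.1.12.1
access-list 1 permit any
!
! Verification on R2:
!   show ip pim neighbor   - R1 must NOT appear
!   show ip igmp groups    - groups joined on R1's LAN show up on Serial0/0
!   show ip mroute         - Serial0/0 is in the outgoing interface list once a host joins
```

If 'show ip igmp groups' on R2 stays empty after a host joins, the helper address is wrong or PIM is missing on one of the interfaces; if 'show ip pim neighbor' lists R1, the neighbor-filter ACL is not matching its source address.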

You can stop communication with a malicious host by configuring a static MAC address-table entry for its address and pointing it at an unused or shut-down interface. On platforms that support it, you can use the 'drop' keyword on the static entry instead, or filter the host with a VACL.
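The three options above side by side, as an added configuration example (not from the original post). The MAC address, VLAN, IP address and black-hole interface are assumed.

```cisco
! Added example, not part of the original post. MAC, VLAN, IP and port assumed.
!
! Option 1: static MAC entry pinned to a dead port. Frames destined to the
! host go out Fa0/24 (shut down) instead of its real port.
interface FastEthernet0/24
 description black hole
 shutdown
!
mac address-table static 0011.2233.4455 vlan 10 interface FastEthernet0/24
!
! Option 2: the same entry with the drop keyword, which drops unicast frames
! both to and from the address. Use option 1 OR option 2, not both: a second
! static entry for the same MAC and VLAN replaces the first.
! (Older 3550 images spell the command "mac-address-table static".)
mac address-table static 0011.2233.4455 vlan 10 drop
!
! Option 3: a VACL. This filters on IP inside the VLAN, including traffic
! between two ports in the same VLAN that a router ACL would never see.
ip access-list extended BAD_HOST
 permit ip host 191.1.10.100 any
 permit ip any host 191.1.10.100
!
vlan access-map BLOCK_BAD_HOST 10
 match ip address BAD_HOST
 action drop
vlan access-map BLOCK_BAD_HOST 20
 action forward
!
vlan filter BLOCK_BAD_HOST vlan-list 10
!
! Verification:
!   show mac address-table static vlan 10
!   show vlan access-map BLOCK_BAD_HOST
!   show vlan filter
```

The sequence 20 'action forward' clause matters: a VLAN map with no matching clause drops everything in the VLAN, so leaving it out takes the whole VLAN down rather than just the one host.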

I'm starting to get these dynamic ACLs w/ access-enable, but I still can't get there 100%. To prevent access to SW1 without being authenticated, here are the pertinent configurations. Once authenticated with the specified username/password, you can telnet to the host.


! Lock-and-key: user TELNET only triggers access-enable, user CLI gets a normal shell
username TELNET password 0 CISCO
username TELNET autocommand access-enable 
username CLI password 0 CISCO
!
! The dynamic ACL is applied inbound on both WAN interfaces
interface Serial0/0
 ip access-group DYNAMIC1 in
!
interface Serial0/1
 ip access-group DYNAMIC1 in
!
! Template entry first (PERMIT_TELNET is where temporary entries are created),
! then the telnet destinations that stay blocked until a user has authenticated
ip access-list extended DYNAMIC1
 dynamic PERMIT_TELNET permit tcp any any eq telnet
 deny   tcp any host 191.1.27.7 eq telnet
 deny   tcp any host 191.1.7.7 eq telnet
 deny   tcp any host 191.1.77.77 eq telnet
 deny   tcp any host 191.1.177.7 eq telnet
 deny   tcp any host 150.1.7.7 eq telnet
 permit ip any any
!
line vty 0 4
 password cisco
 login local
line vty 5 903
 login local

Fear not! If you do get this on the lab, it's easily found in the DocCD under Security -> Securing the Data Plane -> Configuring Lock-and-Key Security (Dynamic Access Lists). Here is the direct link, which I highly suggest you read: http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_lock_key_secrty_ps6441_TSD_Products_Configuration_Guide_Chapter.html

I get it. You create a regular extended access list, but at the top you put a dynamic entry, which is the template for the temporary permit. The autocommand access-enable creates a temporary entry from that template once the user has authenticated. Wow, now that I see it and read through the DocCD, it makes total sense. It's just one of those things you won't see very often. One important point: I believe you can attach the autocommand to either the username or the vty line. Attached to the username, it applies only to that username; attached to the vty line, it applies to any authenticated user. Also, the timeout on the dynamic ACL entry is the absolute timeout, and the timeout on the autocommand (access-enable) is the idle timeout. Moving on...
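Both timeouts, both autocommand placements and the one keyword that decides how wide the hole is, as an added configuration example (not the configuration from the original post). Addresses, usernames, timeouts and the ACL name are assumed.

```cisco
! Added example, not part of the original post. Addresses, names and timeouts assumed.
!
! Temporary entries live at most 60 minutes (absolute timeout on the dynamic
! entry) and are removed after 5 idle minutes (idle timeout on access-enable).
username TELNET password 0 CISCO
username TELNET autocommand access-enable host timeout 5
!
ip access-list extended LOCK_AND_KEY
 ! Telnet to the router's own address must stay open or nobody can authenticate
 permit tcp any host 191.1.7.7 eq telnet
 ! Template for the temporary entry; absolute lifetime 60 minutes
 dynamic PERMIT_TELNET timeout 60 permit tcp any any eq telnet
 deny   tcp any any eq telnet
 permit ip any any
!
interface Serial0/0
 ip access-group LOCK_AND_KEY in
!
! The per-username autocommand above opens the hole only for user TELNET.
! Putting it on the vty lines instead opens it for any user who can log in:
line vty 0 4
 login local
 autocommand access-enable host timeout 5
!
! The host keyword matters. Without it the temporary entry keeps the
! template's "any" source, so every host behind Serial0/0 gets telnet as
! soon as one user authenticates. With it, the source is replaced by the
! address the authenticating telnet session came from.
!
! Verification:
!   show access-lists                                  - temporary entry listed under PERMIT_TELNET
!   clear access-template LOCK_AND_KEY PERMIT_TELNET any any   - remove it by hand
```

After authenticating, the telnet session to the router is closed by the autocommand (that is expected); 'show access-lists' on the router is where you confirm the temporary entry exists and carries the right source.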

When you are configuring RMON, you can send a trap, or you can log (or both). Whichever you choose, make sure you also set up the matching logging or SNMP server ('logging 191.1.7.100' or 'snmp-server host 191.1.7.100 traps public'). Again, CLOSE attention to detail: failing to do so would mean you missed out on 3 easy points. You may also need to add 'snmp-server ifindex persist' if it is not already enabled; I would, so as not to miss out on those points. If the ifindex isn't given, find it with 'do sh snmp mib ifmib ifindex'.
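A complete RMON alarm/event pair with both the syslog and the trap receiver wired up, as an added configuration example (not from the original post). Community string, receiver address, monitored interface index and thresholds are assumed.

```cisco
! Added example, not part of the original post. Community, receiver, ifIndex
! and thresholds assumed.
!
snmp-server community public RO
snmp-server host 191.1.7.100 traps public
! Keep ifIndex values stable across reloads so the alarm OID stays valid
snmp-server ifindex persist
logging 191.1.7.100
!
! Event 1 fires on the rising threshold, event 2 on the falling one.
! Each one both logs (syslog) and sends an SNMP trap with community "public".
rmon event 1 log trap public description "ifInOctets above threshold" owner CONFIG
rmon event 2 log trap public description "ifInOctets back to normal" owner CONFIG
!
! ifEntry.10 is ifInOctets; the trailing ".1" is the ifIndex of the monitored
! interface (find it with "show snmp mib ifmib ifindex" if the task does not
! give it). Sampled every 30 seconds as a delta; rising at 100000 octets,
! falling at 10000. The rising event does not fire again until the falling
! threshold has been crossed in between.
rmon alarm 1 ifEntry.10.1 30 delta rising-threshold 100000 1 falling-threshold 10000 2 owner CONFIG
!
! Verification:
!   show rmon alarms
!   show rmon events
!   show snmp mib ifmib ifindex
!   show snmp host           - the trap receiver must be listed or the task is not done
```

'show rmon alarms' also shows the last sampled value, which is the quickest way to see whether the OID and ifIndex you typed are actually the interface you meant.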

Not that I would expect Cisco to want you to know this, but chargen is port 19 for both TCP and UDP (port 9 is discard). You can test the UDP small servers with the traceroute command: an extended traceroute lets you set the destination port ('Port Number [33434]:'), so send the probes to port 19 on the router, and with the small servers enabled the port answers instead of returning ICMP port-unreachable.

There was a tricky scenario that asked you to drop HTTP traffic ahead of congestion, but not guarantee it any bandwidth. I simply added random-detect to class-default, as this will indeed drop HTTP traffic before the interface is congested. Now, is this the right answer? I can't be sure, as the scenario said nothing about dropping ONLY HTTP traffic. In any event, here is the 100% right answer.

! NBAR match; everything that is not HTTP lands in NOT_HTTP
class-map match-all NOT_HTTP
 match not protocol http
!
! class-map RTP is defined earlier in the task (not shown here)
policy-map Voice
 class RTP
  priority percent 25
 class NOT_HTTP
 class class-default
  fair-queue
  random-detect

In short, we pulled everything except HTTP out of class-default, so when we enable random-detect there, only HTTP packets are dropped in anticipation of interface congestion. Very tricky, but very cool. Two things to check before trusting it: 'match protocol' is NBAR, so CEF must be enabled or the NOT_HTTP class will never match anything, and 'show policy-map interface' should show the non-HTTP packet counters climbing under NOT_HTTP rather than class-default, which confirms WRED is only seeing HTTP.

With header compression, when the task says 32 bi-directional connections, your compression-connections number should actually be 64, because each direction counts as a separate connection. Again, another easy 2 points lost.

And with that, I am done with Lab 6. Overall, not really all that difficult, but lack of attention to detail and the will to verify can absolutely kill you. My notes above reflect several small items that would have killed me. I love doing these full labs. These vendors all know how to present these to you, just like Cisco does. Is that breaking NDA? No. These guys have taken the exam themselves and have taught and mentored probably thousands of students when it comes to the CCIE. So if for nothing else, these full labs help you get familiar with the language you are likely to see in the real lab.

My time was pretty good on this lab - about 5 hours. I need to get faster, but overall I'm pretty happy with 5 hours right now. Short night, I've had kind of a rough day so I am going to prepare my racks for the next lab and start fresh tomorrow.

1 comment:

  1. Yeah, small things are easy points if you can remember a large amount of small commands. :-)

    That chargen puzzled me too last week during a different lab, it is TCP and/or UDP port 19, enabled by service tcp-small-servers / service udp-small-servers.
    UDP can be tested with traceroute; for TCP... better not to telnet to port 19... or you will lock yourself out :-( (I did it)

    a small trick to find well-known services ports is to use a questionmark after a "telnet someip" from exec prompt. It will list service names and ports, something like :
    RACK1R2# telnet 10.0.0.1 ?
    ....
    chargen Character generator (19)
    cmd Remote commands (rcmd, 514)
    daytime Daytime (13)
    discard Discard (9)
    ...
    etc etc.

    anyway, have fun with your full scale labs :-)

    Maybe if you want to try some troubleshooting, feel free to contact me in pvt: marco [d0t] rizzi [d0t] com [At] gmail [d0t] com

    Marco
