This overseas candidate drew H3. See how they passed!

TSHOOT - TS1

Question 1

Fault(s): Port security configured on SW2. Host has no mac address configured and bia does not match.

Solution

Manually configure mac address on Host and bounce Interface E1/0 on SW1

Question 2

Fault(s): R17 has an IP address but no default route in its routing table. R11 unable to ping/telnet

Solution

Configure "ppp ipcp route default"

Question 3

Fault(s): Wrong subnet mask on R22.

Solution

Configure right subnet mask /29.

Note: S4/0 and some newly configured loopbacks are configured for ospf on R21/R22 but S4/0 is passive.

Question 4

Fault(s): Distribute-list on R13 blocking 145.14.14.14

Solution

Remove the sequence in prefix-list that is filtering the prefix

Question 5

Fault(s): Next-hop-self missing on R22. R21 has Prefix-list 194 missing 194.1.0.0/16 le 32. R4 loopback not activated under ipv4 AF on R5

Solution

Activate R4 loopback under ipv4 AF on R5

configure nei IBGP next-hop-self <<< It's a different peer-group name in the exam. Can't remember the exact name

configure ip prefix-list 194 permit 194.1.0.0/16 le 32

Question 6

Fault(s): R25 has a wrong network advertised on interface e0/1

Solution

do a "show ipv6 route connected" and add correct network under ipv6 AF

Question 7

Fault(s): ip nhrp redirect missing on R15. ip nhrp shortcut missing on R19. Duplicate dns configured on R15

Note: Pay attention to the name resolution in your traceroute. R15 has duplicate dns for all the spokes but the trace only show from User109 to R18

Solution

Configure ip nhrp redirect/shortcut

Remove wrong dns on R18. << There are many dns configured on R15 with some strange names. Only do what you are asked to match and move on.

Question 8

Fault(s): No bgp nei established between R3/R4 and R7/8 on one of the VRFs. Missing ip nat on E0/0.123 on R8. Wrong NAT statement - Missing "Inside..."

Solution

Configure nei 124.45.67.xx remote-as 12345  R7/R8

Remove wrong NAT statement and add correctly.

Apply "nat inside" on interface E0/0.123

Increase ospf cost on interface e2/0 of R4/R6 to 1000 to influence route path.

Question 9:

Fault(s): Mismatch Transform-set and mode on R24 & R7

Solution:

Match crypto config on both devices. No restriction on which device to modify. I did Spoke R24 and bounced the tunnel.

Question 10

Fault(s): R24 has a secondary IP address configured which should be dynamically assigned to NAS.

Solution:

Remove the secondary address. This might affect Question 9 if the secondary address is used as a tunnel source. Bounce your Physical (E0/0) and Tunnel (Tu10) interface.

DIAG -- H3++

ALL same as Spoto

CFG -- H3

Section 1.1

Same as Spoto

Section 1.2

Pay attention to the etherchannel ports mapping. They are not uniform for all.

Since the question asks to have Dynamic Trunking turned off, I configured all ports that are ON to access port mode.

Verification: sh int switchport | i Neg   <<  All must be "Off"

From the Layer 2 Diagram, SW300/SW301 have interfaces e3/0 & e3/1 assigned to vlan 2000 & vlan 2001 respectively. One of them is admin shut. You have to enable it.

Section 1.3/1.4/2.1

Same as Spoto

Section 2.2

OSPF already preconfigured but without advertising Lo1 of SW100/SW101 necessary for Multicast. Others same as Spoto

Section 2.3

OSPF 10 already configured on R100 but diagram shows OSPF 2. You have to remove it and reconfigure

Loopback 1 on R100 has 10.4.42.42 which is the loopback of R42. You have to shut it to match the output.

OSPF 1 pre-configured on SW400/SW401/R40/R41 but with no router-id.

SW400/SW401 have vlan 2000-2001 passive but advertised in BGP with network command. I think that should still work but I removed the passive and established ospf nei.

Section 2.4 - 2.5

Router BGP and router-id already preconfigured on all DC1 devices

SW110/SW111 already advertised VLAN2000-2001 network in BGP.

Others same as Spoto.

Section 2.6

All EBGP already pre-configured

R30/R31 advertise vlan 2000-2001 in BGP using network command.

You only need to apply address aggregation, timer and network loopback.

Section 2.7

Same as Spoto

Section 2.8

Same as Spoto except that I added a route-map of low LocPf on R14 outbound R13. This will make DC1 Server to go through MPLS cloud when tracing to AS65005.

This is not shown in any outputs in the exam but the requirement explicitly mentions the expected flow of traffic.

Section 2.9

IPV6 BGP Nei already preconfigured but not activated under ipv6 AF. Follow Spoto for other configs and you should be able to ping/tracert after completing section 5.3

Section 2.10

IP PIM Sparse-mode already configured in all except between the RPs - SW100/SW101. Also to be safe, I applied this to all multicast devices.

!
ip cef
ip multicast-routing
!

Followed Spoto for others and worked as expected.

Section 2.11 (THIS DIDN'T WORK AS EXPECTED)

Same as Spoto but didn't work as expected. Not sure why it worked in the practice lab but not in the exam. I tried other solutions but none worked.

I am not a fan of Multicast so I let that slide.

Section 3.1

Two confusing diagrams - BGP diagram shows ipv4 & vpnv4 in the MPLS cloud while VPN diagram shows only vpnv4.

I thought it makes sense not to include ipv4 BGP in a supposed VPN Diagram, so I followed BGP diagram and activated under both ipv4 & vpnv4 AF.

BGP has "no bgp default ipv4" already preconfigured but with no router-id.

RD not configured. You have to configure it and choose anything XX:XX for it and your Route Target RT. No restriction.

LDP already preconfigured in all except between R1>R2. I didn't take any chance and had to reapply the following:

conf t
ip cef
mpls ip
mpls label protocol ldp
mpls ldp router-id lo0 force
end
!
clear mpls ldp nei *

Section 3.2

Tunnel preconfigured but incomplete and might be stressful to match what is missing. Everything you can think of is applied on the tunnel - about 12-15 lines

Note: Missing authentication on the Spokes R60/R51 - password HMCorp

Missing ip nhrp redirect/shortcut on Hub/Spoke

Missing ip nhrp map <> <> on Spokes

Missing tunnel vrf INTERNET on Spokes

Missing tunnel protection: R14 has crypto fully configured but R60/R51 are missing the key under "crypto keyring HollyMaya vrf INTERNET"

missing >>>> "pre-shared-key address 0.0.0.0 0.0.0.0 key HollyMaya"

Test that DMVPN is UP before applying Tunnel Protection to ease troubleshooting if necessary.

The Hub/Spoke have "no bgp default ipv4" configured so you need to practise with that and know what commands go under the Address Family.

In preconfiguration, R51/R60 already peered with R14 but without "local-as & allowas-in". You need to add them. R14 has no preconfiguration for DMVPN BGP Peer.

R14 has a loopback123 and a NAT pool is configured using the range of addresses in that subnet. The loopback is advertised in BGP using network command.
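The missing-line list for the spokes in Section 3.2 can be turned into a repeatable check. The following is an added example, not part of the original post: a small audit over a constructed spoke configuration, where the `ip nhrp authentication` pattern, the interface name and all addresses are assumptions.

```python
import re

# Constructed spoke config (not from the exam): the keyring has no key and
# the tunnel lacks the lines listed as missing above.
SAMPLE_SPOKE = """\
crypto keyring HollyMaya vrf INTERNET
!
interface Tunnel0
 ip nhrp nhs 10.0.0.14
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
!
"""

# Required child lines per config block. "ip nhrp authentication" is an
# assumption: the page only says authentication was missing on the spokes.
REQUIRED = {
    r"interface Tunnel\d+": {
        "nhrp authentication": r"ip nhrp authentication \S+",
        "nhrp shortcut": r"ip nhrp shortcut",
        "nhrp map": r"ip nhrp map \S+ \S+",
        "tunnel vrf": r"tunnel vrf INTERNET",
        "tunnel protection": r"tunnel protection ipsec profile \S+",
    },
    r"crypto keyring \S+ vrf INTERNET": {
        "pre-shared key": r"pre-shared-key address \S+ \S+ key \S+",
    },
}

def blocks(config):
    """Map each top-level line to the indented lines that follow it."""
    out, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current is not None:
            out[current].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            current = line.strip()
            out[current] = []
    return out

def audit(config):
    """Return sorted (block header, missing item) pairs."""
    missing = []
    for header, children in blocks(config).items():
        for header_re, checks in REQUIRED.items():
            if re.fullmatch(header_re, header):
                missing += [(header, name) for name, line_re in checks.items()
                            if not any(re.fullmatch(line_re, c) for c in children)]
    return sorted(missing)
```

Calling `audit(SAMPLE_SPOKE)` lists six gaps; an empty list means every line from the section's checklist is present.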

Section 3.3

NAT already applied to the interfaces e0/0 & e0/1. You need to write ACL and configure NAT statement.

Others same as Spoto

Section 3.4

R24 has all preconfigured except static route. Also it uses NAT Pool for Natting but it's nothing to worry about. Instruction says not to remove anything from R24.

ACL and NAT Statement already preconfigured on R71.

What is pending is ONLY the crypto config and apply on interface e0/0.

Section 4.1 (2 points)

I followed this solution:

ipv6 cef
ipv6 nd raguard policy RA-FILTER
!
int range e0/0-3
 ipv6 nd raguard attach-policy RA-FILTER
!
int vlan 2001
 ! mark this router as the preferred default router in its RAs
 ipv6 nd router-preference high

Section 4.2 (1 point)

Same as Spoto

Section 5.1

Same as Spoto. You can configure dot1dBridge.

Section 5.2

Same as Spoto

Section 5.3

Server 2 has "ipv6 nd ra suppress" configured under interface e0/0 and question asked not to remove anything on Server2.

This will suppress the Router Advertisement and prevent hosts on the LAN from unexpectedly joining the IPv6 network.

Regardless, follow Spoto for other configs and it will work. No output to match here but this is a good time to test Section 2.9 if you are solving sequentially.

Section 5.4

Same as Spoto

I believe Cisco has many variations of H3 in terms of what you get preconfigured correctly/incorrectly.

My advice is to understand the topology and configuration inside out so you are not thrown off balance when you see something strange.

This is all I can remember for now. Pardon any typos. I will update if I remember anything new.

Thanks to Spoto and all contributors in the Training Group!!! Ama CCIE baby :) :) :) CCDE up next...
