Just Passed! Corrected Labs and Advice (How2pass.com Forums, CCNP ENARSI 300-410 Forum)
Just Passed! Corrected Labs and Advice - jupertino - 10-14-2024

Hi everyone! I just passed with the help of this site after a while, and here's my summary - I used this site to study 300 questions a day until I got 90% or better on my exam. I also used a USB capture card and a second laptop mounted under the table with a 3D print to record my screen for post-game review. I've taken the exam twice (780 score on the first try!), and here were the labs they gave me:
My labs are below. I put these in Claude.ai and ChatGPT and told it to quiz me. I'll reply in a comment with my ChatGPT prompt for reference. Part 1 is here, part 2 is in a comment. Copy both parts for your notes.

CORRECTED ENARSI LABS PART 1:

### CoPP (Verified/Labbed Solution)

### Tasks

A network is configured with CoPP to protect the CORE router route processor for stability and DDoS protection. As a company policy, a class named class-default is preconfigured and must not be modified or deleted. Troubleshoot CoPP to resolve the issues introduced during the maintenance window to ensure that:

1. Dynamic routing policies are under CoPP-CRITICAL and are allowed only from the 10.10.X.X range.
2. Telnet, SSH, and ping are under CoPP-IMPORTANT and are allowed strictly to/from 10.10.x.x to the CORE router (Hint: you can verify using Loopback1).
3. All devices ping (UDP) any CORE router interface successfully to/from the 10.10.X.X range and do not allow any other IP address.
4. All devices run a successful traceroute (UDP) to any interface on the CORE router to/from the 10.10.X.X range, are under CoPP-NORMAL, and do not allow any other IP address (make sure default traceroute TTL is accounted for). The traceroute is to be under CoPP-NORMAL (Hint: Traceroute port range 33434-33464).
### Solution

**CORE**

~~~~
ip access-list extended COPP-CRITICAL
 permit eigrp 10.10.0.0 0.0.255.255 any
 permit eigrp any 10.10.0.0 0.0.255.255
 permit ip 224.0.0.10 10.10.0.0 any
 permit ip any host 224.0.0.10
ip access-list extended IMPORTANT
 permit tcp 10.10.0.0 0.0.255.255 host 10.10.1.1 eq 22 telnet
 permit tcp host 10.10.1.1 10.10.0.0 0.0.255.255 eq 22 telnet
 permit icmp 10.10.0.0 0.0.255.255 host 10.10.1.1
 permit icmp host 10.10.1.1 10.10.0.0 0.0.255.255
 permit udp 10.10.0.0 0.0.255.255 host 10.10.1.1
 permit udp host 10.10.1.1 10.10.0.0 0.0.255.255
ip access-list extended COPP-NORMAL
 permit udp 10.10.0.0 0.0.255.255 host 10.10.1.1 eq 33434 33464
 permit udp host 10.10.1.1 10.10.0.0 0.0.255.255 eq 33434 33464
~~~~

---

### VRFs (Verified/Labbed Solution)

### Tasks

![sim-vrf-topology.png](https://prod-files-secure.s3.us-west-2.amazonaws.com/95d9fe2d-35e6-4fff-a767-8a5d09ac1ac3/5e92092e-c9a8-4846-9da8-f97f97ea5732/sim-vrf-topology.png)

Configure individual VRFs for each customer according to the topology to achieve these goals:

1. VRF "cu-red" has interfaces on routers R1 and R2. Both routers are preconfigured with IP addressing, VRFs and BGP. Do not use the BGP network statement for advertisement.
2. VRF "cu-green" has interfaces on routers R1 and R2.
3. BGP on router R1 populates VRF routes between router R1 and R2.
4. BGP on router R2 populates VRF routes between router R1 and R2.
5. LAN to LAN is reachable between SW1 and SW3 for VRF "cu-red" and between SW2 and SW4 for VRF "cu-green". All switches are preconfigured.
### Solution

**R1**

~~~~
conf t
vrf definition cu-red
 rd 65000:100
 address-family ipv4 unicast
vrf definition cu-green
 rd 65000:200
 address-family ipv4 unicast
interface e0/0
 vrf forwarding cu-red
 ip address 192.168.1.254 255.255.255.0
 no shut
interface e0/1
 vrf forwarding cu-green
 ip address 192.168.20.254 255.255.255.0
 no shut
interface e0/2
 no shut
interface e0/2.100
 vrf forwarding cu-red
 ip address 10.10.10.1 255.255.255.252
 no shut
interface e0/2.200
 vrf forwarding cu-green
 ip address 10.10.20.1 255.255.255.252
 no shut
router bgp 65000
 bgp router-id 1.1.1.1
 address-family ipv4 vrf cu-red
  neighbor 10.10.10.2 remote-as 65000
  redistribute connected
 exit-address-family
 address-family ipv4 vrf cu-green
  neighbor 10.10.20.2 remote-as 65000
  redistribute connected
 exit-address-family
wr
~~~~

**R2**

~~~~
conf t
vrf definition cu-red
 rd 65000:100
 address-family ipv4 unicast
vrf definition cu-green
 rd 65000:200
 address-family ipv4 unicast
interface e0/0
 vrf forwarding cu-red
 ip address 192.168.2.254 255.255.255.0
 no shut
interface e0/1
 vrf forwarding cu-green
 ip address 192.168.22.254 255.255.255.0
 no shut
interface e0/2
 no shut
interface e0/2.100
 vrf forwarding cu-red
 ip address 10.10.10.2 255.255.255.252
 no shut
interface e0/2.200
 vrf forwarding cu-green
 ip address 10.10.20.2 255.255.255.252
 no shut
router bgp 65000
 bgp router-id 2.2.2.2
 address-family ipv4 vrf cu-red
  neighbor 10.10.10.1 remote-as 65000
  redistribute connected
 address-family ipv4 vrf cu-green
  neighbor 10.10.20.1 remote-as 65000
  redistribute connected
wr
~~~~

---

### OSPF (Mostly Verified Solution)

### Tasks

A network is configured with IP connectivity, and the routing protocol between devices started having problems right after the maintenance window to implement network changes. Troubleshoot and resolve to a fully functional network to ensure that:

1. Inter-area links have link authentication (not area authentication) using MD5 with the key 1 string CCNP.
2. R3 is a DR regardless of R2 status while R1 and R2 establish a DR/BDR relationship.
3. OSPF uses the default cost on all interfaces. Network reachability must follow OSPF default behavior for traffic within an area over intra-area VS inter-area links.
4. The OSPF external route generated on R4 adds link cost when traversing through the network to reach R2. A network command to advertise routes is not allowed.

### Solution

**R2**

~~~~
conf t
interface e0/1
 ip ospf priority 0
wr
~~~~

**R4**

~~~~
conf t
interface e0/0
 ip ospf message-digest-key 1 md5 CCNP
 ip ospf authentication message-digest
router ospf 1
 redistribute connected metric-type 1
wr
~~~~

**R5**

~~~~
conf t
int e0/0
 ip ospf message-digest-key 1 md5 CCNP
 ip ospf authentication message-digest
interface e0/1
 no ip ospf cost 60
wr
~~~~

---

### DMVPN (Mostly Verified Solution)

### Tasks

A DMVPN network is preconfigured with tunnel 0 IP address 192.168.1.254 on the HUB, IP connectivity, crypto policies, profiles, and EIGRP AS 100. The NHRP password is ccnp123, and the network ID and tunnel key is EIGRP ASN. Do not introduce a static route. Configure DMVPN connectivity between routers BR1 and BR2 to the HUB router using physical interface as the tunnel source to achieve these goals:

1. Configure NHRP authentication, static IP-to-NBMA address maps, hold time 5 minutes, network ID, and server on branch router BR1.
2. Configure NHRP authentication, static IP-to-NBMA address maps, hold time 5 minutes, network ID, and server on branch router BR2.
3. Ensure that packet fragmentation is done before encryption to account for GRE and IPsec header and allow a maximum TCP segment size of 1360 on an IP MTU of 1400 on the tunnel interfaces of both branch routers.
4. Apply an IPsec profile to the tunnel. Verify that direct spoke-to-spoke tunnel is functional between branch routers BR1 and BR2 by using traceroute to Ethernet 0/0 IP address to get a full score.
### Solution

**BR1**

~~~~
conf t
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication ccnp123
 ip nhrp map 192.168.1.254 10.10.255.254
 ip nhrp map multicast 10.10.255.254
 ip nhrp network-id 100
 ip nhrp holdtime 300
 ip nhrp nhs 192.168.1.254
 ip nhrp shortcut delay 1000
 tunnel source 10.10.255.1
 tunnel mode gre multipoint
 tunnel key 100
router eigrp 100
 network 10.10.10.1 0.0.0.0
 network 192.168.1.0 0.0.0.255
wr
~~~~

**BR2**

~~~~
conf t
crypto ipsec df-bit clear
crypto ipsec fragmentation before-encrypt
interface Tunnel0
 ip address 192.168.1.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication ccnp123
 ip nhrp map 192.168.1.254 10.10.255.254
 ip nhrp map multicast 10.10.255.254
 ip nhrp network-id 100
 ip nhrp holdtime 300
 ip nhrp nhs 192.168.1.254
 ip nhrp shortcut delay 1000
 tunnel source 10.10.10.2
 tunnel mode gre multipoint
 tunnel destination 10.10.255.254
 tunnel key 100
router eigrp 100
 network 10.10.10.2 0.0.0.0
 network 192.168.1.0 0.0.0.255
wr
~~~~

verify -

~~~~
BR1#traceroute 172.16.2.254
BR1#show dmvpn
~~~~

alternative answer that I’m not sure would cut it, examtopics fam doesn’t think this one is it

https://www.examtopics.com/discussions/cisco/view/110091-exam-300-410-topic-1-question-473-discussion/

https://www.wolf-lab.com/ccie/1462.html

**BR1**

~~~~
config t
crypto ipsec df-bit clear
crypto ipsec fragmentation before-encrypt
interface tunnel 0
 ip address 192.168.1.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication ccnp123
 ip nhrp network-id 100
 ip nhrp map 192.168.1.254 10.10.255.254
 ip nhrp map multicast 10.10.255.254
 ip nhrp nhs 192.168.1.254
 ip nhrp holdtime 300
 ip nhrp shortcut
 tunnel source 10.10.255.1
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile ccnp
wr
traceroute 192.168.1.2
show dmvpn
show crypto ipsec sa
~~~~

**BR2**

~~~~
config t
crypto ipsec df-bit clear
crypto ipsec fragmentation before-encrypt
interface tunnel 0
 ip address 192.168.1.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication ccnp123
 ip nhrp network-id 100
 ip nhrp map 192.168.1.254 10.10.255.254
 ip nhrp map multicast 10.10.255.254
 ip nhrp nhs 192.168.1.254
 ip nhrp holdtime 300
 ip nhrp shortcut
 tunnel source 10.10.255.2
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile ccnp
wr
traceroute 192.168.1.1
show dmvpn
show crypto ipsec sa
~~~~

---

### DMVPN Phase-II (Verified, varies a lot between tests)

### Tasks

Configure HUB and SPOKE routers according to the topology to achieve these goals:

1. Configure mGRE neighborship to provide end-to-end reachability between Hub and Spokes.
2. Configure NHRP authentication using password "C!$c0123". Use 180 sec hold time for NHRP members where NHS should maintain next hop client NBMA registration messages for 60 sec.

Verify configuration with ping from PC1 to PC2 and PC3.

### Solution

**R0**

~~~~
en
conf t
interface tunnel 0
 ip address 10.0.0.254 255.255.255.0
 tunnel mode gre multipoint
 tunnel source e0/1
 ip nhrp network-id 1
 ip nhrp authentication C!$c0123
 ip nhrp registration timeout 60
 ip nhrp holdtime 180
 ! only use the next line if there’s OSPF/EIGRP/RIP configured
 ip nhrp map multicast dynamic
wr
~~~~

**R1**

~~~~
en
conf t
interface tunnel 0
 ip address 10.0.0.1 255.255.255.0
 tunnel source e0/1
 ip nhrp network-id 1
 tunnel mode gre multipoint
 ip nhrp map 10.0.0.254 10.10.255.254
 ip nhrp nhs 10.0.0.254
 ip nhrp authentication C!$c0123
 ip nhrp registration timeout 60
 ip nhrp holdtime 180
 ! only use the next line if there’s OSPF/EIGRP/RIP configured
 ip nhrp map multicast 10.10.255.254
wr
~~~~

**R2**

~~~~
en
conf t
interface tunnel 0
 ip address 10.0.0.2 255.255.255.0
 tunnel source e0/1
 ip nhrp network-id 1
 tunnel mode gre multipoint
 ip nhrp map 10.0.0.254 10.10.255.254
 ip nhrp nhs 10.0.0.254
 ip nhrp authentication C!$c0123
 ip nhrp registration timeout 60
 ip nhrp holdtime 180
 ! only use the next line if there’s OSPF/EIGRP/RIP configured
 ip nhrp map multicast 10.10.255.254
wr
~~~~

---

### IPSEC #1 (Kinda Verified Solution)

### Tasks

Configure IPSec security policy on tunnel interfaces to ensure data confidentiality and integrity where mGRE tunnels are up and running between HUB and SPOKE routers.

1. Configure the ISAKMP policy parameters with the following attributes: AES128 MD5 Group2 lifetime 86400
2. Ensure that GRE IP Header should not be encrypted inside the IPSec packet.
3. Configure a flexible ISAKMP Policy to add peers that have the dynamic IP addresses. Use a single command to configure it. Use IPSec phase-2 transform-set name as 'T-SET' and IPSec Profile name as 'T-SET-PROFILE'. Use ISAKMP key "abc123".

Verify configuration with Ping from PC1 to PC2 and PC3.

### Starting Configs

### **Solution**

**R0/R1/R2**

~~~~
en
conf t
crypto isakmp policy 10
 encrypt aes 128
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key abc123 address 0.0.0.0
crypto ipsec transform-set T-SET esp-aes 128 esp-md5-hmac
crypto ipsec profile T-SET-PROFILE
 set transform-set T-SET
interface tunnel 0
 tunnel source e0/0
 tunnel protection ipsec profile T-SET-PROFILE
wr
~~~~

### Verification

~~~~
show crypto isakmp sa
show crypto ipsec sa
~~~~

---

### IPSEC #2 (Kinda Verified Solution)

### Tasks

Configure IPSec security policy on tunnel interfaces to ensure data confidentiality and integrity where mGRE tunnels are up and running between HUB and SPOKE routers.

1. Configure the ISAKMP policy parameters with the following attributes: AES256 SHA256 Group 2 lifetime 86400
2. Ensure that GRE IP Header should be encrypted inside the IPSec packet. Verify IPSec security association and ISAKMP encrypted key. Use ISAKMP key "abc123".
3. Configure a flexible ISAKMP Policy on the HUB to add peers that have the dynamic IP addresses where SPOKES must add HUB IP static entry using an encrypted key. Use a single command to configure it. Use IPSec phase-2 transform-set name as 'T-SET' and IPSec Profile name as 'IPSEC-PROFILE'.
### Solution

**R0/R1/R2**

~~~~
en
conf t
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key abc123 address 0.0.0.0
crypto ipsec transform-set T-SET esp-aes 256 esp-sha256-hmac
crypto ipsec profile IPSEC-PROFILE
 set transform-set T-SET
int tunnel 0
 tunnel source e0/0
 tunnel protection ipsec profile IPSEC-PROFILE
wr
~~~~

### Verification

~~~~
show crypto isakmp sa
show crypto ipsec sa
~~~~

---

### Timestamps/SNMP Config (Verified Solution)

### Tasks

Troubleshoot R-WEST to achieve the desired results:

1. The locally generated logs should have sequence numbers, date and time.
2. The SNMP related to OSPF and participating interface state changes utilizing RFC1253-MIB OSPFv2 should be sent to SNMP server.

### Solution:

**R-WEST**

~~~~
en
conf t
service sequence-numbers
service timestamps log datetime msec
snmp-server enable traps ospf state-change
wr
~~~~

---

**Ranking of Labs by Difficulty:**

- **Timestamps/SNMP Config (Lab 8)**
    - **Reason:** This lab involves minimal configuration changes—only about 3-4 commands. You enable sequence numbers and timestamps for logs and configure SNMP traps for OSPF state changes.
- **Archive Logging/SNMP Config (Lab 9)**
    - **Reason:** Similar to Lab 8, this lab requires a few additional commands (around 5-6). You configure command logging, ensure passwords are hidden, and enable specific SNMP traps.
- **AAA & ACL Lab (Lab 14)**
    - **Reason:** This lab involves troubleshooting AAA and ACL configurations on SW2 and the East router. It requires about 8-10 commands to fix access lists and authentication methods.
- **OSPF Troubleshooting (Lab 3)**
    - **Reason:** With approximately 10-12 commands, you adjust OSPF priorities, configure link authentication, and make minor tweaks to achieve the desired routing behavior.
- **CoPP (Control Plane Policing) (Lab 1)**
    - **Reason:** This lab requires creating multiple access lists and class maps, amounting to around 15-20 commands. You're setting up policies to protect the router's control plane.
- **EIGRP Route Manipulation #1 (Lab 10)**
    - **Reason:** Involves configuring route maps and adjusting EIGRP metrics, totaling about 20 commands. You manipulate routing paths without using static routes or policy-based routing.
- **EIGRP Route Manipulation #2 (Lab 11)**
    - **Reason:** Similar in complexity to Lab 10, with slight variations in the tasks. It also requires around 20 commands focused on route manipulation in EIGRP.
- **EIGRP Route Manipulation #3 (Lab 12)**
    - **Reason:** Slightly more complex than the previous EIGRP labs due to additional requirements like adjusting RIP distances and redistributing between protocols. Around 25 commands are needed.
- **IPSec #1 (Lab 6)**
    - **Reason:** You configure IPSec policies on multiple routers, including ISAKMP policies and crypto profiles, totaling approximately 30 commands.
- **IPSec #2 (Lab 7)**
    - **Reason:** Similar to Lab 6 but with different encryption standards and additional requirements like encrypting the GRE IP header. Around 30 commands are involved.
- **DMVPN (Lab 4)**
    - **Reason:** Configuring DMVPN with NHRP, IPsec profiles, and spoke-to-spoke tunnels requires about 30-35 commands across the routers involved.
- **DMVPN Phase-II (Lab 5)**
    - **Reason:** This lab builds upon basic DMVPN configurations with added complexities like NHRP authentication and hold times. It involves around 40-45 commands.
- **VRFs (Lab 2)**
    - **Reason:** Configuring VRFs, interfaces, and BGP across multiple routers is complex and command-intensive, requiring approximately 50 commands. It involves detailed configurations for separate routing tables and BGP instances.
- **BGP Troubleshooting (Lab 13)**
    - **Reason:** This lab is the most complex due to intricate BGP configurations, route manipulations using attributes like local preference, and summarization. It requires deep understanding and around 40-50 commands to resolve issues across multiple routers.
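The COPP-NORMAL entries in the CoPP lab above use `eq 33434 33464`, while the task's hint describes a port range. As an added example (not part of the original post), this Python model evaluates both forms with IOS first-match and wildcard-mask semantics; the probe source 10.10.2.2, the outside source 192.0.2.7 and the `range` variant are assumptions made for illustration.

```python
import ipaddress


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: bits set in the wildcard mask are ignored."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    head = tokens.pop(0)
    if head == "any":
        return ("0.0.0.0", "255.255.255.255")
    if head == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (head, tokens.pop(0))


def parse_ace(line):
    """Parse 'permit|deny <proto> <src> <dst> [eq p... | range lo hi]'.

    Only numeric destination ports are handled (enough for the UDP entries).
    """
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src = _take_addr(tokens)
    dst = _take_addr(tokens)
    ports = None  # None means any destination port
    if tokens:
        op, nums = tokens[0], [int(t) for t in tokens[1:]]
        if op == "eq":
            # eq takes a list of discrete ports; it does not describe a range
            ports = set(nums)
        elif op == "range" and len(nums) == 2:
            ports = set(range(nums[0], nums[1] + 1))
        else:
            raise ValueError("unsupported port operator: " + line)
    return {"action": action, "proto": proto, "src": src, "dst": dst, "ports": ports}


def acl_permits(acl, proto, src, dst, dport):
    """First matching entry wins; no match falls through to the implicit deny."""
    for ace in acl:
        if ace["proto"] != proto:
            continue
        if not wildcard_match(src, *ace["src"]):
            continue
        if not wildcard_match(dst, *ace["dst"]):
            continue
        if ace["ports"] is not None and dport not in ace["ports"]:
            continue
        return ace["action"] == "permit"
    return False


# COPP-NORMAL exactly as posted in the lab solution.
AS_POSTED = [parse_ace(line) for line in (
    "permit udp 10.10.0.0 0.0.255.255 host 10.10.1.1 eq 33434 33464",
    "permit udp host 10.10.1.1 10.10.0.0 0.0.255.255 eq 33434 33464",
)]

# Added variant for comparison (not the poster's answer): same entries with 'range'.
WITH_RANGE = [parse_ace(line) for line in (
    "permit udp 10.10.0.0 0.0.255.255 host 10.10.1.1 range 33434 33464",
    "permit udp host 10.10.1.1 10.10.0.0 0.0.255.255 range 33434 33464",
)]

# Destination ports from the task hint (33434-33464 inclusive).
PROBE_PORTS = range(33434, 33465)


def permitted_ports(acl, src, dst, ports=PROBE_PORTS):
    """Return the probe ports the ACL classifies for this source/destination."""
    return [p for p in ports if acl_permits(acl, "udp", src, dst, p)]


if __name__ == "__main__":
    inside, outside, core = "10.10.2.2", "192.0.2.7", "10.10.1.1"  # constructed hosts
    print("eq    :", len(permitted_ports(AS_POSTED, inside, core)), "ports matched")
    print("range :", len(permitted_ports(WITH_RANGE, inside, core)), "ports matched")
    print("outside source matched:", permitted_ports(WITH_RANGE, outside, core))
```
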
RE: Just Passed! Corrected Labs and Advice - jupertino - 10-14-2024

Part 2

### Archive Logging/SNMP Config (Verified Solution)

### Tasks

Troubleshoot R-WEST to achieve the desired results:

1. All the commands should be locally saved to the router as well as sent to the Syslog server except passwords.
2. All the Cisco OSPF LSA traps should be sent to the SNMP server.

### Solution

**R-WEST**

~~~~
en
conf t
archive
 log config
  logging enable
  hidekeys
  notify syslog
snmp-server enable traps
snmp-server enable traps ospf lsa
snmp-server enable traps cisco-specific lsa
wr
~~~~

---

### EIGRP Route Manipulation #1 (Verified Solution)

### Tasks

![sim-eigrp-route-manipulation-topology-1.png](https://prod-files-secure.s3.us-west-2.amazonaws.com/95d9fe2d-35e6-4fff-a767-8a5d09ac1ac3/b3afcdc0-ce2a-4bfe-a074-35fb8a3ad84a/sim-eigrp-route-manipulation-topology-1.png)

Troubleshoot and resolve the issues to achieve these goals:

1. Ensure that R1 reaches the prefix 10.6.66.6 without any single point of failure in the path. Do not use a static route or policy-based routing to accomplish this.
2. Ensure that R1 loopback 1 reaches to R6’s loopback 1 by following the path through R1, R3, R5 to R6 and vice versa. Use metric values K1=100000, K2=1, K3=255, K4=10, K5=1500 to modify the default metric in EIGRP if required. Do not use a route-map.
3. Ensure that on R3, prefix 10.0.56.6/32 uses the SP1 to route to the Internet, whereas prefix 172.16.12.2/32 uses the SP2 to route to the Internet. Do not use BGP to accomplish this. Use the pre-configured route-maps SP1 and SP2 and modify to accomplish the task if required. Use the ping and trace commands from R6 and R2 to prefixes 209.165.202.132 and 209.165.202.128, respectively to verify results.
### Solution

**R3**

~~~~
conf t
router eigrp 10
 no distance 255 0.0.0.0 255.255.255.255 66
 redistribute ospf 10 metric 100000 1 255 10 1500
route-map SP1 permit 10
 set ip next-hop 209.165.201.2
route-map SP2 permit 10
 set ip next-hop 209.165.200.226
int e0/1
 ip policy route-map SP1
int e0/0
 ip policy route-map SP2
end
wr
~~~~

**R4**

~~~~
en
conf t
router eigrp 10
 no distance 0.0.0.0 255.255.255.255 66
wr
~~~~

---

### EIGRP Route Manipulation #2

### Tasks

Troubleshoot and resolve the issues to achieve these goals:

1. Ensure that R2 reaches the prefix 10.5.55.5 without any single point of failure in the path. Do not use a static route or policy-based routing to accomplish this.
2. Ensure that R1 loopback 0 reaches to R6’s loopback 0 by following the path through R1, R5 to R6 and vice versa. Use metric values K1=100000, K2=1, K3=255, K4=10, K5=1500 to modify the default metric in EIGRP if required. Do not use a route-map.
3. Ensure that on R3, prefix 10.0.0.0/8 uses the SP1 to route to the Internet, whereas prefix 172.16.0.0/12 uses the SP2 to route to the Internet. Do not use BGP to accomplish this. Use the pre-configured route-maps SP1 and SP2 and modify to accomplish the task if required. Use the ping and trace commands from R5 and R1 to verify results.

### Solution

**R3**

~~~~
conf t
router eigrp 10
 no distance 255 0.0.0.0 255.255.255.255 66
 redistribute ospf 10 metric 100000 255 10 1 1500
route-map SP1 permit 10
 set ip next-hop 209.165.201.2
route-map SP2 permit 10
 set ip next-hop 209.165.200.226
int e0/1
 ip policy route-map SP1
int e0/0
 ip policy route-map SP2
wr
~~~~

**R4**

~~~~
en
conf t
router eigrp 10
 no distance 255 0.0.0.0 255.255.255.255 5
wr
~~~~

---

### EIGRP Route Manipulation #3 (Verified Solution)

### Tasks

Troubleshoot and resolve the issues to achieve these goals:

1. Ensure that R6 reaches the prefix 10.9.99.9. Manipulate the first basic routing decision-making criteria of longest prefix match that if a router learns a route from different routing protocols, the longest matched prefix can be changed. Use decimal value of 75 if required to accomplish this. Do not use a route-map.
2. Ensure that R2 loopback 1 reaches to R5's loopback 1 by following the path through R2, R4, R6 to R5 and R5 loopback 1 reaches R2's loopback 1 by following the path through R5, R6, R4 to R2. Use metric values K1= 100000, K2=1, K3=255, K4=10, K5=1500 to modify the default metric in EIGRP if required. Do not add or modify the default-metric command under router eigrp 10. Do not use a route-map to set metrics.
3. Ensure that on R3, prefix 10.0.56.6/32 uses the SP1 to route to the Internet, whereas prefix 172.16.12.2/32 uses the SP2 to route to the Internet. Do not use BGP to accomplish this. Use the pre-configured route-maps INTERNET1 and INTERNET2, and modify to accomplish the task if required. Use the ping and trace commands from R6 and R2 to prefixes 209.165.202.146 and 209.165.202.158, respectively to verify the results.

### Solution

**R3**

~~~~
conf t
route-map INTERNET1 permit 10
 set ip next-hop 209.165.200.237
route-map INTERNET2 permit 10
 set ip next-hop 209.165.200.229
int e0/1
 ip policy route-map INTERNET1
int e0/0
 ip policy route-map INTERNET2
wr
~~~~

**R4**

~~~~
en
conf t
router rip
 distance 75
router eigrp 10
 no distance 255 0.0.0.0 255.255.255.255
 redistribute ospf 10 metric 10000 255 10 1 1500
router ospf 10
 redistribute eigrp 10 metric 10
wr
~~~~

---

### BGP Troubleshooting (Solution Kinda Verified)

### Tasks

![sim-bgp-topology.png](https://prod-files-secure.s3.us-west-2.amazonaws.com/95d9fe2d-35e6-4fff-a767-8a5d09ac1ac3/32f5b6df-1ba2-459f-bf36-19a59621b133/sim-bgp-topology.png)

A company is connected to an ISP and some of the networks between the ISP and the company are not reachable. Troubleshoot and resolve the issues to achieve these goals:

1. A single /16 is advertised for all infrastructure-connected interfaces that belong to the 10.20.x.x network using BGP network commands from border routers connected to the ISP. Configuration modification is allowed in R4 and R5 to achieve the results. Do not use the BGP aggregate command.
2. R6 receives the ISP R2 Loopback2 from R4 and receives a summary address for both Loopbacks of ISP R2 from R4 or R5. Use BGP attribute local-preference, add <default value + router number>, for example, for R6, use "default+6=value to be used". Use the existing prefix lists or route maps with the sequence numbering starting at 10 and added in increments of 10.
3. R6 receives the ISP R2 Loopback1 from R5 and receives a summary address for both Loopbacks of ISP R2 from R4 or R5 using the same guidelines.
4. R6 advertises its Loopback1 /24 address through BGP.

### Solution

**R4**

~~~~
conf t
ip route 10.20.0.0 255.255.0.0 null0
no ip prefix-list AS65001-in
access-list 10 permit 192.168.2.0 0.0.0.255
route-map LOCAL permit 10
 match ip address 10
 set local-preference 104
router bgp 65000
 neighbor 10.20.6.6 route-map LOCAL out
route-map AS65001-in permit 20
 match ip address prefix-list AS65001-in
 set local-preference 104
clear ip bgp * soft
wr
~~~~

**R5**

~~~~
conf t
ip route 10.20.0.0 255.255.0.0 null0
no ip prefix-list AS65001-in
access-list 10 permit 192.168.3.0 0.0.0.255
route-map LOCAL permit 10
 match ip address 10
 set local-preference 105
router bgp 65000
 neighbor 10.20.6.6 route-map LOCAL out
route-map AS65001-in permit 20
 match ip address prefix-list AS65001-in
 set local-preference 105
clear ip bgp * soft
wr
~~~~

**R6**

~~~~
conf t
router bgp 65000
 address-family ipv4
  network 172.16.6.0 mask 255.255.255.0
wr
~~~~

---

### AAA & ACL Lab (Solution Verified?)

### Tasks

Troubleshoot and resolve the issues on West and East routers to achieve these goals:

1. SW2 should only allow telnet access from ISP router's Loopback 0 using the AAA services. Fix the configs on SW2 to achieve this.
Use preconfigured access-list ISP without removing the existing rule.
2. East router is configured to perform forwarding table lookup on an IP packet's source address, and it checks the incoming interface to reduce the risk of IP Address spoofing. Fix the issue where some East Router fails to ping destinations which are reachable via default route such as loopback 16 on ISP router. Do not advertise this interface into ospf and neither use a static route on East router to perform this task.

You must remove wrong preconfigs that have impact on tasks you are performing to fix issues.

Enable password is 'Cisco' on all devices

SW2: Local username is "SW2" and password is "Cisco"

## Starting Configs

**ISP**

~~~~
ISP#sh run
Building configuration ...
Current configuration : 1393 bytes
!
version 15.8
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ISP
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
!
interface Loopback0
 ip address 172.16.0.100 255.255.255.255
 ip ospf 1 area 0
interface Loopback16
 ip address 172.16.16.16 255.255.255.255
interface Ethernet0/0
 ip address 10.0.10.1 255.255.255.252
 ip ospf 1 area 1
 duplex auto
!
interface Ethernet0/1
 ip address 10.0.20.1 255.255.255.252
 ip ospf 1 area 0
 duplex auto
!
interface Ethernet0/2
 no ip address
 duplex auto
!
interface Ethernet0/3
 no ip address
 duplex auto
!
interface Ethernet1/0
 no ip address
 duplex auto
!
interface Ethernet1/1
 no ip address
 duplex auto
!
interface Ethernet1/2
 no ip address
 duplex auto
!
interface Ethernet1/3
 no ip address
 duplex auto
!
router ospf 1
 default-information originate always
!
ip forward-protocol nd
!
!
!
ip http server
no ip http secure-server
!
ipv6 ioam timestamp
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
line vty 0 4
 login
 transport input none
!
!
end
~~~~

**East**

~~~~
East#sh run
Building configuration ...
!
Current configuration : 1262 bytes
!
version 15.8
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname East
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
interface Ethernet0/0
 ip address 192.168.10.1 255.255.255.0
 duplex auto
!
interface Ethernet0/1
 ip address 10.0.10.2 255.255.255.252
 ip verify unicast source reachable-via rx
 duplex auto
!
interface Ethernet0/2
 no ip address
 duplex auto
!
!
interface Ethernet0/3
 no ip address
 duplex auto
!
interface Ethernet1/0
 no ip address
 duplex auto
!
interface Ethernet1/1
 no ip address
 duplex auto
!
interface Ethernet1/2
 no ip address
 duplex auto
!
interface Ethernet1/3
 no ip address
 duplex auto
!
router ospf 1
 network 0.0.0.0 255.255.255.255 area 1
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
!
ipv6 ioam timestamp
!
!
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
line vty 0 4
 login
 transport input none
!
!
end
~~~~

**West**

~~~~
West#sh run
Building configuration ...
!
Current configuration : 1281 bytes
!
version 15.8
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname West
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
redundancy
!
!
!
!
!
interface Ethernet0/0
 ip address 192.168.20.1 255.255.255.0
 duplex auto
!
interface Ethernet0/1
 ip address 10.0.20.2 255.255.255.252
 duplex auto
!
interface Ethernet0/2
 no ip address
 duplex auto
!
interface Ethernet0/3
 no ip address
 duplex auto
!
interface Ethernet1/0
 no ip address
!
interface Ethernet1/1
 no ip address
 duplex auto
!
interface Ethernet1/2
 no ip address
 duplex auto
!
interface Ethernet1/3
 no ip address
 duplex auto
!
router ospf 1
 passive-interface Ethernet0/0
 network 10.0.20.2 0.0.0.0 area 0
 network 192.168.20.1 0.0.0.0 area 2
!
ip forward-protocol nd
!
!
no ip http server
!
!
no ip http server
no ip http secure-server
!
ipv6 ioam timestamp
!
!
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
line vty 0 4
 login
 transport input none
!
!
end
~~~~

**SW2**

~~~~
SW2#sh run
Building configuration ...
!
Current configuration : 1359 bytes
!
! Last configuration change at xx:xx:xx UTC Weekday Month Day 2024
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname SW2
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$HuWP$gE0KrE2aM2/VIhls6fnLB/
!
username SW2 secret 5 $1$lroA$vInoDRIF5jFxygAIB4NQL1
aaa new-model
!
!
aaa authentication login telnet local
!
!
aaa session-id common
!
no ip domain-lookup
ip domain-name cisco.com
ip cef
no ipv6 cef
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
interface Ethernet0/0
 no switchport
 ip address 192.168.20.2 255.255.255.0
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet1/0
!
interface Ethernet1/1
!
interface Ethernet1/2
!
interface Ethernet1/3
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.20.1
!
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip access-list standard ISP
 deny any log
!
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
line vty 0 4
 access-class ISP in
 exec-timeout 0 0
 transport input ssh
!
!
end
~~~~

### Solution

**SW2**

~~~~
ip access-list standard ISP
 5 permit 172.16.0.100
line vty 0 4
 transport input telnet
 login authentication telnet
~~~~

**East**

~~~~
configure terminal
interface Ethernet0/1
 no ip verify unicast source reachable-via rx
 ip verify unicast source reachable-via rx allow-default
~~~~

And here is the ChatGPT prompt I used to create a custom GPT where I just added the labs as a .txt file. Good luck on the exam. You can do it!

--------

Purpose

This GPT is designed to serve as an interactive trainer for Cisco ENARSI 300-410 exam preparation, focusing on the effective use of IOS commands. It should guide users through the configuration and troubleshooting of various networking scenarios using a simulated command line interface.

General Behavior

User Guidance and Interaction:

Present a list of training topics upon initialization. Allow the user to select a topic from the list to begin the lesson. Guide the user step-by-step through the required IOS commands for the selected scenario. Provide explanations for each command, including its purpose and usage. Respond to incorrect commands or sequences with corrective guidance. If the user requests a lab solution directly, provide only the exact solution from the documentation without improvisation or additional commentary. If the user asks for an explanation or step-by-step guidance, offer additional context and walk through the commands, explaining the purpose of each step.

Command Line Simulation:

Simulate a realistic CLI environment for entering IOS commands. Process and validate the entered commands as they would function in an actual Cisco device. Offer feedback on command syntax, sequence, and context to help users understand the practical application.
Feedback and Assessment:

Provide immediate feedback for each command, indicating whether it is correct or incorrect. Offer detailed explanations for incorrect commands, suggesting the correct command or sequence. After each simulation, give a summary of performance, highlighting areas of improvement and providing additional resources or suggestions for further study.

Learning Reinforcement:

Include checkpoints within each scenario to review key concepts. Present mini-quizzes or challenges at the end of each topic to reinforce learning. Encourage the user to repeat topics as needed to master the command sequences.

Specific Instructions for Each Topic, please walk the user through the solution provided, but use the rest of the context of the question to get started - let the user know the topic of the lab and the tasks. Remember that we are challenging the user and we do not want to provide all of the lines all at once. Just provide a few lines of commands at a time, and ask the user to copy them. Refer to the uploaded file
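The East router fix in the AAA & ACL lab above replaces strict uRPF with `ip verify unicast source reachable-via rx allow-default`. As an added example (not part of the original post), this Python model of the reverse-path check shows why a source covered only by the default route is dropped in strict mode and what `allow-default` changes; the FIB is constructed from the lab's addressing, and the OSPF-learned entries and the test host 192.168.10.5 are assumptions.

```python
import ipaddress

# Constructed FIB for the East router, derived from the lab's starting configs.
# The OSPF-learned entries are assumptions about what East would install.
EAST_FIB = [
    ("192.168.10.0/24", "Ethernet0/0"),  # connected LAN
    ("10.0.10.0/30", "Ethernet0/1"),     # connected link to ISP
    ("10.0.20.0/30", "Ethernet0/1"),     # assumed: learned from ISP via OSPF
    ("172.16.0.100/32", "Ethernet0/1"),  # assumed: ISP Loopback0, which runs OSPF
    ("0.0.0.0/0", "Ethernet0/1"),        # ISP: default-information originate always
]


def longest_match(fib, addr):
    """Return (network, interface) of the most specific covering route, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict(fib, src, in_iface, allow_default=False):
    """Model of 'ip verify unicast source reachable-via rx [allow-default]'.

    Returns a verdict string so the drop reason is visible.
    """
    hit = longest_match(fib, src)
    if hit is None:
        return "drop: no route to source"
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        # Without allow-default the default route does not count for the check.
        return "drop: source matched only by default route"
    if iface != in_iface:
        return "drop: reverse path uses " + iface
    return "pass"


if __name__ == "__main__":
    cases = [
        ("172.16.16.16", "Ethernet0/1"),  # ISP Loopback16, not advertised in OSPF
        ("172.16.0.100", "Ethernet0/1"),  # ISP Loopback0, specific route exists
        ("192.168.10.5", "Ethernet0/1"),  # LAN address arriving on the ISP link
    ]
    for src, iface in cases:
        for allow in (False, True):
            verdict = urpf_strict(EAST_FIB, src, iface, allow_default=allow)
            print(f"{src:>14} in {iface} allow-default={allow}: {verdict}")
```

The third case stays dropped with `allow-default` set, because the check still requires the reverse path to point out the receiving interface.
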