Posted 08 December 2017 - 01:55 PM

Sooo, I have joined the unlucky club of "got destroyed by H3", here are my comments
(sorry for the wall of text, hopefully it's useful)

- L2 nothing new, but watch out, in MO, the switches are switched (501 is on the
left) and you need to adjust port channel numbers accordingly. It cost me some time,
but they actually have it in bold mentioned in L2 detailed diagram, if you pay
attention ^_^ I believe the lab from CertDude has it this way, so no big deal. Just
watch out when copy-pasting.
- OSPF in HQ nothing new
- OSPF in DC1 nothing new. Prefix suppression is asked for, but no ispf. Vlan
2000/2001 preconfigured in OSPF and passive, you are asked not to change any
preconfig. Just loopbacks have to be visible in OSPF RIB.
- B2B with R100: R100 has loopback 100.100.100.100 + some other networks like
10.100.100.100 and 2x 172.16/24. All those are actually shown in the MPLS core, so
no problem with that. I did not have any loopback that was needed to shut as some
guys mentioned.
- BGP in DC, nothing new. Multipath is requested, but they asked to balance ping
from server1 to access switch in HQ. Since both IGP metrics and AS path are the
same, no need for IGP metric ignore and black magic with non documented relaxed
commands ^_^
- DC2 is fully preconfigured, both OSPF and iBGP, same for both offices
- eBGP are preconfigured from CE side, needed to do them from AS10000 side, eBGP to
AS10001 was done
- "show bgp vpnv4..." on all PE is indeed shown, with PE-CE, and 10.7/16 links
redistributed. "redistribute static" is in place on R24 already. CE-PE links needed
to be redistributed manually. I don't think the PE-CE prefixes need to be filtered
out at corporate sites, they ask to match output with "sho ip bgp | i 10.*" only.
- there are some prefixes in the MPLS core, that I needed to get rid of. AS 10001
was propagating the PE-CE links (101.10./30), plus R14 and R15 are having NAT pools
with 135.something/28. Those are originated to BGP and through DC1 goes to MPLS.
R24/25 do the same thing, but there is filtering already done
- routing policies nothing new, traffic from LO should go via R40, from MO via R50
with the exception of DMVPN. The asymmetric routing issue we have been discussing is
not mentioned, no preference for internet exit point is requested.
- PBR in the small office nothing new
- Home office: both R70 and R71 are preconfigured with NAT, including the access-lists.
R25 is indeed configured with LP 1000 for the default. No preconfig change
on R24 is requested.
- all NATs (R14/15/24/25) are preconfigured, no need touching that
- IPv6 - they ask SW111 to install both BGP paths to default to RIB
- multicast: well, nothing really new. R13 indeed shows SW100 e0/2 iface as
information source, plus DNS names. But in the "sho ip pim rp map" they give you,
only the DNS names are in bold, so hard to tell how much it matters. Anyway, I did
exactly the same as I have in my lab (where everything is fine), and it simply
didn't work. R13 was able to ping SW300 only when auto-rp information was visible
in DC. The first mcast task is ok, SW100/101 asked to be anycast RP.
- all the other stuff (DHCP, HSRP, QoS etc) nothing new.
- snmp filter, they ask for community "ccie" and access list should permit just
10.1./16, disable v1 for this community. No need for any magic with EEM or
something, they are NOT rebooting the devices.

I would say the K3 share is very accurate, but we are really missing the show
outputs, which actually tells you what exactly you need to do, since there is a lot
of stuff that you can't get from the task wording itself.
I don't really want to share exact score for each part, but even in the parts where
I was matching all the required outputs exactly, I was not getting full points. And
I did not have full points in security... since it's just 2 questions, I think the
RA guard solution discussed here on forum is wrong.
Other than H3, I had TS2 and HSRPv6 and MCAST diag. TS2 nothing really new, just in
the 3rd ticket I needed to play with OSPF priorities in DC1, which kinda threw me
off, as it was actually affecting trace in ticket 7(?). The MPLS problem. Both
4pointers, so I took some time on that to be really sure.
DIAG nothing new, I just hate the fact that I actually understand the problem and
still not really sure, which answer to choose. Cisco standard.

Some general notes:


- I needed to reboot R70 to get the PPPoE working, that really threw me off, since
it's like second thing you do. Lost some time on that.
- one guy was there for second attempt, and he got H2
- mine was the 1st attempt
- I noticed 2 other guys with H3. I don't know which attempt for them.
- there is no timer on the config part. So, if you finish TS in 1 hour, move to
DIAG (fixed 30 minutes, time for coffee), you have 6:30 hours to finish CFG
- I have done my TS in cca 1,5 hours, and was basically done with the basic CFG H3
reachability with cca 3 hours left. But then I started to do stupid mistakes that
cost me a lot of time and in the end was not able to verify everything (not to
mention the MCAST task I have not finished properly).
- the lab environment, there is no direct copy-paste with right click, you get a pop-up
menu, no big deal even without practice. The CMD window you get when you click
on device is "always on top", that's a bit annoying when you have 20 of them
opened. Mouse and keyboard cheap but ok.

Good luck everyone!

P.S. And wsxedc, yes, the multicast section and PBR on R60 is significantly more
complicated than H2/1. Happy? ;-)
