How2pass.com Forums
Just Passed! Corrected Labs and Advice - Printable Version


Just Passed! Corrected Labs and Advice - jupertino - 10-14-2024

Hi everyone! I just passed with the help of this site after a while, and here's my summary - 

I used this site to study 300 questions a day until I got 90% or better on my exam.
I also used a usb capture card and a second laptop mounted under the table with a 3d print to record my screen for post-game review.

I've taken the exam twice (780 score on the first try!), and here were the labs they gave me:
First exam:
  • EIGRP Route Manipulation #3
  • AAA & IP Troubleshooting Lab
  • IPSec Config SIM
  • EIGRP #2
Second exam:
  • VRF
  • DMVPN
  • EIGRP #2
I used chatGPT to "lab" a ton, and it gave me incredible feedback and IT. IS. WHAT. MADE. ME. PASS. I've included my prompt as well as my corrected labs, as the labs on this site are either incomplete or sometimes wrong.

My labs are below. I put these in Claude.ai and ChatGPT and told it to quiz me. I'll reply in a comment with my ChatGPT prompt for reference.


Part 1 is here, part 2 is in a comment. Copy both parts for your notes.

CORRECTED ENARSI LABS PART 1:

### CoPP (Verified/Labbed Solution)

### Tasks

A network is configured with CoPP to protect the CORE router route processor for stability and DDoS protection. As a company policy, a class named class-default is preconfigured and must not be modified or deleted. Troubleshoot CoPP to resolve the issues introduced during the maintenance window to ensure that:

1. Dynamic routing policies are under CoPP-CRITICAL and are allowed only from the 10.10.X.X range.
2. Telnet, SSH, and ping are under CoPP-IMPORTANT and are allowed strictly to/from 10.10.x.x to the CORE router (Hint: you can verify using Loopback1).
3. All devices ping (UDP) any CORE router interface successfully to/from the 10.10.X.X range and do not allow any other IP address.
4. All devices run a successful traceroute (UDP) to any interface on the CORE router to/from the 10.10.X.X range, are under CoPP-NORMAL, and do not allow any other IP address (make sure default traceroute TTL is accounted for). The traceroute is to be under CoPP-NORMAL (Hint: Traceroute port range 33434-33464).

### Solution

**CORE**
ip access-list extended COPP-CRITICAL
permit eigrp 10.10.0.0 0.0.255.255 any
permit eigrp any 10.10.0.0 0.0.255.255
permit ip 224.0.0.10 10.10.0.0 any
permit ip any host 224.0.0.10

ip access-list extended IMPORTANT
permit tcp 10.10.0.0 0.0.255.255 host 10.10.1.1 eq 22 telnet
permit tcp host 10.10.1.1 10.10.0.0 0.0.255.255 eq 22 telnet
permit icmp 10.10.0.0 0.0.255.255 host 10.10.1.1
permit icmp host 10.10.1.1 10.10.0.0 0.0.255.255
permit udp 10.10.0.0 0.0.255.255 host 10.10.1.1
permit udp host 10.10.1.1 10.10.0.0 0.0.255.255

ip access-list extended COPP-NORMAL
permit udp 10.10.0.0 0.0.255.255 host 10.10.1.1 range 33434 33464
permit udp host 10.10.1.1 10.10.0.0 0.0.255.255 range 33434 33464

---

### VRFs (Verified/Labbed Solution)

### Tasks

![sim-vrf-topology.png](https://prod-files-secure.s3.us-west-2.amazonaws.com/95d9fe2d-35e6-4fff-a767-8a5d09ac1ac3/5e92092e-c9a8-4846-9da8-f97f97ea5732/sim-vrf-topology.png)

Configure individual VRFs for each customer according to the topology to achieve these goals:

1. VRF "cu-red" has interfaces on routers R1 and R2. Both routers are preconfigured with IP addressing, VRFs and BGP. Do not use the BGP network statement for advertisement.
2. VRF "cu-green" has interfaces on routers R1 and R2.
3. BGP on router R1 populates VRF routes between router R1 and R2.
4. BGP on router R2 populates VRF routes between router R1 and R2.
5. LAN to LAN is reachable between SW1 and SW3 for VRF "cu-red" and between SW2 and SW4 for VRF "cu-green". All switches are preconfigured.

### Solution

**R1**

conf t
vrf definition cu-red
rd 65000:100
address-family ipv4 unicast

vrf definition cu-green
rd 65000:200
address-family ipv4 unicast

interface e0/0
vrf forwarding cu-red
ip address 192.168.1.254 255.255.255.0
no shut

interface e0/1
vrf forwarding cu-green
ip address 192.168.20.254 255.255.255.0
no shut

interface e0/2
no shut

interface e0/2.100
vrf forwarding cu-red
ip address 10.10.10.1 255.255.255.252
no shut

interface e0/2.200
vrf forwarding cu-green
ip address 10.10.20.1 255.255.255.252
no shut

router bgp 65000
bgp router-id 1.1.1.1
address-family ipv4 vrf cu-red
neighbor 10.10.10.2 remote-as 65000
redistribute connected
exit-address-family

address-family ipv4 vrf cu-green
neighbor 10.10.20.2 remote-as 65000
redistribute connected
exit-address-family

wr

**R2**

conf t
vrf definition cu-red
rd 65000:100
address-family ipv4 unicast

vrf definition cu-green
rd 65000:200
address-family ipv4 unicast

interface e0/0
vrf forwarding cu-red
ip address 192.168.2.254 255.255.255.0
no shut

interface e0/1
vrf forwarding cu-green
ip address 192.168.22.254 255.255.255.0
no shut

interface e0/2
no shut

interface e0/2.100
vrf forwarding cu-red
ip address 10.10.10.2 255.255.255.252
no shut

interface e0/2.200
vrf forwarding cu-green
ip address 10.10.20.2 255.255.255.252
no shut

router bgp 65000
bgp router-id 2.2.2.2
address-family ipv4 vrf cu-red
neighbor 10.10.10.1 remote-as 65000
redistribute connected

address-family ipv4 vrf cu-green
neighbor 10.10.20.1 remote-as 65000
redistribute connected

wr

---

### OSPF (Mostly Verified Solution)

### Tasks

A network is configured with IP connectivity, and the routing protocol between devices started having problems right after the maintenance window to implement network changes. Troubleshoot and resolve to a fully functional network to ensure that:

1. Inter-area links have link authentication (not area authentication) using MD5 with the key 1 string CCNP.
2. R3 is a DR regardless of R2 status while R1 and R2 establish a DR/BDR relationship.
3. OSPF uses the default cost on all interfaces. Network reachability must follow OSPF default behavior for traffic within an area over intra-area VS inter-area links.
4. The OSPF external route generated on R4 adds link cost when traversing through the network to reach R2. A network command to advertise routes is not allowed.

### Solution

**R2**
conf t
interface e0/1
ip ospf priority 0
wr

**R4**
conf t
interface e0/0
ip ospf message-digest-key 1 md5 CCNP
ip ospf authentication message-digest
router ospf 1
redistribute connected metric-type 1
wr

**R5**
conf t
int e0/0
ip ospf message-digest-key 1 md5 CCNP
ip ospf authentication message-digest
interface e0/1
no ip ospf cost 60
wr

---

### DMVPN (Mostly Verified Solution)


### Tasks

A DMVPN network is preconfigured with tunnel 0 IP address 192.168.1.254 on the HUB, IP connectivity, crypto policies, profiles, and EIGRP AS 100. The NHRP password is ccnp123, and the network ID and tunnel key is EIGRP ASN. Do not introduce a static route. Configure DMVPN connectivity between routers BR1 and BR2 to the HUB router using physical interface as the tunnel source to achieve these goals:

1. Configure NHRP authentication, static IP-to-NBMA address maps, hold time 5 minutes, network ID, and server on branch router BR1.
2. Configure NHRP authentication, static IP-to-NBMA address maps, hold time 5 minutes, network ID, and server on branch router BR2.
3. Ensure that packet fragmentation is done before encryption to account for GRE and IPsec header and allow a maximum TCP segment size of 1360 on an IP MTU of 1400 on the tunnel interfaces of both branch routers.
4. Apply an IPsec profile to the tunnel. Verify that direct spoke-to-spoke tunnel is functional between branch routers BR1 and BR2 by using traceroute to Ethernet 0/0 IP address to get a full score.

### Solution

**BR1**

conf t

Interface Tunnel0
IP address 192.168.1.1 255.255.255.0
no ip redirects
ip mtu 1400
ip tcp adjust-mss 1360
ip nhrp authentication ccnp123
ip nhrp map 192.168.1.254 10.10.255.254
ip nhrp map multicast 10.10.255.254
ip nhrp network-id 100
ip nhrp holdtime 300
ip nhrp nhs 192.168.1.254
ip nhrp shortcut
delay 1000
tunnel source 10.10.255.1
tunnel mode gre multipoint
tunnel key 100

router eigrp 100
network 10.10.10.1 0.0.0.0
network 192.168.1.0 0.0.0.255
wr



**BR2**

conf t
crypto ipsec df-bit clear
crypto ipsec fragmentation before-encrypt
Interface Tunnel0
IP address 192.168.1.2 255.255.255.0
no ip redirects
ip mtu 1400
ip tcp adjust-mss 1360
ip nhrp authentication ccnp123
ip nhrp map 192.168.1.254 10.10.255.254
ip nhrp map multicast 10.10.255.254
ip nhrp network-id 100
ip nhrp holdtime 300
ip nhrp nhs 192.168.1.254
ip nhrp shortcut
delay 1000
tunnel source 10.10.10.2
tunnel mode gre multipoint
tunnel destination 10.10.255.254
tunnel key 100

router eigrp 100
network 10.10.10.2 0.0.0.0
network 192.168.1.0 0.0.0.255
wr

verify -
BR1#traceroute 172.16.2.254
BR1#show dmvpn

alternative answer that I’m not sure would cut it, examtopics fam doesn’t think this one is it
https://www.examtopics.com/discussions/cisco/view/110091-exam-300-410-topic-1-question-473-discussion/
https://www.wolf-lab.com/ccie/1462.html

**BR1**

config t
crypto ipsec df-bit clear
crypto ipsec fragmentation before-encrypt
interface tunnel 0
ip address 192.168.1.1 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
ip nhrp authentication ccnp123
ip nhrp network-id 100
ip nhrp map 192.168.1.254 10.10.255.254
ip nhrp map multicast 10.10.255.254
ip nhrp nhs 192.168.1.254
ip nhrp holdtime 300
ip nhrp shortcut
tunnel source 10.10.255.1
tunnel mode gre multipoint
tunnel key 100
tunnel protection ipsec profile ccnp
wr
traceroute 192.168.1.2
show dmvpn
show crypto ipsec sa

**BR2**

config t
crypto ipsec df-bit clear
crypto ipsec fragmentation before-encrypt
interface tunnel 0
ip address 192.168.1.2 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
ip nhrp authentication ccnp123
ip nhrp network-id 100
ip nhrp map 192.168.1.254 10.10.255.254
ip nhrp map multicast 10.10.255.254
ip nhrp nhs 192.168.1.254
ip nhrp holdtime 300
ip nhrp shortcut
tunnel source 10.10.255.2
tunnel mode gre multipoint
tunnel key 100
tunnel protection ipsec profile ccnp
wr
traceroute 192.168.1.1
show dmvpn
show crypto ipsec sa

---

### DMVPN Phase-II (Verified, varies a lot between tests)

### Tasks

Configure HUB and SPOKE routers according to the topology to achieve these goals:

1. Configure mGRE neighborship to provide end-to-end reachability between Hub and Spokes.
2. Configure NHRP authentication using password "C!$c0123". Use 180 sec hold time for NHRP members where NHS should maintain next hop client NBMA registration messages for 60 sec. Verify configuration with ping from PC1 to PC2 and PC3.

### Solution

**R0**
en
conf t
interface tunnel 0
ip address 10.0.0.254 255.255.255.0
tunnel mode gre multipoint
tunnel source e0/1
ip nhrp network-id 1
ip nhrp authentication C!$c0123
ip nhrp registration timeout 60
ip nhrp holdtime 180

ip nhrp map multicast dynamic - (only use this if there’s OSPF/EIGRP/RIP configured)

wr

**R1**

en
conf t
interface tunnel 0
ip address 10.0.0.1 255.255.255.0
tunnel source e0/1
ip nhrp network-id 1
tunnel mode gre multipoint
ip nhrp map 10.0.0.254 10.10.255.254
ip nhrp nhs 10.0.0.254
ip nhrp authentication C!$c0123
ip nhrp registration timeout 60
ip nhrp holdtime 180

ip nhrp map multicast 10.10.255.254 - (only use this if there’s OSPF/EIGRP/RIP configured)

wr

**R2**

en
conf t
interface tunnel 0
ip address 10.0.0.2 255.255.255.0
tunnel source e0/1
ip nhrp network-id 1
tunnel mode gre multipoint
ip nhrp map 10.0.0.254 10.10.255.254
ip nhrp nhs 10.0.0.254
ip nhrp authentication C!$c0123
ip nhrp registration timeout 60
ip nhrp holdtime 180

ip nhrp map multicast 10.10.255.254 - (only use this if there’s OSPF/EIGRP/RIP configured)

wr

---

### IPSEC #1 (Kinda Verified Solution)

### Tasks

Configure IPSec security policy on tunnel interfaces to ensure data confidentiality and integrity where mGRE tunnels are up and running between HUB and SPOKE routers.

1. Configure the ISAKMP policy parameters with the following attributes:
AES128
MD5
Group2
lifetime 86400
2. Ensure that GRE IP Header should not be encrypted inside the IPSec packet.
3. Configure a flexible ISAKMP Policy to add peers that have the dynamic IP addresses. Use a single command to configure it. Use IPSec phase-2 transform-set name as 'T-SET' and IPSec Profile name as 'T-SET-PROFILE'. Use ISAKMP key "abc123". Verify configuration with Ping from PC1 to PC2 and PC3.

### Starting Configs

### **Solution**

**R0/R1/R2**
en
conf t
crypto isakmp policy 10
encrypt aes 128
hash md5
authentication pre-share
group 2
lifetime 86400
crypto isakmp key abc123 address 0.0.0.0
crypto ipsec transform-set T-SET esp-aes 128 esp-md5-hmac
crypto ipsec profile T-SET-PROFILE
set transform-set T-SET
interface tunnel 0
tunnel source e0/0
tunnel protection ipsec profile T-SET-PROFILE

wr

### Verification

show crypto isakmp sa
show crypto ipsec sa

---

### IPSEC #2 (Kinda Verified Solution)

### Tasks

Configure IPSec security policy on tunnel interfaces to ensure data confidentiality and integrity where mGRE tunnels are up and running between HUB and SPOKE routers.

1. Configure the ISAKMP policy parameters with the following attributes:
AES256
SHA256
Group 2
lifetime 86400
2. Ensure that GRE IP Header should be encrypted inside the IPSec packet. Verify IPSec security association and ISAKMP encrypted key. Use ISAKMP key "abc123".
3. Configure a flexible ISAKMP Policy on the HUB to add peers that have the dynamic IP & addresses where SPOKES must add HUB IP static entry using an encrypted key. Use a single command to configure it. Use IPSec phase-2 transform-set name as 'T-SET' and IPSec Profile name as 'IPSEC-PROFILE'.

### Solution

**R0/R1/R2**
en
conf t
crypto isakmp policy 10
encryption aes 256
hash sha256
authentication pre-share
group 2
lifetime 86400
crypto isakmp key abc123 address 0.0.0.0
crypto ipsec transform-set T-SET esp-aes 256 esp-sha256-hmac
crypto ipsec profile IPSEC-PROFILE
set transform-set T-SET
int tunnel 0
tunnel source e0/0
tunnel protection ipsec profile IPSEC-PROFILE
wr

### Verification

show crypto isakmp sa
show crypto ipsec sa

---

### Timestamps/SNMP Config (Verified Solution)

### Tasks

Troubleshoot R-WEST to achieve the desired results:

1. The locally generated logs should have sequence numbers, date and time.
2. The SNMP related to OSPF and participating interface state changes utilizing RFC1253-MIB OSPFv2 should be sent to SNMP server.

### Solution:

**R-WEST**
en
conf t
service sequence-numbers
service timestamps log datetime msec
snmp-server enable traps ospf state-change
wr

---

**Ranking of Labs by Difficulty:**

- **Timestamps/SNMP Config (Lab 8)**
    - **Reason:** This lab involves minimal configuration changes—only about 3-4 commands. You enable sequence numbers and timestamps for logs and configure SNMP traps for OSPF state changes.
- **Archive Logging/SNMP Config (Lab 9)**
    - **Reason:** Similar to Lab 8, this lab requires a few additional commands (around 5-6). You configure command logging, ensure passwords are hidden, and enable specific SNMP traps.
- **AAA & ACL Lab (Lab 14)**
    - **Reason:** This lab involves troubleshooting AAA and ACL configurations on SW2 and the East router. It requires about 8-10 commands to fix access lists and authentication methods.
- **OSPF Troubleshooting (Lab 3)**
    - **Reason:** With approximately 10-12 commands, you adjust OSPF priorities, configure link authentication, and make minor tweaks to achieve the desired routing behavior.
- **CoPP (Control Plane Policing) (Lab 1)**
    - **Reason:** This lab requires creating multiple access lists and class maps, amounting to around 15-20 commands. You're setting up policies to protect the router's control plane.
- **EIGRP Route Manipulation #1 (Lab 10)**
    - **Reason:** Involves configuring route maps and adjusting EIGRP metrics, totaling about 20 commands. You manipulate routing paths without using static routes or policy-based routing.
- **EIGRP Route Manipulation #2 (Lab 11)**
    - **Reason:** Similar in complexity to Lab 10, with slight variations in the tasks. It also requires around 20 commands focused on route manipulation in EIGRP.
- **EIGRP Route Manipulation #3 (Lab 12)**
    - **Reason:** Slightly more complex than the previous EIGRP labs due to additional requirements like adjusting RIP distances and redistributing between protocols. Around 25 commands are needed.
- **IPSec #1 (Lab 6)**
    - **Reason:** You configure IPSec policies on multiple routers, including ISAKMP policies and crypto profiles, totaling approximately 30 commands.
- **IPSec #2 (Lab 7)**
    - **Reason:** Similar to Lab 6 but with different encryption standards and additional requirements like encrypting the GRE IP header. Around 30 commands are involved.
- **DMVPN (Lab 4)**
    - **Reason:** Configuring DMVPN with NHRP, IPsec profiles, and spoke-to-spoke tunnels requires about 30-35 commands across the routers involved.
- **DMVPN Phase-II (Lab 5)**
    - **Reason:** This lab builds upon basic DMVPN configurations with added complexities like NHRP authentication and hold times. It involves around 40-45 commands.
- **VRFs (Lab 2)**
    - **Reason:** Configuring VRFs, interfaces, and BGP across multiple routers is complex and command-intensive, requiring approximately 50 commands. It involves detailed configurations for separate routing tables and BGP instances.
- **BGP Troubleshooting (Lab 13)**
    - **Reason:** This lab is the most complex due to intricate BGP configurations, route manipulations using attributes like local preference, and summarization. It requires deep understanding and around 40-50 commands to resolve issues across multiple routers.
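
For the CoPP lab in the post above, whose task hints at the traceroute port range 33434-33464: the following is an added example, not part of the original post, that models first-match evaluation of an extended ACL and shows how `eq 33434 33464` and `range 33434 33464` classify UDP traceroute probes differently. The source host 10.10.2.5, the outside host 192.0.2.9 and the one-port-per-probe traceroute behaviour are assumptions made for the illustration.

```python
"""Model of how an IOS extended ACL entry matches UDP packets (added example).

Covers only what the CoPP lab uses: permit/deny, udp, addresses written as
'A.B.C.D WILDCARD', 'host A.B.C.D' or 'any', and the destination-port
operators 'eq p1 [p2 ...]' and 'range lo hi'.
"""
import ipaddress


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _take_address(tokens):
    """Consume one address spec from the token list; return (base, wildcard)."""
    head = tokens.pop(0)
    if head == "any":
        return 0, 0xFFFFFFFF
    if head == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(head), _ip(tokens.pop(0))


def parse_ace(line):
    """Parse one 'permit|deny udp SRC DST [eq ...|range lo hi]' entry."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    if action not in ("permit", "deny") or proto != "udp":
        raise ValueError(f"unsupported entry: {line!r}")
    src = _take_address(tokens)
    dst = _take_address(tokens)
    ports = None  # None means any destination port
    if tokens:
        op, nums = tokens[0], [int(t) for t in tokens[1:]]
        if op == "eq":            # eq matches each listed port, nothing between
            ports = set(nums)
        elif op == "range":       # range matches lo..hi inclusive
            lo, hi = nums
            ports = set(range(lo, hi + 1))
        else:
            raise ValueError(f"unsupported port operator: {op!r}")
    return {"action": action, "src": src, "dst": dst, "ports": ports}


def _addr_match(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF   # wildcard bit 1 = ignore, 0 = must match
    return (_ip(addr) & care) == (base & care)


def first_match(acl_lines, src, dst, dport):
    """Return the action of the first matching entry; implicit deny otherwise."""
    for line in acl_lines:
        ace = parse_ace(line)
        if (_addr_match(src, ace["src"]) and _addr_match(dst, ace["dst"])
                and (ace["ports"] is None or dport in ace["ports"])):
            return ace["action"]
    return "deny"


def traceroute_ports(hops, probes=3, base=33434):
    """Destination ports of a UDP traceroute, assuming one new port per probe."""
    return [base + i for i in range(hops * probes)]


def permitted_ports(acl_lines, src, dst, ports):
    return [p for p in ports if first_match(acl_lines, src, dst, p) == "permit"]


# Constructed sample entries: same addresses as the lab ACL, two port operators.
ACL_EQ = ["permit udp 10.10.0.0 0.0.255.255 host 10.10.1.1 eq 33434 33464"]
ACL_RANGE = ["permit udp 10.10.0.0 0.0.255.255 host 10.10.1.1 range 33434 33464"]

if __name__ == "__main__":
    probes = traceroute_ports(hops=4)   # 12 probes, ports 33434..33445
    for name, acl in (("eq", ACL_EQ), ("range", ACL_RANGE)):
        ok = permitted_ports(acl, "10.10.2.5", "10.10.1.1", probes)
        print(f"{name:5}: {len(ok)}/{len(probes)} probes classified")
    print("outside source:", first_match(ACL_RANGE, "192.0.2.9", "10.10.1.1", 33434))
```
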


RE: Just Passed! Corrected Labs and Advice - jupertino - 10-14-2024

Part 2

### Archive Logging/SNMP Config (Verified Solution)
### Tasks
Troubleshoot R-WEST to achieve the desired results:
1. All the commands should be locally saved to the router as well as sent to the Syslog server except passwords.
2. All the Cisco OSPF LSA traps should be sent to the SNMP server.
### Solution
**R-WEST**
en
conf t
archive
log config
logging enable
hidekeys
notify syslog
snmp-server enable traps
snmp-server enable traps ospf lsa
snmp-server enable traps cisco-specific lsa
wr

---

### EIGRP Route Manipulation #1 (Verified Solution)
### Tasks
![sim-eigrp-route-manipulation-topology-1.png](https://prod-files-secure.s3.us-west-2.amazonaws.com/95d9fe2d-35e6-4fff-a767-8a5d09ac1ac3/b3afcdc0-ce2a-4bfe-a074-35fb8a3ad84a/sim-eigrp-route-manipulation-topology-1.png)
Troubleshoot and resolve the issues to achieve these goals:
1. Ensure that R1 reaches the prefix 10.6.66.6 without any single point of failure in the path. Do not use a static route or policy-based routing to accomplish this.
2. Ensure that R1 loopback 1 reaches to R6’s loopback 1 by following the path through R1, R3, R5 to R6 and vice versa. Use metric values K1=100000, K2=1, K3=255, K4=10, K5=1500 to modify the default metric in EIGRP if required. Do not use a route-map.
3. Ensure that on R3, prefix 10.0.56.6/32 uses the SP1 to route to the Internet, whereas prefix 172.16.12.2/32 uses the SP2 to route to the Internet. Do not use BGP to accomplish this. Use the pre-configured route-maps SP1 and SP2 and modify to accomplish the task if required. Use the ping and trace commands from R6 and R2 to prefixes 209.165.202.132 and 209.165.202.128, respectively to verify results.
### Solution
**R3**
conf t
router eigrp 10
no distance 255 0.0.0.0 255.255.255.255 66
redistribute ospf 10 metric 100000 1 255 10 1500
route-map SP1 permit 10
set ip next-hop 209.165.201.2
route-map SP2 permit 10
set ip next-hop 209.165.200.226
int e0/1
ip policy route-map SP1
int e0/0
ip policy route-map SP2
end
wr
**R4**
en
conf t
router eigrp 10
no distance 0.0.0.0 255.255.255.255 66
wr

---

### EIGRP Route Manipulation #2
### Tasks
Troubleshoot and resolve the issues to achieve these goals:
1. Ensure that R2 reaches the prefix 10.5.55.5 without any single point of failure in the path. Do not use a static route or policy-based routing to accomplish this.
2. Ensure that R1 loopback 0 reaches to R6’s loopback 0 by following the path through R1, R5 to R6 and vice versa. Use metric values K1=100000, K2=1, K3=255, K4=10, K5=1500 to modify the default metric in EIGRP if required. Do not use a route-map.
3. Ensure that on R3, prefix 10.0.0.0/8 uses the SP1 to route to the Internet, whereas prefix 172.16.0.0/12 uses the SP2 to route to the Internet. Do not use BGP to accomplish this. Use the pre-configured route-maps SP1 and SP2 and modify to accomplish the task if required. Use the ping and trace commands from R5 and R1 to verify results.
### Solution
**R3**
conf t
router eigrp 10
no distance 255 0.0.0.0 255.255.255.255 66
redistribute ospf 10 metric 100000 255 10 1 1500
route-map SP1 permit 10
set ip next-hop 209.165.201.2
route-map SP2 permit 10
set ip next-hop 209.165.200.226
int e0/1
ip policy route-map SP1
int e0/0
ip policy route-map SP2
wr
**R4**
en
conf t
router eigrp 10
no distance 255 0.0.0.0 255.255.255.255 5
wr

---

### EIGRP Route Manipulation #3 (Verified Solution)
### Tasks
Troubleshoot and resolve the issues to achieve these goals:
1. Ensure that R6 reaches the prefix 10.9.99.9. Manipulate the first basic routing decision-making criteria of longest prefix match that if a router learns a route from different routing protocols, the longest matched prefix can be changed. Use decimal value of 75 if required to accomplish this. Do not use a route-map.
2. Ensure that R2 loopback 1 reaches to R5's loopback 1 by following the path through R2, R4, R6 to R5 and R5 loopback 1 reaches R2's loopback 1 by following the path through R5, R6, R4 to R2. Use metric values K1= 100000, K2=1, K3=255, K4=10, K5=1500 to modify the default metric in EIGRP if required. Do not add or modify the default-metric command under router eigrp 10. Do not use a route-map to set metrics.
3. Ensure that on R3, prefix 10.0.56.6/32 uses the SP1 to route to the Internet, whereas prefix 172.16.12.2/32 uses the SP2 to route to the Internet. Do not use BGP to accomplish this. Use the pre-configured route-maps INTERNET1 and INTERNET2, and modify to accomplish the task if required. Use the ping and trace commands from R6 and R2 to prefixes 209.165.202.146 and 209.165.202.158, respectively to verify the results.
### Solution
**R3**
conf t
route-map INTERNET1 permit 10
set ip next-hop 209.165.200.237
route-map INTERNET2 permit 10
set ip next-hop 209.165.200.229
int e0/1
ip policy route-map INTERNET1
int e0/0
ip policy route-map INTERNET2
wr
**R4**
en
conf t
router rip
distance 75
router eigrp 10
no distance 255 0.0.0.0 255.255.255.255
redistribute ospf 10 metric 10000 255 10 1 1500
router ospf 10
redistribute eigrp 10 metric 10
wr

---

### BGP Troubleshooting (Solution Kinda Verified)
### Tasks
![sim-bgp-topology.png](https://prod-files-secure.s3.us-west-2.amazonaws.com/95d9fe2d-35e6-4fff-a767-8a5d09ac1ac3/32f5b6df-1ba2-459f-bf36-19a59621b133/sim-bgp-topology.png)
A company is connected to an ISP and some of the networks between the ISP and the company are not reachable. Troubleshoot and resolve the issues to achieve these goals:
1. A single /16 is advertised for all infrastructure-connected interfaces that belong to the 10.20.x.x network using BGP network commands from border routers connected to the ISP. Configuration modification is allowed in R4 and R5 to achieve the results. Do not use the BGP aggregate command.
2. R6 receives the ISP R2 Loopback2 from R4 and receives a summary address for both Loopbacks of ISP R2 from R4 or R5. Use BGP attribute local-preference, add <default value + router number>, for example, for R6, use "default+6=value to be used". Use the existing prefix lists or route maps with the sequence numbering starting at 10 and added in increments of 10.
3. R6 receives the ISP R2 Loopback1 from R5 and receives a summary address for both Loopbacks of ISP R2 from R4 or R5 using the same guidelines.
4. R6 advertises its Loopback1 /24 address through BGP.
### Solution
**R4**
conf t
ip route 10.20.0.0 255.255.0.0 null0
no ip prefix-list AS65001-in
access-list 10 permit 192.168.2.0 0.0.0.255
route-map LOCAL permit 10
match ip address 10
set local-preference 104
router bgp 65000
neighbor 10.20.6.6 route-map LOCAL out
route-map AS65001-in permit 20
match ip address prefix-list AS65001-in
set local-preference 104
clear ip bgp * soft
wr
**R5**
conf t
ip route 10.20.0.0 255.255.0.0 null0
no ip prefix-list AS65001-in
access-list 10 permit 192.168.3.0 0.0.0.255
route-map LOCAL permit 10
match ip address 10
set local-preference 105
router bgp 65000
neighbor 10.20.6.6 route-map LOCAL out
route-map AS65001-in permit 20
match ip address prefix-list AS65001-in
set local-preference 105
clear ip bgp * soft
wr
**R6**
conf t
router bgp 65000
address-family ipv4
network 172.16.6.0 mask 255.255.255.0
wr

---

### AAA & ACL Lab (Solution Verified?)
### Tasks
Troubleshoot and resolve the issues on West and East routers to achieve these goals:
1. SW2 should only allow telnet access from ISP router's Loopback 0 using the AAA services.
Fix the configs on SW2 to achieve this. Use preconfigured access-list ISP without removing the existing rule.
2. East router is configured to perform forwarding table lookup on an IP packet's source
address, and it checks the incoming interface to reduce the risk of IP Address spoofing. Fix the issue where some East Router fails to ping destinations which are reachable via default route such as loopback 16 on ISP router. Do not advertise this interface into ospf and neither use a static route on East router to perform this task.
You must remove wrong preconfigs that have impact on tasks you are performing to fix
issues.
Enable password is 'Cisco' on all devices
SW2: Local username is "SW2" and password is "Cisco"
## Starting Configs
**ISP**
ISP#sh run
Building configuration ...
Current configuration : 1393 bytes
!
version 15.8
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ISP
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
!
interface Loopback0
ip address 172.16.0.100 255.255.255.255
ip ospf 1 area 0
interface Loopback16
ip address 172.16.16.16 255.255.255.255
interface Ethernet0/0
ip address 10.0.10.1 255.255.255.252
ip ospf 1 area 1
duplex auto
!
interface Ethernet0/1
ip address 10.0.20.1 255.255.255.252
ip ospf 1 area 0
duplex auto
!
interface Ethernet0/2
no ip address
duplex auto
!
interface Ethernet0/3
no ip address
duplex auto
!
interface Ethernet1/0
no ip address
duplex auto
!
interface Ethernet1/1
no ip address
duplex auto
!
interface Ethernet1/2
no ip address
duplex auto
!
interface Ethernet1/3
no ip address
duplex auto
!
router ospf 1
default-information originate always
!
ip forward-protocol nd
!
!
!
ip http server
no ip http secure-server
!
ipv6 ioam timestamp
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
line vty 0 4
login
transport input none
!
!
end
**East**
East#sh run
Building configuration ...
!
Current configuration : 1262 bytes
!
version 15.8
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname East
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
interface Ethernet0/0
ip address 192.168.10.1 255.255.255.0
duplex auto
!
interface Ethernet0/1
ip address 10.0.10.2 255.255.255.252
ip verify unicast source reachable-via rx
duplex auto
!
interface Ethernet0/2
no ip address
duplex auto
!
!
interface Ethernet0/3
no ip address
duplex auto
!
interface Ethernet1/0
no ip address
duplex auto
!
interface Ethernet1/1
no ip address
duplex auto
!
interface Ethernet1/2
no ip address
duplex auto
!
interface Ethernet1/3
no ip address
duplex auto
!
router ospf 1
network 0.0.0.0 255.255.255.255 area 1
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
!
ipv6 ioam timestamp
!
!
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
line vty 0 4
login
transport input none
!
!
end
**West**
West#sh run
Building configuration ...
!
Current configuration : 1281 bytes
!
version 15.8
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname West
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
redundancy
!
!
!
!
!
interface Ethernet0/0
ip address 192.168.20.1 255.255.255.0
duplex auto
!
interface Ethernet0/1
ip address 10.0.20.2 255.255.255.252
duplex auto
!
interface Ethernet0/2
no ip address
duplex auto
!
interface Ethernet0/3
no ip address
duplex auto
!
interface Ethernet1/0
no ip address
!
interface Ethernet1/1
no ip address
duplex auto
!
interface Ethernet1/2
no ip address
duplex auto
!
interface Ethernet1/3
no ip address
duplex auto
!
router ospf 1
passive-interface Ethernet0/0
network 10.0.20.2 0.0.0.0 area 0
network 192.168.20.1 0.0.0.0 area 2
!
ip forward-protocol nd
!
!
no ip http server
!
!
no ip http server
no ip http secure-server
!
ipv6 ioam timestamp
!
!
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
line vty 0 4
login
transport input none
!
!
end
**SW2**
SW2#sh run
Building configuration ...
!
Current configuration : 1359 bytes
!
! Last configuration change at xx:xx:xx UTC Weekday Month Day 2024
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname SW2
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$HuWP$gE0KrE2aM2/VIhls6fnLB/
!
username SW2 secret 5 $1$lroA$vInoDRIF5jFxygAIB4NQL1
aaa new-model
!
!
aaa authentication login telnet local
!
!
aaa session-id common
!
no ip domain-lookup
ip domain-name cisco.com
ip cef
no ipv6 cef
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
interface Ethernet0/0
no switchport
ip address 192.168.20.2 255.255.255.0
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet1/0
!
interface Ethernet1/1
!
interface Ethernet1/2
!
interface Ethernet1/3
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.20.1
!
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip access-list standard ISP
deny any log
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
line vty 0 4
access-class ISP in
exec-timeout 0 0
transport input ssh
!
!
end
### Solution
**SW2**
ip access-list standard ISP
5 permit 172.16.0.100
line vty 0 4
transport input telnet
login authentication telnet
**East**
configure terminal
interface Ethernet0/1
no ip verify unicast source reachable-via rx
ip verify unicast source reachable-via rx allow-default




And here is the ChatGPT prompt I used to create a custom GPT where I just added the labs as a .txt file. Good luck on the exam. You can do it!

--------

Purpose
This GPT is designed to serve as an interactive trainer for Cisco ENARSI 300-410 exam preparation, focusing on the effective use of IOS commands. It should guide users through the configuration and troubleshooting of various networking scenarios using a simulated command line interface.

General Behavior
User Guidance and Interaction:

Present a list of training topics upon initialization.
Allow the user to select a topic from the list to begin the lesson.
Guide the user step-by-step through the required IOS commands for the selected scenario.
Provide explanations for each command, including its purpose and usage.
Respond to incorrect commands or sequences with corrective guidance.
If the user requests a lab solution directly, provide only the exact solution from the documentation without improvisation or additional commentary.
If the user asks for an explanation or step-by-step guidance, offer additional context and walk through the commands, explaining the purpose of each step.

Command Line Simulation:

Simulate a realistic CLI environment for entering IOS commands.
Process and validate the entered commands as they would function in an actual Cisco device.
Offer feedback on command syntax, sequence, and context to help users understand the practical application.

Feedback and Assessment:

Provide immediate feedback for each command, indicating whether it is correct or incorrect.
Offer detailed explanations for incorrect commands, suggesting the correct command or sequence.
After each simulation, give a summary of performance, highlighting areas of improvement and providing additional resources or suggestions for further study.

Learning Reinforcement:

Include checkpoints within each scenario to review key concepts.
Present mini-quizzes or challenges at the end of each topic to reinforce learning.
Encourage the user to repeat topics as needed to master the command sequences.
Specific Instructions for Each Topic, please walk the user through the solution provided, but use the rest of the context of the question to get started - let the user know the topic of the lab and the tasks. Remember that we are challenging the user and we do not want to provide all of the lines all at once. Just provide a few lines of commands at a time, and ask the user to copy them. Refer to the uploaded file
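
For the East router task in the AAA & ACL lab above (source-address lookup against the incoming interface, failing for destinations reached only through the default route): the following is an added example, not part of the original post, that models strict-mode uRPF with and without `allow-default`. The forwarding table is constructed from the posted starting configs and assumes East learns a default route and ISP Loopback0 via OSPF on Ethernet0/1; the spoofed source 192.168.10.50 is made up for the illustration.

```python
"""Strict-mode uRPF decision as described in the East router task (added example)."""
import ipaddress


class Route:
    def __init__(self, prefix, interface):
        self.net = ipaddress.ip_network(prefix)
        self.interface = interface


def best_route(fib, address):
    """Longest-prefix match; returns None when no entry covers the address."""
    addr = ipaddress.ip_address(address)
    candidates = [r for r in fib if addr in r.net]
    return max(candidates, key=lambda r: r.net.prefixlen, default=None)


def urpf_strict(fib, src, in_interface, allow_default=False):
    """Model 'ip verify unicast source reachable-via rx [allow-default]'.

    Returns (passed, reason) for a packet with source `src` received on
    `in_interface`.
    """
    route = best_route(fib, src)
    if route is None:
        return False, "no route to source"
    if route.net.prefixlen == 0 and not allow_default:
        # The source is covered only by 0.0.0.0/0, which strict mode ignores
        # unless allow-default is configured.
        return False, "source matches only the default route"
    if route.interface != in_interface:
        return False, f"source is reachable via {route.interface}, not {in_interface}"
    return True, "source reachable via receiving interface"


# Constructed forwarding table for East, derived from the starting configs:
# two connected networks, ISP Loopback0 (advertised into OSPF) and the default
# route originated by ISP. ISP Loopback16 (172.16.16.16) has no specific route.
EAST_FIB = [
    Route("192.168.10.0/24", "Ethernet0/0"),
    Route("10.0.10.0/30", "Ethernet0/1"),
    Route("172.16.0.100/32", "Ethernet0/1"),
    Route("0.0.0.0/0", "Ethernet0/1"),
]

if __name__ == "__main__":
    cases = [
        ("172.16.16.16", False),   # ping reply from ISP Loopback16
        ("172.16.16.16", True),
        ("172.16.0.100", False),   # ISP Loopback0 has a specific route
        ("192.168.10.50", True),   # LAN address spoofed from the ISP side
    ]
    for src, allow in cases:
        passed, reason = urpf_strict(EAST_FIB, src, "Ethernet0/1", allow)
        verdict = "pass" if passed else "drop"
        print(f"src={src:14} allow-default={allow!s:5} -> {verdict}: {reason}")
```
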